b2463ffe6c7364b2b8243c1d03ab9e7ae4d0c5cfdc521c286f0cbc9be9c0b2bd

Analysis

max time kernel
914s
max time network
839s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 13:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mav.bat
Size

5KB
MD5

9cd1f26bc3bd3420abf54e82dfcd0189
SHA1

a4240a6d75ca54a3333edde2dc77bfe6f64070ce
SHA256

b2463ffe6c7364b2b8243c1d03ab9e7ae4d0c5cfdc521c286f0cbc9be9c0b2bd
SHA512

e1ed645476a8f55ddbbaa89b8dc93025acc40ee79ba8340cc0fb5024fa69238bbbfcfdee855201ecff1b9f3d2666d3178eee9573f8f6efed3855144b1e61eb32
SSDEEP

96:7DSQNWxRDDENWxLQ1HiFIOpbsHi0axX3OTGj1o:7DSQNWvDDENWMCFKCdnOTGj1o

Score

7^/10

execution

Malware Config

Signatures

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Graphics.lnk	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.lnk	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Watch.lnk	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV.lnk	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2572	powershell.exe
2540	powershell.exe
2388	powershell.exe
2832	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 6 IoCs

evasion

pid	Process
1444	timeout.exe
2788	timeout.exe
2856	timeout.exe
868	timeout.exe
2164	timeout.exe
1264	timeout.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
2748	taskkill.exe
292	taskkill.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2572	powershell.exe
2540	powershell.exe
2388	powershell.exe
2832	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	2748	taskkill.exe
Token: SeDebugPrivilege	292	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2888	3040	cmd.exe	29
PID 3040 wrote to memory of 2888	3040	cmd.exe	29
PID 3040 wrote to memory of 2888	3040	cmd.exe	29
PID 2888 wrote to memory of 2572	2888	cmd.exe	31
PID 2888 wrote to memory of 2572	2888	cmd.exe	31
PID 2888 wrote to memory of 2572	2888	cmd.exe	31
PID 2888 wrote to memory of 2540	2888	cmd.exe	32
PID 2888 wrote to memory of 2540	2888	cmd.exe	32
PID 2888 wrote to memory of 2540	2888	cmd.exe	32
PID 2888 wrote to memory of 2388	2888	cmd.exe	33
PID 2888 wrote to memory of 2388	2888	cmd.exe	33
PID 2888 wrote to memory of 2388	2888	cmd.exe	33
PID 2888 wrote to memory of 2832	2888	cmd.exe	34
PID 2888 wrote to memory of 2832	2888	cmd.exe	34
PID 2888 wrote to memory of 2832	2888	cmd.exe	34
PID 2888 wrote to memory of 1444	2888	cmd.exe	35
PID 2888 wrote to memory of 1444	2888	cmd.exe	35
PID 2888 wrote to memory of 1444	2888	cmd.exe	35
PID 2888 wrote to memory of 1896	2888	cmd.exe	36
PID 2888 wrote to memory of 1896	2888	cmd.exe	36
PID 2888 wrote to memory of 1896	2888	cmd.exe	36
PID 2888 wrote to memory of 3056	2888	cmd.exe	37
PID 2888 wrote to memory of 3056	2888	cmd.exe	37
PID 2888 wrote to memory of 3056	2888	cmd.exe	37
PID 2888 wrote to memory of 544	2888	cmd.exe	38
PID 2888 wrote to memory of 544	2888	cmd.exe	38
PID 2888 wrote to memory of 544	2888	cmd.exe	38
PID 1896 wrote to memory of 580	1896	WScript.exe	39
PID 1896 wrote to memory of 580	1896	WScript.exe	39
PID 1896 wrote to memory of 580	1896	WScript.exe	39
PID 2888 wrote to memory of 2052	2888	cmd.exe	41
PID 2888 wrote to memory of 2052	2888	cmd.exe	41
PID 2888 wrote to memory of 2052	2888	cmd.exe	41
PID 2888 wrote to memory of 1628	2888	cmd.exe	42
PID 2888 wrote to memory of 1628	2888	cmd.exe	42
PID 2888 wrote to memory of 1628	2888	cmd.exe	42
PID 2052 wrote to memory of 676	2052	WScript.exe	43
PID 2052 wrote to memory of 676	2052	WScript.exe	43
PID 2052 wrote to memory of 676	2052	WScript.exe	43
PID 544 wrote to memory of 1224	544	WScript.exe	44
PID 544 wrote to memory of 1224	544	WScript.exe	44
PID 544 wrote to memory of 1224	544	WScript.exe	44
PID 1628 wrote to memory of 1220	1628	WScript.exe	46
PID 1628 wrote to memory of 1220	1628	WScript.exe	46
PID 1628 wrote to memory of 1220	1628	WScript.exe	46
PID 3056 wrote to memory of 972	3056	WScript.exe	48
PID 3056 wrote to memory of 972	3056	WScript.exe	48
PID 3056 wrote to memory of 972	3056	WScript.exe	48
PID 1224 wrote to memory of 2788	1224	cmd.exe	51
PID 1224 wrote to memory of 2788	1224	cmd.exe	51
PID 1224 wrote to memory of 2788	1224	cmd.exe	51
PID 676 wrote to memory of 2800	676	cmd.exe	52
PID 676 wrote to memory of 2800	676	cmd.exe	52
PID 676 wrote to memory of 2800	676	cmd.exe	52
PID 1220 wrote to memory of 2220	1220	cmd.exe	53
PID 1220 wrote to memory of 2220	1220	cmd.exe	53
PID 1220 wrote to memory of 2220	1220	cmd.exe	53
PID 1224 wrote to memory of 2748	1224	cmd.exe	56
PID 1224 wrote to memory of 2748	1224	cmd.exe	56
PID 1224 wrote to memory of 2748	1224	cmd.exe	56
PID 1224 wrote to memory of 2856	1224	cmd.exe	58
PID 1224 wrote to memory of 2856	1224	cmd.exe	58
PID 1224 wrote to memory of 2856	1224	cmd.exe	58
PID 1224 wrote to memory of 2216	1224	cmd.exe	59

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\mav.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\mav.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "$WshShell = New-Object -ComObject WScript.Shell; $Shortcut = $WshShell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV.lnk'); $Shortcut.TargetPath = 'C:\ProgramData\Drivers\Intel_AMD\avast.vbs'; $Shortcut.Save()"
    3⤵
    - Drops startup file
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2572
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "$WshShell = New-Object -ComObject WScript.Shell; $Shortcut = $WshShell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Graphics.lnk'); $Shortcut.TargetPath = 'C:\ProgramData\Drivers\Intel_AMD\intel.vbs'; $Shortcut.Save()"
    3⤵
    - Drops startup file
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2540
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "$WshShell = New-Object -ComObject WScript.Shell; $Shortcut = $WshShell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.lnk'); $Shortcut.TargetPath = 'C:\ProgramData\Drivers\Intel_AMD\AMD.vbs'; $Shortcut.Save()"
    3⤵
    - Drops startup file
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2388
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "$WshShell = New-Object -ComObject WScript.Shell; $Shortcut = $WshShell.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Watch.lnk'); $Shortcut.TargetPath = 'C:\ProgramData\Drivers\Intel_AMD\watch.vbs'; $Shortcut.Save()"
    3⤵
    - Drops startup file
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2832
- - C:\Windows\system32\timeout.exe
    timeout /t 3 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1444
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ProgramData\Drivers\Intel_AMD\intel.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1896
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Drivers\Intel_AMD\intel.bat"
      4⤵
      PID:580
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ProgramData\Drivers\Intel_AMD\AMD.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Drivers\Intel_AMD\AMD.bat"
      4⤵
      PID:972
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ProgramData\Drivers\Intel_AMD\watch.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:544
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Drivers\Intel_AMD\watch.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1224
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 360 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2788
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM msedge.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 95 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2856
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Drivers\Intel_AMD\AMD.vbs"
        5⤵
        
        PID:2216
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Drivers\Intel_AMD\AMD.bat"
        6⤵
        
        PID:1676
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Drivers\Intel_AMD\intel.vbs"
        5⤵
        
        PID:2388
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Drivers\Intel_AMD\intel.bat"
        6⤵
        
        PID:2908
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 360 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:868
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM msedge.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:292
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 95 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:2164
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Drivers\Intel_AMD\AMD.vbs"
        5⤵
        
        PID:2716
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Drivers\Intel_AMD\AMD.bat"
        6⤵
        
        PID:2820
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Drivers\Intel_AMD\intel.vbs"
        5⤵
        
        PID:540
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Drivers\Intel_AMD\intel.bat"
        6⤵
        
        PID:1324
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 360 /nobreak
        5⤵
        Delays execution with timeout.exe
        
        PID:1264
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ProgramData\Drivers\Intel_AMD\avast.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2052
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Drivers\Intel_AMD\avast.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:676
    - - C:\Windows\system32\where.exe
        
        where curl
        5⤵
        
        PID:2800
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ProgramData\Drivers\Intel_AMD\wind.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1628
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Drivers\Intel_AMD\hits.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1220
    - - C:\Windows\system32\where.exe
        
        where curl
        5⤵
        
        PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Drivers\Intel_AMD\AMD.bat

Filesize
303B

MD5
ee37de308daff92b8a47baea070c0bc6

SHA1
0cc47e59ee3af3755d928cf28f458f1f1aaaee9a

SHA256
9497b4dd2c2b1f1d274a5d56b941cdf23023c252cf833196ea13679e2b603a8e

SHA512
185184f222142c524b152c6db63bfa4e96cfc38d1e656673907156e79ba0bb34160ba53b474d07293ebb799aa651dbb6a887c1090d07fb1c5474c6d40805f40d

Download Submit
C:\ProgramData\Drivers\Intel_AMD\AMD.vbs

Filesize
152B

MD5
518a828b63145d9169c9720311189994

SHA1
3623da32c28f6b186f2046b5d50f68c980bf76dc

SHA256
74df535f2e1b2a421242777c69ffae6bde14dc363eb3f8671ad3688d5fdedb33

SHA512
43909c52d2f21ca4b890289bc9e3acec1cbcae7dab1c3b4092504324dde82c319f3fa778956fa2b7fa19b5ce9a98d24c2830ab5ecde6be0ac85f337fd8159d47

Download Submit
C:\ProgramData\Drivers\Intel_AMD\avast.bat

Filesize
529B

MD5
7f1673ed86b36112a613900d58a854e9

SHA1
9af74991e2b99f720c08ea0e9b76d60c50f56dea

SHA256
32f60d51dc27f32b02c9db61535e5a83b91abb447c2060a11658c05f5b6915d1

SHA512
4679a1c96ecc8495a7d28e501479b5951683e67c29162338f66dc83e1bd8cc43c84231cb3b236960b20e5327570450e4ea14de800c125b3231cb9c4bee3991e8

Download Submit
C:\ProgramData\Drivers\Intel_AMD\avast.vbs

Filesize
154B

MD5
72844790d36bd633bc866f3f15fd3690

SHA1
1b5bc7faf3047267d166988c62d6d49606c8bdb0

SHA256
9d976cfb9ac2910d57e0e1102041df61e9fa8c9963cbb75b12af02da357297c2

SHA512
b5f3002986aabe382c755e7b95e40518a59767ebb127a75fb5d6049ae37d3ce3a14fec6f1ab42e685017a4e7b90bc5f8c36507ca220149e1beefbfdf64e0b775

Download Submit
C:\ProgramData\Drivers\Intel_AMD\hits.bat

Filesize
513B

MD5
63053a80d3ba3568c1a1a51c07f04cfc

SHA1
85753e449b5a7c5eae829ce93920f72a37a2c83f

SHA256
63fa0f6dc2d256e776773555c7dfc1ac19035be5067f443baece4bbdabefbbea

SHA512
828022007a0c0db6f131f5d5369dac1208e258f5d2fb8393156243754b475b9a02dfb5345c273e8cafad90f0e13c1a8bac971d2b30085245ed57b9f255b0d792

Download Submit
C:\ProgramData\Drivers\Intel_AMD\intel.bat

Filesize
305B

MD5
e4b5f881cfce2902d71d0bb1063dbdb7

SHA1
7072c3a715af578eefca63e2a0226ffa7c48e740

SHA256
aaaaf4d63222e0eeb1752435713c8e2bcdaa651d6c390960bc6fa1092c13763b

SHA512
ebf3b9e5ed8e0abb2d6b26b26132e5274a57df18c9456100dddb1663849d79f7725cfbc241b66e75fcb7e6e88af929f9d834a47510ddc06831cb799072723ee8

Download Submit
C:\ProgramData\Drivers\Intel_AMD\intel.vbs

Filesize
154B

MD5
47c7368ba476f077266837f958cc84f4

SHA1
625369a4804f5207799168fb4030f89068b21c1e

SHA256
b544f5eb09e8723bbee464cb2f72c934d658cf7b7f1b51953a698a212cc2b30b

SHA512
218f847cede88f168e536566bbed76c460d37bb3d0d657013b52f222a729ddb912b31e94abd9842a7747be9586943340e3b4c7a8217895cb6e8a0169a4b5703a

Download Submit
C:\ProgramData\Drivers\Intel_AMD\watch.bat

Filesize
219B

MD5
d9d8e80079e83247c23144dbaf6d52bd

SHA1
a071159caa4cd7b627225de0fd11c67fd989ec98

SHA256
20d4517996b119ba6bcf99c310e952ae35e1ca84708b702b4513cb2704716806

SHA512
cc0ed22cb5e7144a201e0cf24122f814bcf8b6aafa04afdcb96b1c886822b91512ff378b2578cfcb38daaeda8cfa432b9ac84953a19e9445caa0ee02b3c046cf

Download Submit
C:\ProgramData\Drivers\Intel_AMD\watch.vbs

Filesize
154B

MD5
b184a77d9a1a523d3eaf2dde5d01f3a2

SHA1
bca9870a0dc2dfd4a21f1ac41d6d1ba4d074565c

SHA256
23719bcf0a751abf6e23fc369f5bc744f62b588e259043bffc98635230648fb5

SHA512
bdacb10b666036ec0f101fbc0a119b7bf3af5242f68105b964df24cb1afaacdfd2f0c76b8e7267da321718fa79603cb97ed9fa3a5f841c35c7034885c8fd4ace

Download Submit
C:\ProgramData\Drivers\Intel_AMD\wind.vbs

Filesize
153B

MD5
dda96df8e785488ec3211ceb5e851a14

SHA1
3b6fd95963a4baf3145f457cf83704836fbd63d7

SHA256
57664555e5564361d4271710a41a4e2cdb6db7dd85e12caf62d666dc09a4b694

SHA512
f624d3cce4a35d2712e624f4e692a181af3a97601111e908b218d5dca09195816545c4de7a9ec268fe5053d4597730b2601a9196996df94028475572578e2353

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\M7OWH986AF5692QHAW6B.temp

Filesize
7KB

MD5
2342657f63785ddabc230d50af437264

SHA1
8bda2087c4f5bab8b81e3c67a5c2366f2d969b4a

SHA256
e1a89ad288a84e71042d63c16af9ce89dbd65eafb8ff8467e3747785d22003af

SHA512
fbfb3356d93a0b059aa7c806ba4140d139c3d7723b41b58e4342e418e37b583516798c77e76de9da6180be72050f3dc90e8938b50561353d351544fc9effa05d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV.lnk

Filesize
845B

MD5
f1110f7dcb76b10e5f7dd6081d101799

SHA1
9fe0a174bcb246e25fd6a208dc221b0167737358

SHA256
92595f5a9916b25fdd9460a994e0dc2e406156479351e27ca44845c2eb343def

SHA512
d0a5b74c8b14bc56c68a4ee1b91fab0d501ec70f17ce1fbe5845315a17c81984ced31bc4483e86f390a99bed29ee3b14c499af4b015af674686cde456417149d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Graphics.lnk

Filesize
845B

MD5
cb199b8e45db9d24468b132bac9a8d64

SHA1
c9f70551fdeb72df7e4805976b31a2af166a319f

SHA256
df452a2684edf137ccd1bdff14e76adf87be89b3cb3ecab14931c3974163a5c8

SHA512
cf5edeb3ea4dbb29f7f6fee167b49d06021873458e72f5402071e2cf53edc1872f35be0665d74c7402053f8db120ded52cd345f5f7577033ae3348cfaa1a9c74

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.lnk

Filesize
833B

MD5
c6696465669f5a68bd44e2a95d2c3d37

SHA1
163a7c9b2843ca125ff38e60f6408ada01eaa132

SHA256
698b185a901ccec33bcb17577b5e87a3f4969f299a1ace10587933e758b58885

SHA512
22d09aad287053ca3dbddcd45736ebda536a65bd0c63693f4443917cbdd7403487371b8c08cbb76578b9255ebcc228a1cf5f7570c20537503053f8be8aabe218

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Watch.lnk

Filesize
845B

MD5
e0244348bcb8b104582efbc9ed1361cd

SHA1
fc7c997aa13ad568127b61b91da8942e75f54304

SHA256
7696b50d3fcd7364b4780c22c73f2e6369f1caefffb9f88ef365f30f786193e9

SHA512
aa27cab163acdeb73da2d8cbbf68e9e7a89ac5442ab2d3d4a2e34f86f4ebdba1232ef506b9068a8d34976fef3a96bc1ed4655147c5cdbf17efdcb97371c3ff3e

Download Submit
memory/2540-29-0x0000000001F80000-0x0000000001F88000-memory.dmp

Filesize
32KB

Download
memory/2540-28-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/2572-14-0x000007FEF599E000-0x000007FEF599F000-memory.dmp

Filesize
4KB

Download
memory/2572-22-0x000007FEF56E0000-0x000007FEF607D000-memory.dmp

Filesize
9.6MB

Download
memory/2572-20-0x000007FEF56E0000-0x000007FEF607D000-memory.dmp

Filesize
9.6MB

Download
memory/2572-21-0x000007FEF56E0000-0x000007FEF607D000-memory.dmp

Filesize
9.6MB

Download
memory/2572-19-0x000007FEF56E0000-0x000007FEF607D000-memory.dmp

Filesize
9.6MB

Download
memory/2572-16-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2572-15-0x000000001B860000-0x000000001BB42000-memory.dmp

Filesize
2.9MB

Download