Overview

overview

10

Static

static

7

libavresample-4.zip

windows10-2004-x64

10

libavresample-4.zip

windows11-21h2-x64

1

NexusChecker.exe

windows10-2004-x64

9

NexusChecker.exe

windows11-21h2-x64

9

freebl3.dll

windows10-2004-x64

1

freebl3.dll

windows11-21h2-x64

1

gkcodecs.dll

windows10-2004-x64

1

gkcodecs.dll

windows11-21h2-x64

1

libavresample-4.dll

windows10-2004-x64

3

libavresample-4.dll

windows11-21h2-x64

6

libavutil-56.dll

windows10-2004-x64

3

libavutil-56.dll

windows11-21h2-x64

3

Analysis

  • max time kernel
    1797s
  • max time network
    1137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-09-2024 15:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NexusChecker.exe

  • Size

    605.6MB

  • MD5

    2ba4db56200d2b07505c1eff5faed706

  • SHA1

    5cf6b2fcd1fd2f93a324151f86b124ea2bb94dd6

  • SHA256

    543fee52f65842ef6397ceca2b2516785103e93aecc58d340360ee76260684fa

  • SHA512

    59873ce651896d3a3fc11656b3e3a1e56b94be13bf7244521c29194d75517514325765a00e1da9189b15dd291b09b5fb43509d61599c4ea0fe77a053c5f988b1

  • SSDEEP

    49152:lNjqYcOatzfsFfG/oDx4tDhdLDG15f9pTo0trQyYxQw:lNjFcOaxYG/M43HA5fVt8Q

Score
9/10
discoveryevasionexecutionthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 32 IoCs
    evasion
  • Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks BIOS information in registry 2 TTPs 64 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 32 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 31 IoCs
  • Themida packer 49 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 32 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 32 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NexusChecker.exe
    "C:\Users\Admin\AppData\Local\Temp\NexusChecker.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of WriteProcessMemory
    PID:620
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4196
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4264
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sh8.0.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3600
      • C:\Windows\SysWOW64\timeout.exe
        timeout 3
        3⤵
        • System Location Discovery: System Language Discovery
        • Delays execution with timeout.exe
        PID:3392
      • C:\ProgramData\software\ULEXPY.exe
        "C:\ProgramData\software\ULEXPY.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Checks computer location settings
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1648
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4092
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3384
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "ULEXPY" /tr C:\ProgramData\software\ULEXPY.exe /f
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:2200
  • C:\ProgramData\software\ULEXPY.exe
    C:\ProgramData\software\ULEXPY.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Executes dropped EXE
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3544
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1028
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4080
  • C:\ProgramData\software\ULEXPY.exe
    C:\ProgramData\software\ULEXPY.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Executes dropped EXE
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of WriteProcessMemory
    PID:2356
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5056
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2816
  • C:\ProgramData\software\ULEXPY.exe
    C:\ProgramData\software\ULEXPY.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Executes dropped EXE
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1616
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3108
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2668
  • C:\ProgramData\software\ULEXPY.exe
    C:\ProgramData\software\ULEXPY.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Executes dropped EXE
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of WriteProcessMemory
    PID:4900
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4468
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3412
  • C:\ProgramData\software\ULEXPY.exe
    C:\ProgramData\software\ULEXPY.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Executes dropped EXE
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of WriteProcessMemory
    PID:3204
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3372
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3156
  • C:\ProgramData\software\ULEXPY.exe
    C:\ProgramData\software\ULEXPY.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Executes dropped EXE
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1948
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3496
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4052
  • C:\ProgramData\software\ULEXPY.exe
    C:\ProgramData\software\ULEXPY.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Executes dropped EXE
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of WriteProcessMemory
    PID:4572
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:812
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3464
  • C:\ProgramData\software\ULEXPY.exe
    C:\ProgramData\software\ULEXPY.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Executes dropped EXE
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    PID:1876
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4512
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4696
  • C:\ProgramData\software\ULEXPY.exe
    C:\ProgramData\software\ULEXPY.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Executes dropped EXE
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:1176
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:756
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:516
  • C:\ProgramData\software\ULEXPY.exe
    C:\ProgramData\software\ULEXPY.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Executes dropped EXE
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:3740
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1620
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3576
  • C:\ProgramData\software\ULEXPY.exe
    C:\ProgramData\software\ULEXPY.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Executes dropped EXE
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    PID:3384
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1676
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4688
  • C:\ProgramData\software\ULEXPY.exe
    C:\ProgramData\software\ULEXPY.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Executes dropped EXE
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    PID:1392
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2348
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4768
  • C:\ProgramData\software\ULEXPY.exe
    C:\ProgramData\software\ULEXPY.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Executes dropped EXE
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    PID:4864
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2128
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4816
  • C:\ProgramData\software\ULEXPY.exe
    C:\ProgramData\software\ULEXPY.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Executes dropped EXE
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:4152
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2324
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:748
  • C:\ProgramData\software\ULEXPY.exe
    C:\ProgramData\software\ULEXPY.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Executes dropped EXE
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    PID:3304
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:1392
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:4100
  • C:\ProgramData\software\ULEXPY.exe
    C:\ProgramData\software\ULEXPY.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Executes dropped EXE
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:2584
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:4092
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2276
  • C:\ProgramData\software\ULEXPY.exe
    C:\ProgramData\software\ULEXPY.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Executes dropped EXE
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    PID:3680
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:3964
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:4888
  • C:\ProgramData\software\ULEXPY.exe
    C:\ProgramData\software\ULEXPY.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Executes dropped EXE
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    PID:372
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:3116
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2244
  • C:\ProgramData\software\ULEXPY.exe
    C:\ProgramData\software\ULEXPY.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Executes dropped EXE
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    PID:3948
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2232
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:1576
  • C:\ProgramData\software\ULEXPY.exe
    C:\ProgramData\software\ULEXPY.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Executes dropped EXE
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    PID:2640
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2764
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:5036
  • C:\ProgramData\software\ULEXPY.exe
    C:\ProgramData\software\ULEXPY.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Executes dropped EXE
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    PID:3792
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:1388
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:4080
  • C:\ProgramData\software\ULEXPY.exe
    C:\ProgramData\software\ULEXPY.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Executes dropped EXE
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    PID:3052
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:3904
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:3720
  • C:\ProgramData\software\ULEXPY.exe
    C:\ProgramData\software\ULEXPY.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Executes dropped EXE
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    PID:412
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2760
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:3756
  • C:\ProgramData\software\ULEXPY.exe
    C:\ProgramData\software\ULEXPY.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Executes dropped EXE
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:2332
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:3136
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2932
  • C:\ProgramData\software\ULEXPY.exe
    C:\ProgramData\software\ULEXPY.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Executes dropped EXE
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    PID:4248
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:4184
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:4092
  • C:\ProgramData\software\ULEXPY.exe
    C:\ProgramData\software\ULEXPY.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Executes dropped EXE
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:3496
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:212
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2764
  • C:\ProgramData\software\ULEXPY.exe
    C:\ProgramData\software\ULEXPY.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Executes dropped EXE
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    PID:2940
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:1200
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:4384
  • C:\ProgramData\software\ULEXPY.exe
    C:\ProgramData\software\ULEXPY.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Executes dropped EXE
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:3556
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2412
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:3016
  • C:\ProgramData\software\ULEXPY.exe
    C:\ProgramData\software\ULEXPY.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Executes dropped EXE
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:2420
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2348
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:4912
  • C:\ProgramData\software\ULEXPY.exe
    C:\ProgramData\software\ULEXPY.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Executes dropped EXE
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:4484
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:1168
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:3508

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    968cb9309758126772781b83adb8a28f

    SHA1

    8da30e71accf186b2ba11da1797cf67f8f78b47c

    SHA256

    92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

    SHA512

    4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    1f939a8f066685fd980d1d9a57b6dcf7

    SHA1

    b11ff1873cb10bdfca65a1f78753180c4cb5adbb

    SHA256

    0b7d4c14b4a7fc538ae460f95aee6904d1d7f5c98a95d7000c1c9227d0c4cfe4

    SHA512

    3b67bae7e82fdd3330b39aecd17f4ba580d5f846fcaf3a7487756c2c8f50e03db7174a7e63ccbaade13ccee47b06ce0f8a86391982427e9e8d0bcf47378afcc1

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    f2f83c782818265ae289fdb0b1c483cf

    SHA1

    a2edc7c68abe310e828ecfacb4cb1a1c7f8db8ad

    SHA256

    a42e3867e422461399ecafbdba17e064a1d9682b4afaf5fd171c3c605e0bcca8

    SHA512

    fdfb03741117be4daead25f354e1ba197468aca89ccba7301d4f5ff1b5f2277b01fd1b1ea0c32e1d1a69604d9b58f4162029edc37cd7f6685a2f04a4652a2707

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    b313aaa954c52684562ea430fdbef905

    SHA1

    b1d1de7c512578aa0096d3e1e9b4dd0568c8aeb8

    SHA256

    1cab695e5f07044bf4c0f199b9de6cb521f4a0b08278819b66522c8e37b198a1

    SHA512

    171805c070e6fc8b1b1a1227259e92223ca2edcf897d4f6993c6efb91732c767090cdc2f50ad6526b7acd8586293d628ecd1201828297ce4829000e3ce9cbb3f

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    33c42d7902e8f36fc6196fadff21850a

    SHA1

    541b164f200033ccd7d4e999ca7b76ca5d9c5b7a

    SHA256

    8f33db197a46f1fb57519646b61d685ef4f94eb95c0cfc1b4e70d068a872a488

    SHA512

    ed40d776606b2b56ef37802a39e27fec727a243927189446ef58f94cc5d84f0506d24ee7388da692163a0d151cb037271f3ae8358ba043377de89df9683742e1

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    4459c9e29494eb30ae1e7890dcd461a1

    SHA1

    fde5e0b97e4c8d82c6365ecc6ce64aecec7185cf

    SHA256

    10c27bc9f46dace6f3fe87f9161c585c98863b0bf71c5efebf13001a1ce9a460

    SHA512

    612d59dad8728c5c893e3653043da428383f1932aea54b8de92353944f2bd2eacccb8555d1d63720e36915d7562e3bb374d1a9c907188fd60f78f3e0b4279d12

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    f9137daa7856bd3c4bb4ce26555469d3

    SHA1

    d9ea40eb798a99be7b6a5c62a07e3c4e80f64977

    SHA256

    378dda0ce168725b60cc04fd2dc4ffb09108754b21d8c9cf210a538152a2bd80

    SHA512

    261b69b38f031a93ec2e44eca525c9f63adb58925928f34531f5ceb747666049fdbf7cc11a9dee53e3fd1f6685079cc5766b946c076ad476c03dc058cd24999f

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    a68fa0f950e6ae23190cc14519afe098

    SHA1

    25048fd313e9f973f4e0f95c34ec878358d2d515

    SHA256

    9672f3a2468226d0567d32ce623d69debf2653e53526620a4f5af5218592369b

    SHA512

    2717f5a6a5308aac05246230c01405bc379d75c9e540de6b026f073b8fae984e455292422af8139a680db8bd140c4ac0c16ffed2ff831093337090dea50a27d9

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    607818e45fd76b5f7fd354144a89a43e

    SHA1

    749c3cab5cec29211f255b124fa8d6e8a7c82b6c

    SHA256

    c6790293752b974aecbcc639cfa05a990b81ac272543979a0fc177100a8bfb3f

    SHA512

    a9d6bd7cbaacea75fd2ea3cb9510fe845a59f02f4812281a575559ced29394629684be804ff90616554841b3fad10cfb7e4358162b65a957a5b9ff7ece2da5d2

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    75489fe0867dda0fa4079268711f1625

    SHA1

    c0adfb04950c14e81e32fa1a789d8260c75a161f

    SHA256

    f41d621f3c38ab8b4cb880edf60c8b2ed75c7b2052c2b99e074c0cf74807c02a

    SHA512

    fc6e31ac49e93dd409871611605fc594a1ac2b25c95cbc8b25a27294212f13d19ddc992226d09cba4cf9984cd12a35cd9e163acc04b3ce37f6459be39a879934

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    bb1aa338c1bb268b35277cbbb674726d

    SHA1

    f4d09be016e803b26952fe47507587c8ce7b7c1c

    SHA256

    f48b9f910abd015911f482600f80778516a63ce66f5e54d591e98ea1beda40a1

    SHA512

    d959ac49fdf9f6fe4d4dd533d108289a24b7e0fe8357b6c2dafb20bdea106b5fbadc4ab4b15cffe616e9b474e656f8847647285aaefd8b547c1a518fed7fde50

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    fd08af8aa345e9a9543720f059df1beb

    SHA1

    ccb1e53f850d7c3fd0014afb2cbea881ca94bdda

    SHA256

    820c0fb03e401c3782a0994730e20dc987c17903d99a335a547d68d143fe4bca

    SHA512

    27098c8ad5bb8fc3346a6b3209d39715eafb4c3f2fabb31696a02a7124269f158b6e4281a15a6d058f8b66d66321327fb0f4f030725a38891a3caed3c3e858fa

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    80198aa148a85e2fac464a8ff4d24479

    SHA1

    bd1925cf807b47b787495b3a6c9c7ffb641d3311

    SHA256

    8d85b1124d0678d10afb895b46c48b3acbfd53f7ade94a6634133274b087f33a

    SHA512

    5e74edf10fc317283c7854711572a50bf7426071721aee37bdca556b8219e24898763b7a40d6e60b0e0b3c8c04c7425cb34421dd26c8714094d39a4df54e5884

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    258669344ac6d5890b73ca8d73a1c1f5

    SHA1

    042b48ee3e77b793b2f19455906d8518c76a2aab

    SHA256

    26f8ea4ecd01e619b61c8c54e3b240fe9449237805119c508eb4295b0366013b

    SHA512

    ff068644420c2007d084a1c1d7cbcbced93fb5f67b16f5409f6f9de5b3e2ca991fcf1994ec6fd7c742fda6fc3a5ac8ec3aeb71002b54d285aa60050b250fd6ed

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    04a57719b8499604bfad90261b38de88

    SHA1

    28d5e6b66b508633533796301ff1c407ab63f2c9

    SHA256

    b8d20682f8d349adcbece4cb7e60cbc87a02b965603aab5de466fc392973e5b5

    SHA512

    75859f60eb553f645a3253139b36a6058a3d5aad432436076f6ec042c0865acc7c68ef0bf345f54c5cf4b686604e695083e63c7f7c8a7319b6e6c370e0bf155a

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    c9add6ae01b5cecb54ab7daf46e542c7

    SHA1

    939de6f916fd2023fd0201481eb72e96c58afb41

    SHA256

    8e974bd489fbd685ba0ede0104783ba11cd608837f564d4196fa80f2c1c13b83

    SHA512

    73a33c3977493c6172389dbca8387fbb5ce7c9d7902161d23014a1a3d8c0001972931990c976b6308b2c46cf7a9e2ed844c8f8185ba207fc678e3d61ceba89d8

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    5d42db488e043bfcdfb0dd5e14971941

    SHA1

    a8e53abcf19c26b588c52d56fc76e70a1f3fd949

    SHA256

    c983a4c58fa0d446744b3c55e6e939b8e5a2185969d7817b05e0df57934e9ff1

    SHA512

    76518dda270e19715e231d5fe7659a765497e73e5ea32dca87d811122fd4f3d45114b87d994a294411e8a8959d0491f7a4f754772721f6f06ef07fc78d60510a

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    fb0415257ca247e5ad27db1d81c941b1

    SHA1

    f7d5ad32fb6a8049da2572684db7cbcdf32d8733

    SHA256

    8d6eb9e282fdb7b6e8d6e8e0be47b8c072155df5d69654411ff8bcee85f5a364

    SHA512

    76b3f18c6a7bb397140f23962ee4de7de0ae71d5a5d1631d687ec6bb3ef4c7a9204e45ed35ebe1d1e2d63672f7d134a7e23cb8e8d9d68fe7cf4b7946cd9a0c8f

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    31acdbff9f6ceed32f44ac02b7065676

    SHA1

    de12666e625a4f0d2b29ea3e3ac7b2ba65e89a73

    SHA256

    92fc16b5d5b7bdb2096881a06a59530a147d8cda4c1700d371cc37e08d2940e6

    SHA512

    43fd8643e2a1f05036d6092d24f8543f7b78a46d7cf254f778f69557016f057a14974e4c35a2993b29c6069fb85e621bd02ba67593526af07045acf2bea03d03

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    ac28f659b3f86344b7be443306581666

    SHA1

    51a72c4f044568afeebf2ea3c160ac75ebd0fc33

    SHA256

    9f14b314f823d4f0edf5ae49ce6212423cc31f6c84913b1453ab8018b2a8d0c1

    SHA512

    a37fe67a4843612b7ab9f83c23ccaf98868a2af1260a8eedf73396a055f7e44d4fba1e518723b593b94abc301ecf3427550035b7ae53e57177b783aa57b06b00

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    b0f9754b907a9178b2f5a3106999e817

    SHA1

    42d1a8f02603cfb9b3854aeb3af0af200ef518df

    SHA256

    8f6793dfe22d0febf55d3adda18c9da30e527e93e5627eb01203f98b2f979aaf

    SHA512

    01e8efd50f41fec347aa6ee8d846e55bb3768ad823bdbc8b8dd33141330db9ed2b08ef0814d3eae2928501c88e29c93d6db3f60e02ce3ac2590103ca1a5af47c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5a4jj2ka.v4l.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\sh8.0.bat
    Filesize

    172B

    MD5

    16d8e83afaa53f64ffb307cc82c6df50

    SHA1

    67a14813beeb58a162b3d80f49ff5452834f7bb1

    SHA256

    7288c48bf3498bf0462419f0fa33d97c0801df83638abd16ad8eb50eab555749

    SHA512

    dcdc52f114db3687192d86b4225445b10e6f708484f45cc497a64ab4e356c54cfa9ab21bca381e5bff51681653683ff54133a891a11a67bbb2aa29676a6291aa

    Download Submit

  • memory/516-627-0x0000000073DF0000-0x0000000073E3C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/620-0-0x0000000000300000-0x0000000000983000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/620-5-0x0000000000300000-0x0000000000983000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/620-1-0x0000000077274000-0x0000000077276000-memory.dmp

    Filesize

    8KB

    Download

  • memory/620-4-0x0000000000300000-0x0000000000983000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/620-3-0x0000000000300000-0x0000000000983000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/620-2-0x0000000000300000-0x0000000000983000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/620-6-0x0000000000300000-0x0000000000983000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/620-83-0x0000000000300000-0x0000000000983000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/620-74-0x0000000000300000-0x0000000000983000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/756-617-0x0000000073DF0000-0x0000000073E3C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/812-507-0x0000000070370000-0x00000000703BC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1028-184-0x0000000070370000-0x00000000703BC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1176-596-0x0000000000DD0000-0x0000000001453000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1392-766-0x0000000000DD0000-0x0000000001453000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1616-267-0x0000000000DD0000-0x0000000001453000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1616-268-0x0000000000DD0000-0x0000000001453000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1616-264-0x0000000000DD0000-0x0000000001453000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1616-266-0x0000000000DD0000-0x0000000001453000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1616-265-0x0000000000DD0000-0x0000000001453000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1620-685-0x0000000007380000-0x0000000007391000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1620-686-0x00000000073C0000-0x00000000073D4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1620-652-0x00000000056A0000-0x00000000059F4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/1620-683-0x0000000006E30000-0x0000000006ED3000-memory.dmp

    Filesize

    652KB

    Download

  • memory/1620-673-0x0000000073DD0000-0x0000000073E1C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1620-672-0x0000000005EC0000-0x0000000005F0C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1648-94-0x0000000000DD0000-0x0000000001453000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1648-97-0x0000000000DD0000-0x0000000001453000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1648-95-0x0000000000DD0000-0x0000000001453000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1648-141-0x0000000000DD0000-0x0000000001453000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1648-142-0x0000000000DD0000-0x0000000001453000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1648-96-0x0000000000DD0000-0x0000000001453000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1648-93-0x0000000000DD0000-0x0000000001453000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1648-203-0x0000000000DD0000-0x0000000001453000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1676-732-0x0000000073DD0000-0x0000000073E1C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1876-541-0x0000000000DD0000-0x0000000001453000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1948-431-0x0000000000DD0000-0x0000000001453000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/2128-822-0x00000000054C0000-0x0000000005814000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2128-855-0x0000000073D70000-0x0000000073DBC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2324-900-0x0000000073DF0000-0x0000000073E3C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2348-797-0x0000000073DF0000-0x0000000073E3C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2356-206-0x0000000000DD0000-0x0000000001453000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/2356-207-0x0000000000DD0000-0x0000000001453000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/2356-209-0x0000000000DD0000-0x0000000001453000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/2356-205-0x0000000000DD0000-0x0000000001453000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/2356-208-0x0000000000DD0000-0x0000000001453000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/2668-299-0x0000000073DF0000-0x0000000073E3C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2816-243-0x0000000073DF0000-0x0000000073E3C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3108-289-0x0000000073DF0000-0x0000000073E3C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3156-407-0x0000000070370000-0x00000000703BC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3204-373-0x0000000000DD0000-0x0000000001453000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/3204-374-0x0000000000DD0000-0x0000000001453000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/3204-375-0x0000000000DD0000-0x0000000001453000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/3204-376-0x0000000000DD0000-0x0000000001453000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/3204-372-0x0000000000DD0000-0x0000000001453000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/3372-396-0x0000000070370000-0x00000000703BC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3384-128-0x000000006FCC0000-0x000000006FD0C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3384-711-0x0000000000DD0000-0x0000000001453000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/3412-343-0x0000000073DF0000-0x0000000073E3C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3464-517-0x0000000070370000-0x00000000703BC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3496-451-0x0000000073DF0000-0x0000000073E3C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3544-148-0x0000000000DD0000-0x0000000001453000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/3544-149-0x0000000000DD0000-0x0000000001453000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/3544-150-0x0000000000DD0000-0x0000000001453000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/3544-146-0x0000000000DD0000-0x0000000001453000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/3544-147-0x0000000000DD0000-0x0000000001453000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/3576-687-0x0000000073DD0000-0x0000000073E1C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3740-651-0x0000000000DD0000-0x0000000001453000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/4052-462-0x0000000073DF0000-0x0000000073E3C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4080-194-0x0000000007E60000-0x0000000007E71000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4080-195-0x0000000007EA0000-0x0000000007EB4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/4080-183-0x0000000007B60000-0x0000000007C03000-memory.dmp

    Filesize

    652KB

    Download

  • memory/4080-173-0x0000000070370000-0x00000000703BC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4080-172-0x0000000006ED0000-0x0000000006F1C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4080-156-0x0000000005FC0000-0x0000000006314000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4092-98-0x0000000005820000-0x0000000005B74000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4092-118-0x000000006FCC0000-0x000000006FD0C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4196-10-0x0000000004D30000-0x0000000005358000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/4196-11-0x0000000073430000-0x0000000073BE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4196-84-0x0000000073430000-0x0000000073BE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4196-53-0x000000006FCC0000-0x000000006FD0C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4196-71-0x0000000007200000-0x000000000721A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4196-70-0x0000000007100000-0x0000000007114000-memory.dmp

    Filesize

    80KB

    Download

  • memory/4196-9-0x0000000073430000-0x0000000073BE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4196-12-0x0000000073430000-0x0000000073BE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4196-15-0x00000000053D0000-0x0000000005436000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4196-66-0x0000000006F30000-0x0000000006F3A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4196-16-0x0000000005540000-0x00000000055A6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4196-65-0x0000000006EC0000-0x0000000006EDA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4196-26-0x00000000056B0000-0x0000000005A04000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4196-36-0x0000000005B80000-0x0000000005B9E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4196-37-0x0000000005C20000-0x0000000005C6C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4196-40-0x0000000073430000-0x0000000073BE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4264-72-0x0000000007880000-0x0000000007888000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4264-14-0x0000000005AC0000-0x0000000005AE2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4264-50-0x00000000067F0000-0x000000000680E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4264-51-0x0000000073430000-0x0000000073BE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4264-39-0x000000006FCC0000-0x000000006FD0C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4264-38-0x0000000006810000-0x0000000006842000-memory.dmp

    Filesize

    200KB

    Download

  • memory/4264-63-0x0000000073430000-0x0000000073BE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4264-64-0x0000000007BB0000-0x000000000822A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/4264-67-0x00000000077E0000-0x0000000007876000-memory.dmp

    Filesize

    600KB

    Download

  • memory/4264-52-0x0000000007410000-0x00000000074B3000-memory.dmp

    Filesize

    652KB

    Download

  • memory/4264-13-0x0000000073430000-0x0000000073BE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4264-68-0x0000000007760000-0x0000000007771000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4264-69-0x0000000007790000-0x000000000779E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4264-89-0x0000000073430000-0x0000000073BE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4264-7-0x000000007343E000-0x000000007343F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4264-8-0x0000000004C70000-0x0000000004CA6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/4468-353-0x0000000073DF0000-0x0000000073E3C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4512-562-0x0000000073DF0000-0x0000000073E3C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4572-486-0x0000000000DD0000-0x0000000001453000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/4688-742-0x0000000073DD0000-0x0000000073E1C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4696-572-0x0000000073DF0000-0x0000000073E3C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4768-787-0x0000000073DF0000-0x0000000073E3C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4816-854-0x00000000073C0000-0x0000000007463000-memory.dmp

    Filesize

    652KB

    Download

  • memory/4816-866-0x0000000007750000-0x0000000007764000-memory.dmp

    Filesize

    80KB

    Download

  • memory/4816-865-0x0000000007720000-0x0000000007731000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4816-842-0x0000000006250000-0x000000000629C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4816-844-0x0000000073D70000-0x0000000073DBC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4864-821-0x0000000000DD0000-0x0000000001453000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/4900-321-0x0000000000DD0000-0x0000000001453000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/4900-319-0x0000000000DD0000-0x0000000001453000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/4900-320-0x0000000000DD0000-0x0000000001453000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/4900-322-0x0000000000DD0000-0x0000000001453000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/4900-318-0x0000000000DD0000-0x0000000001453000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/5056-254-0x00000000077F0000-0x0000000007804000-memory.dmp

    Filesize

    80KB

    Download

  • memory/5056-253-0x00000000077C0000-0x00000000077D1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/5056-242-0x0000000007260000-0x0000000007303000-memory.dmp

    Filesize

    652KB

    Download

  • memory/5056-232-0x0000000073DF0000-0x0000000073E3C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/5056-230-0x00000000062E0000-0x000000000632C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/5056-210-0x0000000005AB0000-0x0000000005E04000-memory.dmp

    Filesize

    3.3MB

    Download