hxxps://cdn[.]discordapp[.]com/attachments/1261678832868392980/1261691973853646960/eulen[.]exe?ex=6693e1b7&is=66929037&hm=dfff718fe70557c25d700cbeec9034981d65127c1e6abf69bfbba52ef0e01b5b&

Analysis

max time kernel
117s
max time network
124s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
13/07/2024, 14:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1261678832868392980/1261691973853646960/eulen.exe?ex=6693e1b7&is=66929037&hm=dfff718fe70557c25d700cbeec9034981d65127c1e6abf69bfbba52ef0e01b5b&

Score

8^/10

defense_evasion execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4340	powershell.exe
360	powershell.exe
528	powershell.exe
2532	powershell.exe
4604	powershell.exe
2188	powershell.exe

Downloads MZ/PE file

Drops startup file 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ .scr	eulen.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ .scr	eulen.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ .scr	attrib.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\‌‌ ‏‏.scr	eulen.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\‌‌ ‏‏.scr	eulen.exe

Executes dropped EXE 4 IoCs

pid	Process
2884	eulen.exe
2224	eulen.exe
4580	bound.exe
4860	bound.exe

Loads dropped DLL 64 IoCs

pid	Process
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
4580	bound.exe
4580	bound.exe
2224	eulen.exe
2056	taskmgr.exe
2464	eulen.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000700000001afa7-830.dat	upx
behavioral1/memory/2224-834-0x00007FF919660000-0x00007FF919ACE000-memory.dmp	upx
behavioral1/files/0x000700000001ab95-836.dat	upx
behavioral1/memory/2224-841-0x00007FF92A9B0000-0x00007FF92A9D4000-memory.dmp	upx
behavioral1/files/0x000700000001abe0-842.dat	upx
behavioral1/files/0x000700000001ab93-845.dat	upx
behavioral1/files/0x000700000001ab98-847.dat	upx
behavioral1/memory/2224-885-0x00007FF92A980000-0x00007FF92A98D000-memory.dmp	upx
behavioral1/memory/2224-887-0x00007FF929B80000-0x00007FF929BAE000-memory.dmp	upx
behavioral1/memory/2224-886-0x00007FF929BB0000-0x00007FF929BBD000-memory.dmp	upx
behavioral1/memory/2224-884-0x00007FF929BC0000-0x00007FF929BD9000-memory.dmp	upx
behavioral1/memory/2224-883-0x00007FF92A770000-0x00007FF92A7A4000-memory.dmp	upx
behavioral1/memory/2224-888-0x00007FF925120000-0x00007FF9251DC000-memory.dmp	upx
behavioral1/memory/2224-889-0x00007FF929430000-0x00007FF92945B000-memory.dmp	upx
behavioral1/memory/2224-850-0x00007FF92A910000-0x00007FF92A93D000-memory.dmp	upx
behavioral1/memory/2224-849-0x00007FF92A990000-0x00007FF92A9A9000-memory.dmp	upx
behavioral1/memory/2224-848-0x00007FF92D1E0000-0x00007FF92D1EF000-memory.dmp	upx
behavioral1/memory/2224-890-0x00007FF929400000-0x00007FF92942E000-memory.dmp	upx
behavioral1/memory/2224-891-0x00007FF9195A0000-0x00007FF919658000-memory.dmp	upx
behavioral1/memory/2224-894-0x00007FF919660000-0x00007FF919ACE000-memory.dmp	upx
behavioral1/memory/2224-892-0x00007FF919220000-0x00007FF919595000-memory.dmp	upx
behavioral1/memory/2224-896-0x00007FF9296A0000-0x00007FF9296B0000-memory.dmp	upx
behavioral1/memory/2224-895-0x00007FF9297A0000-0x00007FF9297B5000-memory.dmp	upx
behavioral1/memory/2224-899-0x00007FF929310000-0x00007FF929324000-memory.dmp	upx
behavioral1/memory/2224-898-0x00007FF928460000-0x00007FF9284E7000-memory.dmp	upx
behavioral1/memory/2224-897-0x00007FF92A9B0000-0x00007FF92A9D4000-memory.dmp	upx
behavioral1/memory/2224-900-0x00007FF929690000-0x00007FF92969B000-memory.dmp	upx
behavioral1/memory/2224-902-0x00007FF9292E0000-0x00007FF929306000-memory.dmp	upx
behavioral1/memory/2224-901-0x00007FF929BC0000-0x00007FF929BD9000-memory.dmp	upx
behavioral1/memory/2224-903-0x00007FF919100000-0x00007FF919218000-memory.dmp	upx
behavioral1/memory/2224-904-0x00007FF925120000-0x00007FF9251DC000-memory.dmp	upx
behavioral1/memory/2224-906-0x00007FF928770000-0x00007FF928788000-memory.dmp	upx
behavioral1/memory/2224-905-0x00007FF928CF0000-0x00007FF928CFA000-memory.dmp	upx
behavioral1/memory/2224-909-0x00007FF918F80000-0x00007FF9190F1000-memory.dmp	upx
behavioral1/memory/2224-908-0x00007FF928750000-0x00007FF92876F000-memory.dmp	upx
behavioral1/memory/2224-907-0x00007FF929400000-0x00007FF92942E000-memory.dmp	upx
behavioral1/memory/2224-910-0x00007FF9195A0000-0x00007FF919658000-memory.dmp	upx
behavioral1/memory/2224-912-0x00007FF9282E0000-0x00007FF928318000-memory.dmp	upx
behavioral1/memory/2224-911-0x00007FF919220000-0x00007FF919595000-memory.dmp	upx
behavioral1/memory/2224-917-0x00007FF9297A0000-0x00007FF9297B5000-memory.dmp	upx
behavioral1/memory/2224-919-0x00007FF928730000-0x00007FF92873C000-memory.dmp	upx
behavioral1/memory/2224-918-0x00007FF928740000-0x00007FF92874B000-memory.dmp	upx
behavioral1/memory/2224-916-0x00007FF928A00000-0x00007FF928A0C000-memory.dmp	upx
behavioral1/memory/2224-915-0x00007FF928CB0000-0x00007FF928CBB000-memory.dmp	upx
behavioral1/memory/2224-914-0x00007FF928CE0000-0x00007FF928CEB000-memory.dmp	upx
behavioral1/memory/2224-921-0x00007FF928640000-0x00007FF92864C000-memory.dmp	upx
behavioral1/memory/2224-920-0x00007FF928650000-0x00007FF92865B000-memory.dmp	upx
behavioral1/memory/2224-923-0x00007FF928600000-0x00007FF92860C000-memory.dmp	upx
behavioral1/memory/2224-922-0x00007FF9292E0000-0x00007FF929306000-memory.dmp	upx
behavioral1/memory/2224-930-0x00007FF927950000-0x00007FF92795C000-memory.dmp	upx
behavioral1/memory/2224-936-0x00007FF9275F0000-0x00007FF9275FD000-memory.dmp	upx
behavioral1/memory/2224-935-0x00007FF927940000-0x00007FF92794C000-memory.dmp	upx
behavioral1/memory/2224-934-0x00007FF925460000-0x00007FF925489000-memory.dmp	upx
behavioral1/memory/2224-933-0x00007FF9275E0000-0x00007FF9275EC000-memory.dmp	upx
behavioral1/memory/2224-932-0x00007FF925490000-0x00007FF9254A2000-memory.dmp	upx
behavioral1/memory/2224-931-0x00007FF918F80000-0x00007FF9190F1000-memory.dmp	upx
behavioral1/memory/2224-929-0x00007FF928770000-0x00007FF928788000-memory.dmp	upx
behavioral1/memory/2224-928-0x00007FF927A20000-0x00007FF927A2B000-memory.dmp	upx
behavioral1/memory/2224-927-0x00007FF927A10000-0x00007FF927A1B000-memory.dmp	upx
behavioral1/memory/2224-926-0x00007FF9282D0000-0x00007FF9282DC000-memory.dmp	upx
behavioral1/memory/2224-925-0x00007FF928450000-0x00007FF92845E000-memory.dmp	upx
behavioral1/memory/2224-924-0x00007FF919100000-0x00007FF919218000-memory.dmp	upx
behavioral1/memory/2224-940-0x00007FF925440000-0x00007FF92545C000-memory.dmp	upx
behavioral1/memory/2224-939-0x00007FF926F30000-0x00007FF926F3B000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
17	discord.com
18	discord.com
25	discord.com
27	discord.com
36	raw.githubusercontent.com
14	raw.githubusercontent.com
15	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
23	ip-api.com

Hide Artifacts: Hidden Files and Directories 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3196	cmd.exe
168	cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
4580	bound.exe
4580	bound.exe
4860	bound.exe
4860	bound.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3096	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133653548277449661"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings	taskmgr.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Keys\EAF13B2D48840DFBE4F29AC5CC5E13743AB74018	bound.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Keys\EAF13B2D48840DFBE4F29AC5CC5E13743AB74018\Blob = 02000000000000006c0000001c000000000000000100000020000000000000000000000002000000630030003100340063006200390030002d0032006600640030002d0034003100650033002d0061003500340062002d003100630061003700330038003300380066003800380036000000000000000000230000000000000014000000eaf13b2d48840dfbe4f29ac5cc5e13743ab74018	bound.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Keys	bound.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Keys\F4B726FB3EFD526626839659963FA12DC41C50CF	bound.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Keys\F4B726FB3EFD526626839659963FA12DC41C50CF\Blob = 02000000000000006c0000001c000000000000000100000020000000000000000000000002000000380035003600360064003900310065002d0037006100660034002d0034003300320063002d0038003700300032002d003700610063003300610062003300330031003900340030000000000000000000230000000000000014000000f4b726fb3efd526626839659963fa12dc41c50cf	bound.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Keys	bound.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4488	chrome.exe
4488	chrome.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
2224	eulen.exe
3164	powershell.exe
360	powershell.exe
360	powershell.exe
3164	powershell.exe
360	powershell.exe
3164	powershell.exe
528	powershell.exe
528	powershell.exe
528	powershell.exe
2532	powershell.exe
2532	powershell.exe
2532	powershell.exe
4340	powershell.exe
4340	powershell.exe
4340	powershell.exe
4580	bound.exe
4580	bound.exe
4580	bound.exe
4580	bound.exe
4580	bound.exe
4580	bound.exe
4580	bound.exe
4580	bound.exe
4580	bound.exe
4580	bound.exe
4580	bound.exe
4580	bound.exe
4580	bound.exe
4580	bound.exe
4580	bound.exe
4580	bound.exe
4580	bound.exe
4580	bound.exe
4580	bound.exe
4580	bound.exe
4580	bound.exe
4580	bound.exe
4580	bound.exe
4580	bound.exe
4580	bound.exe
4580	bound.exe
4580	bound.exe
4580	bound.exe
4580	bound.exe
4580	bound.exe
4580	bound.exe
4580	bound.exe
4580	bound.exe
4580	bound.exe
4580	bound.exe
4580	bound.exe
4580	bound.exe
4580	bound.exe
4580	bound.exe
4580	bound.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4488	chrome.exe
4488	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4488	chrome.exe
Token: SeCreatePagefilePrivilege	4488	chrome.exe
Token: SeShutdownPrivilege	4488	chrome.exe
Token: SeCreatePagefilePrivilege	4488	chrome.exe
Token: SeShutdownPrivilege	4488	chrome.exe
Token: SeCreatePagefilePrivilege	4488	chrome.exe
Token: SeShutdownPrivilege	4488	chrome.exe
Token: SeCreatePagefilePrivilege	4488	chrome.exe
Token: SeShutdownPrivilege	4488	chrome.exe
Token: SeCreatePagefilePrivilege	4488	chrome.exe
Token: SeShutdownPrivilege	4488	chrome.exe
Token: SeCreatePagefilePrivilege	4488	chrome.exe
Token: SeShutdownPrivilege	4488	chrome.exe
Token: SeCreatePagefilePrivilege	4488	chrome.exe
Token: SeShutdownPrivilege	4488	chrome.exe
Token: SeCreatePagefilePrivilege	4488	chrome.exe
Token: SeShutdownPrivilege	4488	chrome.exe
Token: SeCreatePagefilePrivilege	4488	chrome.exe
Token: SeShutdownPrivilege	4488	chrome.exe
Token: SeCreatePagefilePrivilege	4488	chrome.exe
Token: SeShutdownPrivilege	4488	chrome.exe
Token: SeCreatePagefilePrivilege	4488	chrome.exe
Token: SeShutdownPrivilege	4488	chrome.exe
Token: SeCreatePagefilePrivilege	4488	chrome.exe
Token: SeShutdownPrivilege	4488	chrome.exe
Token: SeCreatePagefilePrivilege	4488	chrome.exe
Token: SeShutdownPrivilege	4488	chrome.exe
Token: SeCreatePagefilePrivilege	4488	chrome.exe
Token: SeShutdownPrivilege	4488	chrome.exe
Token: SeCreatePagefilePrivilege	4488	chrome.exe
Token: SeShutdownPrivilege	4488	chrome.exe
Token: SeCreatePagefilePrivilege	4488	chrome.exe
Token: SeDebugPrivilege	2224	eulen.exe
Token: SeShutdownPrivilege	4488	chrome.exe
Token: SeCreatePagefilePrivilege	4488	chrome.exe
Token: SeShutdownPrivilege	4488	chrome.exe
Token: SeCreatePagefilePrivilege	4488	chrome.exe
Token: SeShutdownPrivilege	4488	chrome.exe
Token: SeCreatePagefilePrivilege	4488	chrome.exe
Token: SeShutdownPrivilege	4488	chrome.exe
Token: SeCreatePagefilePrivilege	4488	chrome.exe
Token: SeShutdownPrivilege	4488	chrome.exe
Token: SeCreatePagefilePrivilege	4488	chrome.exe
Token: SeDebugPrivilege	3164	powershell.exe
Token: SeDebugPrivilege	360	powershell.exe
Token: SeIncreaseQuotaPrivilege	360	powershell.exe
Token: SeSecurityPrivilege	360	powershell.exe
Token: SeTakeOwnershipPrivilege	360	powershell.exe
Token: SeLoadDriverPrivilege	360	powershell.exe
Token: SeSystemProfilePrivilege	360	powershell.exe
Token: SeSystemtimePrivilege	360	powershell.exe
Token: SeProfSingleProcessPrivilege	360	powershell.exe
Token: SeIncBasePriorityPrivilege	360	powershell.exe
Token: SeCreatePagefilePrivilege	360	powershell.exe
Token: SeBackupPrivilege	360	powershell.exe
Token: SeRestorePrivilege	360	powershell.exe
Token: SeShutdownPrivilege	360	powershell.exe
Token: SeDebugPrivilege	360	powershell.exe
Token: SeSystemEnvironmentPrivilege	360	powershell.exe
Token: SeRemoteShutdownPrivilege	360	powershell.exe
Token: SeUndockPrivilege	360	powershell.exe
Token: SeManageVolumePrivilege	360	powershell.exe
Token: 33	360	powershell.exe
Token: 34	360	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
4488	chrome.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe
2056	taskmgr.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4580	bound.exe
4860	bound.exe
4860	bound.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4488 wrote to memory of 4924	4488	chrome.exe	71
PID 4488 wrote to memory of 4924	4488	chrome.exe	71
PID 4488 wrote to memory of 1928	4488	chrome.exe	73
PID 4488 wrote to memory of 1928	4488	chrome.exe	73
PID 4488 wrote to memory of 1928	4488	chrome.exe	73
PID 4488 wrote to memory of 1928	4488	chrome.exe	73
PID 4488 wrote to memory of 1928	4488	chrome.exe	73
PID 4488 wrote to memory of 1928	4488	chrome.exe	73
PID 4488 wrote to memory of 1928	4488	chrome.exe	73
PID 4488 wrote to memory of 1928	4488	chrome.exe	73
PID 4488 wrote to memory of 1928	4488	chrome.exe	73
PID 4488 wrote to memory of 1928	4488	chrome.exe	73
PID 4488 wrote to memory of 1928	4488	chrome.exe	73
PID 4488 wrote to memory of 1928	4488	chrome.exe	73
PID 4488 wrote to memory of 1928	4488	chrome.exe	73
PID 4488 wrote to memory of 1928	4488	chrome.exe	73
PID 4488 wrote to memory of 1928	4488	chrome.exe	73
PID 4488 wrote to memory of 1928	4488	chrome.exe	73
PID 4488 wrote to memory of 1928	4488	chrome.exe	73
PID 4488 wrote to memory of 1928	4488	chrome.exe	73
PID 4488 wrote to memory of 1928	4488	chrome.exe	73
PID 4488 wrote to memory of 1928	4488	chrome.exe	73
PID 4488 wrote to memory of 1928	4488	chrome.exe	73
PID 4488 wrote to memory of 1928	4488	chrome.exe	73
PID 4488 wrote to memory of 1928	4488	chrome.exe	73
PID 4488 wrote to memory of 1928	4488	chrome.exe	73
PID 4488 wrote to memory of 1928	4488	chrome.exe	73
PID 4488 wrote to memory of 1928	4488	chrome.exe	73
PID 4488 wrote to memory of 1928	4488	chrome.exe	73
PID 4488 wrote to memory of 1928	4488	chrome.exe	73
PID 4488 wrote to memory of 1928	4488	chrome.exe	73
PID 4488 wrote to memory of 1928	4488	chrome.exe	73
PID 4488 wrote to memory of 1928	4488	chrome.exe	73
PID 4488 wrote to memory of 1928	4488	chrome.exe	73
PID 4488 wrote to memory of 1928	4488	chrome.exe	73
PID 4488 wrote to memory of 1928	4488	chrome.exe	73
PID 4488 wrote to memory of 1928	4488	chrome.exe	73
PID 4488 wrote to memory of 1928	4488	chrome.exe	73
PID 4488 wrote to memory of 1928	4488	chrome.exe	73
PID 4488 wrote to memory of 1928	4488	chrome.exe	73
PID 4488 wrote to memory of 1704	4488	chrome.exe	74
PID 4488 wrote to memory of 1704	4488	chrome.exe	74
PID 4488 wrote to memory of 4328	4488	chrome.exe	75
PID 4488 wrote to memory of 4328	4488	chrome.exe	75
PID 4488 wrote to memory of 4328	4488	chrome.exe	75
PID 4488 wrote to memory of 4328	4488	chrome.exe	75
PID 4488 wrote to memory of 4328	4488	chrome.exe	75
PID 4488 wrote to memory of 4328	4488	chrome.exe	75
PID 4488 wrote to memory of 4328	4488	chrome.exe	75
PID 4488 wrote to memory of 4328	4488	chrome.exe	75
PID 4488 wrote to memory of 4328	4488	chrome.exe	75
PID 4488 wrote to memory of 4328	4488	chrome.exe	75
PID 4488 wrote to memory of 4328	4488	chrome.exe	75
PID 4488 wrote to memory of 4328	4488	chrome.exe	75
PID 4488 wrote to memory of 4328	4488	chrome.exe	75
PID 4488 wrote to memory of 4328	4488	chrome.exe	75
PID 4488 wrote to memory of 4328	4488	chrome.exe	75
PID 4488 wrote to memory of 4328	4488	chrome.exe	75
PID 4488 wrote to memory of 4328	4488	chrome.exe	75
PID 4488 wrote to memory of 4328	4488	chrome.exe	75
PID 4488 wrote to memory of 4328	4488	chrome.exe	75
PID 4488 wrote to memory of 4328	4488	chrome.exe	75
PID 4488 wrote to memory of 4328	4488	chrome.exe	75
PID 4488 wrote to memory of 4328	4488	chrome.exe	75

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1028	attrib.exe
1208	attrib.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn.discordapp.com/attachments/1261678832868392980/1261691973853646960/eulen.exe?ex=6693e1b7&is=66929037&hm=dfff718fe70557c25d700cbeec9034981d65127c1e6abf69bfbba52ef0e01b5b&
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff9298f9758,0x7ff9298f9768,0x7ff9298f9778
  2⤵
  PID:4924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1536 --field-trial-handle=1832,i,11619186977638210780,17159088124173800808,131072 /prefetch:2
  2⤵
  PID:1928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1820 --field-trial-handle=1832,i,11619186977638210780,17159088124173800808,131072 /prefetch:8
  2⤵
  PID:1704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2108 --field-trial-handle=1832,i,11619186977638210780,17159088124173800808,131072 /prefetch:8
  2⤵
  PID:4328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2940 --field-trial-handle=1832,i,11619186977638210780,17159088124173800808,131072 /prefetch:1
  2⤵
  PID:308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2948 --field-trial-handle=1832,i,11619186977638210780,17159088124173800808,131072 /prefetch:1
  2⤵
  PID:4480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 --field-trial-handle=1832,i,11619186977638210780,17159088124173800808,131072 /prefetch:8
  2⤵
  PID:3436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5308 --field-trial-handle=1832,i,11619186977638210780,17159088124173800808,131072 /prefetch:8
  2⤵
  PID:4620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5332 --field-trial-handle=1832,i,11619186977638210780,17159088124173800808,131072 /prefetch:8
  2⤵
  PID:4216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5680 --field-trial-handle=1832,i,11619186977638210780,17159088124173800808,131072 /prefetch:8
  2⤵
  PID:4028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 --field-trial-handle=1832,i,11619186977638210780,17159088124173800808,131072 /prefetch:8
  2⤵
  PID:2960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5516 --field-trial-handle=1832,i,11619186977638210780,17159088124173800808,131072 /prefetch:8
  2⤵
  PID:2284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5380 --field-trial-handle=1832,i,11619186977638210780,17159088124173800808,131072 /prefetch:8
  2⤵
  PID:3288
- C:\Users\Admin\Downloads\eulen.exe
  "C:\Users\Admin\Downloads\eulen.exe"
  2⤵
  - Executes dropped EXE
  PID:2884
- - C:\Users\Admin\Downloads\eulen.exe
    "C:\Users\Admin\Downloads\eulen.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2224
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:3616
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
      4⤵
      PID:3840
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:360
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "start bound.exe"
      4⤵
      PID:3500
    - - C:\Users\Admin\AppData\Local\Temp\bound.exe
        
        bound.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4580
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2"
      4⤵
      PID:4944
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3164
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ .scr"
      4⤵
      Hide Artifacts: Hidden Files and Directories
      PID:3196
    - - C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ .scr"
        5⤵
        Drops startup file
        Views/modifies file attributes
        
        PID:1028
  - - C:\Windows\SYSTEM32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:2400
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe','.py'""
      4⤵
      PID:4280
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:528
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2532
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe','.py'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4340
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic os get Caption"
      4⤵
      PID:208
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        5⤵
        
        PID:2700
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic cpu get Name
      4⤵
      PID:308
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:3692
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:3096
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
      4⤵
      PID:4460
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        5⤵
        
        PID:1028
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"
      4⤵
      PID:2964
    - - C:\Windows\System32\wbem\WMIC.exe
        
        C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid
        5⤵
        
        PID:608
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path softwarelicensingservice get OA3xOriginalProductKey"
      4⤵
      PID:4028
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path softwarelicensingservice get OA3xOriginalProductKey
        5⤵
        
        PID:5104
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
      4⤵
      PID:324
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        5⤵
        
        PID:1352

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2108

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2056

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4480

C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:4860

C:\Windows\system32\pcwrun.exe
C:\Windows\system32\pcwrun.exe "C:\Users\Admin\Desktop\eulen.exe" ContextMenu
1⤵
PID:1788
- C:\Windows\System32\msdt.exe
  C:\Windows\System32\msdt.exe -path C:\Windows\diagnostics\index\PCWDiagnostic.xml -af C:\Users\Admin\AppData\Local\Temp\PCW6D08.xml /skip TRUE
  2⤵
  PID:2400

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
PID:1804

C:\Users\Admin\Desktop\eulen.exe
"C:\Users\Admin\Desktop\eulen.exe"
1⤵
PID:1136
- C:\Users\Admin\Desktop\eulen.exe
  "C:\Users\Admin\Desktop\eulen.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  PID:2464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:3808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    PID:2844
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    PID:4052
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      PID:5008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2"
    3⤵
    PID:2568
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      PID:4808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\‌‌ ‏‏.scr"
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    PID:168
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\‌‌ ‏‏.scr"
      4⤵
      Views/modifies file attributes
      PID:1208
- - C:\Windows\SYSTEM32\netsh.exe
    netsh wlan show profiles
    3⤵
    PID:2440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe','.py'""
    3⤵
    PID:5072
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ElevatedDiagnostics\733862231\2024071314.000\PCW.debugreport.xml

Filesize
2KB

MD5
47205fc7de5695f9c595a9cae49b7c0c

SHA1
50a44193cdf61b5caddb1a8c32b508ae49370da2

SHA256
c542fb6b52a349d1527bfe8b3b31e9ae3137ac19dac6a71e09e57a6a2e53781c

SHA512
07e1e189f9fcf1aaed56d7447f8766220fb3828ab6b6c8b895575893762434094f5135dfba75a628ad1616756bf8fb43b342d452e72879b86143c46b5f7ebe45

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\733862231\2024071314.000\results.xsl

Filesize
47KB

MD5
310e1da2344ba6ca96666fb639840ea9

SHA1
e8694edf9ee68782aa1de05470b884cc1a0e1ded

SHA256
67401342192babc27e62d4c1e0940409cc3f2bd28f77399e71d245eae8d3f63c

SHA512
62ab361ffea1f0b6ff1cc76c74b8e20c2499d72f3eb0c010d47dba7e6d723f9948dba3397ea26241a1a995cffce2a68cd0aaa1bb8d917dd8f4c8f3729fa6d244

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
449B

MD5
195086cdd4a17a5eccdb614e43b4bd36

SHA1
ad523da532545de5b9d15140fa6911f1dfd39090

SHA256
eb44fd9b3e71dab2aa2b62e89b1ef79f50f772e1f3c16fc2b868e195b350be88

SHA512
702d1549f9e0c70e02a70145b5a90fcf0bcf66cdd3db4a1dbf7c29b1e6ac7512699966cfb59adb48a53f113bc13f70744dfe06f7641b525f9adb35cc579871c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
684836329ce82e39cdb4a586448f2a28

SHA1
81258d68530d3623d44690de2eb43155989da6af

SHA256
563b0332dad6b91b8c1adf565a771f4b8ef357602e630cab03babb0cd8084707

SHA512
778fa9911dd83dc725f92aa79b606a74ffd8edfc93a2d5333db3ad4b75371fdaf1e574ce2ceadd8261b571f3ea48e8a2936c5820e3319d0b694db0617a36ec3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
712974fee4a529248805d278cc94acde

SHA1
cfddde57e33d44a48602396e0b20ea026d50ffe0

SHA256
b80e7d9480a3497440d46b7685694339d1979d21db5ffced81b626b963a283d8

SHA512
ee01499434de426d9b95e5e944ac50d66368976dece65070935dab374a4246dbf006557e7b2bb7d7de53b9a0e947c8abee5e19fdf5f18319a7dd9dd111d15142

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
65582f375522c6c5d73cb16c2b3a1ee0

SHA1
0026a3aafdde444c808615e94da10e99584d3644

SHA256
7c4f47f21f5fdd66ac0e90b3725f7b5cf58f3ce9610bef56a0bdc848f8848387

SHA512
7c461cabf45fcfb068bd6912e4a10316f5d89ee029deecea44c939810611e6a681f503fbdf8767acba8031745aa63b900cecc9c981b0c1b879371d1a6202062d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
36d75a1cb9a3e87021d44f8a52de27fd

SHA1
620997edb83fa90c6d5a5de5588f3c1ac58a2023

SHA256
2b33bb087ea587521c82831dd227376a20fdeafb2b426e54b2ff97502a806839

SHA512
b9647f9a731b997afb7925f422c6e2e2b0bfba278c6bd77e7d89753c7f923518841090d705065cc4a18f3d2292164f8e5641bfddea05833ad0acf3fc7c5449cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
ecc3de33f7da246df1f014cf083faae9

SHA1
cc9db9e2f2b2c2894062e86ac99d2e636dae654b

SHA256
5fbd0852709ea33ad1e6c5fcf226de3827e9f320fdb3fa84575e62e09fe03d5d

SHA512
992e54287841ae6494b9567b45c34621b7b7d5d14e4a20108844a800d631b432101fecf40cba6b7484f4118e923c39f266514f5ce6a2063abce5cf825d019ea4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\QpX76Y3f1c\Browser\cc's.txt

Filesize
91B

MD5
5aa796b6950a92a226cc5c98ed1c47e8

SHA1
6706a4082fc2c141272122f1ca424a446506c44d

SHA256
c4c83da3a904a4e7114f9bd46790db502cdd04800e684accb991cd1a08ee151c

SHA512
976f403257671e8f652bf988f4047202e1a0fd368fdb2bab2e79ece1c20c7eb775c4b3a8853c223d4f750f4192cd09455ff024918276dc1dd1442fa3b36623ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\QpX76Y3f1c\Browser\cookies.txt

Filesize
255B

MD5
b0ac578492f3d789d85d01a515a545a7

SHA1
a6a6ad607986cbde52ceed9b745087602836c7a2

SHA256
9cfa99c2119d4a5b08286f32dc15e90f55ce76226206742f4b3cac417c3636c2

SHA512
7da019b02cfbf68dbb8c09f5b247d3e35080e13540ba6d93a508ff52ff1259d49151cbf72b2d78c046d8bd90acab024299ec5ebd36004d3be640bf709dd8f316

Download Submit
C:\Users\Admin\AppData\Local\Temp\QpX76Y3f1c\Browser\history.txt

Filesize
23B

MD5
5638715e9aaa8d3f45999ec395e18e77

SHA1
4e3dc4a1123edddf06d92575a033b42a662fe4ad

SHA256
4db7f6559c454d34d9c2d557524603c3f52649c2d69b26b6e8384a3d179aeae6

SHA512
78c96efab1d941e34d3137eae32cef041e2db5b0ebbf883e6a2effa79a323f66e00cfb7c45eb3398b3cbd0469a2be513c3ff63e5622261857eefc1685f77f76b

Download Submit
C:\Users\Admin\AppData\Local\Temp\QpX76Y3f1c\Wifi\No Wifi Networks Found.txt

Filesize
23B

MD5
ee5aea0be15d3fbe09fde56c712d5478

SHA1
d26dcac8c96f9a2422012ef19d8539e449c13ed6

SHA256
008f085ba3eb767dfbba6996130381d46882f4f8845ac0facd32dec918b236a2

SHA512
69ab01956f085efdf79d48be9ba425b630049c997ccad3a6f9bd44fc0d2936c1a4360536e48dc3b15fd96b4aa693d86cdbdbb699ea5cd11d619cf2dabd8a3e9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11362\cryptography-42.0.8.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28842\_ctypes.pyd

Filesize
56KB

MD5
c8b1e1f994b23a47ebae0a1f3a2f314c

SHA1
5636ed108b67958988586fdb7bf7aa9bc841960c

SHA256
4ad24645396dee635c6900b48704df0ba3f9d728331d207b73d1efa67c8564c6

SHA512
b584b0cbaa10c7eeb5c292fc2c9cd52831592acdb79afa239ee516f1914c7d50db0fa78616780be2fdcf6a6b3caab7971d794cf6956699b5e9c79145c52f334a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28842\api-ms-win-core-console-l1-1-0.dll

Filesize
15KB

MD5
7b2104389f75bcaf9a183e6728fc5af3

SHA1
7af1047caecba104fb726fdb3649c128e1dca430

SHA256
f75e6c1a5a46a23042b1d28b9af4e8688da8a3201f6e1beb2de2e314435cc800

SHA512
a3cb3461e4d62c5918b3e0ec312e3f4872aa49e129d4d0d968aeb012d021b772efbf9af122609e2a93af00914bbc7b52f789dfbdf971dac4e5f4fd1e923d068e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28842\api-ms-win-core-datetime-l1-1-0.dll

Filesize
14KB

MD5
d1f8dcfbf1e7f769ae6860c7264c7d4c

SHA1
bd1bf21970e120f808c6d9ae089420acc2827fcd

SHA256
c9363fec30c95976669ef3f35a14786665cbd92e61eb81172dfbff6c6fb85d5e

SHA512
e4c578203947bb757f7aa1f80a3536d21e3d993f7ac5d87bad7960806f5ac4aa3c130f40f3c2e47e9f1ddfe256dc1bc6164f838ad23edfcf71307320ff858e17

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28842\api-ms-win-core-debug-l1-1-0.dll

Filesize
14KB

MD5
927674413a12ffe13349916c1cb9ec9b

SHA1
f12c0de97e2210ab7cc369128565c642e22cccbb

SHA256
8bbdebd3360f5e24f006e3427bd79b033e79591d12aab8a6cab1a031d7a10116

SHA512
f90088e1d2e9598d81bef70af21a9f6c1d32d4c3bbc5bad977de45200a4395e0fb99c0c20bfc5a78eb0263e46fc47f2dc88cd458a0f2a07e7c218c6e58f5a5c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28842\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
14KB

MD5
d8625ceb73641841f4d791a10e5aa0cc

SHA1
bd0a7121536e7ff3025d0c46c04bc54f500745de

SHA256
3a068d030e9004373087c52a3d7289af64b9cbeee509b8c47183b1ddf51b3440

SHA512
98c67128efbb672c8c785302be0939cf21c38554e3649f84dfc89b07e5b029860da27cfe9706d6011c8bcbea336a46be51a48f1f31911fdd455b5dfde3952660

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28842\api-ms-win-core-file-l1-1-0.dll

Filesize
18KB

MD5
c454441bde12f0d06ee0f4a5048edaa2

SHA1
8d52b3a139c3dbb3e55e013f61137c3e8772f1a0

SHA256
bd020d925a95d98851c1f28e3f3e37090a44c67201f4b05a95cf793170a78e3b

SHA512
a7bb5f48efaa85dbb720849c17ea569f7bef40ad1029cebb95f5e21673520d183e7beae45faa1fd9763bda4de7b58a243181da83cc1c0954dfc2c1548381d9ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28842\api-ms-win-core-file-l1-2-0.dll

Filesize
14KB

MD5
c77578445e0a7c7aaf0097669cf8a7b0

SHA1
b50ff432095821504bc6b00268c9d0112226e4e5

SHA256
f5f0fc82118d1d9bf68a35fce4f5cfbad01598681eadc54cb56ad71c1c57128e

SHA512
cf649772b85f9da0e5a707f38e17907f5815033f77b0124f8e1701fa408a506936d99ac9bc95c63d7fabd009539a30935b060a679dfc53b75c7b1d9ba87a4c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28842\api-ms-win-core-file-l2-1-0.dll

Filesize
14KB

MD5
5fbc5cfea1d4bc7c9286a888bd36caba

SHA1
936af416794b7a598fe0aa9e02dc0261153a9464

SHA256
c4731309e01703f57dbe5db5c58b7b394090a806e316a381e7bb162fb3935e5c

SHA512
304282c5c04320e00798db05a5c56fc02c37abac484f641e4907cae2deefeab4c011170223cc3b2a5b1ccf8c416329c6c22b49ad179c746271379d56fa27af2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28842\api-ms-win-core-handle-l1-1-0.dll

Filesize
14KB

MD5
e72ad22ea306666a4d2ed413fb01e26d

SHA1
a745aa2b3f1219e97c1183d2a8a6d98f53d4da21

SHA256
a0b4ce721a37620c2a4ff08217387dcf2ef77d935c6ebfcb0e39a8eff4af070a

SHA512
5e663833eebc365399637d8c2507eb5087151c4ff1673ef824bf06faef0b51d5cf235e973b92ea3b407950683fe4d90e0cf10936b8939c1424fbcd57a8073203

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28842\api-ms-win-core-heap-l1-1-0.dll

Filesize
15KB

MD5
f3f0fdfd4d328818037a917d50d02301

SHA1
5d816c9e90f2f4404ca2a6d6dce3db692ac1835d

SHA256
9333de5729e54a60467707abb368527b16cad973602522d332bfe7777a85c640

SHA512
d0fe316854c6fa08a52cde0860c67fc11a8d6db827715dbeba5bea41d39c595b427afe112d9a34b44af691ba5f243c426a641e8375db0b5ce6aebadeba63b401

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28842\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
14KB

MD5
4d20a51d621e3b2e5e606ee8ca964653

SHA1
43e3595c25a1d0237af9cf39a270812b78c33167

SHA256
85f568fe0ac210f8e5ef935a13fca57723481fbf3d03f81cb5ef205496c0a64d

SHA512
1f0d30086baabd4707b20ba1d8ac55244d90039a98c6f1dfcf104972079c91891a4120ac797a09b6e733ab9ed58321cb3667df622f0da519004d02adbaf98786

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28842\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
15KB

MD5
b1e14440722fc63cc0d408a4237a107e

SHA1
e170a2bf06bc2ef76d84ed3f253421e436d111cf

SHA256
546d154b64aa89c1cd8e24f220fa2fd94d9c9603450b6904687c9ae1f4961a97

SHA512
62dfd15cc62b8637441d9368bbacd40ccc2505c1e67ad84cfaf28b54c048e6a899aa947d6d507e65a432e690b13879502cf25c60190a3f6a3374a2b7c8be914e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28842\api-ms-win-core-localization-l1-2-0.dll

Filesize
17KB

MD5
670b223b2b794fc632e2ce5138a26ec1

SHA1
6e62a5ac12768493525a2ffd5206a173b1fbacf5

SHA256
10f26333b35891e5cf53b2915e96c879635227ebe7ee591200265d90cc00bf67

SHA512
1913735404b7909904352a0eca49caec8b3bbf46b0ce44d728bdd8f3bba27f30bcf43425a3498ec109d11007635b415128f367a692be34b3de27cd91deee48c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28842\api-ms-win-core-memory-l1-1-0.dll

Filesize
15KB

MD5
a7fec788b8534837db5e8c071fe7975a

SHA1
07d376552406325d211a79c0ebedbac09c463c44

SHA256
f1c4cfee2a3370dc673be5754128acbf565bdf0ca240a120d2ce221fd420f73d

SHA512
b17af0f005fc3dab97ff4805aa7d0df884f8062cf174d007e03eeb21f91f6d071a903084ef4f2f8a725223a2aaf8c48d2bfc63e4526e22d92aa53215414e0600

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28842\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
14KB

MD5
4ee6bb6fe7750ed9be7d93845aeae3f2

SHA1
338e52c7b6d7a0fa2b5e41a190b13bec53c654bc

SHA256
495911b1b36e456d1f740ec033cbc5e4d29fdae57ee12684bcb18ba4c2597510

SHA512
b5a6fc257a549c10fc2afbb0b05f8a68780edaf56729b3cfdfa52eaccf78735366cdf60d81007b7ec92a23f6b244d5e4d9d04c86f46a829da930e67ac7352be2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28842\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
15KB

MD5
f01cb66709eedc2b9665efb1d604e9a4

SHA1
202d2bf3dfcec6f192ecaca796d52e411a9558a1

SHA256
f7e5b21e1410549723d7523f187d9b576709c042c5eb5e849e9b139aeb37dd96

SHA512
f02508acf32dbc6d7cc09631d7c010ed27da2b4e9c0489ca0bd10946bf81f571b50790150b069f75c99951a22236aaade37661a32654b65d006391de84db132a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28842\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
16KB

MD5
a585904afb92b8a141250724597e93bd

SHA1
5dc40d5314b08294a09bdc6241be39922d5d17bb

SHA256
0d0f9acc67e53dece058d4899104a6090ff5d5d7719126f957f7856921f80aef

SHA512
837b607181dda5a331dce25f8275b776a3d8d8cd8a1dd0ce0d4aba45345fd2a32938e93befe20d7b0ab7a3857981fb9bf5fcd81cd3519ac003e8f3a23304734f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28842\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
15KB

MD5
111be417909ae7dd64a061990424c23b

SHA1
aac39e99a900bda8853e023bd03eca22ad0794e0

SHA256
a417f39dbae331420d0212fae8561627d7a28670ac6a29d81ee52d4f01c798a2

SHA512
2b4c4da0e353bf2b6d207e43adcf99ee72f7602dc108821d2fbb25e4bfe5227900aab16f218dc77e4abf65b5830a2e93d7f0ec22af200da47fe30f6c65d3915d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28842\api-ms-win-core-profile-l1-1-0.dll

Filesize
14KB

MD5
17c52ccada0639fb4f04252faee37d90

SHA1
12cff8cfc1a263d1591e811aecd33417176f7a94

SHA256
b205abc99b02631e3aad2939538ba74decfb5046313af5097e0cb7322a5b8aff

SHA512
b2f13805f78a00aa97f9572465bc6738a498473c09be4cc28636e8814b5a0438efb3e276f5ae9431fd0f6c6765482720e2d729950d28c1aa333af96cc1182781

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28842\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
15KB

MD5
fab6d95d865549a6a86b9c707061022f

SHA1
516e99a6369d563a4dd1bea578d6e132e1b1ecec

SHA256
760b39f051c4d92ed76ae28f07466497d31f0c3241bc9789d47d45d1f5752cb4

SHA512
2aaddd0b074c0e848456bcadb85e5300b5dec748ac552ce6faca5f9525df0247c4cdb9daaeead3d7037fdf6abf572d8c7d94006d05c57b3ff2616b70ecfc43ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28842\api-ms-win-core-string-l1-1-0.dll

Filesize
14KB

MD5
025c9739b8a2f67dd097edf8e5ee5fa4

SHA1
a9fa1d585e6768b42678fa9c120f7ac66236c66f

SHA256
7199313c9044bb1a64ab0cb0942742c8c366723d1b6eb0f21e88d8d778b0866e

SHA512
6b01bef8a099c312a9613da4d26da73af69d2c56cbe3b51c4a035580a85cc639a786a8963b47b79831e85e0318964dbadcc1c2fdbac4abf364e1be2683b7f9ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28842\api-ms-win-core-synch-l1-1-0.dll

Filesize
16KB

MD5
3399c7976e3799fb90f06ae4a0b2d7d4

SHA1
b423d4f018166614f1c85d15dda282b4a441c971

SHA256
b7a0fb52b2344e26c71c0287af8e794c3656d2226a661965152075c236453096

SHA512
710e4bdbb2ff7461ab6c530c3eb03c0b4a1c6dd4361618220578d11d3279dc48b3514bc60f34b37632a9f370bd41032d4803ce3d4d6c134e95298357758954d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28842\api-ms-win-core-synch-l1-2-0.dll

Filesize
15KB

MD5
d6618210dbeb5b236d753aebe1dc5502

SHA1
9455ed2bb3d8a5a1df678d343488780d46d1a556

SHA256
4e700fb8b8402fa260ba4a307fc424e02335fb9df7f01ba43c0ab193e186c3cb

SHA512
655fa79a46f100b7a53a16dd30ce95c6904494f2fc40c357635deca1d375af4d7606db33cfefad6f8f326a2c27a40c89fc44347e2b6b75624bab1f677a14e5cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28842\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
15KB

MD5
a26f26bf9fb90084f0ac198bad558d33

SHA1
e0d6e7bf044867529179a8a91aee4affc7c0048d

SHA256
5a9108563bb24e7b30d0a29b4c549684f2ad8609e294618e03a1df68d4fe06ac

SHA512
371728aaf3e5cde66e020ff9cf70f1e3554e4594a7ed115ca89ff2b38c82bdcff10b67d783fdc5e03d5b1cf804d56251d46479dfcf6ad3874f6f434ed2459f6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28842\api-ms-win-core-timezone-l1-1-0.dll

Filesize
14KB

MD5
e50986384ae58571b5a7cf60e87c586b

SHA1
e4c3324957d9ef9dd93b7b118f824d6b9f649847

SHA256
e4134b8b9ed99612ab18f5db7f594c840448f84294ae34e71d0c1ddf1253c041

SHA512
4edb64e9ff76c4667bd1b16b084f89e869121428c9f5d4cd4883a2f72f895f655683733c5bd52e42c3d58ef240719a18c73fc2acde9206da1c2828a1fafac33c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28842\api-ms-win-core-util-l1-1-0.dll

Filesize
14KB

MD5
d3c7e2a9ccaf398c8ea1f9a1e65b79de

SHA1
8617e572c860f9e9c06f5c178bfbef9fedaf3c48

SHA256
5048062d0a62ca0003fc55af707a835ae6b9787b4d534ca7b675239198eaee8d

SHA512
de0fc1262fa6ab662f265a432c2f782ebac7373945d6aeb7b0fb692bc8132e3c31e8a307178488d0d087c1681e00b56c3f946cfc0653d94042f0c4b211931f4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28842\api-ms-win-crt-conio-l1-1-0.dll

Filesize
15KB

MD5
194d7c41db65a418b67a88ed7daefdcf

SHA1
633aab57ffb52ba6c71e97f253dc0d7836565487

SHA256
421df560744ce5d32265c1b746f2f737ca3da21036ce695f071869223b706d2a

SHA512
7f8b6a2978c2830e998313c4a37ec2caba2daf923e71e3ddfb9a0922a87ab84ee8f9c34817bdf7c626f9d09d2cda77aac1a4a061ff1b59a5bd838ddd5d04f77a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28842\api-ms-win-crt-convert-l1-1-0.dll

Filesize
18KB

MD5
cf0ecaf032ce8144e1fb239f149a613b

SHA1
3ccce3b665f94aa8369ccc24588a5e009af863d4

SHA256
eaec33c484b4a4f0729eed99383f4857a09a34a3d6d38be0bc482f3d5a0ae1f6

SHA512
2da0897918edb7375e7038bb27ce040c1ac52093f237d84ca947cd94ecbdec837507a482ecdb89608a081a635c6880a1370b9a90dfb4d39aa8e26ce9e2a42e85

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28842\api-ms-win-crt-environment-l1-1-0.dll

Filesize
15KB

MD5
0791f56b950d95fb3a7cb83f6ecada69

SHA1
671f76c862acc74a7acfe25167367df494f1df0b

SHA256
303db02f8a4366009423abaeb9fc17215c08662351479377446c0819cc4fa64e

SHA512
56ee86e255bb1b098a8f38c48999fb0433928284e9baf80e394834fdea403b415d92750ad1a85a062cf0ae75465984688730c5750a92ba436a49ea77460adecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28842\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
16KB

MD5
b66c8091ddb2dac21fde217f77b74190

SHA1
8af014ee8fe6df8d430939c73134d98b4211428a

SHA256
10695bb03f77548cd3f2995bdddd0741074fc321c6b12a55555b7778f1395f26

SHA512
1a1e96a63b655aef0098360822998a04624e1067a358594a6e1e881f3dfcfb327cbfceaa554d9a02af153e9c2a1a3ec456ac90dda70be9194a0b597a0f549c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28842\api-ms-win-crt-heap-l1-1-0.dll

Filesize
15KB

MD5
23caa73f109c23d7d076e221ba5cbb0f

SHA1
e408483a3d0632c56d9679317ffb063121938a02

SHA256
2530a40b4406c51ce62290d88ea7f8b888117b267a81683cd2760e2c420395b5

SHA512
7b5bf9a0bb478065298ca521aaa0c438d20390f995e6e5995fe1c950814416d5091bac2b7d3e76bf734a762533715d27a0d7365709af5ee486266787f93138f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28842\api-ms-win-crt-locale-l1-1-0.dll

Filesize
15KB

MD5
a4a5a2ae83a93daa7ea9dbfc9184770c

SHA1
006c52b9c1ccfdfcc86a9dc0a8cc4b63e0ac1e98

SHA256
381fad498508c6dd2d85cfd4429f392f8f60ce10f05b8638b2a6dc746f6915b5

SHA512
d7d695b4922a122329f470ebaba7b902c185eea497119c7c573d5443dd577ac065c804f5bd2fe8cd0a3406663663f631863021fef156f2bc1ab2ab5dc3de63dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28842\api-ms-win-crt-math-l1-1-0.dll

Filesize
23KB

MD5
9afe289c9e59d5c2272e207332724445

SHA1
f06692007593a41acd3888045826a6e5a1e50c4a

SHA256
2793538c731b35579f5af4161eb26f532055111999ba844cf68e0599ccb0eed3

SHA512
ca222e2d1b4454522ecc608c928b311b08e1cfacab3a1553a24b507bde99a414a8d1126e38132300457d1bc7ad531de7ab11481d9263134b9b5fb7aef63f44a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28842\base_library.zip

Filesize
859KB

MD5
ef64aada63e21f121d1a7421ed7777bd

SHA1
c35fbebe1b82a4b206b0a75524d2b15c859d3ccb

SHA256
5ed386b1751727a8cf74e812ea624754d4868675aaedaa57ddca45346a6c8832

SHA512
3c625db8fcfcd14832b2cc82a0272a0d91aab1ef39f6f40005a558dad63e78689216eabf0d2019cdf7ba7528d51c2746f9584518bf58243c46a43595e11c8195

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28842\libffi-7.dll

Filesize
23KB

MD5
4e261cbb8247260ea91860986110f805

SHA1
1563d67c2aabcb5e00e25ef293456c6481a2adc3

SHA256
ddfd0755e011ea0df26d77cf3628e2cc59653aee02bf241b54b6b08561520453

SHA512
076cdc8759f9cbbf7f8dc7b1eaba3c51f6c40ae6043b1fb55aa2fb83f81e86933d0f885a61d83300173b9bd7c589ff126e2a5d858a3f4036390d02eb1e73d229

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28842\python3.DLL

Filesize
63KB

MD5
c17b7a4b853827f538576f4c3521c653

SHA1
6115047d02fbbad4ff32afb4ebd439f5d529485a

SHA256
d21e60f3dfbf2bab0cc8a06656721fa3347f026df10297674fc635ebf9559a68

SHA512
8e08e702d69df6840781d174c4565e14a28022b40f650fda88d60172be2d4ffd96a3e9426d20718c54072ca0da27e0455cc0394c098b75e062a27559234a3df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28842\python310.dll

Filesize
1.4MB

MD5
701e2e5d0826f378a53dc5c83164c741

SHA1
62725dbee8546a7c9751679669c4aeb829bcb5a7

SHA256
9db7ebafff20370df1ae6fc5ee98962e03fcfc02ec47abed28802191f6750dd2

SHA512
df30dfba245a64f72bcf8c478d94a9902797493ce25f266fa04a0b67ad7887c8f9253404c0425285342ae771c8a44ae414887447f14d76c696f7902933367f1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28842\ucrtbase.dll

Filesize
964KB

MD5
46e3c39bb0758058af02fb0dbc115cdb

SHA1
eb89d853afc80f1d4786f8ddaf1e08d788077e07

SHA256
1142120d03f3ba4e241e41a8ae8e61089e2e46ffe88a223fc39f9e638e5dde46

SHA512
4b4cb596ba18ed3dbb77b44b3369facab7a5096c1cd17580172acfd111b73807d04b42e83eaae1d2828d2be7ca7bc9cbe67c4f72309e66a513fbf5b2c57cac18

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cnwncwv5.fcy.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\tmp\Fj23KknCqhySPJA5pfL

Filesize
20KB

MD5
e4b0cc1d4769ad29243c466c2e1987db

SHA1
27d1fcd2c0f01f7e8895aaa8c2e46b2b565caeed

SHA256
7482e266bae2240adcc56a467369813ec65a4821b844b58f28693237696ce7de

SHA512
027534d14c8a634a3a6468181bbbc096f8a6ea73700f1220349c32eacdae72339041d5d98223252c3af489031a709057bad26fb731936f5c1f3f80758dd0d82c

Download Submit
C:\Windows\Temp\SDIAG_a6535649-fdfc-42e0-be5e-c00749fbf97c\DiagPackage.dll

Filesize
65KB

MD5
e99b38cf7f4a92fc8b1075f5d573049d

SHA1
406004e7acd41b3a10daae89f886ef8b13b27c32

SHA256
812ebb05968818932d82e79422f6fd6c510fd1b14d20634e339c61faeb24b142

SHA512
5637e6e949c24dca3b607b4f8b5745e0bb557e746fc17eff1274af36d52d5d7576723f4cd055fcf8fcf9fd267254e6d7fbb53cc173a15d3dfd3cce2015ac757d

Download Submit
C:\Windows\Temp\SDIAG_a6535649-fdfc-42e0-be5e-c00749fbf97c\en-US\DiagPackage.dll.mui

Filesize
11KB

MD5
65e3646b166a1d5ab26f3ac69f3bf020

SHA1
4ef5e7d7e6b3571fc83622ee44102b2c3da937ff

SHA256
96425923a54215ca9cdbe488696be56e67980829913edb8b4c8205db0ba33760

SHA512
a3782bfa3baf4c8151883fe49a184f4b2cba77c215921b6ce334048aee721b5949e8832438a7a0d65df6b3cbd6a8232ab17a7ad293c5e48b04c29683b34ecee2

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI28842\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI28842\_bz2.pyd

Filesize
46KB

MD5
5f1fcfa6577ed6ecf4099650873ee9d0

SHA1
7f65d93c52f7bbddcad0420822700c3e43881f78

SHA256
f68775b81e881f2bddeda06442e44d2c6820db2dbab37fa1852dc411d8e28a85

SHA512
590d7961656e52b7979deb6b20a344bcac184041ba0f22f58d6422b8f60877260eab57032e41b6375360ff62879f336a7b453494dc435f332198965107857575

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI28842\_lzma.pyd

Filesize
84KB

MD5
b45eca52c04371b2812c9104c7698738

SHA1
4da64729787e58d24ca7dda23c50aedbffe2fc22

SHA256
c31b390ad7834ec10dec2ea2af9d110ffd0483df920046c74236ef736b10fbd7

SHA512
0404effb490fda47f1899c931b7de137038ae7afbfad9aa0155e49066f0b7cd74ba3a92628022197d657114a7d84451521bf0a47037252c158b5c83d0ea1d15f

Download Submit
memory/360-1054-0x0000022BDE790000-0x0000022BDE806000-memory.dmp

Filesize
472KB

Download
memory/360-1049-0x0000022BDDC40000-0x0000022BDDC62000-memory.dmp

Filesize
136KB

Download
memory/2224-916-0x00007FF928A00000-0x00007FF928A0C000-memory.dmp

Filesize
48KB

Download
memory/2224-893-0x0000015B0F530000-0x0000015B0F8A5000-memory.dmp

Filesize
3.5MB

Download
memory/2224-899-0x00007FF929310000-0x00007FF929324000-memory.dmp

Filesize
80KB

Download
memory/2224-898-0x00007FF928460000-0x00007FF9284E7000-memory.dmp

Filesize
540KB

Download
memory/2224-897-0x00007FF92A9B0000-0x00007FF92A9D4000-memory.dmp

Filesize
144KB

Download
memory/2224-900-0x00007FF929690000-0x00007FF92969B000-memory.dmp

Filesize
44KB

Download
memory/2224-902-0x00007FF9292E0000-0x00007FF929306000-memory.dmp

Filesize
152KB

Download
memory/2224-901-0x00007FF929BC0000-0x00007FF929BD9000-memory.dmp

Filesize
100KB

Download
memory/2224-903-0x00007FF919100000-0x00007FF919218000-memory.dmp

Filesize
1.1MB

Download
memory/2224-904-0x00007FF925120000-0x00007FF9251DC000-memory.dmp

Filesize
752KB

Download
memory/2224-906-0x00007FF928770000-0x00007FF928788000-memory.dmp

Filesize
96KB

Download
memory/2224-905-0x00007FF928CF0000-0x00007FF928CFA000-memory.dmp

Filesize
40KB

Download
memory/2224-909-0x00007FF918F80000-0x00007FF9190F1000-memory.dmp

Filesize
1.4MB

Download
memory/2224-908-0x00007FF928750000-0x00007FF92876F000-memory.dmp

Filesize
124KB

Download
memory/2224-907-0x00007FF929400000-0x00007FF92942E000-memory.dmp

Filesize
184KB

Download
memory/2224-910-0x00007FF9195A0000-0x00007FF919658000-memory.dmp

Filesize
736KB

Download
memory/2224-912-0x00007FF9282E0000-0x00007FF928318000-memory.dmp

Filesize
224KB

Download
memory/2224-911-0x00007FF919220000-0x00007FF919595000-memory.dmp

Filesize
3.5MB

Download
memory/2224-917-0x00007FF9297A0000-0x00007FF9297B5000-memory.dmp

Filesize
84KB

Download
memory/2224-919-0x00007FF928730000-0x00007FF92873C000-memory.dmp

Filesize
48KB

Download
memory/2224-918-0x00007FF928740000-0x00007FF92874B000-memory.dmp

Filesize
44KB

Download
memory/2224-896-0x00007FF9296A0000-0x00007FF9296B0000-memory.dmp

Filesize
64KB

Download
memory/2224-915-0x00007FF928CB0000-0x00007FF928CBB000-memory.dmp

Filesize
44KB

Download
memory/2224-914-0x00007FF928CE0000-0x00007FF928CEB000-memory.dmp

Filesize
44KB

Download
memory/2224-913-0x0000015B0F530000-0x0000015B0F8A5000-memory.dmp

Filesize
3.5MB

Download
memory/2224-921-0x00007FF928640000-0x00007FF92864C000-memory.dmp

Filesize
48KB

Download
memory/2224-920-0x00007FF928650000-0x00007FF92865B000-memory.dmp

Filesize
44KB

Download
memory/2224-923-0x00007FF928600000-0x00007FF92860C000-memory.dmp

Filesize
48KB

Download
memory/2224-922-0x00007FF9292E0000-0x00007FF929306000-memory.dmp

Filesize
152KB

Download
memory/2224-930-0x00007FF927950000-0x00007FF92795C000-memory.dmp

Filesize
48KB

Download
memory/2224-936-0x00007FF9275F0000-0x00007FF9275FD000-memory.dmp

Filesize
52KB

Download
memory/2224-935-0x00007FF927940000-0x00007FF92794C000-memory.dmp

Filesize
48KB

Download
memory/2224-934-0x00007FF925460000-0x00007FF925489000-memory.dmp

Filesize
164KB

Download
memory/2224-933-0x00007FF9275E0000-0x00007FF9275EC000-memory.dmp

Filesize
48KB

Download
memory/2224-932-0x00007FF925490000-0x00007FF9254A2000-memory.dmp

Filesize
72KB

Download
memory/2224-931-0x00007FF918F80000-0x00007FF9190F1000-memory.dmp

Filesize
1.4MB

Download
memory/2224-929-0x00007FF928770000-0x00007FF928788000-memory.dmp

Filesize
96KB

Download
memory/2224-928-0x00007FF927A20000-0x00007FF927A2B000-memory.dmp

Filesize
44KB

Download
memory/2224-927-0x00007FF927A10000-0x00007FF927A1B000-memory.dmp

Filesize
44KB

Download
memory/2224-926-0x00007FF9282D0000-0x00007FF9282DC000-memory.dmp

Filesize
48KB

Download
memory/2224-925-0x00007FF928450000-0x00007FF92845E000-memory.dmp

Filesize
56KB

Download
memory/2224-924-0x00007FF919100000-0x00007FF919218000-memory.dmp

Filesize
1.1MB

Download
memory/2224-940-0x00007FF925440000-0x00007FF92545C000-memory.dmp

Filesize
112KB

Download
memory/2224-939-0x00007FF926F30000-0x00007FF926F3B000-memory.dmp

Filesize
44KB

Download
memory/2224-938-0x00007FF9282E0000-0x00007FF928318000-memory.dmp

Filesize
224KB

Download
memory/2224-937-0x00007FF928750000-0x00007FF92876F000-memory.dmp

Filesize
124KB

Download
memory/2224-941-0x00007FF918840000-0x00007FF918C24000-memory.dmp

Filesize
3.9MB

Download
memory/2224-942-0x00007FF916670000-0x00007FF918796000-memory.dmp

Filesize
33.1MB

Download
memory/2224-947-0x00007FF9253A0000-0x00007FF9253B7000-memory.dmp

Filesize
92KB

Download
memory/2224-948-0x00007FF925370000-0x00007FF925391000-memory.dmp

Filesize
132KB

Download
memory/2224-953-0x00007FF916420000-0x00007FF916668000-memory.dmp

Filesize
2.3MB

Download
memory/2224-892-0x00007FF919220000-0x00007FF919595000-memory.dmp

Filesize
3.5MB

Download
memory/2224-894-0x00007FF919660000-0x00007FF919ACE000-memory.dmp

Filesize
4.4MB

Download
memory/2224-895-0x00007FF9297A0000-0x00007FF9297B5000-memory.dmp

Filesize
84KB

Download
memory/2224-891-0x00007FF9195A0000-0x00007FF919658000-memory.dmp

Filesize
736KB

Download
memory/2224-890-0x00007FF929400000-0x00007FF92942E000-memory.dmp

Filesize
184KB

Download
memory/2224-848-0x00007FF92D1E0000-0x00007FF92D1EF000-memory.dmp

Filesize
60KB

Download
memory/2224-849-0x00007FF92A990000-0x00007FF92A9A9000-memory.dmp

Filesize
100KB

Download
memory/2224-850-0x00007FF92A910000-0x00007FF92A93D000-memory.dmp

Filesize
180KB

Download
memory/2224-1186-0x00007FF928770000-0x00007FF928788000-memory.dmp

Filesize
96KB

Download
memory/2224-1175-0x00007FF929400000-0x00007FF92942E000-memory.dmp

Filesize
184KB

Download
memory/2224-1171-0x00007FF929BB0000-0x00007FF929BBD000-memory.dmp

Filesize
52KB

Download
memory/2224-1164-0x00007FF92A9B0000-0x00007FF92A9D4000-memory.dmp

Filesize
144KB

Download
memory/2224-1163-0x00007FF919660000-0x00007FF919ACE000-memory.dmp

Filesize
4.4MB

Download
memory/2224-834-0x00007FF919660000-0x00007FF919ACE000-memory.dmp

Filesize
4.4MB

Download
memory/2224-841-0x00007FF92A9B0000-0x00007FF92A9D4000-memory.dmp

Filesize
144KB

Download
memory/2224-885-0x00007FF92A980000-0x00007FF92A98D000-memory.dmp

Filesize
52KB

Download
memory/2224-1338-0x00007FF919660000-0x00007FF919ACE000-memory.dmp

Filesize
4.4MB

Download
memory/2224-1363-0x00007FF925460000-0x00007FF925489000-memory.dmp

Filesize
164KB

Download
memory/2224-887-0x00007FF929B80000-0x00007FF929BAE000-memory.dmp

Filesize
184KB

Download
memory/2224-886-0x00007FF929BB0000-0x00007FF929BBD000-memory.dmp

Filesize
52KB

Download
memory/2224-884-0x00007FF929BC0000-0x00007FF929BD9000-memory.dmp

Filesize
100KB

Download
memory/2224-1399-0x00007FF92F430000-0x00007FF92F43F000-memory.dmp

Filesize
60KB

Download
memory/2224-1432-0x00007FF92D1E0000-0x00007FF92D1EF000-memory.dmp

Filesize
60KB

Download
memory/2224-1443-0x00007FF9195A0000-0x00007FF919658000-memory.dmp

Filesize
736KB

Download
memory/2224-1444-0x00007FF919220000-0x00007FF919595000-memory.dmp

Filesize
3.5MB

Download
memory/2224-1442-0x00007FF929400000-0x00007FF92942E000-memory.dmp

Filesize
184KB

Download
memory/2224-1441-0x00007FF929430000-0x00007FF92945B000-memory.dmp

Filesize
172KB

Download
memory/2224-1440-0x00007FF925120000-0x00007FF9251DC000-memory.dmp

Filesize
752KB

Download
memory/2224-1439-0x00007FF9292E0000-0x00007FF929306000-memory.dmp

Filesize
152KB

Download
memory/2224-1438-0x00007FF929BB0000-0x00007FF929BBD000-memory.dmp

Filesize
52KB

Download
memory/2224-1437-0x00007FF92A980000-0x00007FF92A98D000-memory.dmp

Filesize
52KB

Download
memory/2224-1436-0x00007FF929BC0000-0x00007FF929BD9000-memory.dmp

Filesize
100KB

Download
memory/2224-1435-0x00007FF929B80000-0x00007FF929BAE000-memory.dmp

Filesize
184KB

Download
memory/2224-1434-0x00007FF92A910000-0x00007FF92A93D000-memory.dmp

Filesize
180KB

Download
memory/2224-1433-0x00007FF92A990000-0x00007FF92A9A9000-memory.dmp

Filesize
100KB

Download
memory/2224-1431-0x00007FF92A9B0000-0x00007FF92A9D4000-memory.dmp

Filesize
144KB

Download
memory/2224-1445-0x00007FF919660000-0x00007FF919ACE000-memory.dmp

Filesize
4.4MB

Download
memory/2224-1448-0x00007FF928460000-0x00007FF9284E7000-memory.dmp

Filesize
540KB

Download
memory/2224-1454-0x00007FF928750000-0x00007FF92876F000-memory.dmp

Filesize
124KB

Download
memory/2224-1453-0x00007FF928770000-0x00007FF928788000-memory.dmp

Filesize
96KB

Download
memory/2224-1452-0x00007FF928CF0000-0x00007FF928CFA000-memory.dmp

Filesize
40KB

Download
memory/2224-1451-0x00007FF92A770000-0x00007FF92A7A4000-memory.dmp

Filesize
208KB

Download
memory/2224-1450-0x00007FF929690000-0x00007FF92969B000-memory.dmp

Filesize
44KB

Download
memory/2224-1449-0x00007FF929310000-0x00007FF929324000-memory.dmp

Filesize
80KB

Download
memory/2224-1447-0x00007FF9296A0000-0x00007FF9296B0000-memory.dmp

Filesize
64KB

Download
memory/2224-1446-0x00007FF9297A0000-0x00007FF9297B5000-memory.dmp

Filesize
84KB

Download
memory/2224-889-0x00007FF929430000-0x00007FF92945B000-memory.dmp

Filesize
172KB

Download
memory/2224-888-0x00007FF925120000-0x00007FF9251DC000-memory.dmp

Filesize
752KB

Download
memory/2224-883-0x00007FF92A770000-0x00007FF92A7A4000-memory.dmp

Filesize
208KB

Download
memory/4580-1366-0x00007FF935E40000-0x00007FF935F8A000-memory.dmp

Filesize
1.3MB

Download
memory/4580-1365-0x00007FF934FE0000-0x00007FF93508E000-memory.dmp

Filesize
696KB

Download
memory/4580-1364-0x00007FF9360A0000-0x00007FF93627B000-memory.dmp

Filesize
1.9MB

Download
memory/4580-1327-0x0000000140000000-0x0000000142EA6000-memory.dmp

Filesize
46.6MB

Download
memory/4580-1325-0x00007FF936280000-0x00007FF936282000-memory.dmp

Filesize
8KB

Download
memory/4580-1326-0x00007FF936290000-0x00007FF936292000-memory.dmp

Filesize
8KB

Download