7ba60c548a30dfd291328ea52c96c5aa5f3eb1beeb71f195802842b645d27a8e

Analysis

max time kernel
134s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-09-2024 04:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TETR.IO.exe
Size

168.2MB
MD5

320d2c73c633341c2b114c796d941161
SHA1

09fe45a79a6d6accbc20e6a84ae169a82531f0d4
SHA256

eb12da60c8f3c26bc96406b06b38718b23f13f22c74f56b8196968fe386fe9eb
SHA512

da784359301460e681f62108ab61fd253be11ab76f05fc4e593d52cf31d420c7b28455205a73c85aff4096b907e9004a71614298a31c43684f6d87406475f8b2
SSDEEP

1572864:TQqT4eFUirK1e2zSQ5Rcw/N5cae/bHhrPdacyodvcPSBoHESUlyAzl/5:FBKRcAMyAzB5

Score

7^/10

execution

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TETR.IO.exeTETR.IO.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TETR.IO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TETR.IO.exe

Loads dropped DLL 1 IoCs

Processes:

TETR.IO.exe

pid process

1760 TETR.IO.exe

pid	process
1760	TETR.IO.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4252	powershell.exe
2928	powershell.exe
2752	powershell.exe
428	powershell.exe
2804	powershell.exe
4476	powershell.exe
4748	powershell.exe
1652	powershell.exe
4128	powershell.exe

Modifies registry class 7 IoCs

Processes:

TETR.IO.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\tetrio\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\TETR.IO.exe\" \"%1\""	TETR.IO.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\tetrio	TETR.IO.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\tetrio\URL Protocol	TETR.IO.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\tetrio\ = "URL:tetrio"	TETR.IO.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\tetrio\shell\open\command	TETR.IO.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\tetrio\shell	TETR.IO.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\tetrio\shell\open	TETR.IO.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4252	powershell.exe
4252	powershell.exe
4128	powershell.exe
4128	powershell.exe
2752	powershell.exe
2752	powershell.exe
428	powershell.exe
428	powershell.exe
1652	powershell.exe
1652	powershell.exe
2804	powershell.exe
2804	powershell.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeTETR.IO.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4252	powershell.exe
Token: SeDebugPrivilege	4128	powershell.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	428	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeShutdownPrivilege	1760	TETR.IO.exe
Token: SeCreatePagefilePrivilege	1760	TETR.IO.exe
Token: SeDebugPrivilege	4476	powershell.exe
Token: SeShutdownPrivilege	1760	TETR.IO.exe
Token: SeCreatePagefilePrivilege	1760	TETR.IO.exe

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

TETR.IO.execmd.exe

description	pid	process	target process
PID 1760 wrote to memory of 4832	1760	TETR.IO.exe	cmd.exe
PID 1760 wrote to memory of 4832	1760	TETR.IO.exe	cmd.exe
PID 4832 wrote to memory of 996	4832	cmd.exe	chcp.com
PID 4832 wrote to memory of 996	4832	cmd.exe	chcp.com
PID 1760 wrote to memory of 4748	1760	TETR.IO.exe	powershell.exe
PID 1760 wrote to memory of 4748	1760	TETR.IO.exe	powershell.exe
PID 1760 wrote to memory of 1652	1760	TETR.IO.exe	powershell.exe
PID 1760 wrote to memory of 1652	1760	TETR.IO.exe	powershell.exe
PID 1760 wrote to memory of 4128	1760	TETR.IO.exe	powershell.exe
PID 1760 wrote to memory of 4128	1760	TETR.IO.exe	powershell.exe
PID 1760 wrote to memory of 4252	1760	TETR.IO.exe	powershell.exe
PID 1760 wrote to memory of 4252	1760	TETR.IO.exe	powershell.exe
PID 1760 wrote to memory of 4476	1760	TETR.IO.exe	powershell.exe
PID 1760 wrote to memory of 4476	1760	TETR.IO.exe	powershell.exe
PID 1760 wrote to memory of 2804	1760	TETR.IO.exe	powershell.exe
PID 1760 wrote to memory of 2804	1760	TETR.IO.exe	powershell.exe
PID 1760 wrote to memory of 2928	1760	TETR.IO.exe	powershell.exe
PID 1760 wrote to memory of 2928	1760	TETR.IO.exe	powershell.exe
PID 1760 wrote to memory of 428	1760	TETR.IO.exe	powershell.exe
PID 1760 wrote to memory of 428	1760	TETR.IO.exe	powershell.exe
PID 1760 wrote to memory of 2752	1760	TETR.IO.exe	powershell.exe
PID 1760 wrote to memory of 2752	1760	TETR.IO.exe	powershell.exe
PID 1760 wrote to memory of 1840	1760	TETR.IO.exe	TETR.IO.exe
PID 1760 wrote to memory of 1840	1760	TETR.IO.exe	TETR.IO.exe
PID 1760 wrote to memory of 2892	1760	TETR.IO.exe	TETR.IO.exe
PID 1760 wrote to memory of 2892	1760	TETR.IO.exe	TETR.IO.exe
PID 1760 wrote to memory of 1596	1760	TETR.IO.exe	TETR.IO.exe
PID 1760 wrote to memory of 1596	1760	TETR.IO.exe	TETR.IO.exe
PID 1760 wrote to memory of 1596	1760	TETR.IO.exe	TETR.IO.exe
PID 1760 wrote to memory of 1596	1760	TETR.IO.exe	TETR.IO.exe
PID 1760 wrote to memory of 1596	1760	TETR.IO.exe	TETR.IO.exe
PID 1760 wrote to memory of 1596	1760	TETR.IO.exe	TETR.IO.exe
PID 1760 wrote to memory of 1596	1760	TETR.IO.exe	TETR.IO.exe
PID 1760 wrote to memory of 1596	1760	TETR.IO.exe	TETR.IO.exe
PID 1760 wrote to memory of 1596	1760	TETR.IO.exe	TETR.IO.exe
PID 1760 wrote to memory of 1596	1760	TETR.IO.exe	TETR.IO.exe
PID 1760 wrote to memory of 1596	1760	TETR.IO.exe	TETR.IO.exe
PID 1760 wrote to memory of 1596	1760	TETR.IO.exe	TETR.IO.exe
PID 1760 wrote to memory of 1596	1760	TETR.IO.exe	TETR.IO.exe
PID 1760 wrote to memory of 1596	1760	TETR.IO.exe	TETR.IO.exe
PID 1760 wrote to memory of 1596	1760	TETR.IO.exe	TETR.IO.exe
PID 1760 wrote to memory of 1596	1760	TETR.IO.exe	TETR.IO.exe
PID 1760 wrote to memory of 1596	1760	TETR.IO.exe	TETR.IO.exe
PID 1760 wrote to memory of 1596	1760	TETR.IO.exe	TETR.IO.exe
PID 1760 wrote to memory of 1596	1760	TETR.IO.exe	TETR.IO.exe
PID 1760 wrote to memory of 1596	1760	TETR.IO.exe	TETR.IO.exe
PID 1760 wrote to memory of 1596	1760	TETR.IO.exe	TETR.IO.exe
PID 1760 wrote to memory of 1596	1760	TETR.IO.exe	TETR.IO.exe
PID 1760 wrote to memory of 1596	1760	TETR.IO.exe	TETR.IO.exe
PID 1760 wrote to memory of 1596	1760	TETR.IO.exe	TETR.IO.exe
PID 1760 wrote to memory of 1596	1760	TETR.IO.exe	TETR.IO.exe
PID 1760 wrote to memory of 1596	1760	TETR.IO.exe	TETR.IO.exe
PID 1760 wrote to memory of 1596	1760	TETR.IO.exe	TETR.IO.exe
PID 1760 wrote to memory of 1596	1760	TETR.IO.exe	TETR.IO.exe
PID 1760 wrote to memory of 1596	1760	TETR.IO.exe	TETR.IO.exe
PID 1760 wrote to memory of 1596	1760	TETR.IO.exe	TETR.IO.exe
PID 1760 wrote to memory of 1596	1760	TETR.IO.exe	TETR.IO.exe
PID 1760 wrote to memory of 1596	1760	TETR.IO.exe	TETR.IO.exe
PID 1760 wrote to memory of 1596	1760	TETR.IO.exe	TETR.IO.exe

C:\Users\Admin\AppData\Local\Temp\TETR.IO.exe
"C:\Users\Admin\AppData\Local\Temp\TETR.IO.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "chcp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4832
- - C:\Windows\system32\chcp.com
    chcp
    3⤵
    PID:996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4252
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2752
- C:\Users\Admin\AppData\Local\Temp\TETR.IO.exe
  "C:\Users\Admin\AppData\Local\Temp\TETR.IO.exe" --type=gpu-process --disable-gpu-sandbox --disable-gpu-vsync --disable-gpu-vsync --user-data-dir="C:\Users\Admin\AppData\Roaming\tetrio-desktop" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1912 --field-trial-handle=1916,i,17097646681137502845,18152338013841969895,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2
  2⤵
  PID:1840
- C:\Users\Admin\AppData\Local\Temp\TETR.IO.exe
  "C:\Users\Admin\AppData\Local\Temp\TETR.IO.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\tetrio-desktop" --mojo-platform-channel-handle=2076 --field-trial-handle=1916,i,17097646681137502845,18152338013841969895,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:3
  2⤵
  PID:2892
- C:\Users\Admin\AppData\Local\Temp\TETR.IO.exe
  "C:\Users\Admin\AppData\Local\Temp\TETR.IO.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\tetrio-desktop" --app-user-model-id=sh.osk.tetrio-client --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --disable-blink-features=PreloadMediaEngagementData,AutoplayIgnoreWebAudio,MediaEngagementBypassAutoplayPolicies --autoplay-policy=no-user-gesture-required --disable-frame-rate-limit --force-color-profile=srgb --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-zero-copy --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2504 --field-trial-handle=1916,i,17097646681137502845,18152338013841969895,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1
  2⤵
  - Checks computer location settings
  PID:1596
- C:\Users\Admin\AppData\Local\Temp\TETR.IO.exe
  "C:\Users\Admin\AppData\Local\Temp\TETR.IO.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\tetrio-desktop" --app-user-model-id=sh.osk.tetrio-client --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --disable-blink-features=PreloadMediaEngagementData,AutoplayIgnoreWebAudio,MediaEngagementBypassAutoplayPolicies --autoplay-policy=no-user-gesture-required --disable-frame-rate-limit --force-color-profile=srgb --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-zero-copy --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=1752 --field-trial-handle=1916,i,17097646681137502845,18152338013841969895,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1
  2⤵
  PID:2568
- C:\Users\Admin\AppData\Local\Temp\TETR.IO.exe
  "C:\Users\Admin\AppData\Local\Temp\TETR.IO.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --user-data-dir="C:\Users\Admin\AppData\Roaming\tetrio-desktop" --mojo-platform-channel-handle=3704 --field-trial-handle=1916,i,17097646681137502845,18152338013841969895,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
  2⤵
  PID:2392
- C:\Users\Admin\AppData\Local\Temp\TETR.IO.exe
  "C:\Users\Admin\AppData\Local\Temp\TETR.IO.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --disable-gpu-sandbox --disable-gpu-vsync --disable-gpu-vsync --user-data-dir="C:\Users\Admin\AppData\Roaming\tetrio-desktop" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=3108 --field-trial-handle=1916,i,17097646681137502845,18152338013841969895,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
  2⤵
  PID:3708

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f0 0x4b4
1⤵
PID:5188

C:\Windows\system32\werfault.exe
werfault.exe /hc /shared Global\9bcc25f193a94c2bb25ca3058d5c63c1 /t 4256 /p 1812 5188
1⤵
PID:5436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Temp\809a8350-a234-4db9-8da4-77ba8824f661.tmp.node

Filesize
95KB

MD5
e9dd3524a69d66b498da49581e72b70b

SHA1
b6ade7129a96d3be63d01da67f3917451b4eb999

SHA256
7aca2ed3da7e033d1a4251f7a92b774bbd8b794734ae8bac750d86dbaf62385f

SHA512
154c11f4d78f160c76f5610e3efde82eaea5159fb7eefb0e8bd5da129a0fecccfceeceb4102488ba36d881733f808959c57cf85dd150232d1f493f08d3d2a929

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_isecpo1b.svy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\tetrio-desktop\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
497929c01e0f46a744b41f54201a0b1a

SHA1
4e19a6d6129c38bfaec2b1f580873194cdb0500c

SHA256
9ae0258cbe7d5e061b1f309236d83ecc6adbd994535d64730f4bd2ed0ac03b49

SHA512
a7f980ff9e7d45ff3bcefec948a617c8130017f055706ac6ebaa4dd1a2f27774bedf7dcdc25f90ae0bbf15c46852cc7c165c0bc415990b0c4dee7569f87d21da

Download Submit
C:\Users\Admin\AppData\Roaming\tetrio-desktop\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
124bb009a54c033be56bca75c96138ab

SHA1
201063f53ea56732ee7bbf4a22bf00838099fdd2

SHA256
09d20851e8251462e4ef05fd111a3efd403404df980bff3803f84b1f82929ce1

SHA512
d54ac00b2a278e224b69792c42b645bae882334cc8a0531e1b920735a6504df4997a3b5217fb6e0e7b55008add28329d47d5cf53e43ef45779ab2ebeacfeff51

Download Submit
C:\Users\Admin\AppData\Roaming\tetrio-desktop\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
b6b22c812ee4e8c7fe1368cd472017a6

SHA1
d55157be9c1b61cd99e34efe6136e37b46ddda0e

SHA256
2b49260dcbd2cd3f9762200534b36c96412342474e3fad7a4d00a97086223b01

SHA512
9dde1e415599d8cbe4650b2f83c438c64481b585241fd790075ad25d4337620f96e772e97b828e8943b6882975c93ab886dd2c37e5b63098c18d6e911e044cab

Download Submit
C:\Users\Admin\AppData\Roaming\tetrio-desktop\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
c1a0d135032a1f648aff792d090d7220

SHA1
b4fbab08d402422ad253e48f02d7fb500756b1d6

SHA256
c32951e9c7e439a7714a80197eded17f23b00f743943dc9fb2ca3ee1e079fa34

SHA512
2db900d37d316117a5143952eebc981d1cb4fd1b48ffefeaf322d9dd98c5a53ca3795e2903d390692b60391aca360c48d67ba515e3fe73f237b55ab06021c1e5

Download Submit
C:\Users\Admin\AppData\Roaming\tetrio-desktop\Network\Network Persistent State

Filesize
59B

MD5
78bfcecb05ed1904edce3b60cb5c7e62

SHA1
bf77a7461de9d41d12aa88fba056ba758793d9ce

SHA256
c257f929cff0e4380bf08d9f36f310753f7b1ccb5cb2ab811b52760dd8cb9572

SHA512
2420dff6eb853f5e1856cdab99561a896ea0743fcff3e04b37cb87eddf063770608a30c6ffb0319e5d353b0132c5f8135b7082488e425666b2c22b753a6a4d73

Download Submit
C:\Users\Admin\AppData\Roaming\tetrio-desktop\Network\Network Persistent State

Filesize
719B

MD5
ddccbf71529a44990a453d643049e245

SHA1
eff77eb5f0eda048a1b5145f26d021664540b190

SHA256
8ae8afb9811e35eb72b959d7a558bf422885cd70beb59b29fe432290d4d2e048

SHA512
9ba213093d69565adcc1be73717dbbbeeeeabf1fcec246eefb71d5d4baef257451ad99b8e8bc874499451f107737c261556f42a4b399d3ff4dc71690c0b4f4ad

Download Submit
C:\Users\Admin\AppData\Roaming\tetrio-desktop\Network\Network Persistent State~RFe585dfa.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\tetrio-desktop\Network\TransportSecurity

Filesize
857B

MD5
c88f3d1086ad293a4c91ae18e5d181ff

SHA1
e7ae87dd6860633f4d11013b62f5f0d4f462fd8a

SHA256
72fbae24d1dd3a07948b408a8da2b364ee7d2942da73df99cf52c642b3fff777

SHA512
928f904815d164af4c168b7f8d09000b7b43deb7a852b1003dc3594ba5c0ae215059d92a1f45b9159472d7ef21322a2ca1376cc7eeaf622573da455ead4bb9e8

Download Submit
C:\Users\Admin\AppData\Roaming\tetrio-desktop\Network\TransportSecurity

Filesize
857B

MD5
6e1600e70de2cc62765ac1bfde471b78

SHA1
fb088c523d0f15dc01ea622ad2f4390a986d060e

SHA256
809c52ed9e614fae8e9fdefbd35af5b2a53bf29d7ee7eac7d3e37cfa5d6c17c5

SHA512
a849eaa2b17526a66e8016df3910c873ab0ca637f298c945efc4b3ea83acc234f40f0a3a3b64013478e9bead297ebe3675d5cf310941fdd6e4c97f036d308db0

Download Submit
C:\Users\Admin\AppData\Roaming\tetrio-desktop\Network\TransportSecurity

Filesize
853B

MD5
0020a4bcaaa40db272a33f0d3f71bfd9

SHA1
587fd01ea46bdab932711586efb9f45d37a597e3

SHA256
c41b14bd5cc9eae11608aed38d3ba182c8c0ff9fef1bc66dd32a3781010b7f34

SHA512
c2f679d5bf401d5ace040181a106217172dd273c116268186f47a1c6465201983dee493d96ba5c2984e857fca8e3c337fb9a6d5b2ef47b796373f210576a1518

Download Submit
C:\Users\Admin\AppData\Roaming\tetrio-desktop\Network\TransportSecurity

Filesize
849B

MD5
f362127f3fa41b0241521a941ce7ffd3

SHA1
3595198ee74a4c9e5cd632cc0566d21b70c78751

SHA256
60c6da0711f25e04a468bb73f99bf8ac9f757252be00867fe9f9ff182aad8b74

SHA512
23f40746e6b57a339c4c32354b60f87f819de727765348059e432b64a3237ddafc533ae13204c27be83d5823fba71f6b4ef307f7a85f2f4e3fa767f4efd3e0ea

Download Submit
C:\Users\Admin\AppData\Roaming\tetrio-desktop\Network\TransportSecurity

Filesize
849B

MD5
2e793aa360bffdcd48566a527aa52fc0

SHA1
9910713c73500327097ff714d8f3b3f0ecbaae2b

SHA256
f9fbabafc9d4703d2742bd128e3477fa6e17025e2cdd4b7d34ac1231e6c2b80d

SHA512
5329ff6d46d0a9d2e08ff27c0a59d7f59ac0c3f477490c158ada6beac0982d7960e35d860d9a88487830f2bf96aa956055ddff9cfbd1a42043a29688a4604623

Download Submit
C:\Users\Admin\AppData\Roaming\tetrio-desktop\Network\TransportSecurity

Filesize
857B

MD5
d418c2a07c1f415ef982ecb3268b5faf

SHA1
f2fc02e2ad8080827077a3f0306238ef6f7335ed

SHA256
db5bcfebff395f583079c10afc14a28c749dd8bbe3cf06b808d7c336c6106c78

SHA512
64efdda0e3459d0351e8f448fb3720de0b2b5f84c9f7ecd12b644661460431637a43b6b95035d79f11e8dfbf6b7faa5009f4be94a46fca32cca5ae8ec0e7217a

Download Submit
C:\Users\Admin\AppData\Roaming\tetrio-desktop\Network\TransportSecurity~RFe581fb8.TMP

Filesize
690B

MD5
f8fbeb1d56ca78468ab91d63e26d9748

SHA1
d6ff39b6a8cee3be8e813d4479f620a0b0d87ad4

SHA256
8eb62ea0a0f5d6dcfcbc7687ba028459d90faf1039fe403e4db4d44972b2485d

SHA512
e24679ee01763e6232834e2d4ebf5c87cc10d16806f89b31b49d184858a1428c0a2fb4e414504e4104a6e225171e86128968cbc9084ee1be3ee5ba40520e91a2

Download Submit
C:\Users\Admin\AppData\Roaming\tetrio-desktop\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
memory/1596-53-0x00007FFE73980000-0x00007FFE73981000-memory.dmp

Filesize
4KB

Download
memory/1596-52-0x00007FFE73DF0000-0x00007FFE73DF1000-memory.dmp

Filesize
4KB

Download
memory/3708-409-0x00000284527B0000-0x00000284527B1000-memory.dmp

Filesize
4KB

Download
memory/3708-407-0x00000284527B0000-0x00000284527B1000-memory.dmp

Filesize
4KB

Download
memory/3708-398-0x00000284527B0000-0x00000284527B1000-memory.dmp

Filesize
4KB

Download
memory/3708-399-0x00000284527B0000-0x00000284527B1000-memory.dmp

Filesize
4KB

Download
memory/3708-405-0x00000284527B0000-0x00000284527B1000-memory.dmp

Filesize
4KB

Download
memory/3708-400-0x00000284527B0000-0x00000284527B1000-memory.dmp

Filesize
4KB

Download
memory/3708-411-0x00000284527B0000-0x00000284527B1000-memory.dmp

Filesize
4KB

Download
memory/3708-410-0x00000284527B0000-0x00000284527B1000-memory.dmp

Filesize
4KB

Download
memory/3708-406-0x00000284527B0000-0x00000284527B1000-memory.dmp

Filesize
4KB

Download
memory/3708-408-0x00000284527B0000-0x00000284527B1000-memory.dmp

Filesize
4KB

Download
memory/4128-329-0x00000286703B0000-0x00000286703DA000-memory.dmp

Filesize
168KB

Download
memory/4128-330-0x00000286703B0000-0x00000286703D4000-memory.dmp

Filesize
144KB

Download
memory/4128-64-0x0000028655AB0000-0x0000028655AD2000-memory.dmp

Filesize
136KB

Download
memory/4252-191-0x00000195F4AD0000-0x00000195F4B46000-memory.dmp

Filesize
472KB

Download
memory/4252-184-0x00000195F4A00000-0x00000195F4A44000-memory.dmp

Filesize
272KB

Download