7ba60c548a30dfd291328ea52c96c5aa5f3eb1beeb71f195802842b645d27a8e

Analysis

max time kernel
133s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-09-2024 06:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TETR.IO.exe
Size

168.2MB
MD5

320d2c73c633341c2b114c796d941161
SHA1

09fe45a79a6d6accbc20e6a84ae169a82531f0d4
SHA256

eb12da60c8f3c26bc96406b06b38718b23f13f22c74f56b8196968fe386fe9eb
SHA512

da784359301460e681f62108ab61fd253be11ab76f05fc4e593d52cf31d420c7b28455205a73c85aff4096b907e9004a71614298a31c43684f6d87406475f8b2
SSDEEP

1572864:TQqT4eFUirK1e2zSQ5Rcw/N5cae/bHhrPdacyodvcPSBoHESUlyAzl/5:FBKRcAMyAzB5

Score

7^/10

execution

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	TETR.IO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	TETR.IO.exe

Loads dropped DLL 1 IoCs

pid	Process
4296	TETR.IO.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2160	powershell.exe
2240	powershell.exe
2576	powershell.exe
2028	powershell.exe
840	powershell.exe
3392	powershell.exe
1860	powershell.exe
336	powershell.exe
3880	powershell.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\tetrio	TETR.IO.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\tetrio\URL Protocol	TETR.IO.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\tetrio\ = "URL:tetrio"	TETR.IO.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\tetrio\shell\open\command	TETR.IO.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\tetrio\shell	TETR.IO.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\tetrio\shell\open	TETR.IO.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\tetrio\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\TETR.IO.exe\" \"%1\""	TETR.IO.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3880	powershell.exe
3880	powershell.exe
336	powershell.exe
336	powershell.exe
2240	powershell.exe
2240	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3880	powershell.exe
Token: SeDebugPrivilege	336	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe

Suspicious use of WriteProcessMemory 59 IoCs

description	pid	Process	procid_target
PID 4296 wrote to memory of 2756	4296	TETR.IO.exe	90
PID 4296 wrote to memory of 2756	4296	TETR.IO.exe	90
PID 2756 wrote to memory of 564	2756	cmd.exe	92
PID 2756 wrote to memory of 564	2756	cmd.exe	92
PID 4296 wrote to memory of 3392	4296	TETR.IO.exe	93
PID 4296 wrote to memory of 3392	4296	TETR.IO.exe	93
PID 4296 wrote to memory of 2576	4296	TETR.IO.exe	94
PID 4296 wrote to memory of 2576	4296	TETR.IO.exe	94
PID 4296 wrote to memory of 3880	4296	TETR.IO.exe	95
PID 4296 wrote to memory of 3880	4296	TETR.IO.exe	95
PID 4296 wrote to memory of 336	4296	TETR.IO.exe	96
PID 4296 wrote to memory of 336	4296	TETR.IO.exe	96
PID 4296 wrote to memory of 1860	4296	TETR.IO.exe	97
PID 4296 wrote to memory of 1860	4296	TETR.IO.exe	97
PID 4296 wrote to memory of 2240	4296	TETR.IO.exe	98
PID 4296 wrote to memory of 2240	4296	TETR.IO.exe	98
PID 4296 wrote to memory of 2160	4296	TETR.IO.exe	99
PID 4296 wrote to memory of 2160	4296	TETR.IO.exe	99
PID 4296 wrote to memory of 840	4296	TETR.IO.exe	100
PID 4296 wrote to memory of 840	4296	TETR.IO.exe	100
PID 4296 wrote to memory of 2028	4296	TETR.IO.exe	101
PID 4296 wrote to memory of 2028	4296	TETR.IO.exe	101
PID 4296 wrote to memory of 4360	4296	TETR.IO.exe	111
PID 4296 wrote to memory of 4360	4296	TETR.IO.exe	111
PID 4296 wrote to memory of 2932	4296	TETR.IO.exe	112
PID 4296 wrote to memory of 2932	4296	TETR.IO.exe	112
PID 4296 wrote to memory of 3728	4296	TETR.IO.exe	113
PID 4296 wrote to memory of 3728	4296	TETR.IO.exe	113
PID 4296 wrote to memory of 3728	4296	TETR.IO.exe	113
PID 4296 wrote to memory of 3728	4296	TETR.IO.exe	113
PID 4296 wrote to memory of 3728	4296	TETR.IO.exe	113
PID 4296 wrote to memory of 3728	4296	TETR.IO.exe	113
PID 4296 wrote to memory of 3728	4296	TETR.IO.exe	113
PID 4296 wrote to memory of 3728	4296	TETR.IO.exe	113
PID 4296 wrote to memory of 3728	4296	TETR.IO.exe	113
PID 4296 wrote to memory of 3728	4296	TETR.IO.exe	113
PID 4296 wrote to memory of 3728	4296	TETR.IO.exe	113
PID 4296 wrote to memory of 3728	4296	TETR.IO.exe	113
PID 4296 wrote to memory of 3728	4296	TETR.IO.exe	113
PID 4296 wrote to memory of 3728	4296	TETR.IO.exe	113
PID 4296 wrote to memory of 3728	4296	TETR.IO.exe	113
PID 4296 wrote to memory of 3728	4296	TETR.IO.exe	113
PID 4296 wrote to memory of 3728	4296	TETR.IO.exe	113
PID 4296 wrote to memory of 3728	4296	TETR.IO.exe	113
PID 4296 wrote to memory of 3728	4296	TETR.IO.exe	113
PID 4296 wrote to memory of 3728	4296	TETR.IO.exe	113
PID 4296 wrote to memory of 3728	4296	TETR.IO.exe	113
PID 4296 wrote to memory of 3728	4296	TETR.IO.exe	113
PID 4296 wrote to memory of 3728	4296	TETR.IO.exe	113
PID 4296 wrote to memory of 3728	4296	TETR.IO.exe	113
PID 4296 wrote to memory of 3728	4296	TETR.IO.exe	113
PID 4296 wrote to memory of 3728	4296	TETR.IO.exe	113
PID 4296 wrote to memory of 3728	4296	TETR.IO.exe	113
PID 4296 wrote to memory of 3728	4296	TETR.IO.exe	113
PID 4296 wrote to memory of 3728	4296	TETR.IO.exe	113
PID 4296 wrote to memory of 3728	4296	TETR.IO.exe	113
PID 4296 wrote to memory of 3728	4296	TETR.IO.exe	113
PID 4296 wrote to memory of 3728	4296	TETR.IO.exe	113
PID 4296 wrote to memory of 3728	4296	TETR.IO.exe	113

C:\Users\Admin\AppData\Local\Temp\TETR.IO.exe
"C:\Users\Admin\AppData\Local\Temp\TETR.IO.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "chcp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\system32\chcp.com
    chcp
    3⤵
    PID:564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2028
- C:\Users\Admin\AppData\Local\Temp\TETR.IO.exe
  "C:\Users\Admin\AppData\Local\Temp\TETR.IO.exe" --type=gpu-process --disable-gpu-sandbox --disable-gpu-vsync --disable-gpu-vsync --user-data-dir="C:\Users\Admin\AppData\Roaming\tetrio-desktop" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1908 --field-trial-handle=1912,i,2859595305331596343,9625312300243155486,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2
  2⤵
  PID:4360
- C:\Users\Admin\AppData\Local\Temp\TETR.IO.exe
  "C:\Users\Admin\AppData\Local\Temp\TETR.IO.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\tetrio-desktop" --mojo-platform-channel-handle=2208 --field-trial-handle=1912,i,2859595305331596343,9625312300243155486,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:3
  2⤵
  PID:2932
- C:\Users\Admin\AppData\Local\Temp\TETR.IO.exe
  "C:\Users\Admin\AppData\Local\Temp\TETR.IO.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\tetrio-desktop" --app-user-model-id=sh.osk.tetrio-client --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --disable-blink-features=PreloadMediaEngagementData,AutoplayIgnoreWebAudio,MediaEngagementBypassAutoplayPolicies --autoplay-policy=no-user-gesture-required --disable-frame-rate-limit --force-color-profile=srgb --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-zero-copy --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2460 --field-trial-handle=1912,i,2859595305331596343,9625312300243155486,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1
  2⤵
  - Checks computer location settings
  PID:3728
- C:\Users\Admin\AppData\Local\Temp\TETR.IO.exe
  "C:\Users\Admin\AppData\Local\Temp\TETR.IO.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\tetrio-desktop" --app-user-model-id=sh.osk.tetrio-client --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --disable-blink-features=PreloadMediaEngagementData,AutoplayIgnoreWebAudio,MediaEngagementBypassAutoplayPolicies --autoplay-policy=no-user-gesture-required --disable-frame-rate-limit --force-color-profile=srgb --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-zero-copy --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=1704 --field-trial-handle=1912,i,2859595305331596343,9625312300243155486,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1
  2⤵
  PID:800
- C:\Users\Admin\AppData\Local\Temp\TETR.IO.exe
  "C:\Users\Admin\AppData\Local\Temp\TETR.IO.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --user-data-dir="C:\Users\Admin\AppData\Roaming\tetrio-desktop" --mojo-platform-channel-handle=3544 --field-trial-handle=1912,i,2859595305331596343,9625312300243155486,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
  2⤵
  PID:5596
- C:\Users\Admin\AppData\Local\Temp\TETR.IO.exe
  "C:\Users\Admin\AppData\Local\Temp\TETR.IO.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --disable-gpu-sandbox --disable-gpu-vsync --disable-gpu-vsync --user-data-dir="C:\Users\Admin\AppData\Roaming\tetrio-desktop" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1224 --field-trial-handle=1912,i,2859595305331596343,9625312300243155486,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
  2⤵
  PID:3584

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x404 0x2cc
1⤵
PID:5688

C:\Windows\system32\werfault.exe
werfault.exe /hc /shared Global\0aeb7079525246c5b1efc20f29673d4a /t 376 /p 1900 5688
1⤵
PID:5840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
5c3cc3c6ae2c1e0b92b502859ce79d0c

SHA1
bde46d0f91ad780ce5cba924f8d9f4c175c5b83d

SHA256
5a48860ad5bdf15d7a241aa16124163ec48adc0f0af758e43561ac07e4f163b2

SHA512
269b79931df92c30741c9a42a013cb24935887272ed8077653f0b6525793da52c5004c70329d8e0e7b2776fc1aba6e32da5dadf237ae42f7398fdf35a930663e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
2f87410b0d834a14ceff69e18946d066

SHA1
f2ec80550202d493db61806693439a57b76634f3

SHA256
5422bc17b852ad463110de0db9b59ffa4219e065d3e2843618d6ebbd14273c65

SHA512
a313702f22450ceff0a1d7f890b0c16cf667dbcd668dbafa6dbecd0791236c0bc68e834d12113cc75352365c2a2b6cfcf30b6ef7c97ea53ed135da50de389db4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
28c65370f12e84b734af87ad491ea257

SHA1
402d3a8203115f1365d48fa72daf0a56e14d8a08

SHA256
4ea873fb3d77a2f8eefae82c943f621f16723516e181bde133568f8f0c91290c

SHA512
56eb34162b0a39da4aaf66aad35ef355a7709982b5060792e3b4849c36650725176e927815537ec58e7ddf0fb1763066b203d6b7f9d1b3dd2c8bc091c0c850cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
d4da3cbb27ff58bca7eabcc5659ccf11

SHA1
5d90e87aeaf461c880e0ba36d51ce875509c87e4

SHA256
646a4f8ead5f29df18ecfb707ca640d9499ff10d8419b367f8b5896b711fb13b

SHA512
f675a9926d871eca38654d85ada39bcee315d30be75c78f5124c3c660eb7646561090e014efcc9052f8ea574066c064651bf586be17f1b8ece951d58111b8b63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
7a1e03fe1039bf494d77070f2c583626

SHA1
bb6b31d644873fea13cb3c37e6225670b5682c8b

SHA256
53bb6e31c2534c61d2bb23c0ef4d9550c1b9361610bd01ef1816a97297147ed2

SHA512
e45c36ab8a4ba0c84783b2ddb2c26a9ab66cd5d26f1f0999b1288656288b1f8f33922a92c05641e6dfad03fac708525a1a37815d8ce1088ed0c72217e2f82827

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q1ntsvbz.5li.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\f1664c92-58d7-4c5a-9069-1217316b34b2.tmp.node

Filesize
95KB

MD5
e9dd3524a69d66b498da49581e72b70b

SHA1
b6ade7129a96d3be63d01da67f3917451b4eb999

SHA256
7aca2ed3da7e033d1a4251f7a92b774bbd8b794734ae8bac750d86dbaf62385f

SHA512
154c11f4d78f160c76f5610e3efde82eaea5159fb7eefb0e8bd5da129a0fecccfceeceb4102488ba36d881733f808959c57cf85dd150232d1f493f08d3d2a929

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\tetrio-desktop\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
8a9003e83e3ccc04a517829b2373fff8

SHA1
9e03ac172d68687f7141bfa31d5cbdaa038fdc42

SHA256
6495e54e678abde9d57dd6b9b97247ef026f9e9ab070521af9f310e1dd842078

SHA512
fc7bb19485ea260afc512c4a609a04d53ec95c4238dcf733347971652881941798dffe65f3b79c187e80c938d7058f6e09e09c0648ffbf65a401eb4e12f2bf92

Download Submit
C:\Users\Admin\AppData\Roaming\tetrio-desktop\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
ccf8cc16a1d15fcf010201e6ce77dd4b

SHA1
98b70ec33ce0fa647cb34d46281803365c5fe850

SHA256
8c9c88d90902024c920138e9c0f96040a595fcc7b2c0ef8dd82c7f9bd22a7a2d

SHA512
0a634af8163c96027a2012ae9fd6053bf48d78dc0c1e03df09342d0c7ab86e95f60b986c987d61715b1e2ba4695c4cf4718728e3f0f6294df16ef6af13f953aa

Download Submit
C:\Users\Admin\AppData\Roaming\tetrio-desktop\Network\Network Persistent State

Filesize
64B

MD5
30c3067d39a63cb3b178409dc953c2ef

SHA1
46f3dbec7acd4de1738207b556afde398fdd8702

SHA256
91d04cebf9751137a4b2ae458a533c659d8378a6923d6a35abdeaf413a952f78

SHA512
4fc3eac1c97126ae203f87d1f5d8d3388f5ecf76921374a32b1e021861fc15d9e97b9dcaff695b209c1b88c99165716b9d00ba4ebca446471b5971746596b0d3

Download Submit
C:\Users\Admin\AppData\Roaming\tetrio-desktop\Network\Network Persistent State

Filesize
661B

MD5
d8d687b6c34f88fdcb900eb92437ca8a

SHA1
a1117c78fd64d8f823402aebb2d3ccdf536b90f5

SHA256
29207b252eaac5b8c289eb495b33b99cf8e5f081f74df3db4522ba5b47c63b62

SHA512
a3a136250642febc5bba634b12324535c4e547f18daee4e3f9c0233fbf96a550256a00aa8d822b8e9947384e558039fb13d1a93c4626ccbf9e8fec5c632da869

Download Submit
C:\Users\Admin\AppData\Roaming\tetrio-desktop\Network\Network Persistent State~RFe5842e0.TMP

Filesize
59B

MD5
78bfcecb05ed1904edce3b60cb5c7e62

SHA1
bf77a7461de9d41d12aa88fba056ba758793d9ce

SHA256
c257f929cff0e4380bf08d9f36f310753f7b1ccb5cb2ab811b52760dd8cb9572

SHA512
2420dff6eb853f5e1856cdab99561a896ea0743fcff3e04b37cb87eddf063770608a30c6ffb0319e5d353b0132c5f8135b7082488e425666b2c22b753a6a4d73

Download Submit
C:\Users\Admin\AppData\Roaming\tetrio-desktop\Network\TransportSecurity

Filesize
355B

MD5
55bb4f69677274ecb034bd616cbb323d

SHA1
3b7e562cc5d493eedec37dc542c6080e77378110

SHA256
d0cb4df1fdec8bdda4eade61a92365b8c437d7b5559e3d52b0e08bb4a3ee4622

SHA512
00ec1254cc47f607a4f786df00e95921ca1bbc5bcb61b5794035efb9164f7bcd0ecdff609ad29ab53a4372478f3b5972eedd93b9c1d5170edf676750f327553e

Download Submit
C:\Users\Admin\AppData\Roaming\tetrio-desktop\Network\TransportSecurity

Filesize
355B

MD5
1428ed096ab3441957f2334b452a849e

SHA1
a5e2768429dc1fab7d3ed522c2da6a20f32ab4eb

SHA256
3074bae9495adbfaac6151cd45255e675485ed3291c46b21b468b601f7d1f9e3

SHA512
949d98eaf10bfe21e9eaa86f171c7bd63c58324c4b67c097ee8d87b29427daafd4d89d148e663c31f2dae67842662c6fd6d904b8ae98dcea7452380e399a1362

Download Submit
C:\Users\Admin\AppData\Roaming\tetrio-desktop\Network\TransportSecurity

Filesize
355B

MD5
d54a54925e7c075e935d0f9f232ec09b

SHA1
ab655366388881a3dc614446ec1df6f30e18d508

SHA256
f51e1fe01b5b92a65cf01cb074e69dd96140386b2bc5cff5c622b27b076bf4cc

SHA512
dbbb29828342a5d8072bbc0c7cf32072192533c9068ca01621ebda353f52412217d29f9a9baa4cb63934c85ec5e2129de75a9533abfc7369a9af6e86b7d297ae

Download Submit
C:\Users\Admin\AppData\Roaming\tetrio-desktop\Network\TransportSecurity

Filesize
355B

MD5
ad6f7a3ac1feb36e13915bca6580d05b

SHA1
4e8c9b7bd7e9d5e44895d1dbd07ba3aae10d2cd5

SHA256
03308866695e634727aed92bd3379ec6c5fee62e5581f1be125991cd82aac4e8

SHA512
6dc20405e586b000f290e59d8c1e65d79aedcfe21eadc69d535e2ced6731c83068af456a179ae75778322d41bbf9da24063486a3c46ee295591f8912ad3570e3

Download Submit
C:\Users\Admin\AppData\Roaming\tetrio-desktop\Network\TransportSecurity

Filesize
355B

MD5
57b9d4ea2549f7d90106461a3ca560a3

SHA1
46e649fd3dc896d308ddcda7b2ef0c307b67d59d

SHA256
a759514a50c04bd1c9f9b7520d55d4aa63fdf8886acc669c29ae6557e8d193e4

SHA512
0fafb4085dcce4975885636426c0fae2f9837cc5ad18070144466312623e499e7c0a0f024f7f588beae3f1cb8ef2734c0955471f123af9978a386e9271a5b7e7

Download Submit
C:\Users\Admin\AppData\Roaming\tetrio-desktop\Network\TransportSecurity~RFe58561a.TMP

Filesize
355B

MD5
7cc48c811973442ec44a8acbffe4353e

SHA1
6c5379e53d621abf7614f7e2e14ab5b7b1d7ad57

SHA256
3beb7167ca09e91eb5b7902f3491d42a6c960689d4cd5c5b213356c158670517

SHA512
2686a8c8ffd885c605453bf109032f42d309bfdc56be2b37fadeb7296b21eb4640756c1befa8cc177c0deeaad84ec7dfd93ebcc7d5500bd1e9b51da46c61d123

Download Submit
C:\Users\Admin\AppData\Roaming\tetrio-desktop\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
memory/2240-215-0x00000174FB3F0000-0x00000174FB41A000-memory.dmp

Filesize
168KB

Download
memory/2240-216-0x00000174FB3F0000-0x00000174FB414000-memory.dmp

Filesize
144KB

Download
memory/2240-158-0x00000174FB470000-0x00000174FB4E6000-memory.dmp

Filesize
472KB

Download
memory/2240-155-0x00000174FB3A0000-0x00000174FB3E4000-memory.dmp

Filesize
272KB

Download
memory/3584-375-0x000002B1DDC10000-0x000002B1DDC11000-memory.dmp

Filesize
4KB

Download
memory/3584-365-0x000002B1DDC10000-0x000002B1DDC11000-memory.dmp

Filesize
4KB

Download
memory/3584-374-0x000002B1DDC10000-0x000002B1DDC11000-memory.dmp

Filesize
4KB

Download
memory/3584-373-0x000002B1DDC10000-0x000002B1DDC11000-memory.dmp

Filesize
4KB

Download
memory/3584-372-0x000002B1DDC10000-0x000002B1DDC11000-memory.dmp

Filesize
4KB

Download
memory/3584-371-0x000002B1DDC10000-0x000002B1DDC11000-memory.dmp

Filesize
4KB

Download
memory/3584-370-0x000002B1DDC10000-0x000002B1DDC11000-memory.dmp

Filesize
4KB

Download
memory/3728-43-0x00007FFABD820000-0x00007FFABD821000-memory.dmp

Filesize
4KB

Download
memory/3728-44-0x00007FFABD660000-0x00007FFABD661000-memory.dmp

Filesize
4KB

Download
memory/3880-75-0x000001DD76200000-0x000001DD76222000-memory.dmp

Filesize
136KB

Download