orcus | cc7dc07df5e85f948998b1d711b7ea362e529799b2f47d35f256ccd901ab3af9

Analysis

max time kernel
150s
max time network
150s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
19-10-2022 06:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc7dc07df5e85f948998b1d711b7ea362e529799b2f47d35f256ccd901ab3af9.exe
Size

260KB
MD5

2c7eeef34a1b35c0b025c43c7233f453
SHA1

82e361e77aaf426fcc8d18a46391ce2bf064f493
SHA256

cc7dc07df5e85f948998b1d711b7ea362e529799b2f47d35f256ccd901ab3af9
SHA512

50178b34dadedcd370d031b668906ed3016fd79706b87fd665cfdab942a487625d552629d7ec97a300b63b012a412226b0c128a88e96a17f6189896cb2473010
SSDEEP

6144:8ea7tvhFs3Huy3Pu2eAHNabHtqY+dpEnPM43:67FPeOy3Pu8hNdpEk4

Score

10^/10

orcus plaguebot quasar skynet botnet evasion persistence rat spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

SKYNET

173.225.115.99:7702

Mutex

938cda17-a814-4925-8420-83a35a350164

Attributes

encryption_key
F04A75E6507173FAEEC2BB82C564030A5E8413FF
install_name
FileHistory.exe
log_directory
Logs
reconnect_delay
4000
startup_key
FileHistory
subdirectory
FileHistory

Extracted

Family

orcus

146.70.143.176:81

Mutex

712d31c7a3f54904a08d968a15b836e9

Attributes

autostart_method
Registry
enable_keylogger
false
install_path
%programfiles%\orc\orc.exe
reconnect_delay
10000
registry_keyname
orc
taskscheduler_taskname
orc
watchdog_path
AppData\Watchdog.exe

Signatures

Contains code to disable Windows Defender 3 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\sqls982.exe	disable_win_def
C:\Users\Admin\AppData\Local\Temp\sqls982.exe	disable_win_def
behavioral1/memory/2416-274-0x0000000000710000-0x000000000071A000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

sqls982.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	sqls982.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	sqls982.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	sqls982.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	sqls982.exe

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

sqls982.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	sqls982.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinDefend\Start = "4"	sqls982.exe

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\orc.exe	family_orcus
C:\Users\Admin\AppData\Local\Temp\orc.exe	family_orcus
C:\Program Files\orc\orc.exe	family_orcus
C:\Program Files\orc\orc.exe	family_orcus

PlagueBot
PlagueBot is an open source Bot written in Pascal.
botnet plaguebot
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IU3AFV9G\FileHistory[1].exe	family_quasar
C:\Users\Admin\AppData\Local\Temp\FileHistory.exe	family_quasar
C:\Users\Admin\AppData\Local\Temp\FileHistory.exe	family_quasar
behavioral1/memory/2300-279-0x0000000000420000-0x00000000006EA000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\FileHistory\FileHistory.exe	family_quasar
C:\Users\Admin\AppData\Roaming\FileHistory\FileHistory.exe	family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

cc7dc07df5e85f948998b1d711b7ea362e529799b2f47d35f256ccd901ab3af9.exe

description pid process target process

PID 2208 created 2312 2208 cc7dc07df5e85f948998b1d711b7ea362e529799b2f47d35f256ccd901ab3af9.exe Explorer.EXE

description	pid	process	target process
PID 2208 created 2312	2208	cc7dc07df5e85f948998b1d711b7ea362e529799b2f47d35f256ccd901ab3af9.exe	Explorer.EXE

Orcurs Rat Executable 5 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\orc.exe	orcus
C:\Users\Admin\AppData\Local\Temp\orc.exe	orcus
C:\Program Files\orc\orc.exe	orcus
behavioral1/memory/4604-483-0x0000000000880000-0x000000000096A000-memory.dmp	orcus
C:\Program Files\orc\orc.exe	orcus

PlagueBot Executable 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\plage.exe	plaguebot
C:\Users\Admin\Downloads\plage.exe	plaguebot

Downloads MZ/PE file

Executes dropped EXE 20 IoCs

Processes:

joined.exesqls982.exenitrsso64.exeFileHistory.exeorc.exeplage.exeFileHistory.exeWindowsInput.exeWindowsInput.exeblmkgrp.exeblmkgrp.exeorc.exewinmgr.exeWatchdog.exeWatchdog.exeorc.exewinmgr.exenitrsso64.exewinmgr.exenitrsso64.exe

pid	process
4916	joined.exe
2416	sqls982.exe
3188	nitrsso64.exe
2300	FileHistory.exe
4232	orc.exe
4208	plage.exe
3192	FileHistory.exe
5044	WindowsInput.exe
4132	WindowsInput.exe
4584	blmkgrp.exe
3584	blmkgrp.exe
4604	orc.exe
4652	winmgr.exe
2096	Watchdog.exe
2760	Watchdog.exe
1492	orc.exe
3320	winmgr.exe
4816	nitrsso64.exe
1864	winmgr.exe
940	nitrsso64.exe

Loads dropped DLL 18 IoCs

Processes:

blmkgrp.exe

pid	process
3584	blmkgrp.exe
3584	blmkgrp.exe
3584	blmkgrp.exe
3584	blmkgrp.exe
3584	blmkgrp.exe
3584	blmkgrp.exe
3584	blmkgrp.exe
3584	blmkgrp.exe
3584	blmkgrp.exe
3584	blmkgrp.exe
3584	blmkgrp.exe
3584	blmkgrp.exe
3584	blmkgrp.exe
3584	blmkgrp.exe
3584	blmkgrp.exe
3584	blmkgrp.exe
3584	blmkgrp.exe
3584	blmkgrp.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

sqls982.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	sqls982.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	sqls982.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

orc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\orc = "\"C:\\Program Files\\orc\\orc.exe\""	orc.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

orc.exe

description ioc process

File created C:\Windows\assembly\Desktop.ini orc.exe
File opened for modification C:\Windows\assembly\Desktop.ini orc.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	orc.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	orc.exe

Drops file in System32 directory 3 IoCs

Processes:

orc.exeWindowsInput.exe

description	ioc	process
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	orc.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe	orc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

cc7dc07df5e85f948998b1d711b7ea362e529799b2f47d35f256ccd901ab3af9.exe

description	pid	process	target process
PID 2208 set thread context of 5068	2208	cc7dc07df5e85f948998b1d711b7ea362e529799b2f47d35f256ccd901ab3af9.exe	cc7dc07df5e85f948998b1d711b7ea362e529799b2f47d35f256ccd901ab3af9.exe

Drops file in Program Files directory 3 IoCs

Processes:

orc.exe

description	ioc	process
File created	C:\Program Files\orc\orc.exe	orc.exe
File opened for modification	C:\Program Files\orc\orc.exe	orc.exe
File created	C:\Program Files\orc\orc.exe.config	orc.exe

Drops file in Windows directory 3 IoCs

Processes:

orc.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	orc.exe
File created	C:\Windows\assembly\Desktop.ini	orc.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	orc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4016 schtasks.exe
2196 schtasks.exe
2756 schtasks.exe
3652 schtasks.exe
4712 schtasks.exe

pid	process
4016	schtasks.exe
2196	schtasks.exe
2756	schtasks.exe
3652	schtasks.exe
4712	schtasks.exe

Modifies registry class 4 IoCs

Processes:

cc7dc07df5e85f948998b1d711b7ea362e529799b2f47d35f256ccd901ab3af9.exeOpenWith.exeOpenWith.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	cc7dc07df5e85f948998b1d711b7ea362e529799b2f47d35f256ccd901ab3af9.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	OpenWith.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exeorc.exeWatchdog.exe

pid	process
1824	powershell.exe
1824	powershell.exe
1824	powershell.exe
3408	powershell.exe
4604	orc.exe
4604	orc.exe
4604	orc.exe
3408	powershell.exe
4604	orc.exe
3408	powershell.exe
4604	orc.exe
2760	Watchdog.exe
2760	Watchdog.exe
2760	Watchdog.exe
4604	orc.exe
2760	Watchdog.exe
4604	orc.exe
2760	Watchdog.exe
4604	orc.exe
2760	Watchdog.exe
4604	orc.exe
2760	Watchdog.exe
4604	orc.exe
2760	Watchdog.exe
4604	orc.exe
2760	Watchdog.exe
4604	orc.exe
2760	Watchdog.exe
4604	orc.exe
2760	Watchdog.exe
4604	orc.exe
2760	Watchdog.exe
4604	orc.exe
2760	Watchdog.exe
4604	orc.exe
2760	Watchdog.exe
4604	orc.exe
2760	Watchdog.exe
4604	orc.exe
2760	Watchdog.exe
4604	orc.exe
2760	Watchdog.exe
4604	orc.exe
2760	Watchdog.exe
4604	orc.exe
2760	Watchdog.exe
4604	orc.exe
2760	Watchdog.exe
4604	orc.exe
2760	Watchdog.exe
4604	orc.exe
2760	Watchdog.exe
4604	orc.exe
2760	Watchdog.exe
4604	orc.exe
2760	Watchdog.exe
4604	orc.exe
2760	Watchdog.exe
4604	orc.exe
2760	Watchdog.exe
4604	orc.exe
2760	Watchdog.exe
4604	orc.exe
2760	Watchdog.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

nitrsso64.exeFileHistory.exeFileHistory.exepowershell.exepowershell.exeWatchdog.exeorc.exeWatchdog.exenitrsso64.exenitrsso64.exe

description	pid	process
Token: SeDebugPrivilege	3188	nitrsso64.exe
Token: SeDebugPrivilege	2300	FileHistory.exe
Token: SeDebugPrivilege	3192	FileHistory.exe
Token: SeDebugPrivilege	1824	powershell.exe
Token: SeDebugPrivilege	3408	powershell.exe
Token: SeDebugPrivilege	2096	Watchdog.exe
Token: SeDebugPrivilege	4604	orc.exe
Token: SeDebugPrivilege	2760	Watchdog.exe
Token: SeIncreaseQuotaPrivilege	3408	powershell.exe
Token: SeSecurityPrivilege	3408	powershell.exe
Token: SeTakeOwnershipPrivilege	3408	powershell.exe
Token: SeLoadDriverPrivilege	3408	powershell.exe
Token: SeSystemProfilePrivilege	3408	powershell.exe
Token: SeSystemtimePrivilege	3408	powershell.exe
Token: SeProfSingleProcessPrivilege	3408	powershell.exe
Token: SeIncBasePriorityPrivilege	3408	powershell.exe
Token: SeCreatePagefilePrivilege	3408	powershell.exe
Token: SeBackupPrivilege	3408	powershell.exe
Token: SeRestorePrivilege	3408	powershell.exe
Token: SeShutdownPrivilege	3408	powershell.exe
Token: SeDebugPrivilege	3408	powershell.exe
Token: SeSystemEnvironmentPrivilege	3408	powershell.exe
Token: SeRemoteShutdownPrivilege	3408	powershell.exe
Token: SeUndockPrivilege	3408	powershell.exe
Token: SeManageVolumePrivilege	3408	powershell.exe
Token: 33	3408	powershell.exe
Token: 34	3408	powershell.exe
Token: 35	3408	powershell.exe
Token: 36	3408	powershell.exe
Token: SeDebugPrivilege	4816	nitrsso64.exe
Token: SeDebugPrivilege	940	nitrsso64.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

nitrsso64.exeOpenWith.exeOpenWith.exeOpenWith.exeFileHistory.exenitrsso64.exe

pid process

3188 nitrsso64.exe
4144 OpenWith.exe
3728 OpenWith.exe
4548 OpenWith.exe
3192 FileHistory.exe
940 nitrsso64.exe

pid	process
3188	nitrsso64.exe
4144	OpenWith.exe
3728	OpenWith.exe
4548	OpenWith.exe
3192	FileHistory.exe
940	nitrsso64.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cc7dc07df5e85f948998b1d711b7ea362e529799b2f47d35f256ccd901ab3af9.exejoined.execc7dc07df5e85f948998b1d711b7ea362e529799b2f47d35f256ccd901ab3af9.exenitrsso64.exesqls982.exeorc.exeFileHistory.exeplage.execsc.exeFileHistory.exeblmkgrp.exeblmkgrp.exeorc.execmd.exenet.exe

description	pid	process	target process
PID 2208 wrote to memory of 4916	2208	cc7dc07df5e85f948998b1d711b7ea362e529799b2f47d35f256ccd901ab3af9.exe	joined.exe
PID 2208 wrote to memory of 4916	2208	cc7dc07df5e85f948998b1d711b7ea362e529799b2f47d35f256ccd901ab3af9.exe	joined.exe
PID 2208 wrote to memory of 5068	2208	cc7dc07df5e85f948998b1d711b7ea362e529799b2f47d35f256ccd901ab3af9.exe	cc7dc07df5e85f948998b1d711b7ea362e529799b2f47d35f256ccd901ab3af9.exe
PID 2208 wrote to memory of 5068	2208	cc7dc07df5e85f948998b1d711b7ea362e529799b2f47d35f256ccd901ab3af9.exe	cc7dc07df5e85f948998b1d711b7ea362e529799b2f47d35f256ccd901ab3af9.exe
PID 2208 wrote to memory of 5068	2208	cc7dc07df5e85f948998b1d711b7ea362e529799b2f47d35f256ccd901ab3af9.exe	cc7dc07df5e85f948998b1d711b7ea362e529799b2f47d35f256ccd901ab3af9.exe
PID 2208 wrote to memory of 5068	2208	cc7dc07df5e85f948998b1d711b7ea362e529799b2f47d35f256ccd901ab3af9.exe	cc7dc07df5e85f948998b1d711b7ea362e529799b2f47d35f256ccd901ab3af9.exe
PID 2208 wrote to memory of 5068	2208	cc7dc07df5e85f948998b1d711b7ea362e529799b2f47d35f256ccd901ab3af9.exe	cc7dc07df5e85f948998b1d711b7ea362e529799b2f47d35f256ccd901ab3af9.exe
PID 2208 wrote to memory of 5068	2208	cc7dc07df5e85f948998b1d711b7ea362e529799b2f47d35f256ccd901ab3af9.exe	cc7dc07df5e85f948998b1d711b7ea362e529799b2f47d35f256ccd901ab3af9.exe
PID 2208 wrote to memory of 5068	2208	cc7dc07df5e85f948998b1d711b7ea362e529799b2f47d35f256ccd901ab3af9.exe	cc7dc07df5e85f948998b1d711b7ea362e529799b2f47d35f256ccd901ab3af9.exe
PID 2208 wrote to memory of 5068	2208	cc7dc07df5e85f948998b1d711b7ea362e529799b2f47d35f256ccd901ab3af9.exe	cc7dc07df5e85f948998b1d711b7ea362e529799b2f47d35f256ccd901ab3af9.exe
PID 4916 wrote to memory of 2416	4916	joined.exe	sqls982.exe
PID 4916 wrote to memory of 2416	4916	joined.exe	sqls982.exe
PID 4916 wrote to memory of 2416	4916	joined.exe	sqls982.exe
PID 5068 wrote to memory of 3188	5068	cc7dc07df5e85f948998b1d711b7ea362e529799b2f47d35f256ccd901ab3af9.exe	nitrsso64.exe
PID 5068 wrote to memory of 3188	5068	cc7dc07df5e85f948998b1d711b7ea362e529799b2f47d35f256ccd901ab3af9.exe	nitrsso64.exe
PID 5068 wrote to memory of 2300	5068	cc7dc07df5e85f948998b1d711b7ea362e529799b2f47d35f256ccd901ab3af9.exe	FileHistory.exe
PID 5068 wrote to memory of 2300	5068	cc7dc07df5e85f948998b1d711b7ea362e529799b2f47d35f256ccd901ab3af9.exe	FileHistory.exe
PID 5068 wrote to memory of 4232	5068	cc7dc07df5e85f948998b1d711b7ea362e529799b2f47d35f256ccd901ab3af9.exe	orc.exe
PID 5068 wrote to memory of 4232	5068	cc7dc07df5e85f948998b1d711b7ea362e529799b2f47d35f256ccd901ab3af9.exe	orc.exe
PID 3188 wrote to memory of 4016	3188	nitrsso64.exe	schtasks.exe
PID 3188 wrote to memory of 4016	3188	nitrsso64.exe	schtasks.exe
PID 2416 wrote to memory of 1824	2416	sqls982.exe	powershell.exe
PID 2416 wrote to memory of 1824	2416	sqls982.exe	powershell.exe
PID 2416 wrote to memory of 1824	2416	sqls982.exe	powershell.exe
PID 5068 wrote to memory of 4208	5068	cc7dc07df5e85f948998b1d711b7ea362e529799b2f47d35f256ccd901ab3af9.exe	plage.exe
PID 5068 wrote to memory of 4208	5068	cc7dc07df5e85f948998b1d711b7ea362e529799b2f47d35f256ccd901ab3af9.exe	plage.exe
PID 5068 wrote to memory of 4208	5068	cc7dc07df5e85f948998b1d711b7ea362e529799b2f47d35f256ccd901ab3af9.exe	plage.exe
PID 4232 wrote to memory of 4280	4232	orc.exe	csc.exe
PID 4232 wrote to memory of 4280	4232	orc.exe	csc.exe
PID 2300 wrote to memory of 2196	2300	FileHistory.exe	schtasks.exe
PID 2300 wrote to memory of 2196	2300	FileHistory.exe	schtasks.exe
PID 4208 wrote to memory of 2756	4208	plage.exe	cmd.exe
PID 4208 wrote to memory of 2756	4208	plage.exe	cmd.exe
PID 4208 wrote to memory of 2756	4208	plage.exe	cmd.exe
PID 2300 wrote to memory of 3192	2300	FileHistory.exe	FileHistory.exe
PID 2300 wrote to memory of 3192	2300	FileHistory.exe	FileHistory.exe
PID 4280 wrote to memory of 1500	4280	csc.exe	cvtres.exe
PID 4280 wrote to memory of 1500	4280	csc.exe	cvtres.exe
PID 4208 wrote to memory of 5036	4208	plage.exe	schtasks.exe
PID 4208 wrote to memory of 5036	4208	plage.exe	schtasks.exe
PID 4208 wrote to memory of 5036	4208	plage.exe	schtasks.exe
PID 4232 wrote to memory of 5044	4232	orc.exe	WindowsInput.exe
PID 4232 wrote to memory of 5044	4232	orc.exe	WindowsInput.exe
PID 3192 wrote to memory of 3652	3192	FileHistory.exe	schtasks.exe
PID 3192 wrote to memory of 3652	3192	FileHistory.exe	schtasks.exe
PID 5068 wrote to memory of 4584	5068	cc7dc07df5e85f948998b1d711b7ea362e529799b2f47d35f256ccd901ab3af9.exe	blmkgrp.exe
PID 5068 wrote to memory of 4584	5068	cc7dc07df5e85f948998b1d711b7ea362e529799b2f47d35f256ccd901ab3af9.exe	blmkgrp.exe
PID 4584 wrote to memory of 3584	4584	blmkgrp.exe	blmkgrp.exe
PID 4584 wrote to memory of 3584	4584	blmkgrp.exe	blmkgrp.exe
PID 4232 wrote to memory of 4604	4232	orc.exe	orc.exe
PID 4232 wrote to memory of 4604	4232	orc.exe	orc.exe
PID 4208 wrote to memory of 4652	4208	plage.exe	winmgr.exe
PID 4208 wrote to memory of 4652	4208	plage.exe	winmgr.exe
PID 4208 wrote to memory of 4652	4208	plage.exe	winmgr.exe
PID 3584 wrote to memory of 968	3584	blmkgrp.exe	cmd.exe
PID 3584 wrote to memory of 968	3584	blmkgrp.exe	cmd.exe
PID 4604 wrote to memory of 2096	4604	orc.exe	Watchdog.exe
PID 4604 wrote to memory of 2096	4604	orc.exe	Watchdog.exe
PID 4604 wrote to memory of 2096	4604	orc.exe	Watchdog.exe
PID 968 wrote to memory of 4380	968	cmd.exe	net.exe
PID 968 wrote to memory of 4380	968	cmd.exe	net.exe
PID 4380 wrote to memory of 904	4380	net.exe	net1.exe
PID 4380 wrote to memory of 904	4380	net.exe	net1.exe
PID 3584 wrote to memory of 2756	3584	blmkgrp.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2312

C:\Users\Admin\AppData\Local\Temp\cc7dc07df5e85f948998b1d711b7ea362e529799b2f47d35f256ccd901ab3af9.exe
"C:\Users\Admin\AppData\Local\Temp\cc7dc07df5e85f948998b1d711b7ea362e529799b2f47d35f256ccd901ab3af9.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2208

C:\Users\Admin\AppData\Local\Temp\joined.exe
"C:\Users\Admin\AppData\Local\Temp\joined.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4916

C:\Users\Admin\AppData\Local\Temp\sqls982.exe
"C:\Users\Admin\AppData\Local\Temp\sqls982.exe"
4⤵
- Modifies Windows Defender Real-time Protection settings
- Modifies security service
- Executes dropped EXE
- Windows security modification
- Suspicious use of WriteProcessMemory
PID:2416

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\sqls982.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:4712

C:\Users\Admin\AppData\Local\Temp\cc7dc07df5e85f948998b1d711b7ea362e529799b2f47d35f256ccd901ab3af9.exe
"C:\Users\Admin\AppData\Local\Temp\cc7dc07df5e85f948998b1d711b7ea362e529799b2f47d35f256ccd901ab3af9.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:5068

C:\Users\Admin\AppData\Local\Temp\nitrsso64.exe
"C:\Users\Admin\AppData\Local\Temp\nitrsso64.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3188

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "nitro64" /tr "C:\Users\Admin\AppData\Local\nitrsso64.exe"
4⤵
- Creates scheduled task(s)
PID:4016

C:\Users\Admin\AppData\Local\Temp\FileHistory.exe
"C:\Users\Admin\AppData\Local\Temp\FileHistory.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2300

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "FileHistory" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\FileHistory.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:2196

C:\Users\Admin\AppData\Roaming\FileHistory\FileHistory.exe
"C:\Users\Admin\AppData\Roaming\FileHistory\FileHistory.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3192

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "FileHistory" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\FileHistory\FileHistory.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:3652

C:\Users\Admin\AppData\Local\Temp\orc.exe
"C:\Users\Admin\AppData\Local\Temp\orc.exe"
3⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4232

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sfdogazb.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:4280

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFB9C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCFB9B.tmp"
5⤵
PID:1500

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe" --install
4⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5044

C:\Program Files\orc\orc.exe
"C:\Program Files\orc\orc.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4604

C:\Users\Admin\AppData\Roaming\Watchdog.exe
"C:\Users\Admin\AppData\Roaming\Watchdog.exe" /launchSelfAndExit "C:\Program Files\orc\orc.exe" 4604 /protectFile
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2096

C:\Users\Admin\AppData\Roaming\Watchdog.exe
"C:\Users\Admin\AppData\Roaming\Watchdog.exe" /watchProcess "C:\Program Files\orc\orc.exe" 4604 "/protectFile"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Users\Admin\Downloads\plage.exe
"C:\Users\Admin\Downloads\plage.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4208

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /TN "WinManager" /XML "C:\Users\Admin\AppData\Local\Temp\NewTask.xml"
4⤵
- Creates scheduled task(s)
PID:2756

C:\Windows\SysWOW64\schtasks.exe
schtasks /Query /FO "LIST" /TN "WinManager"
4⤵
PID:5036

C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe
"C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe" /wait
4⤵
- Executes dropped EXE
PID:4652

C:\Users\Admin\AppData\Local\Temp\blmkgrp.exe
"C:\Users\Admin\AppData\Local\Temp\blmkgrp.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4584

C:\Users\Admin\AppData\Local\Temp\blmkgrp.exe
"C:\Users\Admin\AppData\Local\Temp\blmkgrp.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "net session"
5⤵
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\system32\net.exe
net session
6⤵
- Suspicious use of WriteProcessMemory
PID:4380

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
7⤵
PID:904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableRealtimeMonitoring $true && netsh Advfirewall set allprofiles state off"
5⤵
PID:2756

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3408

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4144

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3728

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4548

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:4132

C:\Program Files\orc\orc.exe
"C:\Program Files\orc\orc.exe"
1⤵
- Executes dropped EXE
PID:1492

C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe
C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe
1⤵
- Executes dropped EXE
PID:3320

C:\Users\Admin\AppData\Local\nitrsso64.exe
C:\Users\Admin\AppData\Local\nitrsso64.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4816

C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe
C:\Users\Admin\AppData\Roaming\discordnitro\winmgr.exe
1⤵
- Executes dropped EXE
PID:1864

C:\Users\Admin\AppData\Local\nitrsso64.exe
C:\Users\Admin\AppData\Local\nitrsso64.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:940

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\orc\orc.exe
Filesize
916KB

MD5
ac0431f34683bcbbb2cf23aaf29ea8cf

SHA1
275ec0e362cb074d5f080aaa41c25a8ecebe3205

SHA256
1780430ff5ad71b8c89b9c59d2924b16cb7fd07da479b8b394846c792f7523cb

SHA512
156da3158d29d293daf9a74cf04d855ec162836fef87473afcc861688630f2da01234e1f40a4f84235ba457c0a6ae1770c3cc55fb0375cbea6813d0186a87b9c

Download Submit
C:\Program Files\orc\orc.exe
Filesize
916KB

MD5
ac0431f34683bcbbb2cf23aaf29ea8cf

SHA1
275ec0e362cb074d5f080aaa41c25a8ecebe3205

SHA256
1780430ff5ad71b8c89b9c59d2924b16cb7fd07da479b8b394846c792f7523cb

SHA512
156da3158d29d293daf9a74cf04d855ec162836fef87473afcc861688630f2da01234e1f40a4f84235ba457c0a6ae1770c3cc55fb0375cbea6813d0186a87b9c

Download Submit
C:\Program Files\orc\orc.exe.config
Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\FileHistory.exe.log
Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IU3AFV9G\FileHistory[1].exe
Filesize
2.8MB

MD5
a73e083297e46d8e23f012d66a08f3a3

SHA1
83527df5a484494894ad2c71908a170a115751af

SHA256
0ef4667fb2bd5b2184048913181bd7b03bf63d0e7959214b879efa4d6b75ad5d

SHA512
78c2231eb48ed1f246b960b1afbd2b6b1c9b99495b2a1e8b45ea1aa90a21fbd23fd10223dbc7eba9aa057b5932290e20cdcfe2df583b1a93d2cea2bf350495f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TTLSM8KG\nitro64[1].exe
Filesize
54KB

MD5
ebd7887003feaad033856253c14de51c

SHA1
1ef092f6c79df2e57c8a49469e4b44815d384948

SHA256
faca607d5b505b97923a02c6a7b92517aaa6523d611126609663b0deaf23a315

SHA512
969b45cad215ce2632e044b0d5712a7dfdd1c43083477fc1277a981d3771d2738e0972dc81c82cc8fb198c345b5afa235c306ffb85b8c5f493482fc70d8d929a

Download Submit
C:\Users\Admin\AppData\Local\Temp\FileHistory.exe
Filesize
2.8MB

MD5
a73e083297e46d8e23f012d66a08f3a3

SHA1
83527df5a484494894ad2c71908a170a115751af

SHA256
0ef4667fb2bd5b2184048913181bd7b03bf63d0e7959214b879efa4d6b75ad5d

SHA512
78c2231eb48ed1f246b960b1afbd2b6b1c9b99495b2a1e8b45ea1aa90a21fbd23fd10223dbc7eba9aa057b5932290e20cdcfe2df583b1a93d2cea2bf350495f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\FileHistory.exe
Filesize
2.8MB

MD5
a73e083297e46d8e23f012d66a08f3a3

SHA1
83527df5a484494894ad2c71908a170a115751af

SHA256
0ef4667fb2bd5b2184048913181bd7b03bf63d0e7959214b879efa4d6b75ad5d

SHA512
78c2231eb48ed1f246b960b1afbd2b6b1c9b99495b2a1e8b45ea1aa90a21fbd23fd10223dbc7eba9aa057b5932290e20cdcfe2df583b1a93d2cea2bf350495f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\NewTask.xml
Filesize
1KB

MD5
38cdf45eebc00d28c5f53e6b7650ff2d

SHA1
cb956d5fe11543c8a59e863806fdc3a477e39e30

SHA256
b77b31701f46cb65811ffdd623834e98bd40482ef8ed2e09e2e4caf2135cd4ce

SHA512
3411f111ae838e849df8008ea0ba080b9d5615866a4cbfa184130912c711899f9cd860bde0de94aadfe0c68885da477d7a1f876cd391e4dbf72c3b001961f80d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFB9C.tmp
Filesize
1KB

MD5
06064d268535fe8c1ed7f06ddb19a160

SHA1
b5a65b9f74e8e4ffd08f9b942d914a6bb1fa995f

SHA256
b09dafd1db865be826afeaa83f19d94fe36bc71f96370058a8aa734ecd080b0d

SHA512
878166069afb194e2a5eea4762d156e87226727aedf5c883b158579a4981c2a4127dfed219b118a16804f7929094c2ceec4403e860265957bf2a68b02fbb4083

Download Submit
C:\Users\Admin\AppData\Local\Temp\blmkgrp.exe
Filesize
7.6MB

MD5
cb565c1afd8469f43dd6917af55b733f

SHA1
e71a56a7b13536d686ab9f4f2492d60c02a7790e

SHA256
4a6b790629a17abb31de40da6a9faafdedbbc794f3e23816776621a83b068056

SHA512
d4ae535bdc800581c0fbcd186edd9d03067c08280376f06ec2e96e3118eb682663de260be6e756a85c4f6240fa9ba2c1ab265b54a56b57865b273af68d650645

Download Submit
C:\Users\Admin\AppData\Local\Temp\blmkgrp.exe
Filesize
7.6MB

MD5
cb565c1afd8469f43dd6917af55b733f

SHA1
e71a56a7b13536d686ab9f4f2492d60c02a7790e

SHA256
4a6b790629a17abb31de40da6a9faafdedbbc794f3e23816776621a83b068056

SHA512
d4ae535bdc800581c0fbcd186edd9d03067c08280376f06ec2e96e3118eb682663de260be6e756a85c4f6240fa9ba2c1ab265b54a56b57865b273af68d650645

Download Submit
C:\Users\Admin\AppData\Local\Temp\blmkgrp.exe
Filesize
7.6MB

MD5
cb565c1afd8469f43dd6917af55b733f

SHA1
e71a56a7b13536d686ab9f4f2492d60c02a7790e

SHA256
4a6b790629a17abb31de40da6a9faafdedbbc794f3e23816776621a83b068056

SHA512
d4ae535bdc800581c0fbcd186edd9d03067c08280376f06ec2e96e3118eb682663de260be6e756a85c4f6240fa9ba2c1ab265b54a56b57865b273af68d650645

Download Submit
C:\Users\Admin\AppData\Local\Temp\github.com_Blank-c_45842\MSVCP140.dll
Filesize
553KB

MD5
6da7f4530edb350cf9d967d969ccecf8

SHA1
3e2681ea91f60a7a9ef2407399d13c1ca6aa71e9

SHA256
9fee6f36547d6f6ea7ca0338655555dba6bb0f798bc60334d29b94d1547da4da

SHA512
1f77f900215a4966f7f4e5d23b4aaad203136cb8561f4e36f03f13659fe1ff4b81caa75fef557c890e108f28f0484ad2baa825559114c0daa588cf1de6c1afab

Download Submit
C:\Users\Admin\AppData\Local\Temp\github.com_Blank-c_45842\PIL\_imaging.cp310-win_amd64.pyd
Filesize
955KB

MD5
f4f2116ea9397fecf3c02a43706ee6e7

SHA1
f31b77b893f1bce048e48b93f493b1eb729b6ad0

SHA256
4a0af9cf2265ec7799e02870f8eec6a01bc796a45d786b34c8b980014c4a1c69

SHA512
04d96cac6c2d2c03d83d3e5513850b08151387303708373c22faa2410404c2145dac1118539145bb1f2f2ad90e458c7af257ef89d1ec683bca91b4575814f365

Download Submit
C:\Users\Admin\AppData\Local\Temp\github.com_Blank-c_45842\VCRUNTIME140.dll
Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\github.com_Blank-c_45842\VCRUNTIME140_1.dll
Filesize
36KB

MD5
135359d350f72ad4bf716b764d39e749

SHA1
2e59d9bbcce356f0fece56c9c4917a5cacec63d7

SHA256
34048abaa070ecc13b318cea31425f4ca3edd133d350318ac65259e6058c8b32

SHA512
cf23513d63ab2192c78cae98bd3fea67d933212b630be111fa7e03be3e92af38e247eb2d3804437fd0fda70fdc87916cd24cf1d3911e9f3bfb2cc4ab72b459ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\github.com_Blank-c_45842\_bz2.pyd
Filesize
47KB

MD5
bf3679866df99540937628081af5537d

SHA1
bdbbd56b0fe20d3746aed33d89b4caeb08fc0a1f

SHA256
d0dd970620243dd87ae77db8a631a389b2cbeee216c7bee2b3425469a315618b

SHA512
34955168113c87750b91f4b794bed257b2215485b3abafb8b459b58599a3fc5381487a7f5157358336e7626501762765443b91ec117b949e7da91a3f9e56f682

Download Submit
C:\Users\Admin\AppData\Local\Temp\github.com_Blank-c_45842\_hashlib.pyd
Filesize
33KB

MD5
05b06b9fdcf074e10f67e105588d713c

SHA1
0993bc372eb6b517bde9919d5f5a0bb9891945c5

SHA256
0d9d24dc4886321d68491db93921415c06871dc34de2ed91031de6fa369a1d93

SHA512
617752b8420e87b5ce3070238e18b24c9d4a2a7144a0070efbb068efc1ef98e0d8df15776fb644de57b554f89f887f96b6e7b09dda9278d3d32a0e81d5f1fa24

Download Submit
C:\Users\Admin\AppData\Local\Temp\github.com_Blank-c_45842\_lzma.pyd
Filesize
84KB

MD5
89c7f76c784854d62a8e516137d43607

SHA1
1dad4da521cd2ad1470aaa3a51aa4c004e77181e

SHA256
4612008b686994ab7bd4f384f6566a3a853d9a1c8935bfaa07eb595fdebd01a1

SHA512
bb83ac17a114665101446188279e7689e9661e18c5596c3a2e9625b72aeb748149db36bf96423c85f7ee448fd3ffeeeab6102ca7522ed1c4e3318d9c3bfc46e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\github.com_Blank-c_45842\_queue.pyd
Filesize
24KB

MD5
5aafc702d526cd407a1c806a9e84f84a

SHA1
96ace17b3355dbfb9e81a913e058b2c815279e3f

SHA256
16b07e2496bd084845a2b41b6d98786a16c796a9eaba2f90046ec44be9338d78

SHA512
b610dd56d05b534ee1de45e1a0af66aba3076f5f9977622548ecbdd87d7c95fa562c4ad37cbf1e6ccae0e8dec2d0ea9f9b9c725f6d053ea388fe65e1c038c4d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\github.com_Blank-c_45842\_socket.pyd
Filesize
41KB

MD5
10bddaab060fe231dd96b1c3859367a6

SHA1
44ae0c7f505158a044e9dfbd2283d8bb54d9a8ac

SHA256
d1eaea0b871e2b97a30a7ef7aefbe30c6d658598a994d707aedd7d59ee880e02

SHA512
acb03d9e2729b8643b4e14fb29c5e044ad55f342688b4203beb27420abd454ed4534eba14300b3db624e56921b787a76b787e91888a5257e133962878968d65d

Download Submit
C:\Users\Admin\AppData\Local\Temp\github.com_Blank-c_45842\_ssl.pyd
Filesize
60KB

MD5
b1e9214217b06262bfc0e55247b5adc7

SHA1
4070a35c41e0e59216931bc06e94a8f2b5fd84fd

SHA256
34fd7be67093600009c73e010eef81dac32f1c560708a34b8cca382d94f759b2

SHA512
73463229ca3c3d137d24a7edff1601faf9a39ee15a5abb0b214dca2fb04ba9f9847b4e99ce19d9431feab0748fcc5671a5558ebaa4f4d950c17d7a9784c02ffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\github.com_Blank-c_45842\base_library.zip
Filesize
812KB

MD5
22ae93d5665578cdbed09bfa02c63648

SHA1
fa32b9dcfad5cacee03582e18762e6fc0f949875

SHA256
53afa83b6c48e7d641839c0967c5123dd2702d57c5c1dca9cf2850a94b12dd71

SHA512
8276c5f9d78bcd6be6f294279ab8d7dbe74407b7e13b9eb6076e54fa9619ad8057bf924c73fbb7b85f26a0faea532b239978d8f697cc3299aa0c881b31964415

Download Submit
C:\Users\Admin\AppData\Local\Temp\github.com_Blank-c_45842\libcrypto-1_1.dll
Filesize
1.1MB

MD5
730ffd5fc87b96950c61d6f16c1d888a

SHA1
596802d785321bd9af39b083c10fc94ef18eef4e

SHA256
d3357cc31e9fda8afe230f49a35d61791c9e420b417e9929aac16d79c2a02b41

SHA512
5ca793e38e7023269deea9c54b15afca689fa85bd5e8e12903e36108b385270cde2f0c4801c2a360b88c7ce4a63234a3927f2e27d369e7c5cc5cc351184f191b

Download Submit
C:\Users\Admin\AppData\Local\Temp\github.com_Blank-c_45842\libssl-1_1.dll
Filesize
203KB

MD5
c222c1d04c4ccac9fe48408000b2a86e

SHA1
e71344c9f1f8c0441c8757df4f72af9354c122a1

SHA256
4f64cebd3d99810518e8f6fe2762bb11f1ea54c8128dd77d99f2a3fbcdc5d253

SHA512
a57333303c759be965d7c4b3fcd8f76f569eec5bb8d46071f122be28e21c8f302ad52c563f6260e671dc69eb7478b7817f0f08a3b2986fdff645f1dba55a402d

Download Submit
C:\Users\Admin\AppData\Local\Temp\github.com_Blank-c_45842\python310.dll
Filesize
1.5MB

MD5
e06ce8146da66871aa8aeedc950fd12b

SHA1
6ee749bdd0bc857a41ac8018c5553e895784b961

SHA256
aabd51782e4edb80561dd2ff065079a8381c7c86a6db1c6884bc09c73cde07a4

SHA512
0d8c16832d5242595eff4993a1563de09f1eba988ca6e9bcd9afdb0891a164ea2972ac9df40f575e8e1021d535c3b807ce025bc15788f08f84c71246d64f1198

Download Submit
C:\Users\Admin\AppData\Local\Temp\github.com_Blank-c_45842\select.pyd
Filesize
24KB

MD5
7bb6ccfeb77e3b3c812271f3c57c7139

SHA1
d60ff5c903ef276823ab294f38295b24c4886e38

SHA256
1c035581c147204882a2ebeb2fee46f95c0cf738b889081bca8250b1739d7aa3

SHA512
b5bf030e08d3ddb1c90b8d236d0c40b485f5a26e34bddcbd23b96b08b142992712584645e9bf621263f6a75979c6bbf90aa7ec14d08248a285caa420f44d9c9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\github.com_Blank-c_45842\tinyaes.cp310-win_amd64.pyd
Filesize
21KB

MD5
5e29122bad14fb002d9e34c7659a8af9

SHA1
c2ac4019339856735f64421debd83d4beaf383e5

SHA256
87869f86ca6696e0daca8dbed3e5e738e79a519f695b058212a0e00567130f75

SHA512
c2c9b2fefeb9d910f1524b7c574000b02e596667a4b69834b962779cf7ff8778e2d3171ca9269cf85c7c4d1c83c14b6db7049041bf85f968da696731e8d5ff1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\joined.exe
Filesize
56KB

MD5
cf96dc2c8aa103b404761701c0e9e38e

SHA1
84c300ec07b1182ee095e9550395e1d5669934ca

SHA256
6dc79af279e0324e3afb2621d812510d47fe29226cf3af1b37beee37fe2cada8

SHA512
2e66127e212f014da3cb2f2e0fd2b969639d3e7ffb18d343e107e0449d889ebc262d96ac7b47ca8b95909790d7175afd509b9e3a1d7f34d5cb0bcb49058a9ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\joined.exe
Filesize
56KB

MD5
cf96dc2c8aa103b404761701c0e9e38e

SHA1
84c300ec07b1182ee095e9550395e1d5669934ca

SHA256
6dc79af279e0324e3afb2621d812510d47fe29226cf3af1b37beee37fe2cada8

SHA512
2e66127e212f014da3cb2f2e0fd2b969639d3e7ffb18d343e107e0449d889ebc262d96ac7b47ca8b95909790d7175afd509b9e3a1d7f34d5cb0bcb49058a9ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nitrsso64.exe
Filesize
54KB

MD5
ebd7887003feaad033856253c14de51c

SHA1
1ef092f6c79df2e57c8a49469e4b44815d384948

SHA256
faca607d5b505b97923a02c6a7b92517aaa6523d611126609663b0deaf23a315

SHA512
969b45cad215ce2632e044b0d5712a7dfdd1c43083477fc1277a981d3771d2738e0972dc81c82cc8fb198c345b5afa235c306ffb85b8c5f493482fc70d8d929a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nitrsso64.exe
Filesize
54KB

MD5
ebd7887003feaad033856253c14de51c

SHA1
1ef092f6c79df2e57c8a49469e4b44815d384948

SHA256
faca607d5b505b97923a02c6a7b92517aaa6523d611126609663b0deaf23a315

SHA512
969b45cad215ce2632e044b0d5712a7dfdd1c43083477fc1277a981d3771d2738e0972dc81c82cc8fb198c345b5afa235c306ffb85b8c5f493482fc70d8d929a

Download Submit
C:\Users\Admin\AppData\Local\Temp\orc.exe
Filesize
916KB

MD5
ac0431f34683bcbbb2cf23aaf29ea8cf

SHA1
275ec0e362cb074d5f080aaa41c25a8ecebe3205

SHA256
1780430ff5ad71b8c89b9c59d2924b16cb7fd07da479b8b394846c792f7523cb

SHA512
156da3158d29d293daf9a74cf04d855ec162836fef87473afcc861688630f2da01234e1f40a4f84235ba457c0a6ae1770c3cc55fb0375cbea6813d0186a87b9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\orc.exe
Filesize
916KB

MD5
ac0431f34683bcbbb2cf23aaf29ea8cf

SHA1
275ec0e362cb074d5f080aaa41c25a8ecebe3205

SHA256
1780430ff5ad71b8c89b9c59d2924b16cb7fd07da479b8b394846c792f7523cb

SHA512
156da3158d29d293daf9a74cf04d855ec162836fef87473afcc861688630f2da01234e1f40a4f84235ba457c0a6ae1770c3cc55fb0375cbea6813d0186a87b9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sfdogazb.dll
Filesize
76KB

MD5
dffb3f613002f9498fcfd9e3e401d600

SHA1
9740c58c781eb32940c80202526c54dd1087afee

SHA256
4e826ca40c5b9f2ccfb157a2c4a5adcf7bee8124567177ccd56349ca90438b20

SHA512
adad0a10eeec78bb1a2ebfc0cee7841f895dab7679812f8ac46ab2c616bd48e36198239830b010d4fee17e4d83dede69f526642c76afa5d71e4709715a9f9c97

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqls982.exe
Filesize
16KB

MD5
d7f2c50640108c104286ef71923c70d7

SHA1
7ccd84daed8ca9572ae3a8c98c38adf753fb8f33

SHA256
53aef6261df3f802393d9196a5c87e69d1e07e2aaff45a606344b91f5801255a

SHA512
eeb34a038920d0ff833f3140afd256dd6a0ea589052223d9bf61135d4557e8302e582782893348a7d40ef07af0c68a3068a052822d244ad65b7365cd0aeea0f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqls982.exe
Filesize
16KB

MD5
d7f2c50640108c104286ef71923c70d7

SHA1
7ccd84daed8ca9572ae3a8c98c38adf753fb8f33

SHA256
53aef6261df3f802393d9196a5c87e69d1e07e2aaff45a606344b91f5801255a

SHA512
eeb34a038920d0ff833f3140afd256dd6a0ea589052223d9bf61135d4557e8302e582782893348a7d40ef07af0c68a3068a052822d244ad65b7365cd0aeea0f0

Download Submit
C:\Users\Admin\AppData\Roaming\FileHistory\FileHistory.exe
Filesize
2.8MB

MD5
a73e083297e46d8e23f012d66a08f3a3

SHA1
83527df5a484494894ad2c71908a170a115751af

SHA256
0ef4667fb2bd5b2184048913181bd7b03bf63d0e7959214b879efa4d6b75ad5d

SHA512
78c2231eb48ed1f246b960b1afbd2b6b1c9b99495b2a1e8b45ea1aa90a21fbd23fd10223dbc7eba9aa057b5932290e20cdcfe2df583b1a93d2cea2bf350495f2

Download Submit
C:\Users\Admin\AppData\Roaming\FileHistory\FileHistory.exe
Filesize
2.8MB

MD5
a73e083297e46d8e23f012d66a08f3a3

SHA1
83527df5a484494894ad2c71908a170a115751af

SHA256
0ef4667fb2bd5b2184048913181bd7b03bf63d0e7959214b879efa4d6b75ad5d

SHA512
78c2231eb48ed1f246b960b1afbd2b6b1c9b99495b2a1e8b45ea1aa90a21fbd23fd10223dbc7eba9aa057b5932290e20cdcfe2df583b1a93d2cea2bf350495f2

Download Submit
C:\Users\Admin\Downloads\plage.exe
Filesize
967KB

MD5
b03ccade490854df220914c4430967e2

SHA1
1911a59e8c4b427d3fbc8fc9c794886bd2d81305

SHA256
81cb1fa3507209f360261e795cc68622c4163cbb0c6082dc7d8358a04492f961

SHA512
0c05ff99f2d2f448c431073b9a339e6dc1ccab43c9442be44edfd493c3d4d9bd604a0deb792b91295571817113c309bafc6d230b470a4874493561bd5aa9bc36

Download Submit
C:\Users\Admin\Downloads\plage.exe
Filesize
967KB

MD5
b03ccade490854df220914c4430967e2

SHA1
1911a59e8c4b427d3fbc8fc9c794886bd2d81305

SHA256
81cb1fa3507209f360261e795cc68622c4163cbb0c6082dc7d8358a04492f961

SHA512
0c05ff99f2d2f448c431073b9a339e6dc1ccab43c9442be44edfd493c3d4d9bd604a0deb792b91295571817113c309bafc6d230b470a4874493561bd5aa9bc36

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe
Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe
Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe
Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config
Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCFB9B.tmp
Filesize
676B

MD5
35b3f2a5e9d6611f79133c143c6a7a0c

SHA1
edbcd3fc125115630449a6f5a668551e89176b9e

SHA256
f0f32b7ec16176deb7ec734e9ff0bdeb2bdfa5b51bb64a7d0d12af7aa4f50504

SHA512
fae464d96f6feef7664761b22ee22cd6159c84f1cda0ee5181258640f41f9d7869ac0a634881cdc5ff58f4dd16f698d52e9a6ae66b11c95ab1d427a0a1485310

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sfdogazb.0.cs
Filesize
208KB

MD5
a64f94327bf8d310f735c847ddcf1e4c

SHA1
0f31b3e6b1927790722d938ee0febeb9c1b14a34

SHA256
17d3a0e199254fbddd0d40116f7a22867560f5057e22700d39ba0c709f308a4e

SHA512
eeaf1460f14fac4d2e34a75795c5bead9d57d3e818bf2c2fbdf842828c2d8fd5379deb9207586c3a61e3712bf34182e4ed8b37c384c5ebd325256f0779d80512

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sfdogazb.cmdline
Filesize
349B

MD5
c09c5bb5c823488d555f0d36212cde6a

SHA1
acbae89d6dd6d7256906949b7af3fa7454ae9e44

SHA256
f7a2cc34aa19f680d11e7ae3c85bfe1b39313201506884aaae138671f20c38b8

SHA512
695638dab7db6e99dec3492799cffc8d3259c21de2e8756b504d994a11401ff34159a127a47c0f07841945301a50b4185c6afe62023fa7d26b985f71e1e009f5

Download Submit
\Users\Admin\AppData\Local\Temp\github.com_Blank-c_45842\MSVCP140.dll
Filesize
553KB

MD5
6da7f4530edb350cf9d967d969ccecf8

SHA1
3e2681ea91f60a7a9ef2407399d13c1ca6aa71e9

SHA256
9fee6f36547d6f6ea7ca0338655555dba6bb0f798bc60334d29b94d1547da4da

SHA512
1f77f900215a4966f7f4e5d23b4aaad203136cb8561f4e36f03f13659fe1ff4b81caa75fef557c890e108f28f0484ad2baa825559114c0daa588cf1de6c1afab

Download Submit
\Users\Admin\AppData\Local\Temp\github.com_Blank-c_45842\PIL\_imaging.cp310-win_amd64.pyd
Filesize
955KB

MD5
f4f2116ea9397fecf3c02a43706ee6e7

SHA1
f31b77b893f1bce048e48b93f493b1eb729b6ad0

SHA256
4a0af9cf2265ec7799e02870f8eec6a01bc796a45d786b34c8b980014c4a1c69

SHA512
04d96cac6c2d2c03d83d3e5513850b08151387303708373c22faa2410404c2145dac1118539145bb1f2f2ad90e458c7af257ef89d1ec683bca91b4575814f365

Download Submit
\Users\Admin\AppData\Local\Temp\github.com_Blank-c_45842\VCRUNTIME140.dll
Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
\Users\Admin\AppData\Local\Temp\github.com_Blank-c_45842\VCRUNTIME140_1.dll
Filesize
36KB

MD5
135359d350f72ad4bf716b764d39e749

SHA1
2e59d9bbcce356f0fece56c9c4917a5cacec63d7

SHA256
34048abaa070ecc13b318cea31425f4ca3edd133d350318ac65259e6058c8b32

SHA512
cf23513d63ab2192c78cae98bd3fea67d933212b630be111fa7e03be3e92af38e247eb2d3804437fd0fda70fdc87916cd24cf1d3911e9f3bfb2cc4ab72b459ba

Download Submit
\Users\Admin\AppData\Local\Temp\github.com_Blank-c_45842\_bz2.pyd
Filesize
47KB

MD5
bf3679866df99540937628081af5537d

SHA1
bdbbd56b0fe20d3746aed33d89b4caeb08fc0a1f

SHA256
d0dd970620243dd87ae77db8a631a389b2cbeee216c7bee2b3425469a315618b

SHA512
34955168113c87750b91f4b794bed257b2215485b3abafb8b459b58599a3fc5381487a7f5157358336e7626501762765443b91ec117b949e7da91a3f9e56f682

Download Submit
\Users\Admin\AppData\Local\Temp\github.com_Blank-c_45842\_hashlib.pyd
Filesize
33KB

MD5
05b06b9fdcf074e10f67e105588d713c

SHA1
0993bc372eb6b517bde9919d5f5a0bb9891945c5

SHA256
0d9d24dc4886321d68491db93921415c06871dc34de2ed91031de6fa369a1d93

SHA512
617752b8420e87b5ce3070238e18b24c9d4a2a7144a0070efbb068efc1ef98e0d8df15776fb644de57b554f89f887f96b6e7b09dda9278d3d32a0e81d5f1fa24

Download Submit
\Users\Admin\AppData\Local\Temp\github.com_Blank-c_45842\_lzma.pyd
Filesize
84KB

MD5
89c7f76c784854d62a8e516137d43607

SHA1
1dad4da521cd2ad1470aaa3a51aa4c004e77181e

SHA256
4612008b686994ab7bd4f384f6566a3a853d9a1c8935bfaa07eb595fdebd01a1

SHA512
bb83ac17a114665101446188279e7689e9661e18c5596c3a2e9625b72aeb748149db36bf96423c85f7ee448fd3ffeeeab6102ca7522ed1c4e3318d9c3bfc46e0

Download Submit
\Users\Admin\AppData\Local\Temp\github.com_Blank-c_45842\_queue.pyd
Filesize
24KB

MD5
5aafc702d526cd407a1c806a9e84f84a

SHA1
96ace17b3355dbfb9e81a913e058b2c815279e3f

SHA256
16b07e2496bd084845a2b41b6d98786a16c796a9eaba2f90046ec44be9338d78

SHA512
b610dd56d05b534ee1de45e1a0af66aba3076f5f9977622548ecbdd87d7c95fa562c4ad37cbf1e6ccae0e8dec2d0ea9f9b9c725f6d053ea388fe65e1c038c4d9

Download Submit
\Users\Admin\AppData\Local\Temp\github.com_Blank-c_45842\_socket.pyd
Filesize
41KB

MD5
10bddaab060fe231dd96b1c3859367a6

SHA1
44ae0c7f505158a044e9dfbd2283d8bb54d9a8ac

SHA256
d1eaea0b871e2b97a30a7ef7aefbe30c6d658598a994d707aedd7d59ee880e02

SHA512
acb03d9e2729b8643b4e14fb29c5e044ad55f342688b4203beb27420abd454ed4534eba14300b3db624e56921b787a76b787e91888a5257e133962878968d65d

Download Submit
\Users\Admin\AppData\Local\Temp\github.com_Blank-c_45842\_ssl.pyd
Filesize
60KB

MD5
b1e9214217b06262bfc0e55247b5adc7

SHA1
4070a35c41e0e59216931bc06e94a8f2b5fd84fd

SHA256
34fd7be67093600009c73e010eef81dac32f1c560708a34b8cca382d94f759b2

SHA512
73463229ca3c3d137d24a7edff1601faf9a39ee15a5abb0b214dca2fb04ba9f9847b4e99ce19d9431feab0748fcc5671a5558ebaa4f4d950c17d7a9784c02ffc

Download Submit
\Users\Admin\AppData\Local\Temp\github.com_Blank-c_45842\libcrypto-1_1.dll
Filesize
1.1MB

MD5
730ffd5fc87b96950c61d6f16c1d888a

SHA1
596802d785321bd9af39b083c10fc94ef18eef4e

SHA256
d3357cc31e9fda8afe230f49a35d61791c9e420b417e9929aac16d79c2a02b41

SHA512
5ca793e38e7023269deea9c54b15afca689fa85bd5e8e12903e36108b385270cde2f0c4801c2a360b88c7ce4a63234a3927f2e27d369e7c5cc5cc351184f191b

Download Submit
\Users\Admin\AppData\Local\Temp\github.com_Blank-c_45842\libssl-1_1.dll
Filesize
203KB

MD5
c222c1d04c4ccac9fe48408000b2a86e

SHA1
e71344c9f1f8c0441c8757df4f72af9354c122a1

SHA256
4f64cebd3d99810518e8f6fe2762bb11f1ea54c8128dd77d99f2a3fbcdc5d253

SHA512
a57333303c759be965d7c4b3fcd8f76f569eec5bb8d46071f122be28e21c8f302ad52c563f6260e671dc69eb7478b7817f0f08a3b2986fdff645f1dba55a402d

Download Submit
\Users\Admin\AppData\Local\Temp\github.com_Blank-c_45842\python310.dll
Filesize
1.5MB

MD5
e06ce8146da66871aa8aeedc950fd12b

SHA1
6ee749bdd0bc857a41ac8018c5553e895784b961

SHA256
aabd51782e4edb80561dd2ff065079a8381c7c86a6db1c6884bc09c73cde07a4

SHA512
0d8c16832d5242595eff4993a1563de09f1eba988ca6e9bcd9afdb0891a164ea2972ac9df40f575e8e1021d535c3b807ce025bc15788f08f84c71246d64f1198

Download Submit
\Users\Admin\AppData\Local\Temp\github.com_Blank-c_45842\select.pyd
Filesize
24KB

MD5
7bb6ccfeb77e3b3c812271f3c57c7139

SHA1
d60ff5c903ef276823ab294f38295b24c4886e38

SHA256
1c035581c147204882a2ebeb2fee46f95c0cf738b889081bca8250b1739d7aa3

SHA512
b5bf030e08d3ddb1c90b8d236d0c40b485f5a26e34bddcbd23b96b08b142992712584645e9bf621263f6a75979c6bbf90aa7ec14d08248a285caa420f44d9c9b

Download Submit
\Users\Admin\AppData\Local\Temp\github.com_Blank-c_45842\tinyaes.cp310-win_amd64.pyd
Filesize
21KB

MD5
5e29122bad14fb002d9e34c7659a8af9

SHA1
c2ac4019339856735f64421debd83d4beaf383e5

SHA256
87869f86ca6696e0daca8dbed3e5e738e79a519f695b058212a0e00567130f75

SHA512
c2c9b2fefeb9d910f1524b7c574000b02e596667a4b69834b962779cf7ff8778e2d3171ca9269cf85c7c4d1c83c14b6db7049041bf85f968da696731e8d5ff1c

Download Submit
memory/904-586-0x0000000000000000-mapping.dmp

Download
memory/968-538-0x0000000000000000-mapping.dmp

Download
memory/1500-380-0x0000000000000000-mapping.dmp

Download
memory/1824-506-0x0000000008370000-0x00000000083E6000-memory.dmp

Filesize
472KB

Download
memory/1824-436-0x00000000079A0000-0x0000000007A06000-memory.dmp

Filesize
408KB

Download
memory/1824-975-0x00000000091E0000-0x00000000091E8000-memory.dmp

Filesize
32KB

Download
memory/1824-970-0x00000000095B0000-0x00000000095CA000-memory.dmp

Filesize
104KB

Download
memory/1824-479-0x0000000008320000-0x000000000836B000-memory.dmp

Filesize
300KB

Download
memory/1824-735-0x00000000096A0000-0x0000000009734000-memory.dmp

Filesize
592KB

Download
memory/1824-470-0x0000000007A50000-0x0000000007A6C000-memory.dmp

Filesize
112KB

Download
memory/1824-448-0x0000000007A80000-0x0000000007DD0000-memory.dmp

Filesize
3.3MB

Download
memory/1824-438-0x0000000007930000-0x0000000007996000-memory.dmp

Filesize
408KB

Download
memory/1824-290-0x0000000000000000-mapping.dmp

Download
memory/1824-699-0x0000000009500000-0x00000000095A5000-memory.dmp

Filesize
660KB

Download
memory/1824-435-0x0000000007900000-0x0000000007922000-memory.dmp

Filesize
136KB

Download
memory/1824-674-0x0000000009180000-0x00000000091B3000-memory.dmp

Filesize
204KB

Download
memory/1824-382-0x0000000007190000-0x00000000077B8000-memory.dmp

Filesize
6.2MB

Download
memory/1824-677-0x0000000009160000-0x000000000917E000-memory.dmp

Filesize
120KB

Download
memory/1824-364-0x0000000006B00000-0x0000000006B36000-memory.dmp

Filesize
216KB

Download
memory/2096-569-0x0000000000000000-mapping.dmp

Download
memory/2096-629-0x00000000007E0000-0x00000000007E8000-memory.dmp

Filesize
32KB

Download
memory/2196-369-0x0000000000000000-mapping.dmp

Download
memory/2208-180-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-120-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-182-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-140-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-139-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-141-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-142-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-143-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2208-144-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-176-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-174-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-145-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-121-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-146-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-138-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-183-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-122-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-170-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-123-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-124-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-125-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-126-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-137-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-127-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-163-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-128-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-162-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-161-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-129-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-130-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-136-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-185-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-147-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-131-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-148-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-160-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-132-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-159-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-133-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-158-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-134-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-157-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-149-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-156-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-150-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-155-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-151-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-154-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-153-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-152-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2208-135-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2300-272-0x0000000000000000-mapping.dmp

Download
memory/2300-279-0x0000000000420000-0x00000000006EA000-memory.dmp

Filesize
2.8MB

Download
memory/2416-200-0x0000000000000000-mapping.dmp

Download
memory/2416-274-0x0000000000710000-0x000000000071A000-memory.dmp

Filesize
40KB

Download
memory/2756-618-0x0000000000000000-mapping.dmp

Download
memory/2756-377-0x0000000000000000-mapping.dmp

Download
memory/2760-656-0x0000000000000000-mapping.dmp

Download
memory/3188-270-0x00000271854F0000-0x0000027185502000-memory.dmp

Filesize
72KB

Download
memory/3188-280-0x00000271857F0000-0x0000027185806000-memory.dmp

Filesize
88KB

Download
memory/3188-265-0x0000000000000000-mapping.dmp

Download
memory/3188-283-0x0000027185820000-0x000002718582A000-memory.dmp

Filesize
40KB

Download
memory/3192-482-0x000000001C1B0000-0x000000001C262000-memory.dmp

Filesize
712KB

Download
memory/3192-379-0x0000000000000000-mapping.dmp

Download
memory/3192-467-0x000000001B950000-0x000000001B9A0000-memory.dmp

Filesize
320KB

Download
memory/3408-700-0x000001E6B5A80000-0x000001E6B5AF6000-memory.dmp

Filesize
472KB

Download
memory/3408-664-0x000001E6B58D0000-0x000001E6B58F2000-memory.dmp

Filesize
136KB

Download
memory/3408-631-0x0000000000000000-mapping.dmp

Download
memory/3584-551-0x00007FF9DC2C0000-0x00007FF9DC2D4000-memory.dmp

Filesize
80KB

Download
memory/3584-533-0x00007FF9DCDB0000-0x00007FF9DCDBD000-memory.dmp

Filesize
52KB

Download
memory/3584-485-0x00007FF9C5640000-0x00007FF9C5AAF000-memory.dmp

Filesize
4.4MB

Download
memory/3584-558-0x00007FF9DA1E0000-0x00007FF9DA20B000-memory.dmp

Filesize
172KB

Download
memory/3584-555-0x00007FF9C9060000-0x00007FF9C9384000-memory.dmp

Filesize
3.1MB

Download
memory/3584-650-0x00007FF9D2F20000-0x00007FF9D3038000-memory.dmp

Filesize
1.1MB

Download
memory/3584-508-0x00007FF9E0D00000-0x00007FF9E0D13000-memory.dmp

Filesize
76KB

Download
memory/3584-511-0x00007FF9E0B90000-0x00007FF9E0BA9000-memory.dmp

Filesize
100KB

Download
memory/3584-464-0x0000000000000000-mapping.dmp

Download
memory/3584-524-0x00007FF9DB460000-0x00007FF9DB48E000-memory.dmp

Filesize
184KB

Download
memory/3584-553-0x00007FF9DAEF0000-0x00007FF9DAF1D000-memory.dmp

Filesize
180KB

Download
memory/3584-836-0x00007FF9C5640000-0x00007FF9C5AAF000-memory.dmp

Filesize
4.4MB

Download
memory/3584-525-0x00007FF9C9390000-0x00007FF9C9705000-memory.dmp

Filesize
3.5MB

Download
memory/3584-560-0x00007FF9DA1A0000-0x00007FF9DA1D1000-memory.dmp

Filesize
196KB

Download
memory/3584-519-0x00007FF9DD0F0000-0x00007FF9DD0FD000-memory.dmp

Filesize
52KB

Download
memory/3584-513-0x00007FF9E0940000-0x00007FF9E0959000-memory.dmp

Filesize
100KB

Download
memory/3584-847-0x00007FF9DAF20000-0x00007FF9DAFD8000-memory.dmp

Filesize
736KB

Download
memory/3584-845-0x00007FF9DB460000-0x00007FF9DB48E000-memory.dmp

Filesize
184KB

Download
memory/3584-837-0x00007FF9C9390000-0x00007FF9C9705000-memory.dmp

Filesize
3.5MB

Download
memory/3584-532-0x00007FF9DAF20000-0x00007FF9DAFD8000-memory.dmp

Filesize
736KB

Download
memory/3652-442-0x0000000000000000-mapping.dmp

Download
memory/4016-287-0x0000000000000000-mapping.dmp

Download
memory/4132-456-0x000000001AAA0000-0x000000001ABAA000-memory.dmp

Filesize
1.0MB

Download
memory/4208-295-0x0000000000000000-mapping.dmp

Download
memory/4232-284-0x0000000000000000-mapping.dmp

Download
memory/4280-361-0x0000000000000000-mapping.dmp

Download
memory/4380-571-0x0000000000000000-mapping.dmp

Download
memory/4584-457-0x0000000000000000-mapping.dmp

Download
memory/4604-522-0x000000001B880000-0x000000001B8CE000-memory.dmp

Filesize
312KB

Download
memory/4604-471-0x0000000000000000-mapping.dmp

Download
memory/4604-557-0x000000001BB20000-0x000000001BB30000-memory.dmp

Filesize
64KB

Download
memory/4604-516-0x00000000029B0000-0x00000000029C2000-memory.dmp

Filesize
72KB

Download
memory/4604-546-0x000000001BA00000-0x000000001BA18000-memory.dmp

Filesize
96KB

Download
memory/4604-483-0x0000000000880000-0x000000000096A000-memory.dmp

Filesize
936KB

Download
memory/4604-486-0x0000000000E60000-0x0000000000EBC000-memory.dmp

Filesize
368KB

Download
memory/4604-489-0x00000000010C0000-0x00000000010CE000-memory.dmp

Filesize
56KB

Download
memory/4652-531-0x0000000000000000-mapping.dmp

Download
memory/4712-993-0x0000000000000000-mapping.dmp

Download
memory/4916-164-0x0000000000000000-mapping.dmp

Download
memory/4916-178-0x00007FF9CC240000-0x00007FF9CCC73000-memory.dmp

Filesize
10.2MB

Download
memory/5036-419-0x0000000000000000-mapping.dmp

Download
memory/5044-433-0x0000000002DD0000-0x0000000002E0E000-memory.dmp

Filesize
248KB

Download
memory/5044-432-0x00000000011A0000-0x00000000011B2000-memory.dmp

Filesize
72KB

Download
memory/5044-426-0x0000000000D10000-0x0000000000D1C000-memory.dmp

Filesize
48KB

Download
memory/5044-420-0x0000000000000000-mapping.dmp

Download
memory/5068-169-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5068-184-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5068-167-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5068-179-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5068-181-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5068-187-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5068-168-0x0000000000401000-mapping.dmp

Download
memory/5068-173-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5068-172-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5068-175-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5068-232-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5068-186-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/5068-171-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download