xworm | 9367be61e6f18c4bc17567e4259607293eb60687920b7656728442df79c9fe03

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2024 13:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Vape.exe
Size

8.4MB
MD5

8afb546a821068f344d5e5481d57fd6a
SHA1

907c78ae51a9bef3612538c1205cb1458b591df6
SHA256

9367be61e6f18c4bc17567e4259607293eb60687920b7656728442df79c9fe03
SHA512

2c4123ada410cfb647f4e32039216e14f06ebdec910471ce9d9ae674191dbc96f915f0c8798672ba640d4a3ce9d176a5139f479c96d4bcde59dea9317a17438e
SSDEEP

196608:8okYHMUWsVqYGAwEFD8bJrxv8pL6x/rFdiX4virXL:KYHRWsVsAwEGbJrxIG1v84vir7

Score

10^/10

xworm evasion persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%Temp%
install_file
USB.exe
pastebin_url
https://pastebin.com/raw/4dSAsSm4

Signatures

Detect Xworm Payload 6 IoCs

resource	yara_rule
behavioral2/files/0x00030000000228aa-7.dat	family_xworm
behavioral2/memory/8-22-0x0000000000680000-0x0000000000698000-memory.dmp	family_xworm
behavioral2/files/0x0006000000023220-87.dat	family_xworm
behavioral2/memory/5100-95-0x0000000000A90000-0x0000000000AA6000-memory.dmp	family_xworm
behavioral2/memory/2376-222-0x0000000005750000-0x0000000005760000-memory.dmp	family_xworm
behavioral2/memory/820-244-0x000002CE533B0000-0x000002CE533C0000-memory.dmp	family_xworm

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Public\\Documents\\Sub\\Client.exe"	svchost.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	svchosl.exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	ms_host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Vape.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	sv_host.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	sv_host.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	sv_host.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\microsoftsoftware_sv.lnk	ms_host.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\microsoftsoftware_sv.lnk	ms_host.exe

Executes dropped EXE 23 IoCs

pid	Process
8	sv_host.exe
208	svchost.exe
5032	Built.exe
4516	Built.exe
2376	Installer.exe
5100	ms_host.exe
2280	svchosl.exe
3840	svchosl.exe
4412	svchosl.exe
4824	svchosl.exe
2412	svchosl.exe
3648	svchosl.exe
4352	svhost
2160	svchosl.exe
2736	svchosl.exe
3324	svchosl.exe
1684	svchosl.exe
3292	svchosl.exe
4804	svchosl.exe
4372	svhost
4440	svchosl.exe
728	svchosl.exe
4156	svchosl.exe

Loads dropped DLL 24 IoCs

pid	Process
4516	Built.exe
4516	Built.exe
4516	Built.exe
4516	Built.exe
4516	Built.exe
4516	Built.exe
4516	Built.exe
4516	Built.exe
4516	Built.exe
4516	Built.exe
4516	Built.exe
4516	Built.exe
4516	Built.exe
4516	Built.exe
4516	Built.exe
4516	Built.exe
4516	Built.exe
2280	svchosl.exe
2280	svchosl.exe
3292	Process not Found
4852	Process not Found
4296	timeout.exe
4352	svhost
4372	svhost

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 52 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000600000002320d-98.dat	upx
behavioral2/files/0x0006000000023214-118.dat	upx
behavioral2/memory/4516-119-0x00007FFA68FA0000-0x00007FFA68FAF000-memory.dmp	upx
behavioral2/files/0x0006000000023213-117.dat	upx
behavioral2/files/0x0006000000023212-116.dat	upx
behavioral2/files/0x0006000000023211-115.dat	upx
behavioral2/memory/4516-122-0x00007FFA68180000-0x00007FFA681A3000-memory.dmp	upx
behavioral2/memory/2376-123-0x0000000005750000-0x0000000005760000-memory.dmp	upx
behavioral2/files/0x0006000000023210-114.dat	upx
behavioral2/files/0x000600000002320f-113.dat	upx
behavioral2/files/0x000600000002320e-112.dat	upx
behavioral2/files/0x000600000002320c-111.dat	upx
behavioral2/files/0x000600000002321f-110.dat	upx
behavioral2/memory/4516-136-0x00007FFA68710000-0x00007FFA68729000-memory.dmp	upx
behavioral2/memory/4516-137-0x00007FFA68040000-0x00007FFA68063000-memory.dmp	upx
behavioral2/memory/4516-140-0x00007FFA68030000-0x00007FFA6803D000-memory.dmp	upx
behavioral2/files/0x0006000000023219-143.dat	upx
behavioral2/memory/4516-146-0x00007FFA68160000-0x00007FFA68179000-memory.dmp	upx
behavioral2/memory/4516-147-0x00007FFA548E0000-0x00007FFA54E00000-memory.dmp	upx
behavioral2/memory/4516-150-0x00007FFA55000000-0x00007FFA550CD000-memory.dmp	upx
behavioral2/memory/4516-149-0x00007FFA5EF80000-0x00007FFA5EFB3000-memory.dmp	upx
behavioral2/files/0x000600000002321f-154.dat	upx
behavioral2/memory/4516-155-0x00007FFA68020000-0x00007FFA6802D000-memory.dmp	upx
behavioral2/memory/4516-156-0x00007FFA547C0000-0x00007FFA548DC000-memory.dmp	upx
behavioral2/memory/4516-157-0x00007FFA5F600000-0x00007FFA5F614000-memory.dmp	upx
behavioral2/files/0x0006000000023217-145.dat	upx
behavioral2/files/0x0006000000023217-144.dat	upx
behavioral2/memory/4516-142-0x00007FFA550D0000-0x00007FFA55247000-memory.dmp	upx
behavioral2/files/0x000600000002321d-139.dat	upx
behavioral2/files/0x000600000002321e-135.dat	upx
behavioral2/memory/4516-131-0x00007FFA68070000-0x00007FFA6809D000-memory.dmp	upx
behavioral2/memory/4516-174-0x00007FFA55250000-0x00007FFA55839000-memory.dmp	upx
behavioral2/memory/4516-186-0x00007FFA68180000-0x00007FFA681A3000-memory.dmp	upx
behavioral2/files/0x0006000000023217-104.dat	upx
behavioral2/memory/4516-187-0x00007FFA55250000-0x00007FFA55839000-memory.dmp	upx
behavioral2/memory/4516-188-0x00007FFA68180000-0x00007FFA681A3000-memory.dmp	upx
behavioral2/files/0x0006000000023218-101.dat	upx
behavioral2/memory/4516-189-0x00007FFA68FA0000-0x00007FFA68FAF000-memory.dmp	upx
behavioral2/memory/4516-190-0x00007FFA68070000-0x00007FFA6809D000-memory.dmp	upx
behavioral2/memory/4516-194-0x00007FFA68160000-0x00007FFA68179000-memory.dmp	upx
behavioral2/memory/4516-195-0x00007FFA68030000-0x00007FFA6803D000-memory.dmp	upx
behavioral2/memory/4516-193-0x00007FFA550D0000-0x00007FFA55247000-memory.dmp	upx
behavioral2/memory/4516-197-0x00007FFA55000000-0x00007FFA550CD000-memory.dmp	upx
behavioral2/memory/4516-196-0x00007FFA5EF80000-0x00007FFA5EFB3000-memory.dmp	upx
behavioral2/memory/4516-199-0x00007FFA5F600000-0x00007FFA5F614000-memory.dmp	upx
behavioral2/memory/4516-200-0x00007FFA68020000-0x00007FFA6802D000-memory.dmp	upx
behavioral2/memory/4516-198-0x00007FFA548E0000-0x00007FFA54E00000-memory.dmp	upx
behavioral2/memory/4516-201-0x00007FFA547C0000-0x00007FFA548DC000-memory.dmp	upx
behavioral2/memory/4516-192-0x00007FFA68040000-0x00007FFA68063000-memory.dmp	upx
behavioral2/memory/4516-191-0x00007FFA68710000-0x00007FFA68729000-memory.dmp	upx
behavioral2/memory/4516-93-0x00007FFA55250000-0x00007FFA55839000-memory.dmp	upx
behavioral2/files/0x000600000002321a-73.dat	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsoftsoftware_sv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\microsoftsoftware_sv.exe"	ms_host.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Sub\\WatchDog.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svhost"	sv_host.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
22	pastebin.com
29	raw.githubusercontent.com
31	raw.githubusercontent.com
38	discord.com
39	discord.com
20	pastebin.com
21	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
36	icanhazip.com

Drops autorun.inf file 1 TTPs 5 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	svchosl.exe
File opened for modification	C:\autorun.inf	svchosl.exe
File created	D:\autorun.inf	svchosl.exe
File created	F:\autorun.inf	svchosl.exe
File opened for modification	F:\autorun.inf	svchosl.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\xdwd.dll	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2460	schtasks.exe
2024	schtasks.exe
2096	schtasks.exe

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
1296	timeout.exe
3648	timeout.exe
4296	timeout.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
2680	tasklist.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
668	Vape.exe
668	Vape.exe
668	Vape.exe
668	Vape.exe
668	Vape.exe
668	Vape.exe
668	Vape.exe
668	Vape.exe
668	Vape.exe
668	Vape.exe
668	Vape.exe
668	Vape.exe
668	Vape.exe
668	Vape.exe
668	Vape.exe
668	Vape.exe
668	Vape.exe
668	Vape.exe
668	Vape.exe
668	Vape.exe
668	Vape.exe
668	Vape.exe
668	Vape.exe
3860	powershell.exe
3860	powershell.exe
3156	powershell.exe
3156	powershell.exe
3860	powershell.exe
3156	powershell.exe
3268	powershell.exe
3268	powershell.exe
3268	powershell.exe
720	powershell.exe
720	powershell.exe
720	powershell.exe
820	CMD.exe
820	CMD.exe
820	CMD.exe
1412	powershell.exe
1412	powershell.exe
1412	powershell.exe
948	powershell.exe
948	powershell.exe
948	powershell.exe
2220	powershell.exe
2220	powershell.exe
2376	Installer.exe
2376	Installer.exe
2220	powershell.exe
2376	Installer.exe
2376	Installer.exe
2376	Installer.exe
2376	Installer.exe
2376	Installer.exe
2376	Installer.exe
2376	Installer.exe
2376	Installer.exe
2376	Installer.exe
2376	Installer.exe
2376	Installer.exe
2376	Installer.exe
2376	Installer.exe
2376	Installer.exe
2376	Installer.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs

description	pid	Process
Token: SeDebugPrivilege	668	Vape.exe
Token: SeDebugPrivilege	8	sv_host.exe
Token: SeDebugPrivilege	208	svchost.exe
Token: SeDebugPrivilege	5100	ms_host.exe
Token: SeDebugPrivilege	3860	powershell.exe
Token: SeIncreaseQuotaPrivilege	2732	WMIC.exe
Token: SeSecurityPrivilege	2732	WMIC.exe
Token: SeTakeOwnershipPrivilege	2732	WMIC.exe
Token: SeLoadDriverPrivilege	2732	WMIC.exe
Token: SeSystemProfilePrivilege	2732	WMIC.exe
Token: SeSystemtimePrivilege	2732	WMIC.exe
Token: SeProfSingleProcessPrivilege	2732	WMIC.exe
Token: SeIncBasePriorityPrivilege	2732	WMIC.exe
Token: SeCreatePagefilePrivilege	2732	WMIC.exe
Token: SeBackupPrivilege	2732	WMIC.exe
Token: SeRestorePrivilege	2732	WMIC.exe
Token: SeShutdownPrivilege	2732	WMIC.exe
Token: SeDebugPrivilege	2732	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2732	WMIC.exe
Token: SeRemoteShutdownPrivilege	2732	WMIC.exe
Token: SeUndockPrivilege	2732	WMIC.exe
Token: SeManageVolumePrivilege	2732	WMIC.exe
Token: 33	2732	WMIC.exe
Token: 34	2732	WMIC.exe
Token: 35	2732	WMIC.exe
Token: 36	2732	WMIC.exe
Token: SeDebugPrivilege	2680	tasklist.exe
Token: SeDebugPrivilege	3156	powershell.exe
Token: SeIncreaseQuotaPrivilege	2732	WMIC.exe
Token: SeSecurityPrivilege	2732	WMIC.exe
Token: SeTakeOwnershipPrivilege	2732	WMIC.exe
Token: SeLoadDriverPrivilege	2732	WMIC.exe
Token: SeSystemProfilePrivilege	2732	WMIC.exe
Token: SeSystemtimePrivilege	2732	WMIC.exe
Token: SeProfSingleProcessPrivilege	2732	WMIC.exe
Token: SeIncBasePriorityPrivilege	2732	WMIC.exe
Token: SeCreatePagefilePrivilege	2732	WMIC.exe
Token: SeBackupPrivilege	2732	WMIC.exe
Token: SeRestorePrivilege	2732	WMIC.exe
Token: SeShutdownPrivilege	2732	WMIC.exe
Token: SeDebugPrivilege	2732	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2732	WMIC.exe
Token: SeRemoteShutdownPrivilege	2732	WMIC.exe
Token: SeUndockPrivilege	2732	WMIC.exe
Token: SeManageVolumePrivilege	2732	WMIC.exe
Token: 33	2732	WMIC.exe
Token: 34	2732	WMIC.exe
Token: 35	2732	WMIC.exe
Token: 36	2732	WMIC.exe
Token: SeDebugPrivilege	3268	powershell.exe
Token: SeDebugPrivilege	720	powershell.exe
Token: SeDebugPrivilege	820	CMD.exe
Token: SeDebugPrivilege	1412	powershell.exe
Token: SeDebugPrivilege	948	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	2376	Installer.exe
Token: SeDebugPrivilege	3292	powershell.exe
Token: SeDebugPrivilege	4752	powershell.exe
Token: SeDebugPrivilege	8	sv_host.exe
Token: SeDebugPrivilege	5100	ms_host.exe
Token: SeDebugPrivilege	2280	svchosl.exe
Token: SeDebugPrivilege	4352	svhost
Token: SeDebugPrivilege	4372	svhost

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 668 wrote to memory of 8	668	Vape.exe	86
PID 668 wrote to memory of 8	668	Vape.exe	86
PID 668 wrote to memory of 208	668	Vape.exe	88
PID 668 wrote to memory of 208	668	Vape.exe	88
PID 668 wrote to memory of 5032	668	Vape.exe	87
PID 668 wrote to memory of 5032	668	Vape.exe	87
PID 5032 wrote to memory of 4516	5032	Built.exe	117
PID 5032 wrote to memory of 4516	5032	Built.exe	117
PID 668 wrote to memory of 2376	668	Vape.exe	89
PID 668 wrote to memory of 2376	668	Vape.exe	89
PID 668 wrote to memory of 2376	668	Vape.exe	89
PID 668 wrote to memory of 5100	668	Vape.exe	90
PID 668 wrote to memory of 5100	668	Vape.exe	90
PID 668 wrote to memory of 4500	668	Vape.exe	115
PID 668 wrote to memory of 4500	668	Vape.exe	115
PID 4500 wrote to memory of 1296	4500	cmd.exe	109
PID 4500 wrote to memory of 1296	4500	cmd.exe	109
PID 4516 wrote to memory of 1020	4516	Built.exe	95
PID 4516 wrote to memory of 1020	4516	Built.exe	95
PID 4516 wrote to memory of 2188	4516	Built.exe	94
PID 4516 wrote to memory of 2188	4516	Built.exe	94
PID 4516 wrote to memory of 3900	4516	Built.exe	93
PID 4516 wrote to memory of 3900	4516	Built.exe	93
PID 4516 wrote to memory of 2436	4516	Built.exe	96
PID 4516 wrote to memory of 2436	4516	Built.exe	96
PID 4516 wrote to memory of 1980	4516	Built.exe	99
PID 4516 wrote to memory of 1980	4516	Built.exe	99
PID 2188 wrote to memory of 3860	2188	cmd.exe	101
PID 2188 wrote to memory of 3860	2188	cmd.exe	101
PID 2436 wrote to memory of 2680	2436	cmd.exe	108
PID 2436 wrote to memory of 2680	2436	cmd.exe	108
PID 1980 wrote to memory of 2732	1980	cmd.exe	107
PID 1980 wrote to memory of 2732	1980	cmd.exe	107
PID 1020 wrote to memory of 3156	1020	cmd.exe	106
PID 1020 wrote to memory of 3156	1020	cmd.exe	106
PID 3900 wrote to memory of 4404	3900	cmd.exe	110
PID 3900 wrote to memory of 4404	3900	cmd.exe	110
PID 8 wrote to memory of 3268	8	sv_host.exe	111
PID 8 wrote to memory of 3268	8	sv_host.exe	111
PID 5100 wrote to memory of 720	5100	ms_host.exe	114
PID 5100 wrote to memory of 720	5100	ms_host.exe	114
PID 8 wrote to memory of 820	8	sv_host.exe	147
PID 8 wrote to memory of 820	8	sv_host.exe	147
PID 5100 wrote to memory of 1412	5100	ms_host.exe	120
PID 5100 wrote to memory of 1412	5100	ms_host.exe	120
PID 8 wrote to memory of 948	8	sv_host.exe	123
PID 8 wrote to memory of 948	8	sv_host.exe	123
PID 5100 wrote to memory of 2220	5100	ms_host.exe	125
PID 5100 wrote to memory of 2220	5100	ms_host.exe	125
PID 2376 wrote to memory of 3144	2376	Installer.exe	126
PID 2376 wrote to memory of 3144	2376	Installer.exe	126
PID 2376 wrote to memory of 3144	2376	Installer.exe	126
PID 8 wrote to memory of 3292	8	sv_host.exe	129
PID 8 wrote to memory of 3292	8	sv_host.exe	129
PID 3144 wrote to memory of 1140	3144	cmd.exe	130
PID 3144 wrote to memory of 1140	3144	cmd.exe	130
PID 3144 wrote to memory of 1140	3144	cmd.exe	130
PID 3144 wrote to memory of 3648	3144	cmd.exe	131
PID 3144 wrote to memory of 3648	3144	cmd.exe	131
PID 3144 wrote to memory of 3648	3144	cmd.exe	131
PID 5100 wrote to memory of 4752	5100	ms_host.exe	133
PID 5100 wrote to memory of 4752	5100	ms_host.exe	133
PID 2376 wrote to memory of 2280	2376	Installer.exe	135
PID 2376 wrote to memory of 2280	2376	Installer.exe	135

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Vape.exe
"C:\Users\Admin\AppData\Local\Temp\Vape.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:668
- C:\Users\Admin\AppData\Local\Temp\sv_host.exe
  "C:\Users\Admin\AppData\Local\Temp\sv_host.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:8
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sv_host.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3268
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sv_host.exe'
    3⤵
    PID:820
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svhost'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:948
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3292
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\Users\Admin\AppData\Local\Temp\svhost"
    3⤵
    - Creates scheduled task(s)
    PID:2460
- C:\Users\Admin\AppData\Local\Temp\Built.exe
  "C:\Users\Admin\AppData\Local\Temp\Built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5032
- - C:\Users\Admin\AppData\Local\Temp\Built.exe
    "C:\Users\Admin\AppData\Local\Temp\Built.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4516
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:208
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "svchost" /tr "C:\Users\Public\Documents\Sub\Client.exe" & exit
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:820
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "svchost" /tr "C:\Users\Public\Documents\Sub\Client.exe"
      4⤵
      Creates scheduled task(s)
      PID:2096
- C:\Users\Admin\AppData\Local\Temp\Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\Installer.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6E5A.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3144
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:1140
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 2
      4⤵
      Delays execution with timeout.exe
      PID:3648
- - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
    "C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe"
    3⤵
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops autorun.inf file
    - Suspicious use of AdjustPrivilegeToken
    PID:2280
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\watchdog.vbs.bat""
      4⤵
      Checks computer location settings
      Modifies registry class
      PID:32
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\watchdog.vbs"
        5⤵
        
        PID:4928
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:3840
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:4412
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:4824
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:2412
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:3648
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:2160
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:2736
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:3324
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:1684
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:3292
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:4804
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:4440
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:728
      - C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        
        C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe
        6⤵
        Executes dropped EXE
        
        PID:4156
- C:\Users\Admin\AppData\Local\Temp\ms_host.exe
  "C:\Users\Admin\AppData\Local\Temp\ms_host.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5100
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ms_host.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:720
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ms_host.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1412
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2220
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'microsoftsoftware_sv.exe'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4752
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "microsoftsoftware_sv" /tr "C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2024
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /delete /f /tn "microsoftsoftware_sv"
    3⤵
    PID:468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD66A.tmp.bat""
    3⤵
    PID:2788
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Loads dropped DLL
      Delays execution with timeout.exe
      PID:4296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp56AB.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Внимание! Была устранена попытка взлома вашего компьютера! Диспетчер задач временно заблокирован для вашей безопасности!', 0, 'Windows Defender', 32+16);close()""
1⤵
- Suspicious use of WriteProcessMemory
PID:3900
- C:\Windows\system32\mshta.exe
  mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Внимание! Была устранена попытка взлома вашего компьютера! Диспетчер задач временно заблокирован для вашей безопасности!', 0, 'Windows Defender', 32+16);close()"
  2⤵
  PID:4404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
1⤵
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"
1⤵
- Suspicious use of WriteProcessMemory
PID:1020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
1⤵
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Windows\system32\tasklist.exe
  tasklist /FO LIST
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:2680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
1⤵
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\System32\Wbem\WMIC.exe
  wmic csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2732

C:\Windows\system32\timeout.exe
timeout 3
1⤵
- Delays execution with timeout.exe
PID:1296

C:\Windows\SysWOW64\chcp.com
chcp 65001
1⤵
PID:2372

C:\Users\Admin\AppData\Local\Temp\svhost
C:\Users\Admin\AppData\Local\Temp\svhost
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4352

C:\Users\Admin\AppData\Local\Temp\svhost
C:\Users\Admin\AppData\Local\Temp\svhost
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
34f595487e6bfd1d11c7de88ee50356a

SHA1
4caad088c15766cc0fa1f42009260e9a02f953bb

SHA256
0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

SHA512
10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d8cb3e9459807e35f02130fad3f9860d

SHA1
5af7f32cb8a30e850892b15e9164030a041f4bd6

SHA256
2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

SHA512
045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dbb22d95851b93abf2afe8fb96a8e544

SHA1
920ec5fdb323537bcf78f7e29a4fc274e657f7a4

SHA256
e1ee9af6b9e3bfd41b7d2c980580bb7427883f1169ed3df4be11293ce7895465

SHA512
16031134458bf312509044a3028be46034c544163c4ca956aee74d2075fbeb5873754d2254dc1d0b573ce1a644336ac4c8bd7147aba100bfdac8c504900ef3fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22310ad6749d8cc38284aa616efcd100

SHA1
440ef4a0a53bfa7c83fe84326a1dff4326dcb515

SHA256
55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

SHA512
2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

Download Submit
C:\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
128KB

MD5
4263b101867cc110a4641769d8cec755

SHA1
17af1c4f277f0a6ceed97a2be4b9bb93c0a7437a

SHA256
a047ae7f26c001aaa0d9493fcb55cf254f8e2a872c4663a2da0ca86f23b3d466

SHA512
0f787c67af878da0194104bded1351a079d0c889ec26040a7e8579db5ebdcb27ed5bf036969a2b825a52a03bd2213ecc8360e029f6dad0f9089dbd6199ac7b86

Download Submit
C:\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
64KB

MD5
35561d533ee3daec295c08987867c8ab

SHA1
d2e9f540e02cd77b42844c71e449cdff85fd678e

SHA256
b167542f2000575703dd70c7894c4b162253bd8f8c17adcd8282d22101fd2509

SHA512
9bb451deeed4cf6137cd4c068d752d12678bde9c567981bc1403ec40ffa1cd2120befd0ea9551d22cee4aa717cbb0248eb5b3f80d4500587b164fa1c8c2e4e4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
3.0MB

MD5
dd0910bf2ecb631066737a818251b98d

SHA1
48fbbf602de1207af6ffaa6675b36ae1dc9c723f

SHA256
1add04d78dea901b6adbbb357d79aa68c1eb8701149c194af6feaba10905ebfe

SHA512
431384db840051744e99c39d119bc608cab8f37465f832a2b3a5c183718e02c8fb4540179613e8b97ef135f12b8201d0da7d3aea18b518114e134c6cf9c10ccd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
1.4MB

MD5
aac40318a8f3e222fbfcc79224b12a1c

SHA1
aa3fae51ceb7bdf4952de4f124ce7097c9a19d3f

SHA256
82841ecf1cef6c44b29917631cc7de19b575485f23a9dd47cfecdc5065a6187d

SHA512
357177b57d5ff9bba059c5d64c3b6e3759fadae664cceec20dba4f0f9bc2fedf923ad4724b527420c85f1f2f828ac838a67cc1e42d984bfe002dd0e8f967b2d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Installer.exe

Filesize
2.4MB

MD5
68a116880728b77f51ab407eddd437ad

SHA1
421dbac9b6a10d283c390e4a70bd6e1bdbaa39ab

SHA256
2feeff13d9d3b5594411fe20b77986be8ce0cfd4286c70910c7aadb6714b348c

SHA512
95a495b5f7947e03565a048fc42237bd68912b8ee0f074159b9b26480e814344f42344cadf75a1d3bf2a85e2a9b34fba2f5f1475f576a816849beaa7af8ca5da

Download Submit
C:\Users\Admin\AppData\Local\Temp\Installer.exe

Filesize
1.9MB

MD5
558b154503612cb21f9326f4aafa5315

SHA1
c78d4dbd17444eef5d3a350710f5e994ac109749

SHA256
6ab4db7c86b942691a4fdfc9c4095270ccbc14a3e1ad1550389d3ed7b9d17801

SHA512
ae21d353c2dd1d6ca3f19a3ece3f0095b9b23341b66245bea514b895282fc4b6928ede0d26cfe1af52b61adcad7c65544f6ef7a8087f2d6b6e7012106120bff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\VCRUNTIME140.dll

Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\_bz2.pyd

Filesize
48KB

MD5
c413931b63def8c71374d7826fbf3ab4

SHA1
8b93087be080734db3399dc415cc5c875de857e2

SHA256
17bfa656cabf7ef75741003497a1c315b10237805ff171d44625a04c16532293

SHA512
7dc45e7e5ed35cc182de11a1b08c066918920a6879ff8e37b6bfbdd7d40bffa39ea4aca778aa8afb99c81a365c51187db046bceb938ce9ace0596f1cf746474f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\_ctypes.pyd

Filesize
58KB

MD5
00f75daaa7f8a897f2a330e00fad78ac

SHA1
44aec43e5f8f1282989b14c4e3bd238c45d6e334

SHA256
9ffadcb2c40ae6b67ab611acc09e050bbe544672cf05e8402a7aa3936326de1f

SHA512
f222f0ebf16a5c6d16aa2fba933034e692e26e81fea4d8b008259aff4102fe8acf3807f3b016c24002daa15bb8778d7fef20f4ae1206d5a6e226f7336d4da5d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\_decimal.pyd

Filesize
106KB

MD5
e3fb8bf23d857b1eb860923ccc47baa5

SHA1
46e9d5f746c047e1b2fefaaf8d3ec0f2c56c42f0

SHA256
7da13df1f416d3ffd32843c895948e460af4dc02cf05c521909555061ed108e3

SHA512
7b0a1fc00c14575b8f415fadc2078bebd157830887dc5b0c4414c8edfaf9fc4a65f58e5cceced11252ade4e627bf17979db397f4f0def9a908efb2eb68cd645c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\_hashlib.pyd

Filesize
35KB

MD5
b227bf5d9fec25e2b36d416ccd943ca3

SHA1
4fae06f24a1b61e6594747ec934cbf06e7ec3773

SHA256
d42c3550e58b9aa34d58f709dc65dc4ee6eea83b651740822e10b0aa051df1d7

SHA512
c6d7c5a966c229c4c7042ef60015e3333dab86f83c230c97b8b1042231fdb2a581285a5a08c33ad0864c6bd82f5a3298964ab317736af8a43e7caa7669298c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\_lzma.pyd

Filesize
85KB

MD5
542eab18252d569c8abef7c58d303547

SHA1
05eff580466553f4687ae43acba8db3757c08151

SHA256
d2a7111feeaacac8b3a71727482565c46141cc7a5a3d837d8349166bea5054c9

SHA512
b7897b82f1aa9d5aa895c3de810dab1aa335fdf7223e4ff29b32340ad350d9be6b145f95a71c7bc7c88c8df77c3f04853ae4d6f0d5a289721fc1468ecba3f958

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\_queue.pyd

Filesize
25KB

MD5
347d6a8c2d48003301032546c140c145

SHA1
1a3eb60ad4f3da882a3fd1e4248662f21bd34193

SHA256
e71803913b57c49f4ce3416ec15dc8a9e5c14f8675209624e76cd71b0319b192

SHA512
b1fdb46b80bb4a39513685781d563a7d55377e43e071901930a13c3e852d0042a5302cd238ddf6ea4d35ceee5a613c96996bffad2da3862673a0d27e60ff2c06

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\_socket.pyd

Filesize
43KB

MD5
1a34253aa7c77f9534561dc66ac5cf49

SHA1
fcd5e952f8038a16da6c3092183188d997e32fb9

SHA256
dc03d32f681634e682b02e9a60fdfce420db9f26754aefb9a58654a064dc0f9f

SHA512
ff9eeb4ede4b4dd75c67fab30d0dec462b8af9ca6adc1dcae58f0d169c55a98d85bb610b157f17077b8854ec15af4dfab2f0d47fa9bc463e5b2449979a50293a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\_sqlite3.pyd

Filesize
56KB

MD5
1a8fdc36f7138edcc84ee506c5ec9b92

SHA1
e5e2da357fe50a0927300e05c26a75267429db28

SHA256
8e4b9da9c95915e864c89856e2d7671cd888028578a623e761aeac2feca04882

SHA512
462a8f995afc4cf0e041515f0f68600dfd0b0b1402be7945d60e2157ffd4e476cf2ae9cdc8df9595f0fe876994182e3e43773785f79b20c6df08c8a8c47fffa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\_ssl.pyd

Filesize
65KB

MD5
f9cc7385b4617df1ddf030f594f37323

SHA1
ebceec12e43bee669f586919a928a1fd93e23a97

SHA256
b093aa2e84a30790abeee82cf32a7c2209978d862451f1e0b0786c4d22833cb6

SHA512
3f362c8a7542212d455f1f187e24f63c6190e564ade0f24561e7e20375a1f15eb36bd8dce9fdaafdab1d6b348a1c6f7cddb9016e4f3535b49136550bc23454fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\base_library.zip

Filesize
1.4MB

MD5
32ede00817b1d74ce945dcd1e8505ad0

SHA1
51b5390db339feeed89bffca925896aff49c63fb

SHA256
4a73d461851b484d213684f0aadf59d537cba6fe7e75497e609d54c9f2ba5d4a

SHA512
a0e070b2ee1347e85f37e9fd589bc8484f206fa9c8f4020de147b815d2041293551e3a14a09a6eb4050cfa1f74843525377e1a99bbdcfb867b61ebddb89f21f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\blank.aes

Filesize
121KB

MD5
4e3e1d66c510b4330e1b3bc7772b973b

SHA1
280077f6dadc9319585b53991543bf883421571b

SHA256
31554d3b466fd69eaadbea7dea22162ed17a950cc4709470fb1b25eae8c44a95

SHA512
939613834da2ff14574f7bfdd84c48b81773e61f9ad6492470698feb137775fe06ef6d96033bafafe8f68764dda4f3d61863ba58c17bcaf3fb09f263ff550beb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\blank.aes

Filesize
121KB

MD5
19be4a8c750cb99e7a8b358231c275e2

SHA1
4d4ae88f491d1d08e5f36afe3fa01de7aef8ea70

SHA256
b55a2fa6de422c1f9557b3637e83f688c885e4f3f5ae4be06d1d331c3df3bb16

SHA512
831e79d86fac100b52a49c0d4317677a69659a03b85e126aab8d35b79fe1781e6705b7993ac2b5d5be617631e6bb4a28e48b7cf87d9d104312e3ed8eb2ee7b79

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\libcrypto-3.dll

Filesize
1.6MB

MD5
78ebd9cb6709d939e4e0f2a6bbb80da9

SHA1
ea5d7307e781bc1fa0a2d098472e6ea639d87b73

SHA256
6a8c458e3d96f8dd3bf6d3cacc035e38edf7f127eee5563b51f8c8790ced0b3e

SHA512
b752769b3de4b78905b0326b5270091642ac89ff204e9e4d78670791a1fa211a54d777aeef59776c21f854c263add163adaef6a81b166190518cfaaf4e2e4122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\libcrypto-3.dll

Filesize
1.1MB

MD5
b5e346688a8a4edeb99375284a46bb63

SHA1
7b9dfbe2e29a1a664fe1ec1e955bc5b6af65870b

SHA256
aa1226b576717cc6bb054f3071af0401687ffce63f8277b1355e1066caaaa05a

SHA512
ffb956bd92162d6ce81d96004bf1d5204b579aa494a37944d02fa3e737d40281d80ffbbc871154c66ce396fc467624051ef37450935cf36e50043bcc867de316

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\libcrypto-3.dll

Filesize
1.2MB

MD5
c56ed49ffd4b6221b3f22867925978d6

SHA1
3eb182b9d0f47160caa6e65790fc9ca6b84f1781

SHA256
854a9c7eca4794b0f7b78a0e4e0dcd2f67ab49fba0562e0fd3dbf0124d25b8e5

SHA512
fcc01224a817ac2c75606a4819d5f60a374ad09db3735cbee1405ca2a1a69326506ee969cea2c05b5d3c276294b680c567720da276245dd0d0eef9d86bad6458

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\libssl-3.dll

Filesize
223KB

MD5
bf4a722ae2eae985bacc9d2117d90a6f

SHA1
3e29de32176d695d49c6b227ffd19b54abb521ef

SHA256
827fdb184fdcde9223d09274be780fe4fe8518c15c8fc217748ad5fd5ea0f147

SHA512
dd83b95967582152c7b5581121e6b69a07073e7a76fe87975742bb0fd7ecef7494ec940dba914364034cc4e3f623be98cc887677b65c208f14a2a9fc7497ca73

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\python311.dll

Filesize
1.6MB

MD5
5f6fd64ec2d7d73ae49c34dd12cedb23

SHA1
c6e0385a868f3153a6e8879527749db52dce4125

SHA256
ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967

SHA512
c4be2d042c6e4d22e46eacfd550f61b8f55814bfe41d216a4df48382247df70bc63151068513855aa78f9b3d2f10ba6a824312948324c92de6dd0f6af414e8ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\select.pyd

Filesize
25KB

MD5
45d5a749e3cd3c2de26a855b582373f6

SHA1
90bb8ac4495f239c07ec2090b935628a320b31fc

SHA256
2d15c2f311528440aa29934920fb0b015eaf8cbe3b3c9ad08a282a2d6ba68876

SHA512
c7a641d475a26712652a84b8423155ca347e0ec0155bd257c200225a64752453e4763b8885d8fb043b30e92ae023a501fff04777ba5cfe54da9a68071f25fbea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\sqlite3.dll

Filesize
622KB

MD5
dbc64142944210671cca9d449dab62e6

SHA1
a2a2098b04b1205ba221244be43b88d90688334c

SHA256
6e6b6f7df961c119692f6c1810fbfb7d40219ea4e5b2a98c413424cf02dce16c

SHA512
3bff546482b87190bb2a499204ab691532aa6f4b4463ab5c462574fc3583f9fc023c1147d84d76663e47292c2ffc1ed1cb11bdb03190e13b6aa432a1cef85c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\unicodedata.pyd

Filesize
295KB

MD5
8c42fcc013a1820f82667188e77be22d

SHA1
fba7e4e0f86619aaf2868cedd72149e56a5a87d4

SHA256
0e00b0e896457ecdc6ef85a8989888ccfbf05ebd8d8a1c493946a2f224b880c2

SHA512
3a028443747d04d05fdd3982bb18c52d1afee2915a90275264bf5db201bd4612090914c7568f870f0af7dfee850c554b3fec9d387334d53d03da6426601942b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50322\unicodedata.pyd

Filesize
64KB

MD5
ad827891de18c3ad5f56b6fb0c067cc0

SHA1
f7798f744c0b9e2a0983b365d8189b59d69a0311

SHA256
b42fa9477a259ab0f3cc8df6756bc7fc0add25b4978c24bb827812e5f85aa919

SHA512
889dfee842ec115787e288ffcc1ec5bca97b30229271124231fd8ca34e03ffc47761778881a2239e3734a7a73f152641629c04352c40f3ba083e4cd2e6af7ad8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_de0moszw.yyi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ms_host.exe

Filesize
60KB

MD5
d5a10d43ab7ebb2eb3994d838f28082c

SHA1
e14038fa3d5d9f87e5f58afe4299453764570c7e

SHA256
3d30447bf5ff5d6a9a4bcb0d10a1247d75f015e93b90cc4c5278100e4b7f8e94

SHA512
e814c1dfabe7ce1d7e7f986d2319332442b69bb20c8c6c323f828a61cbae35653f5bacc1b336b06b4c74c6ff156e1c91e78be12e6e3428fbec2084046d6f9add

Download Submit
C:\Users\Admin\AppData\Local\Temp\sv_host.exe

Filesize
69KB

MD5
91d589dde2c5210749d269da8d49f9b2

SHA1
3c712db908c457dcf2fcfe76979128aa35db41f2

SHA256
8cbdd9f6000ae1b2e8092c0fc6e283da34271c83bfd564198e779c3a1f417635

SHA512
1913ff1143bdadbd90e6e4da5dc803b4d405cb6a6b767eda33ba58509cfbde6a9638be8582f7faaabacdbeae327086340b735eb0db078b0a28a05b01e7389c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
482KB

MD5
0a60ee6dcb73cbc87646712a6fa530f9

SHA1
a652471bd709eb7e02a42136504c73c410c67f65

SHA256
4e2b850c0d0b555b6150f6df73fe5fa4373359209f46249ac6c9160286dfb59e

SHA512
0e987182516167491bb8a66a94ab5b5586ab820b7df9929ed127cccd8a000e5284f5452116314d7d4e90ff4ddab369716718bbc5e93d4c4f2960e325b4761827

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
320KB

MD5
a46018c3020d486f8cbb46a49ca2397c

SHA1
f7a85c54b3c0b7b98a9f8aec0d9e8776ed41f2f7

SHA256
3e99d999ebb530347fd273ff010ba9ff2f9aa46a910a41a1e8deaafbbd8feab1

SHA512
b6afa527e0623c09600aeb0e1a96215b40e33b097ac5e17dec0366ce81c77741d0e5b1a303b8d98a15a184018e695d213ceecdec31970592c083fbfcb7ce2a06

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
384KB

MD5
af7449156bc4d26c39b7d8f56a720180

SHA1
51c17054b1ab2217bb6d6f2cf27053f0d0a63fd0

SHA256
7cf5297de3e170b21460b6064822897b07bf5140ffdbea1fa81663b5b0730e72

SHA512
909cecb86f67558578f577070acb8819e6f8047c453fbe44b268b493a5c52df76b33aa4fbba70c6864da71943376ba9a491bd4a60f7fb68890f51b118f49071a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp56AB.tmp.bat

Filesize
156B

MD5
9eca496ba753a1f21237aa8de68cabcf

SHA1
a28d39a932c42b4fe77c383b280144ef4abd8bdb

SHA256
75e97315b8d7ac04745a1b1fca288740d428f822204dc6590ee5662b0a09617c

SHA512
6df68fd49bac29f36a74f42310b5bc4741b276891937c03db28065fe2813926937fbf2f25657c6ad7a2b9a787b9bba850eef55bcd8a1c0e0ceaf90f8a2ae2020

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6E5A.tmp.bat

Filesize
169B

MD5
b3188d230e24ebea984dfb273710de54

SHA1
35a8f1333f6d78b0c54448ac48daf1c4de9d9d13

SHA256
7cf8131808c0e603a7fc3938d2be115cb396471319e54a0f5dd5e635c0378364

SHA512
c9a5907c5ef4e64d47fe8ed65b90d550580dce7cff83992cd727b3efe445edf131f3a053779e15e522eae46a2524293e4f8b12cf58832f06f741bc4b3178a648

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe

Filesize
356KB

MD5
ff4174cac704f432f0ff42c248fcdf07

SHA1
773b0e896f38d7a1e1338f670604b3c1d4006bf4

SHA256
64e3ca07a19e542b198838f17e7835c632bf00801327b05e260ecd7e2f634b4a

SHA512
01f4a5f0722b770599a2ad7be9615225ce854eabedd912809d8cf6b06a02fa7d634ff0c3a75bcb6cb0f08c5b3f435a5909dee50508376b3c1b504ab5d94c8acc

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchosl.exe

Filesize
448KB

MD5
bdc0fc247189ee2c6a65667725ebbe2c

SHA1
a1e8719c0df3c5d31d04c1eed9aa3a7c262190be

SHA256
6a48a8618f8466bd223c2965387f8531155b7083833535aff8981e04fde9b44b

SHA512
79c52987f4e390dd49e2940a61848ba43ba930fbd136121db245b995c75ec05137284cb5e425342344a53ee26d1c024f4bdaf673b216067fe55944ce28ee12e5

Download Submit
memory/8-22-0x0000000000680000-0x0000000000698000-memory.dmp

Filesize
96KB

Download
memory/8-153-0x00007FFA58CF0000-0x00007FFA597B1000-memory.dmp

Filesize
10.8MB

Download
memory/8-24-0x00007FFA58CF0000-0x00007FFA597B1000-memory.dmp

Filesize
10.8MB

Download
memory/208-170-0x00007FFA58CF0000-0x00007FFA597B1000-memory.dmp

Filesize
10.8MB

Download
memory/208-27-0x00000000003F0000-0x000000000048E000-memory.dmp

Filesize
632KB

Download
memory/208-38-0x00007FFA58CF0000-0x00007FFA597B1000-memory.dmp

Filesize
10.8MB

Download
memory/668-96-0x00007FFA58CF0000-0x00007FFA597B1000-memory.dmp

Filesize
10.8MB

Download
memory/668-0-0x0000000000640000-0x0000000000EB6000-memory.dmp

Filesize
8.5MB

Download
memory/668-1-0x00007FFA58CF0000-0x00007FFA597B1000-memory.dmp

Filesize
10.8MB

Download
memory/668-3-0x000000001BDB0000-0x000000001BDC0000-memory.dmp

Filesize
64KB

Download
memory/720-225-0x000001FC98730000-0x000001FC98740000-memory.dmp

Filesize
64KB

Download
memory/720-226-0x000001FC98730000-0x000001FC98740000-memory.dmp

Filesize
64KB

Download
memory/720-223-0x00007FFA58CF0000-0x00007FFA597B1000-memory.dmp

Filesize
10.8MB

Download
memory/720-242-0x00007FFA58CF0000-0x00007FFA597B1000-memory.dmp

Filesize
10.8MB

Download
memory/820-243-0x00007FFA58CF0000-0x00007FFA597B1000-memory.dmp

Filesize
10.8MB

Download
memory/820-272-0x00007FFA58CF0000-0x00007FFA597B1000-memory.dmp

Filesize
10.8MB

Download
memory/820-244-0x000002CE533B0000-0x000002CE533C0000-memory.dmp

Filesize
64KB

Download
memory/820-245-0x000002CE533B0000-0x000002CE533C0000-memory.dmp

Filesize
64KB

Download
memory/1412-257-0x00007FFA58CF0000-0x00007FFA597B1000-memory.dmp

Filesize
10.8MB

Download
memory/1412-268-0x0000022074FA0000-0x0000022074FB0000-memory.dmp

Filesize
64KB

Download
memory/1412-258-0x0000022074FA0000-0x0000022074FB0000-memory.dmp

Filesize
64KB

Download
memory/1412-251-0x0000022074FA0000-0x0000022074FB0000-memory.dmp

Filesize
64KB

Download
memory/2376-171-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download
memory/2376-102-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download
memory/2376-125-0x0000000005810000-0x00000000058A2000-memory.dmp

Filesize
584KB

Download
memory/2376-120-0x0000000005720000-0x0000000005726000-memory.dmp

Filesize
24KB

Download
memory/2376-94-0x0000000000B60000-0x0000000000DC8000-memory.dmp

Filesize
2.4MB

Download
memory/2376-222-0x0000000005750000-0x0000000005760000-memory.dmp

Filesize
64KB

Download
memory/2376-124-0x000000000A290000-0x000000000A834000-memory.dmp

Filesize
5.6MB

Download
memory/2376-123-0x0000000005750000-0x0000000005760000-memory.dmp

Filesize
64KB

Download
memory/3156-173-0x0000013977330000-0x0000013977340000-memory.dmp

Filesize
64KB

Download
memory/3156-185-0x00007FFA58CF0000-0x00007FFA597B1000-memory.dmp

Filesize
10.8MB

Download
memory/3156-172-0x0000013977330000-0x0000013977340000-memory.dmp

Filesize
64KB

Download
memory/3156-221-0x00007FFA58CF0000-0x00007FFA597B1000-memory.dmp

Filesize
10.8MB

Download
memory/3268-239-0x00007FFA58CF0000-0x00007FFA597B1000-memory.dmp

Filesize
10.8MB

Download
memory/3268-205-0x000002F1BCD90000-0x000002F1BCDA0000-memory.dmp

Filesize
64KB

Download
memory/3268-237-0x000002F1BCD90000-0x000002F1BCDA0000-memory.dmp

Filesize
64KB

Download
memory/3268-203-0x00007FFA58CF0000-0x00007FFA597B1000-memory.dmp

Filesize
10.8MB

Download
memory/3268-204-0x000002F1BCD90000-0x000002F1BCDA0000-memory.dmp

Filesize
64KB

Download
memory/3860-159-0x000002854E8B0000-0x000002854E8C0000-memory.dmp

Filesize
64KB

Download
memory/3860-169-0x000002854E880000-0x000002854E8A2000-memory.dmp

Filesize
136KB

Download
memory/3860-158-0x00007FFA58CF0000-0x00007FFA597B1000-memory.dmp

Filesize
10.8MB

Download
memory/3860-224-0x00007FFA58CF0000-0x00007FFA597B1000-memory.dmp

Filesize
10.8MB

Download
memory/4516-194-0x00007FFA68160000-0x00007FFA68179000-memory.dmp

Filesize
100KB

Download
memory/4516-122-0x00007FFA68180000-0x00007FFA681A3000-memory.dmp

Filesize
140KB

Download
memory/4516-147-0x00007FFA548E0000-0x00007FFA54E00000-memory.dmp

Filesize
5.1MB

Download
memory/4516-199-0x00007FFA5F600000-0x00007FFA5F614000-memory.dmp

Filesize
80KB

Download
memory/4516-93-0x00007FFA55250000-0x00007FFA55839000-memory.dmp

Filesize
5.9MB

Download
memory/4516-146-0x00007FFA68160000-0x00007FFA68179000-memory.dmp

Filesize
100KB

Download
memory/4516-140-0x00007FFA68030000-0x00007FFA6803D000-memory.dmp

Filesize
52KB

Download
memory/4516-137-0x00007FFA68040000-0x00007FFA68063000-memory.dmp

Filesize
140KB

Download
memory/4516-136-0x00007FFA68710000-0x00007FFA68729000-memory.dmp

Filesize
100KB

Download
memory/4516-196-0x00007FFA5EF80000-0x00007FFA5EFB3000-memory.dmp

Filesize
204KB

Download
memory/4516-197-0x00007FFA55000000-0x00007FFA550CD000-memory.dmp

Filesize
820KB

Download
memory/4516-193-0x00007FFA550D0000-0x00007FFA55247000-memory.dmp

Filesize
1.5MB

Download
memory/4516-195-0x00007FFA68030000-0x00007FFA6803D000-memory.dmp

Filesize
52KB

Download
memory/4516-191-0x00007FFA68710000-0x00007FFA68729000-memory.dmp

Filesize
100KB

Download
memory/4516-200-0x00007FFA68020000-0x00007FFA6802D000-memory.dmp

Filesize
52KB

Download
memory/4516-190-0x00007FFA68070000-0x00007FFA6809D000-memory.dmp

Filesize
180KB

Download
memory/4516-189-0x00007FFA68FA0000-0x00007FFA68FAF000-memory.dmp

Filesize
60KB

Download
memory/4516-150-0x00007FFA55000000-0x00007FFA550CD000-memory.dmp

Filesize
820KB

Download
memory/4516-192-0x00007FFA68040000-0x00007FFA68063000-memory.dmp

Filesize
140KB

Download
memory/4516-201-0x00007FFA547C0000-0x00007FFA548DC000-memory.dmp

Filesize
1.1MB

Download
memory/4516-198-0x00007FFA548E0000-0x00007FFA54E00000-memory.dmp

Filesize
5.1MB

Download
memory/4516-148-0x0000026F6BBD0000-0x0000026F6C0F0000-memory.dmp

Filesize
5.1MB

Download
memory/4516-188-0x00007FFA68180000-0x00007FFA681A3000-memory.dmp

Filesize
140KB

Download
memory/4516-187-0x00007FFA55250000-0x00007FFA55839000-memory.dmp

Filesize
5.9MB

Download
memory/4516-149-0x00007FFA5EF80000-0x00007FFA5EFB3000-memory.dmp

Filesize
204KB

Download
memory/4516-155-0x00007FFA68020000-0x00007FFA6802D000-memory.dmp

Filesize
52KB

Download
memory/4516-156-0x00007FFA547C0000-0x00007FFA548DC000-memory.dmp

Filesize
1.1MB

Download
memory/4516-157-0x00007FFA5F600000-0x00007FFA5F614000-memory.dmp

Filesize
80KB

Download
memory/4516-119-0x00007FFA68FA0000-0x00007FFA68FAF000-memory.dmp

Filesize
60KB

Download
memory/4516-186-0x00007FFA68180000-0x00007FFA681A3000-memory.dmp

Filesize
140KB

Download
memory/4516-174-0x00007FFA55250000-0x00007FFA55839000-memory.dmp

Filesize
5.9MB

Download
memory/4516-131-0x00007FFA68070000-0x00007FFA6809D000-memory.dmp

Filesize
180KB

Download
memory/4516-142-0x00007FFA550D0000-0x00007FFA55247000-memory.dmp

Filesize
1.5MB

Download
memory/5100-202-0x00007FFA58CF0000-0x00007FFA597B1000-memory.dmp

Filesize
10.8MB

Download
memory/5100-95-0x0000000000A90000-0x0000000000AA6000-memory.dmp

Filesize
88KB

Download
memory/5100-121-0x00007FFA58CF0000-0x00007FFA597B1000-memory.dmp

Filesize
10.8MB

Download