xworm | 3e5aa6388c6a8c64c056dc8cbb0ebcc1caac6a486abebbcbe530ed8a026e8581

Analysis

max time kernel
1196s
max time network
1201s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2024 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VapeClient.exe
Size

7.3MB
MD5

9e2ffa3af2bf72a7cd5e9a95b249cc83
SHA1

5075c4740da04fac24a3c8a5de1d22712f0d221d
SHA256

3e5aa6388c6a8c64c056dc8cbb0ebcc1caac6a486abebbcbe530ed8a026e8581
SHA512

deefe184ebdb95d5dc5975d6599798e000c59177e0b8459540d29b7fd1a06af56f0a2ad7758d7ca4baa02d879fea5ca42616b89c1a67f398ad6be486ebc1223c
SSDEEP

196608:n88YX3g0lEYwY209wW75pVNOPRoJf7ENtCk:88YHg0l0Y20X75pVqqRET9

Score

10^/10

xworm persistence rat trojan upx

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%Temp%
install_file
microsoftsoftware_sv.exe
pastebin_url
https://pastebin.com/raw/aj6A2kvb

Signatures

Detect Xworm Payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ms_host.exe	family_xworm
C:\Users\Admin\AppData\Local\Temp\sv_host.exe	family_xworm
behavioral1/memory/3244-40-0x0000000000240000-0x0000000000256000-memory.dmp	family_xworm
behavioral1/memory/4548-31-0x0000000000250000-0x0000000000268000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

VapeClient.exems_host.exesv_host.exetzahzf.exehuii.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	VapeClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	ms_host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	sv_host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	tzahzf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	huii.exe

Drops startup file 4 IoCs

Processes:

ms_host.exesv_host.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\microsoftsoftware_sv.lnk	ms_host.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\microsoftsoftware_sv.lnk	ms_host.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	sv_host.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	sv_host.exe

Executes dropped EXE 47 IoCs

Processes:

ms_host.exesv_host.exeBuilt.exeBuilt.exemicrosoftsoftware_sv.exesvhostmicrosoftsoftware_sv.exesvhosttzahzf.exehuii.exehui.exemicrosoftsoftware_sv.exesvhostmicrosoftsoftware_sv.exesvhostmicrosoftsoftware_sv.exesvhostmicrosoftsoftware_sv.exesvhostmicrosoftsoftware_sv.exesvhostmicrosoftsoftware_sv.exesvhostmicrosoftsoftware_sv.exesvhostmicrosoftsoftware_sv.exesvhostmicrosoftsoftware_sv.exesvhostmicrosoftsoftware_sv.exesvhostmicrosoftsoftware_sv.exesvhostmicrosoftsoftware_sv.exesvhostmicrosoftsoftware_sv.exesvhostmicrosoftsoftware_sv.exesvhostmicrosoftsoftware_sv.exesvhostmicrosoftsoftware_sv.exesvhostmicrosoftsoftware_sv.exesvhostmicrosoftsoftware_sv.exesvhost

pid	process
3244	ms_host.exe
4548	sv_host.exe
232	Built.exe
5232	Built.exe
5392	microsoftsoftware_sv.exe
2724	svhost
4580	microsoftsoftware_sv.exe
1244	svhost
6060	tzahzf.exe
2664	huii.exe
4836	hui.exe
1832	microsoftsoftware_sv.exe
2584	svhost
8	microsoftsoftware_sv.exe
2264	svhost
5608	microsoftsoftware_sv.exe
4976	svhost
6132	microsoftsoftware_sv.exe
5300	svhost
3828	microsoftsoftware_sv.exe
4284	svhost
2896	microsoftsoftware_sv.exe
4208	svhost
5568	microsoftsoftware_sv.exe
4116	svhost
1612	microsoftsoftware_sv.exe
5168	svhost
4764	microsoftsoftware_sv.exe
1580	svhost
3024	microsoftsoftware_sv.exe
1680	svhost
2132	microsoftsoftware_sv.exe
1468	svhost
2748	microsoftsoftware_sv.exe
5924	svhost
4868	microsoftsoftware_sv.exe
568	svhost
3284	microsoftsoftware_sv.exe
1076	svhost
2264	microsoftsoftware_sv.exe
3304	svhost
4652	microsoftsoftware_sv.exe
4524	svhost
4540	microsoftsoftware_sv.exe
5496	svhost
5888	microsoftsoftware_sv.exe
804	svhost

Loads dropped DLL 17 IoCs

Processes:

Built.exe

pid	process
5232	Built.exe
5232	Built.exe
5232	Built.exe
5232	Built.exe
5232	Built.exe
5232	Built.exe
5232	Built.exe
5232	Built.exe
5232	Built.exe
5232	Built.exe
5232	Built.exe
5232	Built.exe
5232	Built.exe
5232	Built.exe
5232	Built.exe
5232	Built.exe
5232	Built.exe

UPX packed file 46 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI2322\python311.dll	upx
behavioral1/memory/5232-74-0x00007FFA6C350000-0x00007FFA6C939000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI2322\_ctypes.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI2322\_ssl.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI2322\_sqlite3.pyd	upx
behavioral1/memory/5232-97-0x00007FFA84BC0000-0x00007FFA84BCF000-memory.dmp	upx
behavioral1/memory/5232-96-0x00007FFA7ED40000-0x00007FFA7ED63000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI2322\_socket.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI2322\_queue.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI2322\_lzma.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI2322\_hashlib.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI2322\_decimal.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI2322\_bz2.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI2322\unicodedata.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI2322\sqlite3.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI2322\select.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI2322\libssl-3.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI2322\libcrypto-3.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI2322\libffi-8.dll	upx
behavioral1/memory/5232-103-0x00007FFA7E6A0000-0x00007FFA7E6CD000-memory.dmp	upx
behavioral1/memory/5232-107-0x00007FFA7ED00000-0x00007FFA7ED19000-memory.dmp	upx
behavioral1/memory/5232-108-0x00007FFA7E670000-0x00007FFA7E693000-memory.dmp	upx
behavioral1/memory/5232-111-0x00007FFA6CF70000-0x00007FFA6D0E7000-memory.dmp	upx
behavioral1/memory/5232-113-0x00007FFA7E650000-0x00007FFA7E669000-memory.dmp	upx
behavioral1/memory/5232-115-0x00007FFA7E610000-0x00007FFA7E643000-memory.dmp	upx
behavioral1/memory/5232-118-0x00007FFA7F3C0000-0x00007FFA7F3CD000-memory.dmp	upx
behavioral1/memory/5232-119-0x00007FFA6C280000-0x00007FFA6C34D000-memory.dmp	upx
behavioral1/memory/5232-125-0x00007FFA6BC40000-0x00007FFA6BD5C000-memory.dmp	upx
behavioral1/memory/5232-124-0x00007FFA7F010000-0x00007FFA7F01D000-memory.dmp	upx
behavioral1/memory/5232-126-0x00007FFA6BD60000-0x00007FFA6C280000-memory.dmp	upx
behavioral1/memory/5232-127-0x00007FFA7DE20000-0x00007FFA7DE34000-memory.dmp	upx
behavioral1/memory/5232-154-0x00007FFA6C350000-0x00007FFA6C939000-memory.dmp	upx
behavioral1/memory/5232-156-0x00007FFA84BC0000-0x00007FFA84BCF000-memory.dmp	upx
behavioral1/memory/5232-157-0x00007FFA7E6A0000-0x00007FFA7E6CD000-memory.dmp	upx
behavioral1/memory/5232-159-0x00007FFA7E670000-0x00007FFA7E693000-memory.dmp	upx
behavioral1/memory/5232-155-0x00007FFA7ED40000-0x00007FFA7ED63000-memory.dmp	upx
behavioral1/memory/5232-158-0x00007FFA7ED00000-0x00007FFA7ED19000-memory.dmp	upx
behavioral1/memory/5232-160-0x00007FFA6CF70000-0x00007FFA6D0E7000-memory.dmp	upx
behavioral1/memory/5232-161-0x00007FFA7E650000-0x00007FFA7E669000-memory.dmp	upx
behavioral1/memory/5232-162-0x00007FFA7F3C0000-0x00007FFA7F3CD000-memory.dmp	upx
behavioral1/memory/5232-164-0x00007FFA6C280000-0x00007FFA6C34D000-memory.dmp	upx
behavioral1/memory/5232-163-0x00007FFA7E610000-0x00007FFA7E643000-memory.dmp	upx
behavioral1/memory/5232-165-0x00007FFA6BD60000-0x00007FFA6C280000-memory.dmp	upx
behavioral1/memory/5232-168-0x00007FFA7DE20000-0x00007FFA7DE34000-memory.dmp	upx
behavioral1/memory/5232-174-0x00007FFA7F010000-0x00007FFA7F01D000-memory.dmp	upx
behavioral1/memory/5232-175-0x00007FFA6BC40000-0x00007FFA6BD5C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

sv_host.exems_host.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svhost"	sv_host.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsoftsoftware_sv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\microsoftsoftware_sv.exe"	ms_host.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

23 pastebin.com
24 pastebin.com
25 pastebin.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4876 schtasks.exe
3728 schtasks.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

4264 tasklist.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

5540 PING.EXE

flow	ioc
23	pastebin.com
24	pastebin.com
25	pastebin.com

pid	process
4876	schtasks.exe
3728	schtasks.exe

pid	process
4264	tasklist.exe

pid	process
5540	PING.EXE

Suspicious behavior: EnumeratesProcesses 45 IoCs

Processes:

VapeClient.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3772	VapeClient.exe
3772	VapeClient.exe
3772	VapeClient.exe
3772	VapeClient.exe
3772	VapeClient.exe
3772	VapeClient.exe
3772	VapeClient.exe
3772	VapeClient.exe
3772	VapeClient.exe
3772	VapeClient.exe
3772	VapeClient.exe
3772	VapeClient.exe
3772	VapeClient.exe
3772	VapeClient.exe
3772	VapeClient.exe
3772	VapeClient.exe
3772	VapeClient.exe
3772	VapeClient.exe
3772	VapeClient.exe
3772	VapeClient.exe
3772	VapeClient.exe
3772	VapeClient.exe
3772	VapeClient.exe
1912	powershell.exe
1912	powershell.exe
5208	powershell.exe
5208	powershell.exe
5208	powershell.exe
1912	powershell.exe
5336	powershell.exe
2408	powershell.exe
5336	powershell.exe
2408	powershell.exe
5580	powershell.exe
5580	powershell.exe
1972	powershell.exe
1972	powershell.exe
4168	powershell.exe
4168	powershell.exe
5932	powershell.exe
5932	powershell.exe
4540	powershell.exe
4540	powershell.exe
2716	powershell.exe
2716	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

VapeClient.exesv_host.exems_host.exetasklist.exeWMIC.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exemicrosoftsoftware_sv.exesvhostmicrosoftsoftware_sv.exesvhostmicrosoftsoftware_sv.exesvhost

description	pid	process
Token: SeDebugPrivilege	3772	VapeClient.exe
Token: SeDebugPrivilege	4548	sv_host.exe
Token: SeDebugPrivilege	3244	ms_host.exe
Token: SeDebugPrivilege	4264	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3672	WMIC.exe
Token: SeSecurityPrivilege	3672	WMIC.exe
Token: SeTakeOwnershipPrivilege	3672	WMIC.exe
Token: SeLoadDriverPrivilege	3672	WMIC.exe
Token: SeSystemProfilePrivilege	3672	WMIC.exe
Token: SeSystemtimePrivilege	3672	WMIC.exe
Token: SeProfSingleProcessPrivilege	3672	WMIC.exe
Token: SeIncBasePriorityPrivilege	3672	WMIC.exe
Token: SeCreatePagefilePrivilege	3672	WMIC.exe
Token: SeBackupPrivilege	3672	WMIC.exe
Token: SeRestorePrivilege	3672	WMIC.exe
Token: SeShutdownPrivilege	3672	WMIC.exe
Token: SeDebugPrivilege	3672	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3672	WMIC.exe
Token: SeRemoteShutdownPrivilege	3672	WMIC.exe
Token: SeUndockPrivilege	3672	WMIC.exe
Token: SeManageVolumePrivilege	3672	WMIC.exe
Token: 33	3672	WMIC.exe
Token: 34	3672	WMIC.exe
Token: 35	3672	WMIC.exe
Token: 36	3672	WMIC.exe
Token: SeDebugPrivilege	5208	powershell.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeIncreaseQuotaPrivilege	3672	WMIC.exe
Token: SeSecurityPrivilege	3672	WMIC.exe
Token: SeTakeOwnershipPrivilege	3672	WMIC.exe
Token: SeLoadDriverPrivilege	3672	WMIC.exe
Token: SeSystemProfilePrivilege	3672	WMIC.exe
Token: SeSystemtimePrivilege	3672	WMIC.exe
Token: SeProfSingleProcessPrivilege	3672	WMIC.exe
Token: SeIncBasePriorityPrivilege	3672	WMIC.exe
Token: SeCreatePagefilePrivilege	3672	WMIC.exe
Token: SeBackupPrivilege	3672	WMIC.exe
Token: SeRestorePrivilege	3672	WMIC.exe
Token: SeShutdownPrivilege	3672	WMIC.exe
Token: SeDebugPrivilege	3672	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3672	WMIC.exe
Token: SeRemoteShutdownPrivilege	3672	WMIC.exe
Token: SeUndockPrivilege	3672	WMIC.exe
Token: SeManageVolumePrivilege	3672	WMIC.exe
Token: 33	3672	WMIC.exe
Token: 34	3672	WMIC.exe
Token: 35	3672	WMIC.exe
Token: 36	3672	WMIC.exe
Token: SeDebugPrivilege	5336	powershell.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeDebugPrivilege	5580	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	4168	powershell.exe
Token: SeDebugPrivilege	5932	powershell.exe
Token: SeDebugPrivilege	4540	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	3244	ms_host.exe
Token: SeDebugPrivilege	4548	sv_host.exe
Token: SeDebugPrivilege	5392	microsoftsoftware_sv.exe
Token: SeDebugPrivilege	2724	svhost
Token: SeDebugPrivilege	4580	microsoftsoftware_sv.exe
Token: SeDebugPrivilege	1244	svhost
Token: SeDebugPrivilege	1832	microsoftsoftware_sv.exe
Token: SeDebugPrivilege	2584	svhost

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

VapeClient.exeBuilt.execmd.exeBuilt.execmd.execmd.execmd.execmd.exems_host.exesv_host.exetzahzf.exehuii.exe

description	pid	process	target process
PID 3772 wrote to memory of 3048	3772	VapeClient.exe	cmd.exe
PID 3772 wrote to memory of 3048	3772	VapeClient.exe	cmd.exe
PID 3772 wrote to memory of 3244	3772	VapeClient.exe	ms_host.exe
PID 3772 wrote to memory of 3244	3772	VapeClient.exe	ms_host.exe
PID 3772 wrote to memory of 4548	3772	VapeClient.exe	sv_host.exe
PID 3772 wrote to memory of 4548	3772	VapeClient.exe	sv_host.exe
PID 3772 wrote to memory of 232	3772	VapeClient.exe	Built.exe
PID 3772 wrote to memory of 232	3772	VapeClient.exe	Built.exe
PID 232 wrote to memory of 5232	232	Built.exe	Built.exe
PID 232 wrote to memory of 5232	232	Built.exe	Built.exe
PID 3048 wrote to memory of 5540	3048	cmd.exe	PING.EXE
PID 3048 wrote to memory of 5540	3048	cmd.exe	PING.EXE
PID 5232 wrote to memory of 2224	5232	Built.exe	cmd.exe
PID 5232 wrote to memory of 2224	5232	Built.exe	cmd.exe
PID 5232 wrote to memory of 5464	5232	Built.exe	cmd.exe
PID 5232 wrote to memory of 5464	5232	Built.exe	cmd.exe
PID 5232 wrote to memory of 1988	5232	Built.exe	cmd.exe
PID 5232 wrote to memory of 1988	5232	Built.exe	cmd.exe
PID 5232 wrote to memory of 2420	5232	Built.exe	cmd.exe
PID 5232 wrote to memory of 2420	5232	Built.exe	cmd.exe
PID 2224 wrote to memory of 1912	2224	cmd.exe	powershell.exe
PID 2224 wrote to memory of 1912	2224	cmd.exe	powershell.exe
PID 1988 wrote to memory of 4264	1988	cmd.exe	tasklist.exe
PID 1988 wrote to memory of 4264	1988	cmd.exe	tasklist.exe
PID 2420 wrote to memory of 3672	2420	cmd.exe	WMIC.exe
PID 2420 wrote to memory of 3672	2420	cmd.exe	WMIC.exe
PID 5464 wrote to memory of 5208	5464	cmd.exe	powershell.exe
PID 5464 wrote to memory of 5208	5464	cmd.exe	powershell.exe
PID 3244 wrote to memory of 5336	3244	ms_host.exe	powershell.exe
PID 3244 wrote to memory of 5336	3244	ms_host.exe	powershell.exe
PID 4548 wrote to memory of 2408	4548	sv_host.exe	powershell.exe
PID 4548 wrote to memory of 2408	4548	sv_host.exe	powershell.exe
PID 3244 wrote to memory of 5580	3244	ms_host.exe	powershell.exe
PID 3244 wrote to memory of 5580	3244	ms_host.exe	powershell.exe
PID 4548 wrote to memory of 1972	4548	sv_host.exe	powershell.exe
PID 4548 wrote to memory of 1972	4548	sv_host.exe	powershell.exe
PID 3244 wrote to memory of 4168	3244	ms_host.exe	powershell.exe
PID 3244 wrote to memory of 4168	3244	ms_host.exe	powershell.exe
PID 3048 wrote to memory of 1272	3048	cmd.exe	java.exe
PID 3048 wrote to memory of 1272	3048	cmd.exe	java.exe
PID 4548 wrote to memory of 5932	4548	sv_host.exe	powershell.exe
PID 4548 wrote to memory of 5932	4548	sv_host.exe	powershell.exe
PID 3244 wrote to memory of 4540	3244	ms_host.exe	powershell.exe
PID 3244 wrote to memory of 4540	3244	ms_host.exe	powershell.exe
PID 4548 wrote to memory of 2716	4548	sv_host.exe	powershell.exe
PID 4548 wrote to memory of 2716	4548	sv_host.exe	powershell.exe
PID 3244 wrote to memory of 4876	3244	ms_host.exe	schtasks.exe
PID 3244 wrote to memory of 4876	3244	ms_host.exe	schtasks.exe
PID 4548 wrote to memory of 3728	4548	sv_host.exe	schtasks.exe
PID 4548 wrote to memory of 3728	4548	sv_host.exe	schtasks.exe
PID 3244 wrote to memory of 6060	3244	ms_host.exe	tzahzf.exe
PID 3244 wrote to memory of 6060	3244	ms_host.exe	tzahzf.exe
PID 3244 wrote to memory of 6060	3244	ms_host.exe	tzahzf.exe
PID 6060 wrote to memory of 2664	6060	tzahzf.exe	huii.exe
PID 6060 wrote to memory of 2664	6060	tzahzf.exe	huii.exe
PID 6060 wrote to memory of 2664	6060	tzahzf.exe	huii.exe
PID 2664 wrote to memory of 4836	2664	huii.exe	hui.exe
PID 2664 wrote to memory of 4836	2664	huii.exe	hui.exe
PID 2664 wrote to memory of 4836	2664	huii.exe	hui.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\VapeClient.exe
"C:\Users\Admin\AppData\Local\Temp\VapeClient.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VapeClient.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:3048

C:\Windows\system32\PING.EXE
ping localhost -n 5.5
3⤵
- Runs ping.exe
PID:5540

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java --add-opens java.base/java.lang=ALL-UNNAMED -jar vape-loader.jar
3⤵
PID:1272

C:\Users\Admin\AppData\Local\Temp\ms_host.exe
"C:\Users\Admin\AppData\Local\Temp\ms_host.exe"
2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3244

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ms_host.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5336

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ms_host.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4168

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'microsoftsoftware_sv.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4540

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "microsoftsoftware_sv" /tr "C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe"
3⤵
- Creates scheduled task(s)
PID:4876

C:\Users\Admin\AppData\Local\Temp\tzahzf.exe
"C:\Users\Admin\AppData\Local\Temp\tzahzf.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:6060

C:\Users\Admin\AppData\Local\Temp\huii.exe
"C:\Users\Admin\AppData\Local\Temp\huii.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664

C:\Users\Admin\AppData\Local\Temp\RarSFX0\hui.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\hui.exe" xui2
5⤵
- Executes dropped EXE
PID:4836

C:\Users\Admin\AppData\Local\Temp\sv_host.exe
"C:\Users\Admin\AppData\Local\Temp\sv_host.exe"
2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4548

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sv_host.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2408

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sv_host.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1972

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svhost'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2716

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\Users\Admin\AppData\Local\Temp\svhost"
3⤵
- Creates scheduled task(s)
PID:3728

C:\Users\Admin\AppData\Local\Temp\Built.exe
"C:\Users\Admin\AppData\Local\Temp\Built.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:232

C:\Users\Admin\AppData\Local\Temp\Built.exe
"C:\Users\Admin\AppData\Local\Temp\Built.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:5232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"
4⤵
- Suspicious use of WriteProcessMemory
PID:2224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
4⤵
- Suspicious use of WriteProcessMemory
PID:2420

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
4⤵
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
4⤵
- Suspicious use of WriteProcessMemory
PID:5464

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5208

C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe
C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5392

C:\Users\Admin\AppData\Local\Temp\svhost
C:\Users\Admin\AppData\Local\Temp\svhost
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2724

C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe
C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4580

C:\Users\Admin\AppData\Local\Temp\svhost
C:\Users\Admin\AppData\Local\Temp\svhost
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1244

C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe
C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1832

C:\Users\Admin\AppData\Local\Temp\svhost
C:\Users\Admin\AppData\Local\Temp\svhost
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2584

C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe
C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe
1⤵
- Executes dropped EXE
PID:8

C:\Users\Admin\AppData\Local\Temp\svhost
C:\Users\Admin\AppData\Local\Temp\svhost
1⤵
- Executes dropped EXE
PID:2264

C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe
C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe
1⤵
- Executes dropped EXE
PID:5608

C:\Users\Admin\AppData\Local\Temp\svhost
C:\Users\Admin\AppData\Local\Temp\svhost
1⤵
- Executes dropped EXE
PID:4976

C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe
C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe
1⤵
- Executes dropped EXE
PID:6132

C:\Users\Admin\AppData\Local\Temp\svhost
C:\Users\Admin\AppData\Local\Temp\svhost
1⤵
- Executes dropped EXE
PID:5300

C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe
C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe
1⤵
- Executes dropped EXE
PID:3828

C:\Users\Admin\AppData\Local\Temp\svhost
C:\Users\Admin\AppData\Local\Temp\svhost
1⤵
- Executes dropped EXE
PID:4284

C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe
C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe
1⤵
- Executes dropped EXE
PID:2896

C:\Users\Admin\AppData\Local\Temp\svhost
C:\Users\Admin\AppData\Local\Temp\svhost
1⤵
- Executes dropped EXE
PID:4208

C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe
C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe
1⤵
- Executes dropped EXE
PID:5568

C:\Users\Admin\AppData\Local\Temp\svhost
C:\Users\Admin\AppData\Local\Temp\svhost
1⤵
- Executes dropped EXE
PID:4116

C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe
C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe
1⤵
- Executes dropped EXE
PID:1612

C:\Users\Admin\AppData\Local\Temp\svhost
C:\Users\Admin\AppData\Local\Temp\svhost
1⤵
- Executes dropped EXE
PID:5168

C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe
C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe
1⤵
- Executes dropped EXE
PID:4764

C:\Users\Admin\AppData\Local\Temp\svhost
C:\Users\Admin\AppData\Local\Temp\svhost
1⤵
- Executes dropped EXE
PID:1580

C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe
C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe
1⤵
- Executes dropped EXE
PID:3024

C:\Users\Admin\AppData\Local\Temp\svhost
C:\Users\Admin\AppData\Local\Temp\svhost
1⤵
- Executes dropped EXE
PID:1680

C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe
C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe
1⤵
- Executes dropped EXE
PID:2132

C:\Users\Admin\AppData\Local\Temp\svhost
C:\Users\Admin\AppData\Local\Temp\svhost
1⤵
- Executes dropped EXE
PID:1468

C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe
C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe
1⤵
- Executes dropped EXE
PID:2748

C:\Users\Admin\AppData\Local\Temp\svhost
C:\Users\Admin\AppData\Local\Temp\svhost
1⤵
- Executes dropped EXE
PID:5924

C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe
C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe
1⤵
- Executes dropped EXE
PID:4868

C:\Users\Admin\AppData\Local\Temp\svhost
C:\Users\Admin\AppData\Local\Temp\svhost
1⤵
- Executes dropped EXE
PID:568

C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe
C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe
1⤵
- Executes dropped EXE
PID:3284

C:\Users\Admin\AppData\Local\Temp\svhost
C:\Users\Admin\AppData\Local\Temp\svhost
1⤵
- Executes dropped EXE
PID:1076

C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe
C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe
1⤵
- Executes dropped EXE
PID:2264

C:\Users\Admin\AppData\Local\Temp\svhost
C:\Users\Admin\AppData\Local\Temp\svhost
1⤵
- Executes dropped EXE
PID:3304

C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe
C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe
1⤵
- Executes dropped EXE
PID:4652

C:\Users\Admin\AppData\Local\Temp\svhost
C:\Users\Admin\AppData\Local\Temp\svhost
1⤵
- Executes dropped EXE
PID:4524

C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe
C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe
1⤵
- Executes dropped EXE
PID:4540

C:\Users\Admin\AppData\Local\Temp\svhost
C:\Users\Admin\AppData\Local\Temp\svhost
1⤵
- Executes dropped EXE
PID:5496

C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe
C:\Users\Admin\AppData\Local\Temp\microsoftsoftware_sv.exe
1⤵
- Executes dropped EXE
PID:5888

C:\Users\Admin\AppData\Local\Temp\svhost
C:\Users\Admin\AppData\Local\Temp\svhost
1⤵
- Executes dropped EXE
PID:804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\microsoftsoftware_sv.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8a507763dc3ca96a10cb133ce59dbc38

SHA1
1da15e342087f1fbdddfb52b6d04c0a227b6814a

SHA256
b308b88b2fb7284ebde039c815bd6e7402427e1ac863e5dbd76802d04659fa0c

SHA512
6c03877a84d2a8b02534a674fda16115c5f39ff6f79fd4b330a9295a5f03f05dde85c0a42819765a8e334b257945fe7c0a49104d6df1a549b184fbb88c985a44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
367da361d214538015b4dba19126ffab

SHA1
0f3b71fc77b6021c8a2523c283d773b5c275f000

SHA256
c26f0f8ae25a52931b7ca924e9e3fff5d0a63b96f78c178f2eebf864ec0e998b

SHA512
26a7c2ed414a5657d6464920854b88c1beec5f7d1b37b58e9fcc4145dd76d94f2bef642a64496f7ee011dfa52d9527caf4cf8a19d6e3acfb266f1101a06cb134

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
15dde0683cd1ca19785d7262f554ba93

SHA1
d039c577e438546d10ac64837b05da480d06bf69

SHA256
d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

SHA512
57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
46b170302a5821687d8c622f10947f27

SHA1
47a91ea3e248bd99dc87211be7e2844dda0687df

SHA256
e3cdd1b49dca63bf255aead7a7535cc6fc085425ff5ac48975d62c37af6a689e

SHA512
e6f9e562876591cb959d5650cf9ef1eb2a87d5a154bd5f8c37f6697c7fd48d959014bcb2aab96b9c41498a465e9d0f114be276514e2be59dcb019334e3dfe7cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9c740b7699e2363ac4ecdf496520ca35

SHA1
aa8691a8c56500d82c5fc8c35209bc6fe50ab1d9

SHA256
be96c91b62ba9ba7072ab89e66543328c9e4395150f9dbe8067332d94a3ecc61

SHA512
8885683f96353582eb871209e766e7eba1a72a2837ce27ea298b7b5b169621d1fa3fce25346b6bfd258b52642644234da9559d4e765a2023a5a5fc1f544cc7af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
4.1MB

MD5
32c2a691330c5375c84daa34807fcec5

SHA1
2b460d660719a6af81dd5e19171c2bc7605346a4

SHA256
4bddfd7704658f97248717080d9192bc62cbdab93e12a5d5d937a20b05490fe1

SHA512
461fd52b8865e1c6dd78c82f217b326e6f7450a66e21a830e4cb355771e43e8d26116c40bf55813c42152cf0d933c8ab31b55880f3e97d765f8f981b2fda6a64

Download Submit
C:\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
4.1MB

MD5
c6e6a4390e5cc243d93e8dd6ba3767b3

SHA1
158c7299b18238a5098e0612138eb95d6a1d97f1

SHA256
76279c8c60435f4462ad353789f21e75eb989b5ad38b158ba8417e4802a17f16

SHA512
6b5476fae9b3a502afb08232fd39511fd45c04dd6a8e36f02972dd02d9d56e7c06df95dc44b57d4d408e640fc8336c207fea7500fd54c7c14ff5c44dfa7d56d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
4.3MB

MD5
043e6b92143a4e63caaf0e420c920673

SHA1
2a6f1e0c6980a9ba8bdf25fdbdccb1b37c40188f

SHA256
08aac09a5d2f8eb06f40d9fa28b0d72d5f1b247554b05433db99a6b8e2d3e509

SHA512
18e1829f511ba45a155322ba3900fb65caa11170d40bd929d00975f76d58bd38daa65975c794700f55e94e4b021428ac95f047112fd1a0524647de8cd13dafaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
4.0MB

MD5
79312fb2011c76f52b897997eefc5949

SHA1
d1059027b981eb68612343fa0448f303a675f6dc

SHA256
3618e22c8cf5603c68ee443c2937d873c300e0587f06efb9c71ff65d9d838b37

SHA512
071772d3f58faf53acf336ba35a7083d55086e480c2734e30096274ada60de6dca34a1b1ad9c77ae794a36c67d79e49597672c654c45a0b75afd186258275555

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\hui.exe

Filesize
5KB

MD5
17b935ed6066732a76bed69867702e4b

SHA1
23f28e3374f9d0e03d45843b28468aace138e71c

SHA256
e60353b37f785c77e1063ac44cba792e9ec69f27b1dc9f3b719280d5ce015cc0

SHA512
774ea047cdc5f008df03ad67242df04d630bb962bc99f1ea8974a21baf6a902c7a5d8b8d09d9e5c7d7e46b0378c7baf33bf80fb3e34777cd0958b8fc740d0318

Download Submit
C:\Users\Admin\AppData\Local\Temp\VapeClient.bat

Filesize
201B

MD5
8e79b7f9fba6ef72cc74a0322fc1ff50

SHA1
413f78c527787758da64989573c28fb3e0decd23

SHA256
62a70d0bc3ac4e236cfbeb246c51900632dcacbf79e043c951b428c909f7315f

SHA512
379ff9a389044a519038ca36128c7fa4d766ded4c5377a9b506298c4a62b96657572ec6da2348d3742c1f8c3900f3ecc1195995586640bfe8fec2614e8c4aab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2322\VCRUNTIME140.dll

Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2322\_bz2.pyd

Filesize
48KB

MD5
c413931b63def8c71374d7826fbf3ab4

SHA1
8b93087be080734db3399dc415cc5c875de857e2

SHA256
17bfa656cabf7ef75741003497a1c315b10237805ff171d44625a04c16532293

SHA512
7dc45e7e5ed35cc182de11a1b08c066918920a6879ff8e37b6bfbdd7d40bffa39ea4aca778aa8afb99c81a365c51187db046bceb938ce9ace0596f1cf746474f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2322\_ctypes.pyd

Filesize
58KB

MD5
00f75daaa7f8a897f2a330e00fad78ac

SHA1
44aec43e5f8f1282989b14c4e3bd238c45d6e334

SHA256
9ffadcb2c40ae6b67ab611acc09e050bbe544672cf05e8402a7aa3936326de1f

SHA512
f222f0ebf16a5c6d16aa2fba933034e692e26e81fea4d8b008259aff4102fe8acf3807f3b016c24002daa15bb8778d7fef20f4ae1206d5a6e226f7336d4da5d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2322\_decimal.pyd

Filesize
106KB

MD5
e3fb8bf23d857b1eb860923ccc47baa5

SHA1
46e9d5f746c047e1b2fefaaf8d3ec0f2c56c42f0

SHA256
7da13df1f416d3ffd32843c895948e460af4dc02cf05c521909555061ed108e3

SHA512
7b0a1fc00c14575b8f415fadc2078bebd157830887dc5b0c4414c8edfaf9fc4a65f58e5cceced11252ade4e627bf17979db397f4f0def9a908efb2eb68cd645c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2322\_hashlib.pyd

Filesize
35KB

MD5
b227bf5d9fec25e2b36d416ccd943ca3

SHA1
4fae06f24a1b61e6594747ec934cbf06e7ec3773

SHA256
d42c3550e58b9aa34d58f709dc65dc4ee6eea83b651740822e10b0aa051df1d7

SHA512
c6d7c5a966c229c4c7042ef60015e3333dab86f83c230c97b8b1042231fdb2a581285a5a08c33ad0864c6bd82f5a3298964ab317736af8a43e7caa7669298c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2322\_lzma.pyd

Filesize
85KB

MD5
542eab18252d569c8abef7c58d303547

SHA1
05eff580466553f4687ae43acba8db3757c08151

SHA256
d2a7111feeaacac8b3a71727482565c46141cc7a5a3d837d8349166bea5054c9

SHA512
b7897b82f1aa9d5aa895c3de810dab1aa335fdf7223e4ff29b32340ad350d9be6b145f95a71c7bc7c88c8df77c3f04853ae4d6f0d5a289721fc1468ecba3f958

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2322\_queue.pyd

Filesize
25KB

MD5
347d6a8c2d48003301032546c140c145

SHA1
1a3eb60ad4f3da882a3fd1e4248662f21bd34193

SHA256
e71803913b57c49f4ce3416ec15dc8a9e5c14f8675209624e76cd71b0319b192

SHA512
b1fdb46b80bb4a39513685781d563a7d55377e43e071901930a13c3e852d0042a5302cd238ddf6ea4d35ceee5a613c96996bffad2da3862673a0d27e60ff2c06

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2322\_socket.pyd

Filesize
43KB

MD5
1a34253aa7c77f9534561dc66ac5cf49

SHA1
fcd5e952f8038a16da6c3092183188d997e32fb9

SHA256
dc03d32f681634e682b02e9a60fdfce420db9f26754aefb9a58654a064dc0f9f

SHA512
ff9eeb4ede4b4dd75c67fab30d0dec462b8af9ca6adc1dcae58f0d169c55a98d85bb610b157f17077b8854ec15af4dfab2f0d47fa9bc463e5b2449979a50293a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2322\_sqlite3.pyd

Filesize
56KB

MD5
1a8fdc36f7138edcc84ee506c5ec9b92

SHA1
e5e2da357fe50a0927300e05c26a75267429db28

SHA256
8e4b9da9c95915e864c89856e2d7671cd888028578a623e761aeac2feca04882

SHA512
462a8f995afc4cf0e041515f0f68600dfd0b0b1402be7945d60e2157ffd4e476cf2ae9cdc8df9595f0fe876994182e3e43773785f79b20c6df08c8a8c47fffa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2322\_ssl.pyd

Filesize
65KB

MD5
f9cc7385b4617df1ddf030f594f37323

SHA1
ebceec12e43bee669f586919a928a1fd93e23a97

SHA256
b093aa2e84a30790abeee82cf32a7c2209978d862451f1e0b0786c4d22833cb6

SHA512
3f362c8a7542212d455f1f187e24f63c6190e564ade0f24561e7e20375a1f15eb36bd8dce9fdaafdab1d6b348a1c6f7cddb9016e4f3535b49136550bc23454fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2322\base_library.zip

Filesize
1.4MB

MD5
32ede00817b1d74ce945dcd1e8505ad0

SHA1
51b5390db339feeed89bffca925896aff49c63fb

SHA256
4a73d461851b484d213684f0aadf59d537cba6fe7e75497e609d54c9f2ba5d4a

SHA512
a0e070b2ee1347e85f37e9fd589bc8484f206fa9c8f4020de147b815d2041293551e3a14a09a6eb4050cfa1f74843525377e1a99bbdcfb867b61ebddb89f21f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2322\blank.aes

Filesize
118KB

MD5
3238ab5479fed87a9656d851b9e91877

SHA1
e401f6ab140792e1086d92efa0c817256e661a6f

SHA256
1f52e6dc166bebc12cbb90a788fd7eecdb7ad7702a97cb0140cc029f8e5ddc76

SHA512
c5e7722530163ced1104c0abd16f071515fa449f07006083193f2a495c5f3b9d510a2917c3507a41d0653d6b7d23685d7d144c31d2d44daf084acdc7035b9776

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2322\blank.aes

Filesize
118KB

MD5
bf2c4564f2acb40712d8b0c3eb0a8d5e

SHA1
cd3ec3861e52c5b75a370d2f58321a46776b910f

SHA256
b673242d868856e55fdd579cfc578983b6caa78e196a87b4380634237add3a1d

SHA512
69d2916864f2cce1a094ee439467d357b10a695c9d3beab1bf951e6248cd960187fbc515bb9ab64d430b7914bc979e447a13c94f97aa0b6c8dd3e710d8ab996e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2322\libcrypto-3.dll

Filesize
1.6MB

MD5
78ebd9cb6709d939e4e0f2a6bbb80da9

SHA1
ea5d7307e781bc1fa0a2d098472e6ea639d87b73

SHA256
6a8c458e3d96f8dd3bf6d3cacc035e38edf7f127eee5563b51f8c8790ced0b3e

SHA512
b752769b3de4b78905b0326b5270091642ac89ff204e9e4d78670791a1fa211a54d777aeef59776c21f854c263add163adaef6a81b166190518cfaaf4e2e4122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2322\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2322\libssl-3.dll

Filesize
223KB

MD5
bf4a722ae2eae985bacc9d2117d90a6f

SHA1
3e29de32176d695d49c6b227ffd19b54abb521ef

SHA256
827fdb184fdcde9223d09274be780fe4fe8518c15c8fc217748ad5fd5ea0f147

SHA512
dd83b95967582152c7b5581121e6b69a07073e7a76fe87975742bb0fd7ecef7494ec940dba914364034cc4e3f623be98cc887677b65c208f14a2a9fc7497ca73

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2322\python311.dll

Filesize
1.6MB

MD5
5f6fd64ec2d7d73ae49c34dd12cedb23

SHA1
c6e0385a868f3153a6e8879527749db52dce4125

SHA256
ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967

SHA512
c4be2d042c6e4d22e46eacfd550f61b8f55814bfe41d216a4df48382247df70bc63151068513855aa78f9b3d2f10ba6a824312948324c92de6dd0f6af414e8ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2322\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2322\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2322\select.pyd

Filesize
25KB

MD5
45d5a749e3cd3c2de26a855b582373f6

SHA1
90bb8ac4495f239c07ec2090b935628a320b31fc

SHA256
2d15c2f311528440aa29934920fb0b015eaf8cbe3b3c9ad08a282a2d6ba68876

SHA512
c7a641d475a26712652a84b8423155ca347e0ec0155bd257c200225a64752453e4763b8885d8fb043b30e92ae023a501fff04777ba5cfe54da9a68071f25fbea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2322\sqlite3.dll

Filesize
622KB

MD5
dbc64142944210671cca9d449dab62e6

SHA1
a2a2098b04b1205ba221244be43b88d90688334c

SHA256
6e6b6f7df961c119692f6c1810fbfb7d40219ea4e5b2a98c413424cf02dce16c

SHA512
3bff546482b87190bb2a499204ab691532aa6f4b4463ab5c462574fc3583f9fc023c1147d84d76663e47292c2ffc1ed1cb11bdb03190e13b6aa432a1cef85c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2322\unicodedata.pyd

Filesize
295KB

MD5
8c42fcc013a1820f82667188e77be22d

SHA1
fba7e4e0f86619aaf2868cedd72149e56a5a87d4

SHA256
0e00b0e896457ecdc6ef85a8989888ccfbf05ebd8d8a1c493946a2f224b880c2

SHA512
3a028443747d04d05fdd3982bb18c52d1afee2915a90275264bf5db201bd4612090914c7568f870f0af7dfee850c554b3fec9d387334d53d03da6426601942b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jjssb02b.z2w.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\huii.exe

Filesize
313KB

MD5
c125391f5a989f964548e45decc7490e

SHA1
08906a336b65dbb61cfc0b95f11315f18a5301f8

SHA256
acc6fecd839b1de178b5d17525b3764fb7511e589ae04f6217666e869cacce91

SHA512
9a6b36c78b9016f662124f4761d4ad42965748259fba7f8fc59730d0fbd63b151ff34b650019645fe845659ea024e9a9f173c55427aced781b5e5a6938b8dd3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ms_host.exe

Filesize
60KB

MD5
d5a10d43ab7ebb2eb3994d838f28082c

SHA1
e14038fa3d5d9f87e5f58afe4299453764570c7e

SHA256
3d30447bf5ff5d6a9a4bcb0d10a1247d75f015e93b90cc4c5278100e4b7f8e94

SHA512
e814c1dfabe7ce1d7e7f986d2319332442b69bb20c8c6c323f828a61cbae35653f5bacc1b336b06b4c74c6ff156e1c91e78be12e6e3428fbec2084046d6f9add

Download Submit
C:\Users\Admin\AppData\Local\Temp\sv_host.exe

Filesize
69KB

MD5
91d589dde2c5210749d269da8d49f9b2

SHA1
3c712db908c457dcf2fcfe76979128aa35db41f2

SHA256
8cbdd9f6000ae1b2e8092c0fc6e283da34271c83bfd564198e779c3a1f417635

SHA512
1913ff1143bdadbd90e6e4da5dc803b4d405cb6a6b767eda33ba58509cfbde6a9638be8582f7faaabacdbeae327086340b735eb0db078b0a28a05b01e7389c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\tzahzf.exe

Filesize
323KB

MD5
c76b0867436829232609a7f6c786c37c

SHA1
06d88a277a77db9494feca72c31a35af3f83a4f8

SHA256
3c399e4c4826de5f378e1da9a9e54c29bf8d557aae01f53d307c4bf565d03194

SHA512
9047a8ac3a2795c73e5650ce37d0595798532579ca4013f2498e9641796d9814aba1d138812ee28135edd4b48843f58063c278511c4279ee3afbd422a683359d

Download Submit
memory/1912-153-0x00000239F8490000-0x00000239F84A0000-memory.dmp

Filesize
64KB

Download
memory/1912-169-0x00007FFA6FDF0000-0x00007FFA708B1000-memory.dmp

Filesize
10.8MB

Download
memory/1912-152-0x00007FFA6FDF0000-0x00007FFA708B1000-memory.dmp

Filesize
10.8MB

Download
memory/1912-136-0x00000239F8490000-0x00000239F84A0000-memory.dmp

Filesize
64KB

Download
memory/1972-229-0x000001CC75140000-0x000001CC75150000-memory.dmp

Filesize
64KB

Download
memory/1972-228-0x00007FFA6FDF0000-0x00007FFA708B1000-memory.dmp

Filesize
10.8MB

Download
memory/1972-231-0x000001CC75140000-0x000001CC75150000-memory.dmp

Filesize
64KB

Download
memory/1972-248-0x00007FFA6FDF0000-0x00007FFA708B1000-memory.dmp

Filesize
10.8MB

Download
memory/2408-199-0x0000017DB89E0000-0x0000017DB89F0000-memory.dmp

Filesize
64KB

Download
memory/2408-218-0x00007FFA6FDF0000-0x00007FFA708B1000-memory.dmp

Filesize
10.8MB

Download
memory/2408-201-0x0000017DB89E0000-0x0000017DB89F0000-memory.dmp

Filesize
64KB

Download
memory/2408-196-0x00007FFA6FDF0000-0x00007FFA708B1000-memory.dmp

Filesize
10.8MB

Download
memory/2716-294-0x00007FFA6FDF0000-0x00007FFA708B1000-memory.dmp

Filesize
10.8MB

Download
memory/2716-281-0x00007FFA6FDF0000-0x00007FFA708B1000-memory.dmp

Filesize
10.8MB

Download
memory/3244-151-0x00007FFA6FDF0000-0x00007FFA708B1000-memory.dmp

Filesize
10.8MB

Download
memory/3244-40-0x0000000000240000-0x0000000000256000-memory.dmp

Filesize
88KB

Download
memory/3244-39-0x00007FFA6FDF0000-0x00007FFA708B1000-memory.dmp

Filesize
10.8MB

Download
memory/3772-1-0x00007FFA6FDF0000-0x00007FFA708B1000-memory.dmp

Filesize
10.8MB

Download
memory/3772-3-0x000000001C2F0000-0x000000001C300000-memory.dmp

Filesize
64KB

Download
memory/3772-0-0x0000000000D50000-0x000000000149E000-memory.dmp

Filesize
7.3MB

Download
memory/3772-53-0x00007FFA6FDF0000-0x00007FFA708B1000-memory.dmp

Filesize
10.8MB

Download
memory/4168-242-0x0000029EF8F80000-0x0000029EF8F90000-memory.dmp

Filesize
64KB

Download
memory/4168-241-0x00007FFA6FDF0000-0x00007FFA708B1000-memory.dmp

Filesize
10.8MB

Download
memory/4168-253-0x00007FFA6FDF0000-0x00007FFA708B1000-memory.dmp

Filesize
10.8MB

Download
memory/4540-266-0x0000024A28EE0000-0x0000024A28EF0000-memory.dmp

Filesize
64KB

Download
memory/4540-265-0x00007FFA6FDF0000-0x00007FFA708B1000-memory.dmp

Filesize
10.8MB

Download
memory/4540-282-0x00007FFA6FDF0000-0x00007FFA708B1000-memory.dmp

Filesize
10.8MB

Download
memory/4540-268-0x0000024A28EE0000-0x0000024A28EF0000-memory.dmp

Filesize
64KB

Download
memory/4548-41-0x00007FFA6FDF0000-0x00007FFA708B1000-memory.dmp

Filesize
10.8MB

Download
memory/4548-31-0x0000000000250000-0x0000000000268000-memory.dmp

Filesize
96KB

Download
memory/4548-198-0x00007FFA6FDF0000-0x00007FFA708B1000-memory.dmp

Filesize
10.8MB

Download
memory/5208-130-0x000002AEB6910000-0x000002AEB6920000-memory.dmp

Filesize
64KB

Download
memory/5208-128-0x00007FFA6FDF0000-0x00007FFA708B1000-memory.dmp

Filesize
10.8MB

Download
memory/5208-129-0x000002AEB6910000-0x000002AEB6920000-memory.dmp

Filesize
64KB

Download
memory/5208-173-0x00007FFA6FDF0000-0x00007FFA708B1000-memory.dmp

Filesize
10.8MB

Download
memory/5208-141-0x000002AEB8B00000-0x000002AEB8B22000-memory.dmp

Filesize
136KB

Download
memory/5232-154-0x00007FFA6C350000-0x00007FFA6C939000-memory.dmp

Filesize
5.9MB

Download
memory/5232-111-0x00007FFA6CF70000-0x00007FFA6D0E7000-memory.dmp

Filesize
1.5MB

Download
memory/5232-103-0x00007FFA7E6A0000-0x00007FFA7E6CD000-memory.dmp

Filesize
180KB

Download
memory/5232-96-0x00007FFA7ED40000-0x00007FFA7ED63000-memory.dmp

Filesize
140KB

Download
memory/5232-174-0x00007FFA7F010000-0x00007FFA7F01D000-memory.dmp

Filesize
52KB

Download
memory/5232-113-0x00007FFA7E650000-0x00007FFA7E669000-memory.dmp

Filesize
100KB

Download
memory/5232-115-0x00007FFA7E610000-0x00007FFA7E643000-memory.dmp

Filesize
204KB

Download
memory/5232-107-0x00007FFA7ED00000-0x00007FFA7ED19000-memory.dmp

Filesize
100KB

Download
memory/5232-168-0x00007FFA7DE20000-0x00007FFA7DE34000-memory.dmp

Filesize
80KB

Download
memory/5232-165-0x00007FFA6BD60000-0x00007FFA6C280000-memory.dmp

Filesize
5.1MB

Download
memory/5232-118-0x00007FFA7F3C0000-0x00007FFA7F3CD000-memory.dmp

Filesize
52KB

Download
memory/5232-119-0x00007FFA6C280000-0x00007FFA6C34D000-memory.dmp

Filesize
820KB

Download
memory/5232-125-0x00007FFA6BC40000-0x00007FFA6BD5C000-memory.dmp

Filesize
1.1MB

Download
memory/5232-124-0x00007FFA7F010000-0x00007FFA7F01D000-memory.dmp

Filesize
52KB

Download
memory/5232-97-0x00007FFA84BC0000-0x00007FFA84BCF000-memory.dmp

Filesize
60KB

Download
memory/5232-163-0x00007FFA7E610000-0x00007FFA7E643000-memory.dmp

Filesize
204KB

Download
memory/5232-123-0x000001E5C7D50000-0x000001E5C8270000-memory.dmp

Filesize
5.1MB

Download
memory/5232-74-0x00007FFA6C350000-0x00007FFA6C939000-memory.dmp

Filesize
5.9MB

Download
memory/5232-126-0x00007FFA6BD60000-0x00007FFA6C280000-memory.dmp

Filesize
5.1MB

Download
memory/5232-164-0x00007FFA6C280000-0x00007FFA6C34D000-memory.dmp

Filesize
820KB

Download
memory/5232-162-0x00007FFA7F3C0000-0x00007FFA7F3CD000-memory.dmp

Filesize
52KB

Download
memory/5232-161-0x00007FFA7E650000-0x00007FFA7E669000-memory.dmp

Filesize
100KB

Download
memory/5232-160-0x00007FFA6CF70000-0x00007FFA6D0E7000-memory.dmp

Filesize
1.5MB

Download
memory/5232-158-0x00007FFA7ED00000-0x00007FFA7ED19000-memory.dmp

Filesize
100KB

Download
memory/5232-155-0x00007FFA7ED40000-0x00007FFA7ED63000-memory.dmp

Filesize
140KB

Download
memory/5232-127-0x00007FFA7DE20000-0x00007FFA7DE34000-memory.dmp

Filesize
80KB

Download
memory/5232-159-0x00007FFA7E670000-0x00007FFA7E693000-memory.dmp

Filesize
140KB

Download
memory/5232-108-0x00007FFA7E670000-0x00007FFA7E693000-memory.dmp

Filesize
140KB

Download
memory/5232-175-0x00007FFA6BC40000-0x00007FFA6BD5C000-memory.dmp

Filesize
1.1MB

Download
memory/5232-157-0x00007FFA7E6A0000-0x00007FFA7E6CD000-memory.dmp

Filesize
180KB

Download
memory/5232-156-0x00007FFA84BC0000-0x00007FFA84BCF000-memory.dmp

Filesize
60KB

Download
memory/5336-203-0x00007FFA6FDF0000-0x00007FFA708B1000-memory.dmp

Filesize
10.8MB

Download
memory/5336-197-0x00007FFA6FDF0000-0x00007FFA708B1000-memory.dmp

Filesize
10.8MB

Download
memory/5336-200-0x00000273605B0000-0x00000273605C0000-memory.dmp

Filesize
64KB

Download
memory/5580-206-0x0000028373C70000-0x0000028373C80000-memory.dmp

Filesize
64KB

Download
memory/5580-222-0x00007FFA6FDF0000-0x00007FFA708B1000-memory.dmp

Filesize
10.8MB

Download
memory/5580-219-0x0000028373C70000-0x0000028373C80000-memory.dmp

Filesize
64KB

Download
memory/5580-205-0x0000028373C70000-0x0000028373C80000-memory.dmp

Filesize
64KB

Download
memory/5580-204-0x00007FFA6FDF0000-0x00007FFA708B1000-memory.dmp

Filesize
10.8MB

Download
memory/5932-254-0x000002019ACB0000-0x000002019ACC0000-memory.dmp

Filesize
64KB

Download
memory/5932-249-0x00007FFA6FDF0000-0x00007FFA708B1000-memory.dmp

Filesize
10.8MB

Download
memory/5932-269-0x00007FFA6FDF0000-0x00007FFA708B1000-memory.dmp

Filesize
10.8MB

Download
memory/5932-252-0x000002019ACB0000-0x000002019ACC0000-memory.dmp

Filesize
64KB

Download
memory/6060-334-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download