agenttesla | 6a9b62894ee77e4131d0fbf4f43fe634e10c0c8ae616012a8e62a5047ba8b7a5

Analysis

max time kernel
56s
max time network
58s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2024, 14:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EstrogenExecutor3.0.exe
Size

1.8MB
MD5

5e75df34a8c11bae2d273edc7b9044c7
SHA1

829867bd84371a5d6cd2c628eb2adee07a44a03a
SHA256

e898f8b48bddbf5dfe8e6eb3d9287c1a5164616b7e9977a4cda96c36bc967db8
SHA512

05690fab406761fea1b2f60589198ea1cfa453a51022d3f968cfc55cddab900d1e2d4db9dcdee376974e009209876e4d1bee9717ce023e06a8b282f07f9c411b
SSDEEP

24576:n3lzFXQHA6mjAafPoMmcdzhj8vQoyxzhQdnabbTbNH5se0A0Xk+l+4lk3HgCoIK2:3lRXGV2ocFkM4abDN6ezM+H

Score

10^/10

agenttesla evasion keylogger persistence spyware stealer trojan upx

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral4/memory/4568-42-0x000000000DDB0000-0x000000000DFC4000-memory.dmp	family_agenttesla

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
4400	attrib.exe
3948	attrib.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	EstrogenExecutor3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	AssetLoader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	sr2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	vr2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	$77svrhost.exe

Executes dropped EXE 8 IoCs

pid	Process
1944	AssetLoader.exe
1832	vr2.exe
1908	sr2.exe
1476	ug2.exe
3068	bg.exe
2016	bg.exe
1152	aids.exe
3056	$77svrhost.exe

Loads dropped DLL 18 IoCs

pid	Process
2016	bg.exe
2016	bg.exe
2016	bg.exe
2016	bg.exe
2016	bg.exe
2016	bg.exe
2016	bg.exe
2016	bg.exe
2016	bg.exe
2016	bg.exe
2016	bg.exe
2016	bg.exe
2016	bg.exe
2016	bg.exe
2016	bg.exe
2016	bg.exe
2016	bg.exe
2016	bg.exe

UPX packed file 36 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/files/0x0007000000023229-163.dat	upx
behavioral4/memory/2016-168-0x00007FFAF2CF0000-0x00007FFAF32D8000-memory.dmp	upx
behavioral4/files/0x0007000000023228-219.dat	upx
behavioral4/memory/2016-221-0x00007FFB07510000-0x00007FFB0751F000-memory.dmp	upx
behavioral4/memory/2016-222-0x00007FFB07770000-0x00007FFB07794000-memory.dmp	upx
behavioral4/files/0x0007000000023226-218.dat	upx
behavioral4/memory/2016-250-0x00007FFAFE710000-0x00007FFAFE73D000-memory.dmp	upx
behavioral4/memory/2016-251-0x00007FFAF9000000-0x00007FFAF9023000-memory.dmp	upx
behavioral4/memory/2016-258-0x00007FFB02260000-0x00007FFB02279000-memory.dmp	upx
behavioral4/memory/2016-259-0x00007FFAF2410000-0x00007FFAF2583000-memory.dmp	upx
behavioral4/memory/2016-260-0x00007FFAFE6F0000-0x00007FFAFE709000-memory.dmp	upx
behavioral4/memory/2016-256-0x00007FFB07180000-0x00007FFB0718D000-memory.dmp	upx
behavioral4/memory/2016-261-0x00007FFB07220000-0x00007FFB0722D000-memory.dmp	upx
behavioral4/memory/2016-264-0x00007FFAF1E30000-0x00007FFAF1F4C000-memory.dmp	upx
behavioral4/memory/2016-263-0x00007FFAF7D30000-0x00007FFAF7D44000-memory.dmp	upx
behavioral4/memory/2016-262-0x00007FFAF8FD0000-0x00007FFAF8FFE000-memory.dmp	upx
behavioral4/memory/2016-254-0x00007FFAF1FD0000-0x00007FFAF2345000-memory.dmp	upx
behavioral4/memory/2016-253-0x00007FFAF2350000-0x00007FFAF2408000-memory.dmp	upx
behavioral4/memory/2016-315-0x00007FFB07510000-0x00007FFB0751F000-memory.dmp	upx
behavioral4/memory/2016-311-0x00007FFAF2CF0000-0x00007FFAF32D8000-memory.dmp	upx
behavioral4/memory/2016-313-0x00007FFB07770000-0x00007FFB07794000-memory.dmp	upx
behavioral4/memory/2016-316-0x00007FFAFE710000-0x00007FFAFE73D000-memory.dmp	upx
behavioral4/memory/2016-318-0x00007FFAF9000000-0x00007FFAF9023000-memory.dmp	upx
behavioral4/memory/2016-321-0x00007FFB07220000-0x00007FFB0722D000-memory.dmp	upx
behavioral4/memory/2016-324-0x00007FFAF2350000-0x00007FFAF2408000-memory.dmp	upx
behavioral4/memory/2016-326-0x00007FFAF7D30000-0x00007FFAF7D44000-memory.dmp	upx
behavioral4/memory/2016-328-0x00007FFAF1E30000-0x00007FFAF1F4C000-memory.dmp	upx
behavioral4/memory/2016-327-0x00007FFB07180000-0x00007FFB0718D000-memory.dmp	upx
behavioral4/memory/2016-325-0x00007FFAF1FD0000-0x00007FFAF2345000-memory.dmp	upx
behavioral4/memory/2016-323-0x00007FFAF8FD0000-0x00007FFAF8FFE000-memory.dmp	upx
behavioral4/memory/2016-320-0x00007FFAFE6F0000-0x00007FFAFE709000-memory.dmp	upx
behavioral4/memory/2016-319-0x00007FFAF2410000-0x00007FFAF2583000-memory.dmp	upx
behavioral4/memory/2016-317-0x00007FFB02260000-0x00007FFB02279000-memory.dmp	upx
behavioral4/files/0x0007000000023227-176.dat	upx
behavioral4/files/0x000b0000000231d1-174.dat	upx
behavioral4/files/0x0007000000023229-165.dat	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\svrhost\\$77svrhost.exe\""	sr2.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
112	discord.com
113	discord.com

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

pid	Process
4568	EstrogenExecutor3.0.exe
4568	EstrogenExecutor3.0.exe
1908	sr2.exe
1832	vr2.exe
1476	ug2.exe
1908	sr2.exe
1832	vr2.exe
1476	ug2.exe
1152	aids.exe
1152	aids.exe
3056	$77svrhost.exe
3056	$77svrhost.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\vr2.exe	AssetLoader.exe
File created	C:\Windows\sr2.exe	AssetLoader.exe
File created	C:\Windows\ug2.exe	AssetLoader.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
448	schtasks.exe
4600	schtasks.exe
3700	schtasks.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
4436	timeout.exe
1784	timeout.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
880	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	EstrogenExecutor3.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	EstrogenExecutor3.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	EstrogenExecutor3.0.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	EstrogenExecutor3.0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2044	powershell.exe
2044	powershell.exe
2044	powershell.exe
3936	powershell.exe
3936	powershell.exe
3228	powershell.exe
3228	powershell.exe
3936	powershell.exe
3228	powershell.exe
1908	sr2.exe
1908	sr2.exe
1908	sr2.exe
1908	sr2.exe
1908	sr2.exe
1908	sr2.exe
1908	sr2.exe
1908	sr2.exe
1908	sr2.exe
1908	sr2.exe
1908	sr2.exe
1908	sr2.exe
1908	sr2.exe
1908	sr2.exe
1908	sr2.exe
1908	sr2.exe
1908	sr2.exe
1908	sr2.exe
1908	sr2.exe
1908	sr2.exe
1908	sr2.exe
1908	sr2.exe
1908	sr2.exe
1908	sr2.exe
1832	vr2.exe
1832	vr2.exe
1832	vr2.exe
1832	vr2.exe
1832	vr2.exe
1832	vr2.exe
1832	vr2.exe
1832	vr2.exe
1832	vr2.exe
1832	vr2.exe
1832	vr2.exe
1832	vr2.exe
1832	vr2.exe
1832	vr2.exe
1832	vr2.exe
1832	vr2.exe
1832	vr2.exe
1832	vr2.exe
1832	vr2.exe
1832	vr2.exe
1832	vr2.exe
1832	vr2.exe
1832	vr2.exe
1832	vr2.exe
1832	vr2.exe
1832	vr2.exe
1832	vr2.exe
1832	vr2.exe
1832	vr2.exe
1832	vr2.exe
1152	aids.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	1832	vr2.exe
Token: SeDebugPrivilege	1476	ug2.exe
Token: SeIncreaseQuotaPrivilege	1204	wmic.exe
Token: SeSecurityPrivilege	1204	wmic.exe
Token: SeTakeOwnershipPrivilege	1204	wmic.exe
Token: SeLoadDriverPrivilege	1204	wmic.exe
Token: SeSystemProfilePrivilege	1204	wmic.exe
Token: SeSystemtimePrivilege	1204	wmic.exe
Token: SeProfSingleProcessPrivilege	1204	wmic.exe
Token: SeIncBasePriorityPrivilege	1204	wmic.exe
Token: SeCreatePagefilePrivilege	1204	wmic.exe
Token: SeBackupPrivilege	1204	wmic.exe
Token: SeRestorePrivilege	1204	wmic.exe
Token: SeShutdownPrivilege	1204	wmic.exe
Token: SeDebugPrivilege	1204	wmic.exe
Token: SeSystemEnvironmentPrivilege	1204	wmic.exe
Token: SeRemoteShutdownPrivilege	1204	wmic.exe
Token: SeUndockPrivilege	1204	wmic.exe
Token: SeManageVolumePrivilege	1204	wmic.exe
Token: 33	1204	wmic.exe
Token: 34	1204	wmic.exe
Token: 35	1204	wmic.exe
Token: 36	1204	wmic.exe
Token: SeIncreaseQuotaPrivilege	3224	WMIC.exe
Token: SeSecurityPrivilege	3224	WMIC.exe
Token: SeTakeOwnershipPrivilege	3224	WMIC.exe
Token: SeLoadDriverPrivilege	3224	WMIC.exe
Token: SeSystemProfilePrivilege	3224	WMIC.exe
Token: SeSystemtimePrivilege	3224	WMIC.exe
Token: SeProfSingleProcessPrivilege	3224	WMIC.exe
Token: SeIncBasePriorityPrivilege	3224	WMIC.exe
Token: SeCreatePagefilePrivilege	3224	WMIC.exe
Token: SeBackupPrivilege	3224	WMIC.exe
Token: SeRestorePrivilege	3224	WMIC.exe
Token: SeShutdownPrivilege	3224	WMIC.exe
Token: SeDebugPrivilege	3224	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3224	WMIC.exe
Token: SeRemoteShutdownPrivilege	3224	WMIC.exe
Token: SeUndockPrivilege	3224	WMIC.exe
Token: SeManageVolumePrivilege	3224	WMIC.exe
Token: 33	3224	WMIC.exe
Token: 34	3224	WMIC.exe
Token: 35	3224	WMIC.exe
Token: 36	3224	WMIC.exe
Token: SeDebugPrivilege	880	tasklist.exe
Token: SeIncreaseQuotaPrivilege	1204	wmic.exe
Token: SeSecurityPrivilege	1204	wmic.exe
Token: SeTakeOwnershipPrivilege	1204	wmic.exe
Token: SeLoadDriverPrivilege	1204	wmic.exe
Token: SeSystemProfilePrivilege	1204	wmic.exe
Token: SeSystemtimePrivilege	1204	wmic.exe
Token: SeProfSingleProcessPrivilege	1204	wmic.exe
Token: SeIncBasePriorityPrivilege	1204	wmic.exe
Token: SeCreatePagefilePrivilege	1204	wmic.exe
Token: SeBackupPrivilege	1204	wmic.exe
Token: SeRestorePrivilege	1204	wmic.exe
Token: SeShutdownPrivilege	1204	wmic.exe
Token: SeDebugPrivilege	1204	wmic.exe
Token: SeSystemEnvironmentPrivilege	1204	wmic.exe
Token: SeRemoteShutdownPrivilege	1204	wmic.exe
Token: SeUndockPrivilege	1204	wmic.exe
Token: SeManageVolumePrivilege	1204	wmic.exe
Token: 33	1204	wmic.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1152	aids.exe
3056	$77svrhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4568 wrote to memory of 1944	4568	EstrogenExecutor3.0.exe	93
PID 4568 wrote to memory of 1944	4568	EstrogenExecutor3.0.exe	93
PID 4568 wrote to memory of 1944	4568	EstrogenExecutor3.0.exe	93
PID 1944 wrote to memory of 2044	1944	AssetLoader.exe	94
PID 1944 wrote to memory of 2044	1944	AssetLoader.exe	94
PID 1944 wrote to memory of 2044	1944	AssetLoader.exe	94
PID 1944 wrote to memory of 1832	1944	AssetLoader.exe	95
PID 1944 wrote to memory of 1832	1944	AssetLoader.exe	95
PID 1944 wrote to memory of 1908	1944	AssetLoader.exe	97
PID 1944 wrote to memory of 1908	1944	AssetLoader.exe	97
PID 1944 wrote to memory of 1476	1944	AssetLoader.exe	98
PID 1944 wrote to memory of 1476	1944	AssetLoader.exe	98
PID 1944 wrote to memory of 3068	1944	AssetLoader.exe	99
PID 1944 wrote to memory of 3068	1944	AssetLoader.exe	99
PID 3068 wrote to memory of 2016	3068	bg.exe	100
PID 3068 wrote to memory of 2016	3068	bg.exe	100
PID 1476 wrote to memory of 1204	1476	ug2.exe	101
PID 1476 wrote to memory of 1204	1476	ug2.exe	101
PID 2016 wrote to memory of 1744	2016	bg.exe	102
PID 2016 wrote to memory of 1744	2016	bg.exe	102
PID 2016 wrote to memory of 4152	2016	bg.exe	103
PID 2016 wrote to memory of 4152	2016	bg.exe	103
PID 2016 wrote to memory of 1152	2016	bg.exe	133
PID 2016 wrote to memory of 1152	2016	bg.exe	133
PID 2016 wrote to memory of 4016	2016	bg.exe	109
PID 2016 wrote to memory of 4016	2016	bg.exe	109
PID 4016 wrote to memory of 3224	4016	cmd.exe	111
PID 4016 wrote to memory of 3224	4016	cmd.exe	111
PID 1152 wrote to memory of 880	1152	cmd.exe	112
PID 1152 wrote to memory of 880	1152	cmd.exe	112
PID 1744 wrote to memory of 3228	1744	cmd.exe	113
PID 1744 wrote to memory of 3228	1744	cmd.exe	113
PID 4152 wrote to memory of 3936	4152	cmd.exe	114
PID 4152 wrote to memory of 3936	4152	cmd.exe	114
PID 1908 wrote to memory of 3948	1908	sr2.exe	120
PID 1908 wrote to memory of 3948	1908	sr2.exe	120
PID 1908 wrote to memory of 4400	1908	sr2.exe	122
PID 1908 wrote to memory of 4400	1908	sr2.exe	122
PID 1832 wrote to memory of 4332	1832	vr2.exe	124
PID 1832 wrote to memory of 4332	1832	vr2.exe	124
PID 1832 wrote to memory of 220	1832	vr2.exe	126
PID 1832 wrote to memory of 220	1832	vr2.exe	126
PID 220 wrote to memory of 4436	220	cmd.exe	128
PID 220 wrote to memory of 4436	220	cmd.exe	128
PID 4332 wrote to memory of 448	4332	cmd.exe	129
PID 4332 wrote to memory of 448	4332	cmd.exe	129
PID 220 wrote to memory of 1152	220	cmd.exe	133
PID 220 wrote to memory of 1152	220	cmd.exe	133
PID 1908 wrote to memory of 2756	1908	sr2.exe	140
PID 1908 wrote to memory of 2756	1908	sr2.exe	140
PID 2756 wrote to memory of 1784	2756	cmd.exe	142
PID 2756 wrote to memory of 1784	2756	cmd.exe	142
PID 2756 wrote to memory of 3056	2756	cmd.exe	143
PID 2756 wrote to memory of 3056	2756	cmd.exe	143
PID 3056 wrote to memory of 4740	3056	$77svrhost.exe	145
PID 3056 wrote to memory of 4740	3056	$77svrhost.exe	145
PID 3056 wrote to memory of 4600	3056	$77svrhost.exe	147
PID 3056 wrote to memory of 4600	3056	$77svrhost.exe	147
PID 3056 wrote to memory of 3536	3056	$77svrhost.exe	149
PID 3056 wrote to memory of 3536	3056	$77svrhost.exe	149
PID 3056 wrote to memory of 4376	3056	$77svrhost.exe	151
PID 3056 wrote to memory of 4376	3056	$77svrhost.exe	151
PID 3056 wrote to memory of 3700	3056	$77svrhost.exe	153
PID 3056 wrote to memory of 3700	3056	$77svrhost.exe	153

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4400	attrib.exe
3948	attrib.exe

C:\Users\Admin\AppData\Local\Temp\EstrogenExecutor3.0.exe
"C:\Users\Admin\AppData\Local\Temp\EstrogenExecutor3.0.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4568
- C:\Users\Admin\AppData\Roaming\EstrogenExecutor\AssetLoader.exe
  "C:\Users\Admin\AppData\Roaming\EstrogenExecutor\AssetLoader.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAaQByACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGgAagBnACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGMAagB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAZQBpACMAPgA="
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2044
- - C:\Windows\vr2.exe
    "C:\Windows\vr2.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1832
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "aids" /tr '"C:\Users\Admin\AppData\Roaming\aids.exe"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4332
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "aids" /tr '"C:\Users\Admin\AppData\Roaming\aids.exe"'
        5⤵
        Creates scheduled task(s)
        
        PID:448
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp597A.tmp.bat""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:220
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:4436
    - - C:\Users\Admin\AppData\Roaming\aids.exe
        
        "C:\Users\Admin\AppData\Roaming\aids.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1152
- - C:\Windows\sr2.exe
    "C:\Windows\sr2.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1908
  - - C:\Windows\System32\attrib.exe
      "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\svrhost"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:3948
  - - C:\Windows\System32\attrib.exe
      "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\svrhost\$77svrhost.exe"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:4400
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA681.tmp.bat""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2756
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:1784
    - - C:\Users\Admin\svrhost\$77svrhost.exe
        
        "C:\Users\Admin\svrhost\$77svrhost.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3056
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks.exe" /query /TN $77svrhost.exe
        6⤵
        
        PID:4740
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks.exe" /Create /SC ONCE /TN "$77svrhost.exe" /TR "C:\Users\Admin\svrhost\$77svrhost.exe \"\$77svrhost.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:4600
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks.exe" /query /TN $77svrhost.exe
        6⤵
        
        PID:3536
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
        6⤵
        
        PID:4376
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /sc daily /tn "svrhost_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00
        6⤵
        Creates scheduled task(s)
        
        PID:3700
- - C:\Windows\ug2.exe
    "C:\Windows\ug2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1476
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1204
- - C:\Users\Admin\AppData\Roaming\bg.exe
    "C:\Users\Admin\AppData\Roaming\bg.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - C:\Users\Admin\AppData\Roaming\bg.exe
      "C:\Users\Admin\AppData\Roaming\bg.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2016
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\bg.exe'"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1744
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\bg.exe'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3228
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4152
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3936
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1152
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:880
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4016
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3224

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI30682\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30682\_ctypes.pyd

Filesize
57KB

MD5
38fb83bd4febed211bd25e19e1cae555

SHA1
4541df6b69d0d52687edb12a878ae2cd44f82db6

SHA256
cd31af70cbcfe81b01a75ebeb2de86079f4cbe767b75c3b5799ef8b9f0392d65

SHA512
f703b231b675c45accb1f05cd34319b5b3b7583d85bf2d54194f9e7c704fbcd82ef2a2cd286e6a50234f02c43616fbeccfd635aefd73424c1834f5dca52c0931

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-core-console-l1-1-0.dll

Filesize
21KB

MD5
604f8220d6e9bbfe13cf30d90430eb5e

SHA1
d756339808307f2dde9a264a60064c12f929fe37

SHA256
08965604253d019b90cff21c35d98d6276561f213c0e373212fe994beadfe47f

SHA512
6f2394075e1b56eec4163cc42fa4f4882eb51959fe41e468f978a815814caa742f29e7d70683398105a4a8f9d06fa2a883b1c38625c7afd660961f8ca2175032

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-core-datetime-l1-1-0.dll

Filesize
22KB

MD5
a08e9d074407ce657135583dd46b7ef8

SHA1
5566b9167679cea09a369464f82fd3450547eae2

SHA256
6a3a71ea739c19e3557529b084d627af8d5b654de391437c00cbb48fbf01e180

SHA512
a9f750c7a8c26fa7e3943be77ba0b10cf8418d7ae99e2e4ec0b28c45064fd7a2884c59149e9f19ffc5da77b996ec97b6db9b5cbb2dfcaf6dda37d73d33468b8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-core-debug-l1-1-0.dll

Filesize
22KB

MD5
4bd922d8bd84b87909a14eff013b5fa2

SHA1
5d7ece4b82db230ef90e7f0b7f07d51259506380

SHA256
0c0632c396a53aac5bb8eef885c5ec745ec92a810925c8710590aff6eaf1817c

SHA512
a416e09d9607381d791249528abb96fb0112a555eb56ed9c80b74ea16926e26a68944256d4895705c78e65be4897ea514138f0480ea450d86588f99002e84e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
22KB

MD5
4d8fd1ff9959d8230270928301c58cdd

SHA1
1bc22a0917b0a2349419cc8fce5f357e2d9ba00a

SHA256
1c32d309a6c4f66ed5953d64c669d09e4efb6adf3d0aad8365ef855c1cb61894

SHA512
dc9c7fb2df20d09ed249414f9cafbce6ecd2025de7928ddb8dfde77e9a54c3451196f4a007530ca2f20e091b59bb09428b832f3ea7b46b3c426e208217b4f301

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-core-fibers-l1-1-0.dll

Filesize
21KB

MD5
c935583504d1854a516eb336b60f1436

SHA1
8f7fe35214b991c8b37ae35bcfbb551e4f20184f

SHA256
de86f0cd5a813192164b7970a252d6287918202a786f014110399cfa5c9d4528

SHA512
b6323318bc5b57d2e9a43ee0064e221593b90073f57b1cc2d3bfd48c07a7454969ca26ad51b9b0d3503619d09f96ccb263509da37595ddebd74441c0eb0b5b13

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-core-file-l1-1-0.dll

Filesize
26KB

MD5
1c54f3edf48d7d5cd20ae8083345c4eb

SHA1
977ffa32bc40b21052f3431572617377866a4552

SHA256
7a445bdc8b67741b583c32084bdaf8113e9edee6a15abdec325e1b879fa26e6f

SHA512
cf9770115d3a59e10d7628e9b660830f4aedd5dcce29e6e13c63a32ab928d7b4f8131332791e106d9229ffc90d299b61a9bc7e134c17d69f3b90266ddcd46fbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
0d6d4654c98caa8ff93eebbc744bfb8b

SHA1
e4662e675a2ae93e66bddb0743fb81c0cf1e31d4

SHA256
1686b1b0a72655c89348bd5a2e5c88e6e5ca228f407c02f9700b43a045e60aab

SHA512
db3d59af607e9428b646b8993547b1129e92bb1aad12684cd69c0050517f6d8a1832393323c7f99d0b1dfa6ae801c8921234a3e470063b6715435e99e0b03ae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-core-file-l2-1-0.dll

Filesize
21KB

MD5
7daa81e752613950b67903f4ea69a0da

SHA1
00f86240d69e15a9e319e4c79026b54edc3ea671

SHA256
e255d1b403a48dd600b58d2124e7ceaf2edc6ca0448096f4160d85dd3e38c6a3

SHA512
c1ae0b6537191cd175a6c072a17215c1efb1ed719a73a56cbf139da4928730cf2a3cfc6c0a1ac5ce00957777f5f32323fc171bed7849863ec3cb7184a08dec4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-core-handle-l1-1-0.dll

Filesize
22KB

MD5
acb4339874ab6875e95d29ee973a3e1d

SHA1
d366b01b4ef71e5f7feb91aff4e278aa429cad16

SHA256
a001d1b8de3f16b1c1e251f885f8c3e17655ad5d26ab4ea8b7118b1959e46167

SHA512
6eb4d6d9307ab42ddd6d939cde89476ba13e811431da7bfdfa703ec06330b1a0f41632bd4e5ae8b0dc66dc4a36fba6a5ca1eefbd9ec641bf047c0945f619f284

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-core-heap-l1-1-0.dll

Filesize
22KB

MD5
3c8a82c2da4d77092a7d7e8d31de5316

SHA1
eaed6cebfcb28ae6bdb9ca8c14b4880237e3fbea

SHA256
e257e8b8b066e31ab4cf4d477832f7ab52cfdf69dc57358100511bd4d0cbcde0

SHA512
edfbfb32b94135af758e2e96c7f96a8206d1979a38bd41af98f35d594c69faf31eb2f64dfaa8d58ef56f26e95ef1c66474f667520ea0fa7e0ac8d0910d7a5be6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
22KB

MD5
dca16cf472d657ff5902c43294b1058a

SHA1
bd41df1dd528a702b3c31db7315ee71dfd56ef3c

SHA256
10c26bedbb0af9caa7aaa8d360b9dfbae762e7fbb740522740c485e8d1ec1bb2

SHA512
3c2f985b31cea25aeacfecf080ec61e42071b4cfc6e59c5d4ca253aca16a15fa5abb03eac05995b3396a27a674d743eeddf9b730200876484eaad609911ad64e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
21KB

MD5
75087673f5c6746effbd8d7129b9da9f

SHA1
197b3d9470bc1f086c218a1c825f1cdce26e6c11

SHA256
6f2f83b02d52e1a1f7d0f7b71e5de751aaf9a07c3c22ba9f73d7ef2e69a14e88

SHA512
0f36ffcf38c2d8b78f318fafc2524ea08e5b768500e2cae11f55f76d632d3383cece863431a6f659055400f7e0ddd635fcbb66182b927ee9fb0d203ba9bd2484

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-core-localization-l1-2-0.dll

Filesize
22KB

MD5
1bde33f0454eb6a02549107c97fab7d1

SHA1
7276a41d76780da4aecce0a9f0386274d5ae47cd

SHA256
25ea41b07fb34008ac9f4d28aadc0ff0c6f03b10c12b56c1a7e6b5e730f5d48b

SHA512
df836a5ea3008e5df9fc0194a2381ee9cd80f892f6b77af6f57f3aff72c99924b872fd9bd8a45c72b3787c381bc1c324346758d631fe780c0a8dc23381d43590

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-core-memory-l1-1-0.dll

Filesize
22KB

MD5
6863652f927502e713568ae4ab2c92d7

SHA1
1f0c6d8e1d4646d73beb20e3eed0a2db0e812015

SHA256
fc219b816f5fece68c8f39f322e13fed57048d22975a54ce322e852106af7723

SHA512
6277297cb704a112974e985935c83d880f4a3f7b97c5982874b0125ea3b4493016dcf58c140cfe3efdb8ce291deb67f84d720f6598d8cf97252325686ca54a0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
22KB

MD5
e914429bec573b04e87a6b517360d5dc

SHA1
0c9f6e4668e803c5973c9124f6a452e2af5ba2d5

SHA256
6cec3ed29dbf5badfda3bf239b83cac370c52411907368c1b3c72a4a7a7ed0c2

SHA512
ff27c7f2286570bcfebab9a1115acc612f66a6a57fe33af97a0023c296b1db02d48196ea68d2bfe7ac9ee29a059d692277b3801a3750073a556ddaea704eba2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
22KB

MD5
8cbe0491989e48b4a9608771d53192e7

SHA1
0fe53d8c65fa76e5e47127d490882850225104ee

SHA256
57c499ac7b93959a0313557ceead2127bc07ee7dc7e19975072947e980f57cb4

SHA512
8d10734808620fac4c4e0d75ab60e56c3aa7e5efbbe82891d5a8b5a9d2bfe2e221ecd98437794dfcbfec464a51306ea14b828677b912845ddf21bcf209b2e204

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
22KB

MD5
fcbe8ebff7d2864c776417bde284e8b1

SHA1
73e5764b71990aabde38a017a6412b187cefba5c

SHA256
967e4c153e5160be1270635972cd7efdb12d6aa3dea41c6ba19cd76935ebdacd

SHA512
33d894746665dfc37a6fd38c71234f865f128cc11b6ac4166a9d6d3633efc966f943e654634bbf67baac1af567b4b8aea1e358674269176e9e30bcc56242cf1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
898964872c15b531ff4bce16ccb32f21

SHA1
6fe38ecd6e6e9f666418d42008f9baf7c5a9af64

SHA256
52f2c643e4e7e6a64441dfa6b00b7a53ba573e80357c752745c670d9382ec018

SHA512
d97268284e65cd15365d8ac21dbfdc9794391b0113d6f12b9f40ce9e1e31472437131911dae84e09c55bbe6c99593065f4d18e319b4a3abb6b89bb6e3e785cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-core-profile-l1-1-0.dll

Filesize
22KB

MD5
56049bc1c20a4f342102f3c3de2a45a2

SHA1
0087661d5190940a75ea075e899f4ca4d80568e6

SHA256
7ddc856328b04c54ae2135b71af327a3d3bdb4e584ed3f0ed26a24d55cecf9db

SHA512
dbe3515a3c0ed10571900c92ea7d7db69c8972513e2d8e0b0a749dfe01516a09ffcd86a1c58d52031b07f77114512744ab73f986d691eb0d408ec45ced6e2177

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
21KB

MD5
51d594c04bc2f4261074ea07e9e42e11

SHA1
0672f6ba1b3f11482ed134738a7d5746e2468f80

SHA256
6ed5672f683adcb904b09417a4d2c2d9e2742a485c1a70304e0c990cf13156a5

SHA512
dd424ad861e84ad036100f246a00d5aa5b185551d723d61f6a8e2362307628c709a0d4387b58ea6449a4d4c4e66d9c688ee0fa2255ee01f6e9cfa8be7745196b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-core-string-l1-1-0.dll

Filesize
22KB

MD5
8c5658fc821d2774f5e2ab0a266ce06c

SHA1
271cd5bb58d16076fb5d60abd08ae79a34d0855d

SHA256
4291f2550afef90c8863f997afc468550accd44088d339bcd10fd77c945587bd

SHA512
2293c780bb78eed110dd73e90665cdde1bf63c8366e7cf9cca9e3a6d2d6aaa5810f14ba1d3693ac98cd951f237ef2a087c4b723139fcdeaa7e39138bad24c597

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-core-synch-l1-1-0.dll

Filesize
21KB

MD5
10d6f7b2b127c72aafe7191d3d10120d

SHA1
02f973c8e0edfe1e3297804f4363ef528a96f575

SHA256
1def33106d40fdf71da37d32362708939c8dd194a64401efc2888709c20769b5

SHA512
6baff8358b4f68cee69b5b0a8e341d205521152c2e0dfa5c28c5c4425bad6297534a5b288e08512fc17eb3523067f069fa7e94e25053b1b5b39e901b710c9be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-core-synch-l1-2-0.dll

Filesize
21KB

MD5
c1bc7949486d23606e3c141c40815a54

SHA1
7995fca3fbd9c8863948522d34cc06bc9f7fc6f5

SHA256
52f332f81fdd7daa3a59b55770d59b3c797c00d0f1b3e2d4cd186e2a17ae6eab

SHA512
c31488280c258bce488e4d52488a2b394aca4f361126d28fbcedd073c11574b534996cd9e6a90d25b555e713d815f0f129cfb26a6eedbd75959ee82f4e730322

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
22KB

MD5
166278f0b5fe6416849bf2879a20e637

SHA1
efba51aac56e984005adb3db7ca11b5e5bdad6a3

SHA256
bc02c1002bba27b75d43939b9e605e7b3bcc4bf51f8f0c126e44c3ca40899701

SHA512
9c2d5432f489506cf8d0aef74f5de9e84db3df23654658692718b6ad84218c0567f34dd6fe8d2fd764b7c1cf5ad2e17fcfbb2732be48b9a1e302226fe08b10d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
2b3375caffd7eff2bffcd5336006a6ee

SHA1
8494cd20af1d86330558cc86cc2566adee00b594

SHA256
89970b77351d562b264f4e534feb80bcfbab98330fb4eb814ea4773953676b26

SHA512
f0525a19105eb8e0fdcbe8d16553fa9dfbc85742f923bd635637650068b437bc91790209000c1352d732397f0e68b5d96f1928fe98b1c59e001b733feb0fd61f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-core-util-l1-1-0.dll

Filesize
22KB

MD5
b747c1683d992b060f7c707b89d64aa9

SHA1
a5ba3597e38f1655d7dc78e17cb9a378646bb763

SHA256
8fa485da56101cfd0aa1eaf510f2ca5848c48bb25e404765afc8fde9fc2018ae

SHA512
2d7cbb854c16955ff6553d1c20ea630f3689f0c65b64865956a9a8f4c2c369ff491fb5588aa0a0287bb0e2c3e11698a9aa76d304a5f5fc9f6011968c21351cd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-crt-conio-l1-1-0.dll

Filesize
21KB

MD5
b7288a8c761f65dcb6b38689b59bf501

SHA1
981040d17afdd7fc9480804ee7da434fc2b5a1b9

SHA256
8d5927a40ee6d53a2c1fe5ccf5c6437b23b93318e3df6189cc5320b222066e9b

SHA512
5445ef29457ed3b719cc67fe8ba8ce6ec09c354ac454ce04f7a0600d804f6b7e51db267917f4f251787e5fc10184b614d3fbf4a7a8ca226692829c6833d00c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-crt-convert-l1-1-0.dll

Filesize
26KB

MD5
2712aaecd8c1f9d095df63234e260b0a

SHA1
dd2a490c4698afd1aecf934470427643c7815446

SHA256
84a79b943e5b1580f075a4e08d9532e585db28075eb8d0e0aa3788b1197267a4

SHA512
74354b0a3495a6b991d49ef63eb98916f1abf94803a780928defaeead3da863c8492cd47bb561a375c64052302bc64c0b4253a92251196df8b271f61eca373a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-crt-environment-l1-1-0.dll

Filesize
21KB

MD5
331f0ca66f2d8c68b3747ff7df01e037

SHA1
c122f80337b48bfca04f970cf81ada4a01c84f14

SHA256
43cc8b87929b9f53cec4e92e399aaef872a49c439949cc2f83b4c810ee9ec0ac

SHA512
4fa796627afba9a8e412fdb3f2e39b9458df1e56bac15fb063d45002bb292833aac141c13d28d85bd7b9070689f4f8335ac4c8a0a34e49452a28ba42f9a124a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
22KB

MD5
2699ece87417935a5392ba337a199095

SHA1
9e82452ced8268a4df01a81827784d67e0dd6e14

SHA256
6939173b4df6481aebc026f94de6492b88517b560c9a3057d7614c06d64cd7fd

SHA512
059c56037aa702d6149fce9c27ecd2df964d3269b31efe935319285b5d20bc42891f142cd0d4d17f94ea8b13a62da14c670d12fa6c4c9e46dd6fd9ca28228702

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-crt-heap-l1-1-0.dll

Filesize
22KB

MD5
6d071f59463282558c729c81a85c69d9

SHA1
a2515e5cbc85ad5a02faad9c89030470cd902429

SHA256
280b94ac39c9133233803673f40154f90aa47c2ad463f97e92f101d362db7f17

SHA512
5f54650e384108ae31b035ed91e7c84c41ca42cab75dc2f98b5258be3e850156eff0f36014bc30821919f62dec1237adc6040b327f0615cfdc9d4187e03a6e24

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-crt-locale-l1-1-0.dll

Filesize
22KB

MD5
8a0b59645f107e55f67e0fb6dc910559

SHA1
eab840f58844bc68b1eb96c6f800f6e79be79c6c

SHA256
88e1b39336323b3129b06e265cdc39e79aefe4a510291992c0efd2c8b13f6990

SHA512
e55d29236d3818dce8598dfd35f889e0a3c48a608f940dce0694d6e0d862b30c69ab0f7c1d52536618f29557c91fb796363b6a8432ee7b1d468b0f5304bd97e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-crt-math-l1-1-0.dll

Filesize
30KB

MD5
479e72ccba9738e351ea269157d3b2a2

SHA1
d9ea5d73c531a8aad3fb570f299517252d2dc47c

SHA256
777ec1778341b4a81c44c2341c156e4da95946cfba626c5b8120e652a78c660d

SHA512
38146f281c466f121376d17feef9966f06f12999d50e405320faae93929b7c21f0cfb895dea204096d21e0ac668a9dae9eb03f738a1d0bd1c91c27f77f7ae27d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-crt-process-l1-1-0.dll

Filesize
21KB

MD5
94d68ad4b8f13fb23e1c381d1b7646ce

SHA1
dc4a512c7381611e7055d03d2c82aab77632455e

SHA256
1ba883cbdc1c26100451873d73cffb28f63ac82eb6a876b50881b8ff4122197a

SHA512
d96e1c76b78f2b459d855acda0253bd9655b9faf12271aefafd962e16d93849ba96f4694e99a2562e5466a4bd604481043fc3e27a5318f87a159f1c0999235ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
25KB

MD5
98220d1ad0a8afffc62fe529cc3777d4

SHA1
c89da1bc807f9be193cf3049dddc0e7454c1abe7

SHA256
abe34a465fd95111fba129b42ec0f36bfc2fbe81817a9f6eec868a8e19b98d3a

SHA512
b20f3f5106ba01f43ead38ffe5cf024a4d87aa2a192bd22ef1e9a7b48baf8c06724c11835fc4ae1131ecb7bac64cc2dfb02d75fa088d2b452ad00be61c2248f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
25KB

MD5
896e976a51465393fce4f7339af675b9

SHA1
0647178d50402d100a0de95051744c58c26d1f3a

SHA256
8478d9804665bebf881c9dc35a4b81961aaab0de458cdca71900ea2c4123497d

SHA512
d9e96479df37cdeb4f346cab5a709e42072328dfab0c6f1bad153eacaa106c01097edd1f519edf368cdb94dd1eb0899ec82335ea2b7878aa90992bb59a7de9d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-crt-string-l1-1-0.dll

Filesize
26KB

MD5
11f20ea0b01117d4bc9f7ffa7b26ed89

SHA1
9ef8e544e6ed2807783854d8707f7b00c4adf3a7

SHA256
0632cccfb615f08a810be36e4596e22c6b20c0285d72111caaea56c31bd7fad7

SHA512
28c48a00a668e65cfeb674f04d3ba1bced607e31e895579e335f708c301d5f2107b334615fc5d688c6efe2b13baff4116943da2a276d1a9f3c260c26c38c238a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-crt-time-l1-1-0.dll

Filesize
22KB

MD5
76a5c4aa99b39bde32eb954aa7953013

SHA1
f3b039de125479ec2d500d17b692661cf581c39e

SHA256
c9321197b071438e0c9a1f353e42971a36d85a657fafa8f8e215161febf7ca2a

SHA512
614a36b6701e8f7dcd672bb86e3f9378fb24860d5e39d1dd9cd33e7daa5b63b1bc3adc426d27654b775548f65233f480562b010961cdbc289f0e7d22cb065e02

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30682\api-ms-win-crt-utility-l1-1-0.dll

Filesize
22KB

MD5
30d282be56e6ddb9850ad1ef386799cf

SHA1
791b1b96c6171a379360567e3bcfb8b41c47b80c

SHA256
1ba01ed92469eac60a3b0a1caad1d737222c1cacb931f51d6cab65ce3d939659

SHA512
c4a1432974147492af64272314667b262b5a281b2ce047b49a876253be958e7ed5d12d963bbcc6703218fba901446016368dd353c8f4cd8b2bacede98c21bf8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30682\base_library.zip

Filesize
438KB

MD5
7ca6eb0359667352b5e9071ab7db0cb2

SHA1
9ce4d6ab1b9106989c706850e7102d6615e826c9

SHA256
0f4a062189b49b594ed3f1c4d887d52acc6512bbb9582b7f3223f5c0f8f99ee0

SHA512
b06a7aa70242f550be9a449bdf3e04cd35934c571ce9f790b9a2160cc783b543e1ea3efa1605cf1720dbbc5af20ba94132481f4fa11f034c79aa75b76c5069f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30682\blank.aes

Filesize
118KB

MD5
18885c1eeac6a9fe9dada1cdf1cc30d4

SHA1
86d7128a9899158730534aa1d0a373a57bd802cf

SHA256
e63e46c839e2970ecf09f1ed2f3f3a916a70234c550f6063153146c98063a760

SHA512
fb9e68d929c1f0f672175fcc404bc4102bba819dc5b8bd98689fdb052b00aac62c26f9fca7c4d3654c2f7be4030ffc20c3e5ca55caba25f6415fd4da9c02b3ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30682\libcrypto-1_1.dll

Filesize
354KB

MD5
c8a6e6a936231eee5ad6537a8fe79541

SHA1
c23470050daadcb8f449b481d5d393d8109ed14c

SHA256
c0c1b28136c239fe36cb378d5365db91ee897aa6eabc9693f69d1135c6270d5f

SHA512
1a3aa81579434b878761446a25d670cefcf0a45b69179a8f4939883a8e9c916b0ce33bdf6fa1ca7ae68963a2b1a340efcfa697c06e58b2a6b4fc7f33fb812dd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30682\libffi-8.dll

Filesize
24KB

MD5
90a6b0264a81bb8436419517c9c232fa

SHA1
17b1047158287eb6471416c5df262b50d6fe1aed

SHA256
5c4a0d4910987a38a3cd31eae5f1c909029f7762d1a5faf4a2e2a7e9b1abab79

SHA512
1988dd58d291ee04ebfec89836bb14fcaafb9d1d71a93e57bd06fe592feace96cdde6fcce46ff8747339659a9a44cdd6cf6ac57ff495d0c15375221bf9b1666e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30682\libssl-1_1.dll

Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30682\python311.dll

Filesize
574KB

MD5
7ebb4f2013ef87a8777ca83f823b6845

SHA1
ab0e1d48aae3dbe3e0bd0adc95a73c5976a2465d

SHA256
61244c241918b30a7a877cdfe9eb51e1bec765a01b99c2e9d22a5aada3ce5d96

SHA512
3aee57714d759dadcb7c06a5ee6b110ce500af0495982e1e4c5b8dfb16ea1e0882e3131f48973931b76d92b65200f5a967a40e06b2f1383e6461a9607c897544

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30682\python311.dll

Filesize
1.6MB

MD5
bb46b85029b543b70276ad8e4c238799

SHA1
123bdcd9eebcac1ec0fd2764a37e5e5476bb0c1c

SHA256
72c24e1db1ba4df791720a93ca9502d77c3738eebf8b9092a5d82aa8d80121d0

SHA512
5e993617509c1cf434938d6a467eb0494e04580ad242535a04937f7c174d429da70a6e71792fc3de69e103ffc5d9de51d29001a4df528cfffefdaa2cef4eaf31

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30682\ucrtbase.dll

Filesize
574KB

MD5
c1f6690f7b455af5996e7481ba0c4901

SHA1
5a518a95a1be670a4cba38153cfd4a79a49d0ed0

SHA256
08e059d927f862100be3a95932612881ebc95430dc28a5dddbb192daaf84daa8

SHA512
3b54f79da302d1dfca72670f337363b5860e21836fc72e131bbc2995f30bb49010b4dc827c76f01988e5d292da8baf8c78a12c6a9a60ffc95e877df1f5f80f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30682\ucrtbase.dll

Filesize
1.1MB

MD5
337b243eda185e326d5f972fcbeba07b

SHA1
5c8ec0fe64cb88911509703570775a626444cb99

SHA256
41225f978be3cbb7ce05c0666de8f88909e9973bed0df45fcb4e94b76761b208

SHA512
4111a269483217aa856daeef9fb3d561ca736e7789a46d758e20a3a56773bbcdacacbbbfef9dc7d2a2ea3a5b36d7cc29ee731b22c2bda2c0f2f6a9fd3d2282b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_id3z0neh.uaq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\EstrogenExecutor\AssetLoader.exe

Filesize
940KB

MD5
e4bde8822b5561ce26332d2cc8fb81f3

SHA1
710873b2fd6ad5492d2fea56e9af47b65028b252

SHA256
9a86ca06ce3f6db13b1851d81ffadb6a95fc8450f26aefae4a4562340808ad12

SHA512
6be7d3b1949a329065dbc5d211b8645af388e0e5d6b0a3a0a9ef0ef08c35ac194f76045f619b92ea9d8447af951dd9b3f8ece6edd96e7e1f1cd81578c5f1af4d

Download Submit
C:\Users\Admin\AppData\Roaming\EstrogenExecutor\AssetLoader.exe

Filesize
751KB

MD5
df41594c639ef660f03ee06a9c9fb538

SHA1
e89df5e612ff3d62c9925d953b59b82f631f7d30

SHA256
5a74e72099d2c1da4dd92f485dbb7f8993ffb6397a6b46222ba0d14ab774205a

SHA512
4af7c960545179d4a851665d2491f1ed9a760e0049e38c7d7ca6d0c6d4095a38298bac6373c47b985f23d1c110cede53894a9151cec632cf20a43f37c196f523

Download Submit
C:\Users\Admin\AppData\Roaming\EstrogenExecutor\AssetLoader.exe

Filesize
817KB

MD5
53b0dc7821ab99367bb3645d4529857e

SHA1
3a0daecbad44316ef99f10606dad2f8a9f2bc118

SHA256
583093179d27f33f84e3edbfd9597a5ccd7f48c4b165c6814fee974551ae0168

SHA512
ffd2ed0bfa51f29bebad039f785697bb8f688b8beaffbe4f9d924031acb8f7e224e4d6cc0c874a9ced6da4e1f0a5a05cd4435377debbfafb9169f17ac487e6de

Download Submit
C:\Users\Admin\AppData\Roaming\bg.exe

Filesize
505KB

MD5
98999b5fa6a265dfd0862b4edf7686a6

SHA1
3bc262826a17fcab5a5a3fec47285e0bc52fbbc1

SHA256
93624eafd870792a7dd7c297d70173e15891058807261abeb35e68659993ed3e

SHA512
6462e85b56b071dcca05b812438f9103557d6f148e2383e5eb2dfe95ec7875585515db1034242a8d71e4705708ea26f0a0b03204232680940580252a59520d84

Download Submit
C:\Users\Admin\AppData\Roaming\bg.exe

Filesize
287KB

MD5
0f65fee3744b7886859cd059d81d39c1

SHA1
38bf4c1f4ce27229cd4f23752e8bd3e729796109

SHA256
c6487cba0787a9d39819b67ad09f2cc3c9760d56e52fe78484746eea6e597ca8

SHA512
bd19d1eceff89c1874c3f24f8ef6d399c7893943c1848870b82019b3e8df2a212b1b3bdfb0b5f346d38d968000cec8e2e899399f87bcf91caa8bb271b3c67c4d

Download Submit
C:\Users\Admin\AppData\Roaming\bg.exe

Filesize
3.3MB

MD5
36cc7fd5fd581c15e6b6d0f52593df5e

SHA1
2bebcb0ca8cbd88d5173f167d28193d85d809e8f

SHA256
9bf3679f56b4946a4c0d22014c21ab0ec2939049ed14ce05a63ed4458a57edda

SHA512
9bb97fcdf0b92e3893ca6e82d71fd822c1c86c137897f0ef52e26c679d770c4c8bd307fe6e705801eaa686be4deb5f09e4174363f8765661b87d8bcf16ac1b49

Download Submit
C:\Users\Admin\AppData\Roaming\bg.exe

Filesize
3.2MB

MD5
2234f59e003cb9622caf06344d04f626

SHA1
0102c119332e1b41f388a83d5c31c74710f8af96

SHA256
b15f1d678b659fc2d1d384e6a63f79f15e28f9285665ee73319aaa3fbf3499a1

SHA512
fd5bb89b7b8849f711c434f00b426d79e738f2f684c4f0eba5c0137252730f6b88d6ca8e3738d4889567abaaf4f07e94b4fd4513f0f0b52c9782d0df85fe1b50

Download Submit
C:\Windows\sr2.exe

Filesize
465KB

MD5
3612aafe99f7c5bd7657821bd61ab3f7

SHA1
e766cf16e04105323fa92fdbeebcbc3cdf0ae9e0

SHA256
78ebd2f96fa47fdd6b221dee7acd9b634287584acf109bd16abb2d1940cdfb9b

SHA512
1e953ae58a9e86ef4d1dbfdefa991db160dc063835cc9a4dc955c4e74274b0493dc99ff4ea32c7ae314fe0e89e7ca4e41e5dead04b7f4e2bd405767290f6fce0

Download Submit
C:\Windows\sr2.exe

Filesize
318KB

MD5
3314869995a46e06d7167e4e86e026d6

SHA1
f5180885b9ef43f9a0c4f05c4768709d59085423

SHA256
29ba18695dd7e4fe5ab6e5c61fa2749e90ea00f5f28abeb3df46612a8f4b1087

SHA512
5a0e5f147f7234cbc4208d09051ab5ba45e6154991fc55cceb54786c32bea9ef074c6d7122ae26a5d9c25d8eb55a1ce26e7d2c5aed11893f01105404dd311bec

Download Submit
C:\Windows\ug2.exe

Filesize
548KB

MD5
f58b972ab43d35a082060e6d87e4826a

SHA1
b0f3c8bc145105ae4eef5addbe01989ab7424d72

SHA256
3b0db2d23fe8cf15f32a5b6eb8952e5bb3a506eed4938052d64347dea68c7f2f

SHA512
ba8370c60f1623e65233d9582db2ead8619b530f688a2fb0fd75ff4e209e661aa2e05ee64aff83cf0fc4efc023fc4182132dfaddb52f20ab1f4f710dcc9f322c

Download Submit
C:\Windows\ug2.exe

Filesize
245KB

MD5
0728b1fe5d69daf7c4b87609a87bc01e

SHA1
0de6f7e521ed67ac33abab61676b26f2af730d85

SHA256
68fcce20062a50798b749641116c5e7a01db2f3bce509af3ed1b5fb44e26151c

SHA512
645b3e635a2316c9d6e63371a62c46e8abc34db4b2962b879f5268b8c13f723a96dc6b5f88434f881d05bbcf7a1958840c8dcefb54c7b6a05c9982318db96425

Download Submit
C:\Windows\ug2.exe

Filesize
290KB

MD5
a70a7cca2ca1af7ffce1f33008be1909

SHA1
d851943d49bb5d23212856f079e1ed17aa358c15

SHA256
fe1f2a25955d569eac65218a8ffda13b222feb5a4caf16cac08c9c63d38b469b

SHA512
7157590e9b0edd41cef82541be8096dc62c611613e97ee11ec87670f934be4439b43d35810fa808857f9767d63a39dad0dd234a20fe19fbae6b60ad3d1d85684

Download Submit
C:\Windows\vr2.exe

Filesize
513KB

MD5
c1c586bc3ad60e1aeb4bfd31fd0cef7d

SHA1
7e181e7527da0f33b2829f2686908a79503a2353

SHA256
2465d701e8daa9b24a062ef3714e51f7085e369675606b1e59115eeaff8017e5

SHA512
eaa23844e507bad95440f2aa0bef21beb97392071fae4a8b95c606e35551415919dc47620e197c5864e1a5c1465aac0fefaf29f370b002d396309229578c4157

Download Submit
C:\Windows\vr2.exe

Filesize
525KB

MD5
580515ffee63af73ff50115767e4befd

SHA1
c616ad338a1c4d602b3c8c483258d27fbc1ea87e

SHA256
990117ee841d6897cc9790552abe248d200e46feb0d80609788df61d66271d1a

SHA512
56e9c3572bf3fd6eaac2d63bfd1a952f4ea52cee98f6aa44cebca39d5a62f4eaeb378c7bcfded70a44d19b2de2325508cfb2f7beb74ab8aa915daf696c90fafc

Download Submit
C:\Windows\vr2.exe

Filesize
392KB

MD5
66f55a3d4354129f1ef373bcf3e8bef8

SHA1
a178f567a9bd7abaaa2a23b252914decbe359cbc

SHA256
a85a7977aea9a51a9017819a3f6919aae0faead303c7660cd91e850e48793d5b

SHA512
7d60efbc2b6a77cd406a84d2d3aed4ed9c2cfdc59244f3f3e22ae8555339a2eb7dd1122e3f5beed0afaf69d10d3e63fae0ac9b2cc496afe1721a4bfedda64f4d

Download Submit
memory/1476-243-0x000001A733E30000-0x000001A733E40000-memory.dmp

Filesize
64KB

Download
memory/1476-237-0x000001A733F40000-0x000001A733F90000-memory.dmp

Filesize
320KB

Download
memory/1476-77-0x000001A719880000-0x000001A7199DC000-memory.dmp

Filesize
1.4MB

Download
memory/1476-170-0x000001A733E30000-0x000001A733E40000-memory.dmp

Filesize
64KB

Download
memory/1476-130-0x00007FFAF6C40000-0x00007FFAF7701000-memory.dmp

Filesize
10.8MB

Download
memory/1476-252-0x00007FFAF6C40000-0x00007FFAF7701000-memory.dmp

Filesize
10.8MB

Download
memory/1476-235-0x000001A719E00000-0x000001A719E0A000-memory.dmp

Filesize
40KB

Download
memory/1476-244-0x000001A733E30000-0x000001A733E40000-memory.dmp

Filesize
64KB

Download
memory/1476-242-0x000001A733E30000-0x000001A733E40000-memory.dmp

Filesize
64KB

Download
memory/1832-171-0x000000001BA60000-0x000000001BA70000-memory.dmp

Filesize
64KB

Download
memory/1832-266-0x00007FFAF6C40000-0x00007FFAF7701000-memory.dmp

Filesize
10.8MB

Download
memory/1832-234-0x000000001B9C0000-0x000000001BA36000-memory.dmp

Filesize
472KB

Download
memory/1832-78-0x00007FFAF6C40000-0x00007FFAF7701000-memory.dmp

Filesize
10.8MB

Download
memory/1832-76-0x0000000000B70000-0x0000000000C4A000-memory.dmp

Filesize
872KB

Download
memory/1832-239-0x000000001BA60000-0x000000001BA70000-memory.dmp

Filesize
64KB

Download
memory/1908-363-0x000000001DFA0000-0x000000001E1AC000-memory.dmp

Filesize
2.0MB

Download
memory/1908-357-0x000000001DFA0000-0x000000001E1AC000-memory.dmp

Filesize
2.0MB

Download
memory/1908-90-0x0000000001830000-0x0000000001831000-memory.dmp

Filesize
4KB

Download
memory/1908-293-0x00007FFAF6C40000-0x00007FFAF7701000-memory.dmp

Filesize
10.8MB

Download
memory/1908-89-0x00007FFAF6C40000-0x00007FFAF7701000-memory.dmp

Filesize
10.8MB

Download
memory/1908-367-0x000000001DFA0000-0x000000001E1AC000-memory.dmp

Filesize
2.0MB

Download
memory/1908-72-0x0000000000DE0000-0x0000000000E9E000-memory.dmp

Filesize
760KB

Download
memory/2016-222-0x00007FFB07770000-0x00007FFB07794000-memory.dmp

Filesize
144KB

Download
memory/2016-261-0x00007FFB07220000-0x00007FFB0722D000-memory.dmp

Filesize
52KB

Download
memory/2016-316-0x00007FFAFE710000-0x00007FFAFE73D000-memory.dmp

Filesize
180KB

Download
memory/2016-318-0x00007FFAF9000000-0x00007FFAF9023000-memory.dmp

Filesize
140KB

Download
memory/2016-321-0x00007FFB07220000-0x00007FFB0722D000-memory.dmp

Filesize
52KB

Download
memory/2016-324-0x00007FFAF2350000-0x00007FFAF2408000-memory.dmp

Filesize
736KB

Download
memory/2016-326-0x00007FFAF7D30000-0x00007FFAF7D44000-memory.dmp

Filesize
80KB

Download
memory/2016-328-0x00007FFAF1E30000-0x00007FFAF1F4C000-memory.dmp

Filesize
1.1MB

Download
memory/2016-327-0x00007FFB07180000-0x00007FFB0718D000-memory.dmp

Filesize
52KB

Download
memory/2016-325-0x00007FFAF1FD0000-0x00007FFAF2345000-memory.dmp

Filesize
3.5MB

Download
memory/2016-323-0x00007FFAF8FD0000-0x00007FFAF8FFE000-memory.dmp

Filesize
184KB

Download
memory/2016-320-0x00007FFAFE6F0000-0x00007FFAFE709000-memory.dmp

Filesize
100KB

Download
memory/2016-319-0x00007FFAF2410000-0x00007FFAF2583000-memory.dmp

Filesize
1.4MB

Download
memory/2016-317-0x00007FFB02260000-0x00007FFB02279000-memory.dmp

Filesize
100KB

Download
memory/2016-311-0x00007FFAF2CF0000-0x00007FFAF32D8000-memory.dmp

Filesize
5.9MB

Download
memory/2016-315-0x00007FFB07510000-0x00007FFB0751F000-memory.dmp

Filesize
60KB

Download
memory/2016-168-0x00007FFAF2CF0000-0x00007FFAF32D8000-memory.dmp

Filesize
5.9MB

Download
memory/2016-313-0x00007FFB07770000-0x00007FFB07794000-memory.dmp

Filesize
144KB

Download
memory/2016-221-0x00007FFB07510000-0x00007FFB0751F000-memory.dmp

Filesize
60KB

Download
memory/2016-250-0x00007FFAFE710000-0x00007FFAFE73D000-memory.dmp

Filesize
180KB

Download
memory/2016-251-0x00007FFAF9000000-0x00007FFAF9023000-memory.dmp

Filesize
140KB

Download
memory/2016-258-0x00007FFB02260000-0x00007FFB02279000-memory.dmp

Filesize
100KB

Download
memory/2016-253-0x00007FFAF2350000-0x00007FFAF2408000-memory.dmp

Filesize
736KB

Download
memory/2016-259-0x00007FFAF2410000-0x00007FFAF2583000-memory.dmp

Filesize
1.4MB

Download
memory/2016-260-0x00007FFAFE6F0000-0x00007FFAFE709000-memory.dmp

Filesize
100KB

Download
memory/2016-256-0x00007FFB07180000-0x00007FFB0718D000-memory.dmp

Filesize
52KB

Download
memory/2016-254-0x00007FFAF1FD0000-0x00007FFAF2345000-memory.dmp

Filesize
3.5MB

Download
memory/2016-255-0x000001C1EF140000-0x000001C1EF4B5000-memory.dmp

Filesize
3.5MB

Download
memory/2016-262-0x00007FFAF8FD0000-0x00007FFAF8FFE000-memory.dmp

Filesize
184KB

Download
memory/2016-263-0x00007FFAF7D30000-0x00007FFAF7D44000-memory.dmp

Filesize
80KB

Download
memory/2016-264-0x00007FFAF1E30000-0x00007FFAF1F4C000-memory.dmp

Filesize
1.1MB

Download
memory/2044-177-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/2044-292-0x0000000007760000-0x000000000777E000-memory.dmp

Filesize
120KB

Download
memory/2044-164-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/2044-169-0x0000000005750000-0x0000000005D78000-memory.dmp

Filesize
6.2MB

Download
memory/2044-280-0x0000000007780000-0x00000000077B2000-memory.dmp

Filesize
200KB

Download
memory/2044-281-0x000000006E300000-0x000000006E34C000-memory.dmp

Filesize
304KB

Download
memory/2044-131-0x0000000005050000-0x0000000005086000-memory.dmp

Filesize
216KB

Download
memory/2044-156-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/2044-249-0x00000000066B0000-0x00000000066FC000-memory.dmp

Filesize
304KB

Download
memory/2044-241-0x0000000006600000-0x000000000661E000-memory.dmp

Filesize
120KB

Download
memory/2044-233-0x0000000006070000-0x00000000060D6000-memory.dmp

Filesize
408KB

Download
memory/2044-240-0x0000000006170000-0x00000000064C4000-memory.dmp

Filesize
3.3MB

Download
memory/2044-236-0x00000000060E0000-0x0000000006146000-memory.dmp

Filesize
408KB

Download
memory/2044-228-0x0000000005E80000-0x0000000005EA2000-memory.dmp

Filesize
136KB

Download
memory/3056-389-0x000000001E540000-0x000000001E575000-memory.dmp

Filesize
212KB

Download
memory/3056-390-0x000000001E580000-0x000000001E596000-memory.dmp

Filesize
88KB

Download
memory/3228-279-0x000002303CE80000-0x000002303CE90000-memory.dmp

Filesize
64KB

Download
memory/3228-268-0x000002303CE80000-0x000002303CE90000-memory.dmp

Filesize
64KB

Download
memory/3936-282-0x000002406E2B0000-0x000002406E2C0000-memory.dmp

Filesize
64KB

Download
memory/3936-278-0x000002406E210000-0x000002406E232000-memory.dmp

Filesize
136KB

Download
memory/3936-267-0x00007FFAF6C40000-0x00007FFAF7701000-memory.dmp

Filesize
10.8MB

Download
memory/4568-220-0x00000000033C0000-0x00000000033D0000-memory.dmp

Filesize
64KB

Download
memory/4568-155-0x000000000EBA0000-0x000000000EC78000-memory.dmp

Filesize
864KB

Download
memory/4568-265-0x00000000033C0000-0x00000000033D0000-memory.dmp

Filesize
64KB

Download
memory/4568-39-0x000000000DAD0000-0x000000000DADA000-memory.dmp

Filesize
40KB

Download
memory/4568-4-0x000000000A6C0000-0x000000000AC64000-memory.dmp

Filesize
5.6MB

Download
memory/4568-5-0x000000000A1B0000-0x000000000A242000-memory.dmp

Filesize
584KB

Download
memory/4568-42-0x000000000DDB0000-0x000000000DFC4000-memory.dmp

Filesize
2.1MB

Download
memory/4568-3-0x00000000033C0000-0x00000000033D0000-memory.dmp

Filesize
64KB

Download
memory/4568-2-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/4568-0-0x0000000000CE0000-0x000000000108E000-memory.dmp

Filesize
3.7MB

Download
memory/4568-1-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/4568-257-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download