9da29ec36ba8d2cbe02e488b6279b8196b7108b2fadc05911b4eb7c2bd8a263f

Analysis

max time kernel
121s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28-05-2024 13:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CollapseLoader_85fdbf8.exe
Size

11.0MB
MD5

58330dc95cf48db43bf6c73bcee2cd18
SHA1

f22f28f8cb29e279b38956252ec473e53ae72ae7
SHA256

9da29ec36ba8d2cbe02e488b6279b8196b7108b2fadc05911b4eb7c2bd8a263f
SHA512

728fbd03a02680c6000c198e9431cc76af6405c81fb3edb2f8dc6587927b01bbfa33248284446e7fba4ccf224391281c3841a9b074b6943d7bbcd8788f92f828
SSDEEP

196608:zn40eofXnxurErvI9pWjl1D1DEzx7sKbSEncvAkj0WllGO3zYUcTupNFnELKId:HjfBurEUWjP5EhydIKZyupvYZd

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

unregmp2.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Version = "12,0,19041,1266"	unregmp2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\IsInstalled = "0"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Stubpath = "%SystemRoot%\\system32\\unregmp2.exe /ShowWMP"	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}	unregmp2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\DontAsk = "2"	unregmp2.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

java.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation java.exe
Executes dropped EXE 1 IoCs

Processes:

java.exe

pid process

2012 java.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	java.exe

pid	process
2012	java.exe

Loads dropped DLL 41 IoCs

Processes:

CollapseLoader_85fdbf8.exejava.exe

pid	process
2732	CollapseLoader_85fdbf8.exe
2732	CollapseLoader_85fdbf8.exe
2732	CollapseLoader_85fdbf8.exe
2732	CollapseLoader_85fdbf8.exe
2732	CollapseLoader_85fdbf8.exe
2732	CollapseLoader_85fdbf8.exe
2732	CollapseLoader_85fdbf8.exe
2732	CollapseLoader_85fdbf8.exe
2732	CollapseLoader_85fdbf8.exe
2732	CollapseLoader_85fdbf8.exe
2732	CollapseLoader_85fdbf8.exe
2732	CollapseLoader_85fdbf8.exe
2732	CollapseLoader_85fdbf8.exe
2732	CollapseLoader_85fdbf8.exe
2732	CollapseLoader_85fdbf8.exe
2732	CollapseLoader_85fdbf8.exe
2732	CollapseLoader_85fdbf8.exe
2732	CollapseLoader_85fdbf8.exe
2732	CollapseLoader_85fdbf8.exe
2732	CollapseLoader_85fdbf8.exe
2732	CollapseLoader_85fdbf8.exe
2732	CollapseLoader_85fdbf8.exe
2732	CollapseLoader_85fdbf8.exe
2012	java.exe
2012	java.exe
2012	java.exe
2012	java.exe
2012	java.exe
2012	java.exe
2012	java.exe
2012	java.exe
2012	java.exe
2012	java.exe
2012	java.exe
2012	java.exe
2012	java.exe
2012	java.exe
2012	java.exe
2012	java.exe
2012	java.exe
2012	java.exe

UPX packed file 48 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI20402\python312.dll	upx
behavioral2/memory/2732-69-0x00007FFD30A80000-0x00007FFD31159000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI20402\_ctypes.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI20402\libffi-8.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI20402\_ssl.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI20402\_socket.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI20402\_queue.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI20402\_overlapped.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI20402\_multiprocessing.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI20402\_lzma.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI20402\_hashlib.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI20402\_decimal.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI20402\_bz2.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI20402\_asyncio.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI20402\unicodedata.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI20402\select.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI20402\pyexpat.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI20402\libssl-3.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI20402\libcrypto-3.dll	upx
behavioral2/memory/2732-76-0x00007FFD45F40000-0x00007FFD45F4F000-memory.dmp	upx
behavioral2/memory/2732-75-0x00007FFD438A0000-0x00007FFD438C5000-memory.dmp	upx
behavioral2/memory/2732-133-0x00007FFD43810000-0x00007FFD4383D000-memory.dmp	upx
behavioral2/memory/2732-132-0x00007FFD43840000-0x00007FFD43859000-memory.dmp	upx
behavioral2/memory/2732-131-0x00007FFD45F30000-0x00007FFD45F3D000-memory.dmp	upx
behavioral2/memory/2732-130-0x00007FFD45CA0000-0x00007FFD45CB9000-memory.dmp	upx
behavioral2/memory/2732-134-0x00007FFD439B0000-0x00007FFD439BD000-memory.dmp	upx
behavioral2/memory/2732-135-0x00007FFD3FD20000-0x00007FFD3FD63000-memory.dmp	upx
behavioral2/memory/2732-136-0x00007FFD3FCE0000-0x00007FFD3FD13000-memory.dmp	upx
behavioral2/memory/2732-137-0x00007FFD3F1C0000-0x00007FFD3F28D000-memory.dmp	upx
behavioral2/memory/2732-138-0x00007FFD30350000-0x00007FFD30879000-memory.dmp	upx
behavioral2/memory/2732-140-0x00007FFD3FCC0000-0x00007FFD3FCD4000-memory.dmp	upx
behavioral2/memory/2732-146-0x00007FFD438A0000-0x00007FFD438C5000-memory.dmp	upx
behavioral2/memory/2732-145-0x00007FFD30230000-0x00007FFD3034B000-memory.dmp	upx
behavioral2/memory/2732-144-0x00007FFD3F910000-0x00007FFD3F937000-memory.dmp	upx
behavioral2/memory/2732-143-0x00007FFD3FAD0000-0x00007FFD3FADB000-memory.dmp	upx
behavioral2/memory/2732-142-0x00007FFD43800000-0x00007FFD4380D000-memory.dmp	upx
behavioral2/memory/2732-141-0x00007FFD30A80000-0x00007FFD31159000-memory.dmp	upx
behavioral2/memory/2732-147-0x00007FFD3FAB0000-0x00007FFD3FAC6000-memory.dmp	upx
behavioral2/memory/2732-148-0x00007FFD43810000-0x00007FFD4383D000-memory.dmp	upx
behavioral2/memory/2732-149-0x00007FFD38AE0000-0x00007FFD38AF2000-memory.dmp	upx
behavioral2/memory/2732-153-0x00007FFD439B0000-0x00007FFD439BD000-memory.dmp	upx
behavioral2/memory/2732-154-0x00007FFD3FCE0000-0x00007FFD3FD13000-memory.dmp	upx
behavioral2/memory/2732-155-0x00007FFD30A80000-0x00007FFD31159000-memory.dmp	upx
behavioral2/memory/2732-174-0x00007FFD3F1C0000-0x00007FFD3F28D000-memory.dmp	upx
behavioral2/memory/2732-172-0x00007FFD3FAB0000-0x00007FFD3FAC6000-memory.dmp	upx
behavioral2/memory/2732-166-0x00007FFD30350000-0x00007FFD30879000-memory.dmp	upx
behavioral2/memory/2732-195-0x00007FFD3B740000-0x00007FFD3B74E000-memory.dmp	upx
behavioral2/memory/2732-198-0x00007FFD30A80000-0x00007FFD31159000-memory.dmp	upx

Drops desktop.ini file(s) 1 IoCs

Processes:

unregmp2.exe

description ioc process

File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini unregmp2.exe

description	ioc	process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	unregmp2.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

unregmp2.exewmplayer.exe

description	ioc	process
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe

Drops file in System32 directory 1 IoCs

Processes:

mmc.exe

description ioc process

File opened for modification C:\Windows\system32\devmgmt.msc mmc.exe
Drops file in Program Files directory 1 IoCs

Processes:

unregmp2.exe

description ioc process

File opened for modification C:\Program Files\Windows Media Player\wmplayer.exe unregmp2.exe

description	ioc	process
File opened for modification	C:\Windows\system32\devmgmt.msc	mmc.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Media Player\wmplayer.exe	unregmp2.exe

Drops file in Windows directory 59 IoCs

Processes:

mmc.exesvchost.exe

description	ioc	process
File created	C:\Windows\INF\c_fscontinuousbackup.PNF	mmc.exe
File created	C:\Windows\INF\c_fsquotamgmt.PNF	mmc.exe
File created	C:\Windows\INF\c_netdriver.PNF	mmc.exe
File created	C:\Windows\INF\c_fsantivirus.PNF	mmc.exe
File created	C:\Windows\INF\c_ucm.PNF	mmc.exe
File created	C:\Windows\INF\dc1-controller.PNF	mmc.exe
File created	C:\Windows\INF\c_display.PNF	mmc.exe
File created	C:\Windows\INF\c_swcomponent.PNF	mmc.exe
File created	C:\Windows\INF\c_firmware.PNF	mmc.exe
File created	C:\Windows\INF\c_mcx.PNF	mmc.exe
File created	C:\Windows\INF\c_fsundelete.PNF	mmc.exe
File created	C:\Windows\INF\c_volume.PNF	mmc.exe
File created	C:\Windows\INF\c_fshsm.PNF	mmc.exe
File created	C:\Windows\INF\c_fscompression.PNF	mmc.exe
File created	C:\Windows\INF\c_fssecurityenhancer.PNF	mmc.exe
File created	C:\Windows\INF\c_monitor.PNF	mmc.exe
File created	C:\Windows\INF\rdcameradriver.PNF	mmc.exe
File created	C:\Windows\INF\c_barcodescanner.PNF	mmc.exe
File created	C:\Windows\INF\c_diskdrive.PNF	mmc.exe
File created	C:\Windows\INF\c_apo.PNF	mmc.exe
File created	C:\Windows\INF\c_fsinfrastructure.PNF	mmc.exe
File created	C:\Windows\INF\c_fsphysicalquotamgmt.PNF	mmc.exe
File created	C:\Windows\INF\ts_generic.PNF	mmc.exe
File created	C:\Windows\INF\c_magneticstripereader.PNF	mmc.exe
File created	C:\Windows\INF\c_scmdisk.PNF	mmc.exe
File created	C:\Windows\INF\c_fssystem.PNF	mmc.exe
File created	C:\Windows\INF\c_fscfsmetadataserver.PNF	mmc.exe
File created	C:\Windows\INF\miradisp.PNF	mmc.exe
File created	C:\Windows\INF\c_fsvirtualization.PNF	mmc.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File created	C:\Windows\INF\c_sslaccel.PNF	mmc.exe
File created	C:\Windows\INF\c_cashdrawer.PNF	mmc.exe
File created	C:\Windows\INF\c_holographic.PNF	mmc.exe
File created	C:\Windows\INF\c_processor.PNF	mmc.exe
File created	C:\Windows\INF\c_proximity.PNF	mmc.exe
File created	C:\Windows\INF\c_receiptprinter.PNF	mmc.exe
File created	C:\Windows\INF\c_scmvolume.PNF	mmc.exe
File created	C:\Windows\INF\PerceptionSimulationSixDof.PNF	mmc.exe
File created	C:\Windows\INF\wsdprint.PNF	mmc.exe
File created	C:\Windows\INF\xusb22.PNF	mmc.exe
File created	C:\Windows\INF\c_computeaccelerator.PNF	mmc.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File created	C:\Windows\INF\c_fsreplication.PNF	mmc.exe
File created	C:\Windows\INF\c_smrvolume.PNF	mmc.exe
File created	C:\Windows\INF\remoteposdrv.PNF	mmc.exe
File created	C:\Windows\INF\oposdrv.PNF	mmc.exe
File created	C:\Windows\INF\rawsilo.PNF	mmc.exe
File created	C:\Windows\INF\c_fscopyprotection.PNF	mmc.exe
File created	C:\Windows\INF\c_fsencryption.PNF	mmc.exe
File created	C:\Windows\INF\c_fsactivitymonitor.PNF	mmc.exe
File created	C:\Windows\INF\c_extension.PNF	mmc.exe
File created	C:\Windows\INF\c_media.PNF	mmc.exe
File created	C:\Windows\INF\c_linedisplay.PNF	mmc.exe
File created	C:\Windows\INF\c_smrdisk.PNF	mmc.exe
File created	C:\Windows\INF\digitalmediadevice.PNF	mmc.exe
File created	C:\Windows\INF\c_fscontentscreener.PNF	mmc.exe
File created	C:\Windows\INF\c_camera.PNF	mmc.exe
File created	C:\Windows\INF\c_fsopenfilebackup.PNF	mmc.exe
File created	C:\Windows\INF\c_fssystemrecovery.PNF	mmc.exe

Checks SCSI registry key(s) 3 TTPs 26 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exemmc.exetaskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

java.exetaskmgr.exetaskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	java.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	java.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Modifies registry class 64 IoCs

Processes:

unregmp2.exejava.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue\NeverDefault	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue\command	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play\NeverDefault	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\ = "&Add to Windows Media Player list"	unregmp2.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\discord-1054570317726617711	java.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shellex\ContextMenuHandlers\PlayTo	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue\NeverDefault	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9801"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play\ = "&Play with Windows Media Player"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shellex\ContextMenuHandlers\PlayTo	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play\command	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play\command	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play\NeverDefault	unregmp2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\discord-1054570317726617711\ = "URL:Run game 1054570317726617711 protocol"	java.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\discord-1054570317726617711\DefaultIcon	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-upnp-org:device:MediaRenderer:1\ShellEx\ContextMenuHandlers\{17FC1A80-140E-4290-A64F-4A29A951A867}\ = "Open Media Sharing Handler"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play\ = "&Play with Windows Media Player"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play\command	unregmp2.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\discord-1054570317726617711\shell\open	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\discord-1054570317726617711\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\data\\jre-21.0.2\\bin\\java.exe"	java.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shellex\ContextMenuHandlers\PlayTo	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Play\ = "&Play with Windows Media Player"	unregmp2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\discord-1054570317726617711\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\data\\jre-21.0.2\\bin\\java.exe"	java.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shellex\ContextMenuHandlers\PlayTo	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-upnp-org:device:MediaRenderer:1\ShellEx\ContextMenuHandlers\{A45AEC2B-549E-405F-AF3E-C6B03C4FDFBF}	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9801"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}"	unregmp2.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\discord-1054570317726617711\shell\open\command	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\command	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\NeverDefault	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shellex\ContextMenuHandlers\PlayTo	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue\NeverDefault	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9801"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Play\command	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9801"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\command	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shellex\ContextMenuHandlers\PlayTo	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9801"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shellex\ContextMenuHandlers\PlayTo	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\image\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-upnp-org:device:MediaRenderer:1\ShellEx\ContextMenuHandlers\{A45AEC2B-549E-405F-AF3E-C6B03C4FDFBF}\ = "Toggle DMR Authorization Handler"	unregmp2.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

vlc.exevlc.exe

pid process

3452 vlc.exe
2548 vlc.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

taskmgr.exetaskmgr.exe

pid	process
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

vlc.exemmc.exe

pid process

3452 vlc.exe
5044 mmc.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

unregmp2.exewmplayer.exetaskmgr.execontrol.exemmc.exetaskmgr.exe

description	pid	process
Token: SeShutdownPrivilege	5056	unregmp2.exe
Token: SeCreatePagefilePrivilege	5056	unregmp2.exe
Token: SeShutdownPrivilege	216	wmplayer.exe
Token: SeCreatePagefilePrivilege	216	wmplayer.exe
Token: SeDebugPrivilege	3188	taskmgr.exe
Token: SeSystemProfilePrivilege	3188	taskmgr.exe
Token: SeCreateGlobalPrivilege	3188	taskmgr.exe
Token: 33	3188	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3188	taskmgr.exe
Token: SeShutdownPrivilege	2056	control.exe
Token: SeCreatePagefilePrivilege	2056	control.exe
Token: 33	5044	mmc.exe
Token: SeIncBasePriorityPrivilege	5044	mmc.exe
Token: 33	5044	mmc.exe
Token: SeIncBasePriorityPrivilege	5044	mmc.exe
Token: SeDebugPrivilege	4784	taskmgr.exe
Token: SeSystemProfilePrivilege	4784	taskmgr.exe
Token: SeCreateGlobalPrivilege	4784	taskmgr.exe
Token: 33	4784	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4784	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

wmplayer.exevlc.exevlc.exetaskmgr.exetaskmgr.exe

pid	process
216	wmplayer.exe
3452	vlc.exe
3452	vlc.exe
3452	vlc.exe
3452	vlc.exe
3452	vlc.exe
3452	vlc.exe
3452	vlc.exe
3452	vlc.exe
3452	vlc.exe
3452	vlc.exe
3452	vlc.exe
3452	vlc.exe
3452	vlc.exe
3452	vlc.exe
3452	vlc.exe
2548	vlc.exe
2548	vlc.exe
2548	vlc.exe
2548	vlc.exe
2548	vlc.exe
2548	vlc.exe
2548	vlc.exe
2548	vlc.exe
2548	vlc.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

vlc.exevlc.exetaskmgr.exetaskmgr.exe

pid	process
3452	vlc.exe
3452	vlc.exe
3452	vlc.exe
3452	vlc.exe
3452	vlc.exe
3452	vlc.exe
3452	vlc.exe
3452	vlc.exe
3452	vlc.exe
3452	vlc.exe
3452	vlc.exe
3452	vlc.exe
3452	vlc.exe
3452	vlc.exe
2548	vlc.exe
2548	vlc.exe
2548	vlc.exe
2548	vlc.exe
2548	vlc.exe
2548	vlc.exe
2548	vlc.exe
2548	vlc.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
3188	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe
4784	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

vlc.exevlc.exemmc.exe

pid process

3452 vlc.exe
2548 vlc.exe
5044 mmc.exe
5044 mmc.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

CollapseLoader_85fdbf8.exewmplayer.exeunregmp2.exesetup_wm.exeunregmp2.exeCollapseLoader_85fdbf8.execontrol.exe

description	pid	process	target process
PID 2040 wrote to memory of 2732	2040	CollapseLoader_85fdbf8.exe	CollapseLoader_85fdbf8.exe
PID 2040 wrote to memory of 2732	2040	CollapseLoader_85fdbf8.exe	CollapseLoader_85fdbf8.exe
PID 4568 wrote to memory of 2884	4568	wmplayer.exe	setup_wm.exe
PID 4568 wrote to memory of 2884	4568	wmplayer.exe	setup_wm.exe
PID 4568 wrote to memory of 2884	4568	wmplayer.exe	setup_wm.exe
PID 4568 wrote to memory of 3232	4568	wmplayer.exe	unregmp2.exe
PID 4568 wrote to memory of 3232	4568	wmplayer.exe	unregmp2.exe
PID 4568 wrote to memory of 3232	4568	wmplayer.exe	unregmp2.exe
PID 3232 wrote to memory of 5056	3232	unregmp2.exe	unregmp2.exe
PID 3232 wrote to memory of 5056	3232	unregmp2.exe	unregmp2.exe
PID 2884 wrote to memory of 2316	2884	setup_wm.exe	unregmp2.exe
PID 2884 wrote to memory of 2316	2884	setup_wm.exe	unregmp2.exe
PID 2884 wrote to memory of 2316	2884	setup_wm.exe	unregmp2.exe
PID 2316 wrote to memory of 1860	2316	unregmp2.exe	unregmp2.exe
PID 2316 wrote to memory of 1860	2316	unregmp2.exe	unregmp2.exe
PID 2884 wrote to memory of 216	2884	setup_wm.exe	wmplayer.exe
PID 2884 wrote to memory of 216	2884	setup_wm.exe	wmplayer.exe
PID 2884 wrote to memory of 216	2884	setup_wm.exe	wmplayer.exe
PID 2732 wrote to memory of 2012	2732	CollapseLoader_85fdbf8.exe	java.exe
PID 2732 wrote to memory of 2012	2732	CollapseLoader_85fdbf8.exe	java.exe
PID 2056 wrote to memory of 5044	2056	control.exe	mmc.exe
PID 2056 wrote to memory of 5044	2056	control.exe	mmc.exe

C:\Users\Admin\AppData\Local\Temp\CollapseLoader_85fdbf8.exe
"C:\Users\Admin\AppData\Local\Temp\CollapseLoader_85fdbf8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Admin\AppData\Local\Temp\CollapseLoader_85fdbf8.exe
"C:\Users\Admin\AppData\Local\Temp\CollapseLoader_85fdbf8.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732

C:\Users\Admin\AppData\Local\Temp\data\jre-21.0.2\bin\java.exe
..\jre-21.0.2\bin\java.exe -Xverify:none -Xmx2048M -Djava.library.path=..\natives-1.12; -cp ..\libraries-1.12\*;.\Vegaline.jar net.minecraft.client.main.Main --username Collapse7265 --gameDir .\ --assetsDir ..\assets --assetIndex 1.12 --uuid N/A --accessToken 0 --userType legacy --version 1.12
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies registry class
PID:2012

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:4568

C:\Program Files (x86)\Windows Media Player\setup_wm.exe
"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
2⤵
- Suspicious use of WriteProcessMemory
PID:2884

C:\Windows\SysWOW64\unregmp2.exe
C:\Windows\system32\unregmp2.exe /ShowWMP /SetShowState /CreateMediaLibrary
3⤵
- Suspicious use of WriteProcessMemory
PID:2316

C:\Windows\system32\unregmp2.exe
"C:\Windows\SysNative\unregmp2.exe" /ShowWMP /SetShowState /CreateMediaLibrary /REENTRANT
4⤵
- Modifies Installed Components in the registry
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies registry class
PID:1860

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Relaunch /Play C:\Users\Admin\Desktop\MoveMount.wm
3⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:216

C:\Windows\SysWOW64\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
2⤵
- Suspicious use of WriteProcessMemory
PID:3232

C:\Windows\system32\unregmp2.exe
"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
3⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:5056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:3640

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\SearchInstall.mov"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3452

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\SearchInstall.mov"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2548

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3188

C:\Windows\system32\control.exe
"C:\Windows\system32\control.exe" /name Microsoft.DeviceManager
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2056

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" C:\Windows\system32\devmgmt.msc
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5044

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:4420

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4784

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
Filesize
64KB

MD5
987a07b978cfe12e4ce45e513ef86619

SHA1
22eec9a9b2e83ad33bedc59e3205f86590b7d40c

SHA256
f1a4a978ce1c4731df1594043135cf58d084fdf129dd1c8e4507c9e06eac5ea8

SHA512
39b86540e4d35c84609ef66537b5aa02058e3d4293f902127c7d4eac8ffc65920cb5c69a77552fc085687eed66e38367f83c177046d0ecb8e6d135463cc142aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak
Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\VCRUNTIME140.dll
Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\_asyncio.pyd
Filesize
37KB

MD5
903d6e21494dff27b52ad277116d47dc

SHA1
127b111023212dd58c2a92e063a9215e300addec

SHA256
ef50d13e0d5add93912c0d56ffbee45f282f1138150662cf093ef406eb9dfaf1

SHA512
0088f4865ec31d7c141c6cdc81468a07939f1c0959660c83851845356854e70bcc38ca5494bce4e3b0556ef0fae2b1252e1718ee6e32957c4d8e06aaa836c75f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\_bz2.pyd
Filesize
48KB

MD5
60094641f4b17ee6386712ad6e851ae8

SHA1
5ffc23b6dbcac0c0c921060bf9cfc6d45a3fcb7a

SHA256
460e98ecb5b367812358712b62e2b6e35d29879932dea94ede221ce14543a6b2

SHA512
c3d7c80883dd36f195248aa674b4626a95cb5fe7eff7e2c0b39524b3d0c291b121b7473cb4c705b84e991ba0d7b96b42e94f98d349452ebdcca19c5cfaf047e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\_ctypes.pyd
Filesize
59KB

MD5
198a370f07d31ad40b301df5a1d24377

SHA1
db1501b2f13fdd73954a23d1e1d184c1c41e1ac4

SHA256
78c6fb67d637be081d72d1da32d75336efd973ba1b4e6ca42a7df6b37e343a28

SHA512
0fbb0c4b82b0c886ea21e4c90e4bb0d82e98a55e01b6c4257477378a2cf9355a7a496cf8dc8abb9eb3a941eacef6fe5ff385e4d249f6b21343ecad6ebfc7ddbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\_decimal.pyd
Filesize
105KB

MD5
54b4815fe3acc67aacbfd33a8992908c

SHA1
ea479c765a50b5b7f2d0766176f555b01fddff28

SHA256
8908ed833be3d4aa5f4e9227248b1661672afbf96d0b5eb4e56485447f3f5993

SHA512
e02415909443b431b1d510a686cd267d63cd1767464725793040b7af7f536f40231c48ea8d20a46a542e9059e617aa992151b0607afaf8228d0de7b295b536af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\_hashlib.pyd
Filesize
35KB

MD5
a6ba77793273904ec4a8ed44d8bc9c79

SHA1
f18d4fe31d50ef3393aaf131588d2b712c2ee0a8

SHA256
7257ad7ad7e768c45ccfdc87fd68108e1bc6b7afb289b4440c4cff515b280596

SHA512
03f596570c4d9c3177143bbf9c9eca09cb76017c829bcbb465ffba5241ff828728d942c4d505d3dca664a9c40b20161a70056e99b54cc8a622d9e57d9c56d1d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\_lzma.pyd
Filesize
86KB

MD5
3a5979717fe4aad3e98586c4e59c91dc

SHA1
a2f6dc447708619ed164c324822b8bcb4b088981

SHA256
faa8f4c6982d92438c9085a5fa914af0669277be7395564ef295f6eff6d8771b

SHA512
3954b074b78c73cfb20c14f2e916d367e1208dac49c4978f5b69ac650fad3fc72ee619eb7e4ea028c517bda93103cc300df14c4497393796ee4440d13026ff90

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\_multiprocessing.pyd
Filesize
27KB

MD5
e6d092d738375704281c5cdd11254b60

SHA1
79c803de74c44f5e7b39eefd9fd18e440e52eebb

SHA256
72daee8279e7a412d7d82ec6582dc69e5cc0f6e4b73ab348c463c5cc835fb0bf

SHA512
d3f480ccbe329319d5bb6cd390b8303ed4abb90e64d566c0f84821a1973003700871ff654313f792514de62e15d1f3b8e123abcca6199feaba3d2ca99bafe5e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\_overlapped.pyd
Filesize
33KB

MD5
a1f2d1d5174e557cf17258484ea0c666

SHA1
16290115f744feb9018e30c60721211c15b9aecf

SHA256
f8625a4e0b8415050a152878d74351bd13071edf6f47261e4b614ca857018da3

SHA512
79519d59ed1b2b5d5c5dcb1673044df6cb6f544783ba5fb37f17e6d1c3fcfc5b5d7008042bfa06f02e39f130d5838e5ff39caa09117baeb6db2f4449307feb98

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\_queue.pyd
Filesize
26KB

MD5
091014c7fa1e2c0f8e2e6b31de22fa6c

SHA1
bce793238cf039938933097d35a75d298f20f06d

SHA256
0695be59bf49c7963c2e24b184f71320d61439291f345ef7ff557c016577bf0b

SHA512
8414d5c9768bbf1b04dfc61348cd17e4529dcb6ab48618254c424212cb35b7695b045c4bc671563f661f52cb73512498af25e4cbe8e10da82c129ac89e12f5d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\_socket.pyd
Filesize
44KB

MD5
60c9ee3032e6e54b40cd41de85a776c7

SHA1
0f503570f99b83f79861260700f7e95d61e3a6ee

SHA256
466bdebd099e4f67f22d8ac27b7ec241c00bba5e15cc708deb39c577cac7453a

SHA512
4544d711e0a00a9350bdf0e77a2930ce161ca77c3dba054275b1f06da28ba5c96a5822fbeeecdd73275d392baa00ed80a54daba93afac343249831b7c499700d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\_ssl.pyd
Filesize
65KB

MD5
e2b396bb9c74455b78d5bcf790446397

SHA1
de7f2abf7cce4498172a74a5aa5319a4e2ca3a37

SHA256
2b2ad952a4062f523aea700a52a1901b876a3a9884dcea8793d9de0580e104ac

SHA512
20e0f94c40736a2b2a4204fb3327783c1813693b4de5338a9953339d29b21de369ac1174b309706c781ff99a15f112ee0378988d4bbbc0162eac88e3f5535167

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\api-ms-win-core-console-l1-1-0.dll
Filesize
13KB

MD5
feb41d426bf3cdfcc7d21464c26aed53

SHA1
97a56392ec04e202d59978dc6670d5e76a2be6c1

SHA256
299bf8705f61598548975e0b122debedf5dc928fc874801d8988d64b7d623da1

SHA512
2b962112bad1a754e2cbd3f3f29538dcf1132fa59e298bfa18d1b706d967735e02c524c3a993a2040a9ae94e387ede394c7f67d348e50e0ef40815ce67630866

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\api-ms-win-core-datetime-l1-1-0.dll
Filesize
13KB

MD5
faecbfdacc6dc01b0455ea7b4576de99

SHA1
62fe4962a5900ffb94a05e6577dc5d63d90b3000

SHA256
2b2ed0fe1be4713b33d150828ec0813fd4ecdcac8021a39e37fd8fe64bd21157

SHA512
68dca96b1cf711e5fa283c355183a3f8f2db84081f07fd534d36dc68b4ea6e32e58b9be38fd51d743212d2d698ae656474b30c85a86321d58d1c0947911602e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\api-ms-win-core-debug-l1-1-0.dll
Filesize
13KB

MD5
9936abac26b97057e61a5a8346bc26c9

SHA1
16f37a510ecc2a9119e99797e99c4d2468eb39f6

SHA256
d4de4b05b001028456087425ff66044b62bfda3076bff084f9be7843f517c584

SHA512
7404c4a2f884c952a9d0bca9dde757d05db9a74892823d239e70afa40360220896e22853dad19f6d3e8a130ef6a936ded1d53af99d0afd7fd23babd2e0b0842a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\api-ms-win-core-errorhandling-l1-1-0.dll
Filesize
13KB

MD5
da9189023a6b7872de881052f3b990f9

SHA1
55bcebcfd6805ee5bdad78a425ac5e123ab7e807

SHA256
f38193429c05622df65bfa1428895197b851d981875737c55f1cfe04a88664ef

SHA512
b9d60a5588d835fd7eea7b9bec6564377505b53169db281bf80fc994657e5a3dc506d58fdcdec5b6f79346fd7c172546b59315d276fa691d2b7b495ecc23c2e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\api-ms-win-core-file-l1-1-0.dll
Filesize
16KB

MD5
8b03d7c248a3b8d5a3ad1029af37c889

SHA1
868a0dde330fdcbf6d0d23900f2c65720ddf9a90

SHA256
4358b538205e9637e8ded05e8490dc0b673e0f756803da451e933411b0e0cb9e

SHA512
76d7e1ea0762a51cd5597e06e98dbd6af17124af57d1729e71ac994ffe7bbbf8be02e57dde31f76a5ea5e7194cceb24185d14fe378780dd1f1afd228fc012d9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\api-ms-win-core-file-l1-2-0.dll
Filesize
13KB

MD5
fa6953700659b11c2d82fb521d2e8664

SHA1
07c7d14fdfd1686a424820f77733d1d4f3c75e31

SHA256
4dcc72554ffaa121decaf6e5bd3081198f017d735a07cc6d23d8a56b1383a61e

SHA512
1300c6ab6377e717dfac9e2f78c1218dee91e8fde25454f65ab32095a949c1be5b67aa3ed1c1d9f78d0c8bc9830f5c1dc0e6e01e91effec20ead6cdd9a3f639f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\api-ms-win-core-file-l2-1-0.dll
Filesize
13KB

MD5
621a34a36c202e4c4e59a6077c22cb5e

SHA1
ec696fd4e8e5935a722e88a551593593a12e882e

SHA256
746cde47f460ab4ef45a3158cbc038b166c86b03114c259ea5c759001692c079

SHA512
04e94784a70a576235d5bec58c57b8b3cfc01d7b292287f299deaf52523cef51c2790874116e666e5bc672453beafe173cf1afbe49a5f3076b83344298643ae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\api-ms-win-core-handle-l1-1-0.dll
Filesize
13KB

MD5
7141a2a1640ac67e686778130ad8dd7d

SHA1
8f4ba743bc5df04b3075535507983cede7ed249d

SHA256
4a2265e71cd5c9b85f5c705755c23323c1c33aecd9ff72b6ba1b425b8170cf08

SHA512
6906bcdf8474e1fc9f69457cbae6635b18ddda69e3e42ac3b2eaa26aadd717e11b4fcd14e6ed6b5c4e318705c203498d77af8717becf94fd159075093f431440

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\api-ms-win-core-heap-l1-1-0.dll
Filesize
13KB

MD5
df603cd6cb0fe53fd77c065f2766b5e8

SHA1
0698b7b97a6f5174cdca0849bec001127f9f0b16

SHA256
e488e688b75b9f95451ad9c65586783e37c32b9952cb48286572c90b150ebbdd

SHA512
929f4868015306e5b84a1e2f341c12a792fe98d82cbcfabbbe79f932f80d81b98f1b6543da7d23e9153a68b00a3768fa9cd112382092104bd4810e3071723933

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\api-ms-win-core-interlocked-l1-1-0.dll
Filesize
13KB

MD5
f438ac3307c0de580adf6fb3d4ef57f8

SHA1
5d10ea60e004e583940a082b9157e801aa3c4674

SHA256
03ccd250ed3ef09013114094068dd08c96f0763778e94523e020241f7b16312b

SHA512
c323aae5bb8ce58f92fb8beceb5c60f1bec12f5aaac0c1a435e38de9a10226bdb92808bb2f4e7bf069aec435cb4aade6182d541de2174b8007f8a69a8aa0d264

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\api-ms-win-core-libraryloader-l1-1-0.dll
Filesize
14KB

MD5
06ec6d562b0609529e615e795f093512

SHA1
db7c78e4b3f8a0eb4b392c9eef5774a571719f15

SHA256
b120d94a585170f84230d2a6826e3f02d0eb7bde37f965c1fdaf2ba52c5d82bc

SHA512
10773d831d4096130305ee10d611fb28caec213dfe5dd109115c86f7c26df34d7daaea0e6b2eb9eac8f4d59421485e90d6e722c78a55132c25d7b3c7c7222ef5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\api-ms-win-core-localization-l1-2-0.dll
Filesize
15KB

MD5
2395f675152f25bdc501c1b698b3f70a

SHA1
829eb4dee9604330072c124b9bddf4a4e96a7c98

SHA256
4173e50962540ec0708930d7c456164d4e0fa96d49efb034621eb06e67ac0563

SHA512
7c0125e248387d268a337fa2a0090e6b8713e6205d22fb23a4ce9635fb0f5b79a0e3d28aab3050cc0445ef065632052c23341b1ac22dbd947ac4262fd63a1b51

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\api-ms-win-core-memory-l1-1-0.dll
Filesize
13KB

MD5
a241d82577b25ed4aa54ab02da7d82c9

SHA1
6cbc888c22a104109af2f084678b15576edbe465

SHA256
1b72a9b95e7d62c923f6b791c4251b63e6331660caf0f44385e6eb1901a9933e

SHA512
e51c246b80b56ea3912e849e18dbe7ff40a4a3e189475c96c570e71e05acdf89e97ffc533810a65172fc05f742b39ee9ef90e3fa0e4c9488f839c4c82fbc8560

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\api-ms-win-core-namedpipe-l1-1-0.dll
Filesize
13KB

MD5
83d560d0c8844cd047ea818414ee43ab

SHA1
11fd30a76f3e0a0af294a4da15890a55a0de3528

SHA256
93d08d10dc60968fe6df4257ad79911045aabce0d6babd9d0714abb104ac1309

SHA512
06a293264dca9bf12309fbc56c3d5a0f62c3bc7a04986e55c8553b778c491d78f27f9bfbd22ad2ee6317bc985b41066db6e9cbc25b93d5137ae5da012afb55c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\api-ms-win-core-processenvironment-l1-1-0.dll
Filesize
14KB

MD5
cb39b789091823bbe8ea7c9a84343dcb

SHA1
4d0f56a3833abb4a52e9af6d8631ea443a407b3e

SHA256
3f5a60c6772417f286c89cc45fe97eeae69d1705fa65445230b71b53a0a1eee8

SHA512
23d393de9f9d7092f7eb79dd4aa45bca386b454caa9e91d1f09699a79b3382adc0a7b7d972fb9dc41e1e082adde8640edcef7cf444f50e4f14df93b89c823ecf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\api-ms-win-core-processthreads-l1-1-0.dll
Filesize
15KB

MD5
4039d2c04c32fa423cc6ce766f0532d9

SHA1
a8d0cac1bcfdc94289b2073c2a14422d929df62f

SHA256
979c28aab88b3a45eed546e2a857e1e9eb41cb035d78446ee668feb918227238

SHA512
c1a0f9920ce28d4a15e5543458f68cc64125dd1b24e7c9caad3eed2b13b8c903ca9f76c0ab82f5a688843626150d321c4353fab81697eae604acbfb920b464e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\api-ms-win-core-processthreads-l1-1-1.dll
Filesize
13KB

MD5
81a255549e9b3467276810f94a67512d

SHA1
c3bf694f5d030d5a29ebb9ae70010be4571cec17

SHA256
8447c3c56f83e5a9407bf446cfc037d149b945611f03798f731e49145fca81c2

SHA512
05e6d83baa20b38d8710ed06c62ef8603c37d70fd0f6036f54a50ad041575d52f23c56bcebb12df8bf7cd9327c46522e59bcda47e2fcabfb0e5c11247708afa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\api-ms-win-core-profile-l1-1-0.dll
Filesize
12KB

MD5
d3291c9be1092f7d29018e7e45eb41c8

SHA1
8140fa723f59675ea8292b273edbc8892cb4b5bb

SHA256
edf1d0a1c9175c0392be3f15a6ed0be753b6df2b303876117becf47563db6f7f

SHA512
bc4626df89df4aad7e2524bf515934ab3b8bd7bba50853b8c6faec65967222feadce56a2f333758cea1b7b3a93eddde2865feab453c5f3bb9bdcc5a0cd3105f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\api-ms-win-core-rtlsupport-l1-1-0.dll
Filesize
13KB

MD5
d3167bbc7d02d30bf9e5d60abd7bb05f

SHA1
33a5e59103d2049140f35945b377e6ee07e06b64

SHA256
2c2851d20158b0023eda056c477a57853b6d648053d4d57cad49e5ed574843b4

SHA512
243c55b57eab36bb468a187a973e1cbbc430ad29f5ed627d3f127817885704df57a3e9865b5e28c3811bada14e1942e5293b4ff8b382ea2ba242aec82c6c51c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\api-ms-win-core-string-l1-1-0.dll
Filesize
13KB

MD5
d5cc0ab1fe05976d71ae09911cef5a67

SHA1
16c7af053e6b6d128a5d9c14479b398537e1e1b0

SHA256
689c682fc9030ce9e228c8dea5fc981956bf78229ee8f30c5f63b2b9df813766

SHA512
843634364539a861eb38c5516c8c18ee00173cff5f24ad567a17430b1b53132db06a4ccd18f041972b11956a85dbdefc18ad11c9a9b3a2954e2c93113099877b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\api-ms-win-core-synch-l1-1-0.dll
Filesize
15KB

MD5
de86a7505497ecf1be8c7aa6e8b1cb8d

SHA1
66220266ccf36a03b36f57b1f63f2e446349fbbd

SHA256
493072a7a15b11c5382394e98fa0007004f90aa533373e64f109273808d5251c

SHA512
07e323ad892304e4052fc46f2384c94dab4bb462ac9a5a2a7b6f8a411d98639324bd06146338d66cb295e4afd30942b5bd138bcb225496774b920d51572117dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\api-ms-win-core-synch-l1-2-0.dll
Filesize
13KB

MD5
c64289ca3db488fd15f25a8762221633

SHA1
b61c550bbe975b3841d8f201a967c8c227512ce4

SHA256
726155c1d1e1f1778bca4d3952f54ab50035b65750d69e3bdf73cf9c52213c22

SHA512
81f7866185b3a7971ef4cf7c98dc6326c17191c36df753b57174c6766fe0b4a49d7ab7954f08d472d0bc9dcbb3329b6309475ec092cf4a174f0b8958847aaf3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\api-ms-win-core-sysinfo-l1-1-0.dll
Filesize
14KB

MD5
c7368f2e472ca3e428ce9793d69fa3cd

SHA1
8064438a9d36f6b4bae2931ffaacb512c9e52e82

SHA256
c5a070567d238a43818fcabe6f0a99c470f03ec54042b3c95e91a548be20bf38

SHA512
0303c632b61b2b51950a45df7c0de6c215e950f7845dde6b58cb0f6a9af2b74cc77d49bcf79615e9a4a15ee2b2a4fa43a4a3a0adb2005b89ab16ab00e3717e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\api-ms-win-core-timezone-l1-1-0.dll
Filesize
13KB

MD5
59f3aeb2eda80ffc000b99f27ec99d14

SHA1
2961c514b480424b3512d424dcd7d295477b243a

SHA256
e1c41c6525ed510aa75ec671f86d22a005ffd9a856a74dcf09bf3256e301a8ab

SHA512
ff1980c859c7a23ded484a51e596fd591df855e0266961c4620373d42190152f92df83683779a79561d46bd5d238d7d178cfa2952dee316a742a72835be44992

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\api-ms-win-core-util-l1-1-0.dll
Filesize
13KB

MD5
fa11fa74380735a5b8d4b309de4854be

SHA1
328959db39043cf7591cb18faec351957695f788

SHA256
167e6e08e570e1ce34854781463c218bf14124a4112216b5f93d38d3c204e62a

SHA512
a82f457868374c92322f7508f2ed98504e62b670621ba17ad636044a8198f5be56be46b25426bec1b85dd79b3de7c2a00bec33bd9246bc136a208a6d6e5f335f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\api-ms-win-crt-conio-l1-1-0.dll
Filesize
14KB

MD5
218334da1ed369d2b694d3dff42da6ce

SHA1
afcb936ebfc7a2d6cd3b0c7f25a3fb125bcb8a8a

SHA256
b6ff4feabbe5f1fdc56f2e4e440dd8258702c3fc2a314440100319a62304baff

SHA512
9f2d009935b0847f89639b80c79dbe0fdfd08aa0c958ff67665a90971d3b304edf0e87b99112ca3ce988c2065147a41b63f47cd107d3a02e1a164ceb9bc4c13d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\api-ms-win-crt-convert-l1-1-0.dll
Filesize
17KB

MD5
d360a829d5376ff0961f62bbe5ac9e06

SHA1
7965077b47bf9949570656df5160f55d27eed1a4

SHA256
6db47157030960e7106cec7825601ce7a33ea58ece603c90ecd9532ece1d1afe

SHA512
aaeed59b187bb277239a07e539e34520e8bc321e4f398e44ee396751e76c189c0180171202380974f12c1c302e77b533b7a93898dd8ddfd5c524143a22b3b748

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\api-ms-win-crt-environment-l1-1-0.dll
Filesize
13KB

MD5
0ed33abfad3cedf07f538e2152443683

SHA1
78eed147eb33efd14f03d8e2fbe0ec0f41ae4056

SHA256
f76d2547bfc429e14b49d030679fdefa12383c1f3a8e09fa69b760a89f469e9a

SHA512
42b9417b464f6ddd45294e85b3f9143e5c76f512ca70214d1fc302f0cd28c8b7c29d9e213c78861d10ef4316aa02c14ecec2d9bc5a8021880f4186798eb4e317

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\api-ms-win-crt-filesystem-l1-1-0.dll
Filesize
15KB

MD5
442a686b00c22cc9affcecb15a569267

SHA1
10f02b15493737d30aacebad19ecadb8bab81817

SHA256
cb0be4a28ff15650353aa3ea778e7b4076f77d394b6c406b2d288a8ccdf88a05

SHA512
3d1da7ce726a435629d492ee2191e9818ddc975fc686835d61f1259fbb123de522f419a4571fb24c2c5227a2d12a83db2815aca6b7360a75a4b0671ea212acbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\api-ms-win-crt-heap-l1-1-0.dll
Filesize
14KB

MD5
dd79fe03815d8d96a70955257b85d025

SHA1
d98f5a2d2d52fc361064427fdecffbe1620b1d68

SHA256
505b61565d51d0c95d9bc77337d063cd18c97a575f5e318cc5a0458d10ef4638

SHA512
3fa3d9a9cddb493786c557f0738c6fad181a862749447c8172093709c4e931708cce12c9d177dbc4f9a0de0f950ebeaf02271e7cbc2b1f177e9c7f838b9ad7d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\api-ms-win-crt-locale-l1-1-0.dll
Filesize
13KB

MD5
ed7e63157d241abb713998265b3987d1

SHA1
00d80cfe269434a4bbc7b2266e0e3d7f7ff72f2f

SHA256
3afe87a1dd2463fc3a9b5ba0bfc97fb3689764ac10d2c408f5a7b7d6caf06657

SHA512
3e89d1c1c3fca451a3d693873ebf58cceb73720c4c56d7449a96192fd240ac285a3da4e200ec289bfd5cfcfbdac4d83671059ed672739ca83deef9c891d84165

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\api-ms-win-crt-math-l1-1-0.dll
Filesize
22KB

MD5
0d517e23b98b6e465214a25b0e73a49b

SHA1
8900d523d919a42ef4750eee7ce87cfb835fa455

SHA256
90d5f4615e9aadf8f38f98a8443ca3cdcee6f082d07ee2abd1a74204dbefe73a

SHA512
d850881bd7b042051fecee9e2fb4be105184e678c82d25095f88dc3c4e6ca9eb4ef818eee36443a62a1f54225a5213363b5a058d3a70baa29dd83f44dc9a1eb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\api-ms-win-crt-process-l1-1-0.dll
Filesize
14KB

MD5
e9208bf204cc2f705533328fa24f3a8b

SHA1
d2d6549d7a85dfb4d5877c59f3ba110985a202c9

SHA256
c679988b7dac986ec8d92b994d92b9979e565f6adbfd356b66a920f20e9caa86

SHA512
fb648540545c25d15a19cb9605fd78cbb5a214ff4d91d925400632aca85b59611493db71c65182cc189529fe767bcee114ac7e6c7980afa64875ca622ff1b038

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\api-ms-win-crt-runtime-l1-1-0.dll
Filesize
17KB

MD5
9206d6bb749266ac31da559029003fbb

SHA1
496d3051b66d93951253686b73023b64350b521b

SHA256
19da9d0027faed99ef3685a706da4256a24bc705e1f3c0dfcb89df0508620814

SHA512
cd316a52b289e223f607a88033efe1de085a1fba3228a55900ef5908bd90c6342930bdfb73a1ae995c5e496977336186bb3c4e1a0f4f3de52a6465014ee917bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\api-ms-win-crt-stdio-l1-1-0.dll
Filesize
19KB

MD5
7f21f2ae857b6ed53ba086feca60e4d9

SHA1
abf957cf28b85c48a86ae255c36a978b4f1e0744

SHA256
479e452662de08c4f65572d78ad553d8a9ce0612e39e3b2aa274b77b40b398f2

SHA512
1a2d46806b48cf91beb7dcc9219af80f02d622b1aa9af7785e6b92dca138781a04a3c1bcc15f166fff96ee6bf3be19ae63e32b74a57d0f281acc1685fbca8148

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\api-ms-win-crt-string-l1-1-0.dll
Filesize
19KB

MD5
017cd4317c9ff229fe723b4cef459e06

SHA1
d4355b4257d2efd5b1fc1a8b1ec8fbcde2260c75

SHA256
9800d19f55385efdb4bb215d7de0773fb9574fd5ce2773f0217973c780bb8ccf

SHA512
513e20936e54e179772669a5c097e61369e6b9e62b7a8c246e4bb518a190078968b6aa8c434418eae739b2081421faec4e396ae21803d383e853c77c8b914dc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\api-ms-win-crt-time-l1-1-0.dll
Filesize
15KB

MD5
7e767ac571d63bcaeb64e243b2600b8d

SHA1
995ce687f655ff937fdf80c1ac7bae043e23e45a

SHA256
c7643c68c3a33a2f67edca02d713749cafeb200daf1f3db7bd2eb168809132ab

SHA512
10b0f0c4844b4beef38d9bd51bbde19ff83caa8e9ac2673528056535872b07e48515c973c50dea9da0ac335cf1a98374d31f52cb04bb0e95eb0e5e6337eee95e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\api-ms-win-crt-utility-l1-1-0.dll
Filesize
13KB

MD5
3138b144c99759b77dbd488dc91134ae

SHA1
664718852f84ad49623ffd401fac7959eda57704

SHA256
3f78ca473da2335c8f26e32ac5a12ab6a76e4c415d923a930abbc0ef5630c835

SHA512
4e5c519facb1580eca906821d0956b750c63f8882acd5dd0be1531ee2ee45e8b0fb10de6db0f1cd254844131680e19206942d7be24e976bd34cf1ebfa434b16b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\base_library.zip
Filesize
1.3MB

MD5
630153ac2b37b16b8c5b0dbb69a3b9d6

SHA1
f901cd701fe081489b45d18157b4a15c83943d9d

SHA256
ec4e6b8e9f6f1f4b525af72d3a6827807c7a81978cb03db5767028ebea283be2

SHA512
7e3a434c8df80d32e66036d831cbd6661641c0898bd0838a07038b460261bf25b72a626def06d0faa692caf64412ca699b1fa7a848fe9d969756e097cba39e41

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\libcrypto-3.dll
Filesize
1.6MB

MD5
8fed6a2bbb718bb44240a84662c79b53

SHA1
2cd169a573922b3a0e35d0f9f252b55638a16bca

SHA256
f8de79a5dd7eeb4b2a053315ab4c719cd48fe90b0533949f94b6a291e6bc70fd

SHA512
87787593e6a7d0556a4d05f07a276ffdbef551802eb2e4b07104362cb5af0b32bffd911fd9237799e10e0c8685e9e7a7345c3bce2ad966843c269b4c9bd83e03

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\libffi-8.dll
Filesize
29KB

MD5
013a0b2653aa0eb6075419217a1ed6bd

SHA1
1b58ff8e160b29a43397499801cf8ab0344371e7

SHA256
e9d8eb01bb9b02ce3859ba4527938a71b4668f98897d46f29e94b27014036523

SHA512
0bd13fa1d55133ee2a96387e0756f48133987bacd99d1f58bab3be7bffdf868092060c17ab792dcfbb4680f984f40d3f7cc24abdd657b756496aa8884b8f6099

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\libssl-3.dll
Filesize
222KB

MD5
37c7f14cd439a0c40d496421343f96d5

SHA1
1b6d68159e566f3011087befdcf64f6ee176085c

SHA256
b9c8276a3122cacba65cfa78217fef8a6d4f0204548fcacce66018cb91cb1b2a

SHA512
f446fd4bd351d391006d82198f7f679718a6e17f14ca5400ba23886275ed5363739bfd5bc01ca07cb2af19668dd8ab0b403bcae139d81a245db2b775770953ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\pyexpat.pyd
Filesize
87KB

MD5
c2bcf69fffdbc2eaa663341a3d947937

SHA1
3626eb41c3d5251b0f0f085b78506e4a9ce5c781

SHA256
f5da5a243c6bfc4a643e6915e0790e20cee96bff9cb49b22ff1a56c11a5d66f4

SHA512
9a6f795e0b4f48029f89c5579e6f357274a1b7b86cbf7b5851afad19e154539b30919e9e4f2e39a2ef73dea3e031c8c2996ef13d3ffea9d6b5effb058680c2a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\python312.dll
Filesize
1.8MB

MD5
f8a73b023a10c10a060bea2b1134050d

SHA1
58ccd5d0f26bc52f4ea5ba2df035661da7d980b4

SHA256
c905061019b513e576ad98585c71f876c4cebd1da51906c6123980e3b33ab5e2

SHA512
fab9a6be342fcbec07093552d59101ef1f0536c87114297154455ff73afb95de30318fd3d33906fffbaa8f3964aa443a8b386cbc7b586d91f1ca05567db98453

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\select.pyd
Filesize
25KB

MD5
0504532def25e5e222317bd2d4c90646

SHA1
ac5ef465a7cdadbb01a7b2da31abb941bea55273

SHA256
c276ec49fe7b0d938ef574fd7a7709db7b1e9418ba9e18c330c782b8cc73f9a6

SHA512
1a066851f44ce745da3e3a7c6c410063c1256e4a92460840bd4ca6d3a88d9af2e1b455be01d557569a016a402bc76b9ca82a9aaeccea7b5a5d191c4c8fef835a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\ucrtbase.dll
Filesize
987KB

MD5
637c17ad8bccc838b0cf83ffb8e2c7fd

SHA1
b2dd2890668e589badb2ba61a27c1da503d73c39

SHA256
be7368df484688493fb49fb0c4ad641485070190db62a2c071c9c50612e43fed

SHA512
f6b727c319ca2e85a9b5c5e0b9d8b9023f0cf4193fab983cfa26060923374c6abd6d11db1da2e524a8b04622a4e13beb4c48dc23f98886d4abb33eb09f3a0776

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20402\unicodedata.pyd
Filesize
295KB

MD5
4f30f329d3f4b501febf16f12e376988

SHA1
1fcf01b68df3542543e557bc1124d424c6c0ea01

SHA256
f340150a4bd9170fa7ccfefffdf80d6e2aa16793687c26631d0a59612c6d4fc5

SHA512
1b0638f4cc083893f7724057bb14f4a43724bce11a15012abd833f46bce593023e008610d4e7a0324b6aa495d4394c2ea086eb9409994ca2e6e62914664ff496

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\jre-21.0.2\legal\java.logging\ADDITIONAL_LICENSE_INFO
Filesize
49B

MD5
19c9d1d2aad61ce9cb8fb7f20ef1ca98

SHA1
2db86ab706d9b73feeb51a904be03b63bee92baf

SHA256
ebf9777bd307ed789ceabf282a9aca168c391c7f48e15a60939352efb3ea33f9

SHA512
7ec63b59d8f87a42689f544c2e8e7700da5d8720b37b41216cbd1372c47b1bc3b892020f0dd3a44a05f2a7c07471ff484e4165427f1a9cad0d2393840cd94e5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\jre-21.0.2\legal\java.logging\ASSEMBLY_EXCEPTION
Filesize
44B

MD5
7caf4cdbb99569deb047c20f1aad47c4

SHA1
24e7497426d27fe3c17774242883ccbed8f54b4d

SHA256
b998cda101e5a1ebcfb5ff9cddd76ed43a2f2169676592d428b7c0d780665f2a

SHA512
a1435e6f1e4e9285476a0e7bc3b4f645bbafb01b41798a2450390e16b18b242531f346373e01d568f6cc052932a3256e491a65e8b94b118069853f2b0c8cd619

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\jre-21.0.2\legal\java.logging\LICENSE
Filesize
33B

MD5
16989bab922811e28b64ac30449a5d05

SHA1
51ab20e8c19ee570bf6c496ec7346b7cf17bd04a

SHA256
86e0516b888276a492b19f9a84f5a866ed36925fae1510b3a94a0b6213e69192

SHA512
86571f127a6755a7339a9ed06e458c8dc5898e528de89e369a13c183711831af0646474986bae6573bc5155058d5f38348d6bfdeb3fd9318e98e0bf7916e6608

Download Submit
C:\Users\Admin\AppData\Local\Temp\discord-rpc\discord-rpc.dll
Filesize
390KB

MD5
5882c37b79bae47a0d090006564edb22

SHA1
ac7bbbdb1d34eb763d8db4ef7875a50f700e9d48

SHA256
5cc2e504800cf4ed2f4781364f661ea22349658ddc391b5d54195e573109d87b

SHA512
d4a6a1a36842dd1c8b2162168807b990e0d491a908e11b52ebf11174a67f818b131607c2122dbb484f5d946418a05a1a84d42e1468bef5c98ec3fcff7d225ccd

Download Submit
C:\Users\Admin\AppData\Local\Temp\jna-63116079\jna13258940014558146880.dll
Filesize
240KB

MD5
68bf293ed84fec43a17dbc830b6001c1

SHA1
e2841508e29f91c168c0a620c57cec387f681a6c

SHA256
19e394e5d7a64f1e5063043f6f8d23243db22ff87d67e9e930bd13f8b12bf275

SHA512
31679b608c01138c97dd0cb6692a00359e398623097650b72a8f4f2701955232657431df41dc3b1f5681de0c30ae6357d1d8343c6124532f2a067210bd1c9fb8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms
Filesize
1KB

MD5
7e0e837683caa682966eb6e1a2b1f48d

SHA1
e6b7aa41250d105bc82e70b4081095fe43ff1f13

SHA256
fce050fe95ec372480d53a1abcc8b86e4e5ba3cf978b94c702ecc081fbb6a3c7

SHA512
b3d2aca92a1e73545fd1b1778e7077cb2d4d90b23b5be4da2dc5b8698551fe61c0b1b95b9822bc74a34aa0a43fa1ffc045db0abadfc27830ffeee7da0fadad7d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms
Filesize
3KB

MD5
ece69202d0ef5ac8b3c1c9d6fd548e78

SHA1
78065815cd8d8046c33d24d036d8f935ed70098b

SHA256
7a1145936687327de5f8e8028cf60992d77b0a1ac96909949f0f1dbfcfc73ad7

SHA512
ce3b35ec6349b2e10ce7828d1e40a689f0b29fbffed0a0f1b0552e364230fbfc9dd2a5caad84ada3d3002ff14da992871a892aab19d4850710afee2bfd69ef17

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\ml.xspf.tmp2548
Filesize
304B

MD5
781602441469750c3219c8c38b515ed4

SHA1
e885acd1cbd0b897ebcedbb145bef1c330f80595

SHA256
81970dbe581373d14fbd451ac4b3f96e5f69b79645f1ee1ca715cff3af0bf20d

SHA512
2b0a1717d96edb47bdf0ffeb250a5ec11f7d0638d3e0a62fbe48c064379b473ca88ffbececb32a72129d06c040b107834f1004ccda5f0f35b8c3588034786461

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini
Filesize
573B

MD5
63d4aee908f521a6a8fbb5bc894fe89f

SHA1
56d41836e2ca3163b0d2091dd0dc20ce4e8e77e5

SHA256
09c0f52c4eb359b3228b155ee169160e83ee5a899d1437b18b791e3b40d6656e

SHA512
93fad52fdb6662b55736334a60db5308de7d9dc5e8d624d311a1b68dd54866b0c25b05153d3f8eb34d5c69de47d611acc831667cc64ed97915e9a08316b5535c

Download Submit
memory/2732-143-0x00007FFD3FAD0000-0x00007FFD3FADB000-memory.dmp

Filesize
44KB

Download
memory/2732-174-0x00007FFD3F1C0000-0x00007FFD3F28D000-memory.dmp

Filesize
820KB

Download
memory/2732-140-0x00007FFD3FCC0000-0x00007FFD3FCD4000-memory.dmp

Filesize
80KB

Download
memory/2732-146-0x00007FFD438A0000-0x00007FFD438C5000-memory.dmp

Filesize
148KB

Download
memory/2732-145-0x00007FFD30230000-0x00007FFD3034B000-memory.dmp

Filesize
1.1MB

Download
memory/2732-144-0x00007FFD3F910000-0x00007FFD3F937000-memory.dmp

Filesize
156KB

Download
memory/2732-138-0x00007FFD30350000-0x00007FFD30879000-memory.dmp

Filesize
5.2MB

Download
memory/2732-142-0x00007FFD43800000-0x00007FFD4380D000-memory.dmp

Filesize
52KB

Download
memory/2732-141-0x00007FFD30A80000-0x00007FFD31159000-memory.dmp

Filesize
6.8MB

Download
memory/2732-147-0x00007FFD3FAB0000-0x00007FFD3FAC6000-memory.dmp

Filesize
88KB

Download
memory/2732-148-0x00007FFD43810000-0x00007FFD4383D000-memory.dmp

Filesize
180KB

Download
memory/2732-149-0x00007FFD38AE0000-0x00007FFD38AF2000-memory.dmp

Filesize
72KB

Download
memory/2732-153-0x00007FFD439B0000-0x00007FFD439BD000-memory.dmp

Filesize
52KB

Download
memory/2732-154-0x00007FFD3FCE0000-0x00007FFD3FD13000-memory.dmp

Filesize
204KB

Download
memory/2732-155-0x00007FFD30A80000-0x00007FFD31159000-memory.dmp

Filesize
6.8MB

Download
memory/2732-139-0x00000190A0E20000-0x00000190A1349000-memory.dmp

Filesize
5.2MB

Download
memory/2732-172-0x00007FFD3FAB0000-0x00007FFD3FAC6000-memory.dmp

Filesize
88KB

Download
memory/2732-166-0x00007FFD30350000-0x00007FFD30879000-memory.dmp

Filesize
5.2MB

Download
memory/2732-175-0x00000190A0E20000-0x00000190A1349000-memory.dmp

Filesize
5.2MB

Download
memory/2732-195-0x00007FFD3B740000-0x00007FFD3B74E000-memory.dmp

Filesize
56KB

Download
memory/2732-198-0x00007FFD30A80000-0x00007FFD31159000-memory.dmp

Filesize
6.8MB

Download
memory/2732-137-0x00007FFD3F1C0000-0x00007FFD3F28D000-memory.dmp

Filesize
820KB

Download
memory/2732-136-0x00007FFD3FCE0000-0x00007FFD3FD13000-memory.dmp

Filesize
204KB

Download
memory/2732-135-0x00007FFD3FD20000-0x00007FFD3FD63000-memory.dmp

Filesize
268KB

Download
memory/2732-69-0x00007FFD30A80000-0x00007FFD31159000-memory.dmp

Filesize
6.8MB

Download
memory/2732-134-0x00007FFD439B0000-0x00007FFD439BD000-memory.dmp

Filesize
52KB

Download
memory/2732-130-0x00007FFD45CA0000-0x00007FFD45CB9000-memory.dmp

Filesize
100KB

Download
memory/2732-131-0x00007FFD45F30000-0x00007FFD45F3D000-memory.dmp

Filesize
52KB

Download
memory/2732-132-0x00007FFD43840000-0x00007FFD43859000-memory.dmp

Filesize
100KB

Download
memory/2732-133-0x00007FFD43810000-0x00007FFD4383D000-memory.dmp

Filesize
180KB

Download
memory/2732-75-0x00007FFD438A0000-0x00007FFD438C5000-memory.dmp

Filesize
148KB

Download
memory/2732-76-0x00007FFD45F40000-0x00007FFD45F4F000-memory.dmp

Filesize
60KB

Download