xworm | f6eb39b9b49c6ad5904d067c4845dfdd96cdccd4b979fad40af44cdc26992546

Analysis

max time kernel
89s
max time network
114s
platform
windows11-21h2_x64
resource
win11-20240704-en
resource tags

arch:x64arch:x86image:win11-20240704-enlocale:en-usos:windows11-21h2-x64system
submitted
09/07/2024, 05:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MetaScalpSetup.exe
Size

129.8MB
MD5

385b5b76e12c76c169bf7e3f6fa2c317
SHA1

ea281a577b99a5f29d290aca30f4ca67945d7fcc
SHA256

f6eb39b9b49c6ad5904d067c4845dfdd96cdccd4b979fad40af44cdc26992546
SHA512

9c99ca240732a95d4f1d373731179318d839b15286b41945eb465bc6b1c64f502c488811fff91b71137b59a64bcb503a87be93085a7f0509fe95bd77fcaf719c
SSDEEP

3145728:fOdRmy1fMkZCiZQr8iTps95xUJO5wUti1BEn6b8CQQ:2dQECiZQr8Ss94Mxi1gz7

Score

10^/10

xworm discovery execution persistence rat trojan upx

Malware Config

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/1016-10047-0x0000000009D30000-0x0000000009D3E000-memory.dmp	disable_win_def

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1016-5959-0x0000000000800000-0x000000000082E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
124	powershell.exe
2816	powershell.exe
1204	powershell.exe
3104	powershell.exe
2080	powershell.exe
4104	powershell.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MetaScalpSetup.exe	MetaScalpSetup.exe

Executes dropped EXE 8 IoCs

pid	Process
2960	Chrome.exe
4924	MetaScalpSetup.exe
772	squ3C0A.tmp.exe
616	MetaScalp.exe
1016	Chrome.exe
3680	MetaScalp.exe
2976	luxwrc.exe
3724	idkpne.exe

Loads dropped DLL 64 IoCs

pid	Process
2740	MetaScalpSetup.exe
2740	MetaScalpSetup.exe
2740	MetaScalpSetup.exe
2740	MetaScalpSetup.exe
2740	MetaScalpSetup.exe
2740	MetaScalpSetup.exe
2740	MetaScalpSetup.exe
2740	MetaScalpSetup.exe
2740	MetaScalpSetup.exe
2740	MetaScalpSetup.exe
2740	MetaScalpSetup.exe
2740	MetaScalpSetup.exe
2740	MetaScalpSetup.exe
2740	MetaScalpSetup.exe
2740	MetaScalpSetup.exe
2740	MetaScalpSetup.exe
2740	MetaScalpSetup.exe
2740	MetaScalpSetup.exe
2740	MetaScalpSetup.exe
2740	MetaScalpSetup.exe
2740	MetaScalpSetup.exe
2740	MetaScalpSetup.exe
2740	MetaScalpSetup.exe
2740	MetaScalpSetup.exe
2740	MetaScalpSetup.exe
2740	MetaScalpSetup.exe
2740	MetaScalpSetup.exe
2740	MetaScalpSetup.exe
2740	MetaScalpSetup.exe
2740	MetaScalpSetup.exe
2740	MetaScalpSetup.exe
2740	MetaScalpSetup.exe
2740	MetaScalpSetup.exe
2740	MetaScalpSetup.exe
2740	MetaScalpSetup.exe
2740	MetaScalpSetup.exe
2740	MetaScalpSetup.exe
2740	MetaScalpSetup.exe
2740	MetaScalpSetup.exe
2740	MetaScalpSetup.exe
2740	MetaScalpSetup.exe
2740	MetaScalpSetup.exe
2740	MetaScalpSetup.exe
616	MetaScalp.exe
616	MetaScalp.exe
616	MetaScalp.exe
616	MetaScalp.exe
616	MetaScalp.exe
616	MetaScalp.exe
616	MetaScalp.exe
616	MetaScalp.exe
616	MetaScalp.exe
616	MetaScalp.exe
616	MetaScalp.exe
616	MetaScalp.exe
616	MetaScalp.exe
616	MetaScalp.exe
616	MetaScalp.exe
616	MetaScalp.exe
616	MetaScalp.exe
616	MetaScalp.exe
616	MetaScalp.exe
616	MetaScalp.exe
616	MetaScalp.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000100000002aadb-125.dat	upx
behavioral1/memory/2740-129-0x00007FFD327D0000-0x00007FFD32C3E000-memory.dmp	upx
behavioral1/files/0x000100000002aa9f-131.dat	upx
behavioral1/files/0x000100000002aad8-133.dat	upx
behavioral1/memory/2740-137-0x00007FFD4DDB0000-0x00007FFD4DDBF000-memory.dmp	upx
behavioral1/files/0x000100000002aaa2-140.dat	upx
behavioral1/files/0x000100000002aaa0-189.dat	upx
behavioral1/memory/2740-191-0x00007FFD48010000-0x00007FFD4803D000-memory.dmp	upx
behavioral1/memory/2740-190-0x00007FFD49D20000-0x00007FFD49D39000-memory.dmp	upx
behavioral1/files/0x000100000002aa9e-188.dat	upx
behavioral1/files/0x000100000002aa9c-187.dat	upx
behavioral1/files/0x000400000002aa51-185.dat	upx
behavioral1/files/0x000100000002aadf-184.dat	upx
behavioral1/files/0x000100000002aada-183.dat	upx
behavioral1/files/0x000100000002aad9-181.dat	upx
behavioral1/files/0x000100000002aad7-180.dat	upx
behavioral1/files/0x000100000002aa9d-138.dat	upx
behavioral1/memory/2740-136-0x00007FFD48040000-0x00007FFD48064000-memory.dmp	upx
behavioral1/memory/2740-192-0x00007FFD44B40000-0x00007FFD44B59000-memory.dmp	upx
behavioral1/memory/2740-193-0x00007FFD48870000-0x00007FFD4887D000-memory.dmp	upx
behavioral1/memory/2740-194-0x00007FFD44040000-0x00007FFD44074000-memory.dmp	upx
behavioral1/memory/2740-195-0x00007FFD449B0000-0x00007FFD449BD000-memory.dmp	upx
behavioral1/memory/2740-196-0x00007FFD44010000-0x00007FFD4403E000-memory.dmp	upx
behavioral1/memory/2740-197-0x00007FFD38C80000-0x00007FFD38D3C000-memory.dmp	upx
behavioral1/memory/2740-198-0x00007FFD43FE0000-0x00007FFD4400B000-memory.dmp	upx
behavioral1/memory/2740-200-0x00007FFD48070000-0x00007FFD4809E000-memory.dmp	upx
behavioral1/memory/2740-199-0x00007FFD327D0000-0x00007FFD32C3E000-memory.dmp	upx
behavioral1/memory/2740-203-0x00007FFD444F0000-0x00007FFD445A8000-memory.dmp	upx
behavioral1/memory/2740-202-0x00007FFD32D80000-0x00007FFD330F5000-memory.dmp	upx
behavioral1/memory/2740-204-0x00007FFD44690000-0x00007FFD446A5000-memory.dmp	upx
behavioral1/memory/2740-205-0x00007FFD44B40000-0x00007FFD44B59000-memory.dmp	upx
behavioral1/memory/2740-206-0x00007FFD4DEE0000-0x00007FFD4DEF0000-memory.dmp	upx
behavioral1/memory/2740-207-0x00007FFD444D0000-0x00007FFD444E4000-memory.dmp	upx
behavioral1/memory/2740-210-0x00007FFD32C60000-0x00007FFD32D78000-memory.dmp	upx
behavioral1/memory/2740-209-0x00007FFD444A0000-0x00007FFD444C6000-memory.dmp	upx
behavioral1/memory/2740-208-0x00007FFD44990000-0x00007FFD4499B000-memory.dmp	upx
behavioral1/memory/2740-211-0x00007FFD44460000-0x00007FFD44498000-memory.dmp	upx
behavioral1/memory/2740-220-0x00007FFD38C80000-0x00007FFD38D3C000-memory.dmp	upx
behavioral1/memory/2740-221-0x00007FFD44400000-0x00007FFD4440C000-memory.dmp	upx
behavioral1/memory/2740-233-0x00007FFD43E00000-0x00007FFD43E12000-memory.dmp	upx
behavioral1/memory/2740-231-0x00007FFD443E0000-0x00007FFD443EC000-memory.dmp	upx
behavioral1/memory/2740-229-0x00007FFD443F0000-0x00007FFD443FE000-memory.dmp	upx
behavioral1/memory/2740-228-0x00007FFD43FC0000-0x00007FFD43FCC000-memory.dmp	upx
behavioral1/memory/2740-226-0x00007FFD43FD0000-0x00007FFD43FDD000-memory.dmp	upx
behavioral1/memory/2740-225-0x00007FFD443A0000-0x00007FFD443AC000-memory.dmp	upx
behavioral1/memory/2740-224-0x00007FFD443B0000-0x00007FFD443BC000-memory.dmp	upx
behavioral1/memory/2740-223-0x00007FFD443C0000-0x00007FFD443CB000-memory.dmp	upx
behavioral1/memory/2740-222-0x00007FFD443D0000-0x00007FFD443DB000-memory.dmp	upx
behavioral1/memory/2740-219-0x00007FFD44410000-0x00007FFD4441C000-memory.dmp	upx
behavioral1/memory/2740-218-0x00007FFD44420000-0x00007FFD4442B000-memory.dmp	upx
behavioral1/memory/2740-217-0x00007FFD44430000-0x00007FFD4443C000-memory.dmp	upx
behavioral1/memory/2740-216-0x00007FFD44440000-0x00007FFD4444B000-memory.dmp	upx
behavioral1/memory/2740-215-0x00007FFD44450000-0x00007FFD4445C000-memory.dmp	upx
behavioral1/memory/2740-214-0x00007FFD44660000-0x00007FFD4466B000-memory.dmp	upx
behavioral1/memory/2740-213-0x00007FFD44900000-0x00007FFD4490B000-memory.dmp	upx
behavioral1/memory/2740-212-0x00007FFD44010000-0x00007FFD4403E000-memory.dmp	upx
behavioral1/memory/2740-254-0x00007FFD48070000-0x00007FFD4809E000-memory.dmp	upx
behavioral1/memory/2740-256-0x00007FFD32D80000-0x00007FFD330F5000-memory.dmp	upx
behavioral1/memory/2740-284-0x00007FFD444F0000-0x00007FFD445A8000-memory.dmp	upx
behavioral1/memory/2740-286-0x00007FFD48040000-0x00007FFD48064000-memory.dmp	upx
behavioral1/memory/2740-315-0x00007FFD44690000-0x00007FFD446A5000-memory.dmp	upx
behavioral1/memory/2740-306-0x00007FFD44460000-0x00007FFD44498000-memory.dmp	upx
behavioral1/memory/2740-299-0x00007FFD32D80000-0x00007FFD330F5000-memory.dmp	upx
behavioral1/memory/2740-297-0x00007FFD48070000-0x00007FFD4809E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2608496357-2693146533-2740208290-1000\Software\Microsoft\Windows\CurrentVersion\Run\ChromeInstaller = "C:\\Users\\Admin\\AppData\\Roaming\\ChromeInstaller.exe"	Chrome.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
4	pastebin.com
5	pastebin.com
9	pastebin.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2960 set thread context of 1016	2960	Chrome.exe	112

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
3768	tasklist.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2608496357-2693146533-2740208290-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
4104	powershell.exe
4104	powershell.exe
2816	powershell.exe
2816	powershell.exe
1204	powershell.exe
1204	powershell.exe
3104	powershell.exe
3104	powershell.exe
2080	powershell.exe
2080	powershell.exe
772	squ3C0A.tmp.exe
772	squ3C0A.tmp.exe
1016	Chrome.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	3768	tasklist.exe
Token: SeDebugPrivilege	4104	powershell.exe
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	1204	powershell.exe
Token: SeDebugPrivilege	3104	powershell.exe
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeDebugPrivilege	2960	Chrome.exe
Token: SeDebugPrivilege	772	squ3C0A.tmp.exe
Token: SeDebugPrivilege	2960	Chrome.exe
Token: SeDebugPrivilege	616	MetaScalp.exe
Token: SeDebugPrivilege	1016	Chrome.exe
Token: SeDebugPrivilege	3680	MetaScalp.exe
Token: SeDebugPrivilege	1016	Chrome.exe
Token: SeDebugPrivilege	2976	luxwrc.exe
Token: SeDebugPrivilege	3724	idkpne.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1016	Chrome.exe
1756	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 2740	2684	MetaScalpSetup.exe	79
PID 2684 wrote to memory of 2740	2684	MetaScalpSetup.exe	79
PID 2740 wrote to memory of 3660	2740	MetaScalpSetup.exe	80
PID 2740 wrote to memory of 3660	2740	MetaScalpSetup.exe	80
PID 2740 wrote to memory of 760	2740	MetaScalpSetup.exe	83
PID 2740 wrote to memory of 760	2740	MetaScalpSetup.exe	83
PID 760 wrote to memory of 4624	760	cmd.exe	85
PID 760 wrote to memory of 4624	760	cmd.exe	85
PID 2740 wrote to memory of 2788	2740	MetaScalpSetup.exe	86
PID 2740 wrote to memory of 2788	2740	MetaScalpSetup.exe	86
PID 2788 wrote to memory of 3000	2788	cmd.exe	88
PID 2788 wrote to memory of 3000	2788	cmd.exe	88
PID 2740 wrote to memory of 4344	2740	MetaScalpSetup.exe	89
PID 2740 wrote to memory of 4344	2740	MetaScalpSetup.exe	89
PID 4344 wrote to memory of 3768	4344	cmd.exe	91
PID 4344 wrote to memory of 3768	4344	cmd.exe	91
PID 4344 wrote to memory of 804	4344	cmd.exe	92
PID 4344 wrote to memory of 804	4344	cmd.exe	92
PID 4344 wrote to memory of 3100	4344	cmd.exe	93
PID 4344 wrote to memory of 3100	4344	cmd.exe	93
PID 2740 wrote to memory of 4104	2740	MetaScalpSetup.exe	94
PID 2740 wrote to memory of 4104	2740	MetaScalpSetup.exe	94
PID 2740 wrote to memory of 2816	2740	MetaScalpSetup.exe	96
PID 2740 wrote to memory of 2816	2740	MetaScalpSetup.exe	96
PID 2740 wrote to memory of 1204	2740	MetaScalpSetup.exe	98
PID 2740 wrote to memory of 1204	2740	MetaScalpSetup.exe	98
PID 2740 wrote to memory of 3104	2740	MetaScalpSetup.exe	100
PID 2740 wrote to memory of 3104	2740	MetaScalpSetup.exe	100
PID 2740 wrote to memory of 2080	2740	MetaScalpSetup.exe	102
PID 2740 wrote to memory of 2080	2740	MetaScalpSetup.exe	102
PID 2740 wrote to memory of 1080	2740	MetaScalpSetup.exe	104
PID 2740 wrote to memory of 1080	2740	MetaScalpSetup.exe	104
PID 1080 wrote to memory of 2960	1080	cmd.exe	106
PID 1080 wrote to memory of 2960	1080	cmd.exe	106
PID 1080 wrote to memory of 2960	1080	cmd.exe	106
PID 2740 wrote to memory of 3496	2740	MetaScalpSetup.exe	107
PID 2740 wrote to memory of 3496	2740	MetaScalpSetup.exe	107
PID 3496 wrote to memory of 4924	3496	cmd.exe	109
PID 3496 wrote to memory of 4924	3496	cmd.exe	109
PID 3496 wrote to memory of 4924	3496	cmd.exe	109
PID 4924 wrote to memory of 772	4924	MetaScalpSetup.exe	110
PID 4924 wrote to memory of 772	4924	MetaScalpSetup.exe	110
PID 4924 wrote to memory of 772	4924	MetaScalpSetup.exe	110
PID 772 wrote to memory of 616	772	squ3C0A.tmp.exe	111
PID 772 wrote to memory of 616	772	squ3C0A.tmp.exe	111
PID 2960 wrote to memory of 1016	2960	Chrome.exe	112
PID 2960 wrote to memory of 1016	2960	Chrome.exe	112
PID 2960 wrote to memory of 1016	2960	Chrome.exe	112
PID 2960 wrote to memory of 1016	2960	Chrome.exe	112
PID 2960 wrote to memory of 1016	2960	Chrome.exe	112
PID 2960 wrote to memory of 1016	2960	Chrome.exe	112
PID 2960 wrote to memory of 1016	2960	Chrome.exe	112
PID 2960 wrote to memory of 1016	2960	Chrome.exe	112
PID 772 wrote to memory of 3680	772	squ3C0A.tmp.exe	113
PID 772 wrote to memory of 3680	772	squ3C0A.tmp.exe	113
PID 1016 wrote to memory of 2976	1016	Chrome.exe	116
PID 1016 wrote to memory of 2976	1016	Chrome.exe	116
PID 1016 wrote to memory of 3724	1016	Chrome.exe	117
PID 1016 wrote to memory of 3724	1016	Chrome.exe	117
PID 1016 wrote to memory of 3724	1016	Chrome.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\MetaScalpSetup.exe
"C:\Users\Admin\AppData\Local\Temp\MetaScalpSetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Users\Admin\AppData\Local\Temp\MetaScalpSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\MetaScalpSetup.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:3660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000\\DriverDesc"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:760
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000\\DriverDesc
      4⤵
      PID:4624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000\\ProviderName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000\\ProviderName
      4⤵
      PID:3000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "TASKLIST /FI "STATUS eq RUNNING" | find /V "Image Name" | find /V "=""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4344
  - - C:\Windows\system32\tasklist.exe
      TASKLIST /FI "STATUS eq RUNNING"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3768
  - - C:\Windows\system32\find.exe
      find /V "Image Name"
      4⤵
      PID:804
  - - C:\Windows\system32\find.exe
      find /V "="
      4⤵
      PID:3100
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath \"C:\ProgramData\""
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4104
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Local\Temp\""
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2816
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Roaming\""
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1204
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath \"C:\""
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3104
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath \"F:\""
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\ProgramData\Chrome.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1080
  - - C:\ProgramData\Chrome.exe
      C:\ProgramData\Chrome.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2960
    - - C:\ProgramData\Chrome.exe
        
        "C:\ProgramData\Chrome.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1016
      - C:\Users\Admin\AppData\Local\Temp\luxwrc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\luxwrc.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
      - C:\Users\Admin\AppData\Local\Temp\idkpne.exe
        
        "C:\Users\Admin\AppData\Local\Temp\idkpne.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\ProgramData\MetaScalpSetup.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3496
  - - C:\ProgramData\MetaScalpSetup.exe
      C:\ProgramData\MetaScalpSetup.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4924
    - - C:\Users\Admin\AppData\Local\Temp\squ3C0A.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\squ3C0A.tmp.exe" --setup "C:\Users\Admin\AppData\Local\Temp\squ3C0B.tmp.nupkg"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:772
      - C:\Users\Admin\AppData\Local\MetaScalp\app-1.0.104\MetaScalp.exe
        
        "C:\Users\Admin\AppData\Local\MetaScalp\app-1.0.104\MetaScalp.exe" --squirrel-install 1.0.104
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:616
      - C:\Users\Admin\AppData\Local\MetaScalp\app-1.0.104\MetaScalp.exe
        
        "C:\Users\Admin\AppData\Local\MetaScalp\app-1.0.104\MetaScalp.exe" --squirrel-firstrun
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3680

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1756

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwASQBzAEkAbgB2AGEAbABpAGQAXABIAGEAcwBDAHUAcgByAGUAbgB0AC4AZQB4AGUALABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACwAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXAAgAC0ARgBvAHIAYwBlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVwBpAG4AZABvAHcAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AC4ATgBFAFQAXABGAHIAYQBtAGUAdwBvAHIAawA2ADQAXAB2ADQALgAwAC4AMwAwADMAMQA5AFwAQQBkAGQASQBuAFAAcgBvAGMAZQBzAHMALgBlAHgAZQAsAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwASQBzAEkAbgB2AGEAbABpAGQAXABIAGEAcwBDAHUAcgByAGUAbgB0AC4AZQB4AGUA
1⤵
- Command and Scripting Interpreter: PowerShell
PID:124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\MetaScalp\app-1.0.104\Squirrel.exe

Filesize
12.0MB

MD5
900740780eb77093c8b462e53b235e59

SHA1
8314dece8ca41c4742eae11e3be21f2a1c21d7df

SHA256
26a2d9a2d7608fc8f3d9e5b6694940e87fb8105278d03a0f3d34e3cf5805fde5

SHA512
f766d94e66825dce2b58a4be0068f652d2e5ed731194e229ecdfb2d5bf97d1d2c1d1179cdd15f2045118cfa8da98dc5bb0b07e644611d21ea28e71b054120bbd

Download Submit
C:\Users\Admin\AppData\Local\MetaScalp\app-1.0.104\createdump.exe

Filesize
64KB

MD5
bc0da4f9f4e505187f48bd70949682a3

SHA1
cd26492d5c6b1217a4f8f17d3255ecc4a42113e8

SHA256
59b50a303d17488ab65351a971c60d3b156b9dd385ce1ac8aa218c057dfc67fa

SHA512
8d0eb9c21b16b5fac76f29db0bba8719a1fae5e1d2286e706fa9e408d1b6cdc82e5e691f60c3e1055ba812db05532b2a645ab4fbb2719b513a717d0696d24ec2

Download Submit
C:\Users\Admin\AppData\Local\MetaScalp\packages\RELEASES

Filesize
82B

MD5
7b82948137eca06fe7366379d0f346e8

SHA1
b181f6f59888c106ffd96376f5ec6efbf030277e

SHA256
474fde588f7868b6ad953fe5d72e68e4c8cda6291515b5f5a7468ff7e73a6e06

SHA512
d7630a5fd8cdd689679f5c0c2d59fd608cc44722686a89a2179298c951404807495f6606e132b71818f71439109682eae893f8e6ae67bb770c04cd62e6dc5357

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
c9136832f6961b5392a61f6767b2c28d

SHA1
b9a853fe6a50b7c2f15214b69b1b193192f48b23

SHA256
67a0a4f493d34a21b724c3399650fddcefcb02307abda91cd0e29b5643336ddb

SHA512
efb891ef4a7ce85619a8a6857878183c7960d73f8ad712f646c277de518135a62229cc79e9812b734798c7749be918a05224ca184a39864af9af286e73518c47

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
ac55d032b92d4a1ca8191b0dd701a4f7

SHA1
78857d35760449e810c51aeb569a408a7667dfc3

SHA256
b27cdcee84f96c7fe998941906cb8f8c1ca934fc180e431af0a166541931815a

SHA512
725a80515a3bd50237c4f223e59f4b0b5f10afa92ea06e560e665dc5691c788b6981e7021e47927fb43342ec3fb5ab561b489bbd87b71eb30afa0af5612c65c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26842\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26842\VCRUNTIME140_1.dll

Filesize
37KB

MD5
75e78e4bf561031d39f86143753400ff

SHA1
324c2a99e39f8992459495182677e91656a05206

SHA256
1758085a61527b427c4380f0c976d29a8bee889f2ac480c356a3f166433bf70e

SHA512
ce4daf46bce44a89d21308c63e2de8b757a23be2630360209c4a25eb13f1f66a04fbb0a124761a33bbf34496f2f2a02b8df159b4b62f1b6241e1dbfb0e5d9756

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26842\_asyncio.pyd

Filesize
34KB

MD5
5d3333d2ebae9a0bcfab22654b653c6a

SHA1
fe30c68b118688475dc4d4f2fc933afa4b4c8706

SHA256
c14c88a4a9dbb66353797162d1f842b937ab86ddfe9f10b13d0c7e6a6cef58f9

SHA512
55e37a0186ac7abdb1173678b7f4781028e9a681b493e9db8d7a9d506c9337308b64b8043a57bff041896810b19ca8b1fdd21aa8579a2420bdb9944cbbbbb371

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26842\_bz2.pyd

Filesize
46KB

MD5
3de2a6972c547eb1ad430d736ce4d26c

SHA1
636dc9219fa7f607de9c2205605388ea6d8e3777

SHA256
0e742b91ed48a6cc2396aa815dbb553a6b595eb874011cedbc95143b88e849be

SHA512
e4c5cc8eeb7f2f4b947a06b47109f92aa36490a345d64d7fedda636afc1a0110b7568573da7b8cccb800a79106247f900b5db8ab229c3a20577660dea9b48515

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26842\_cffi_backend.cp310-win_amd64.pyd

Filesize
71KB

MD5
641e49ce0c4fa963d347fbf915aabdbe

SHA1
1351f6c4ac5dcda7e3ffbf3d5e355b4bb864eb10

SHA256
1c795df278c7f64be8e6973f8dbf1a625997cb39ae2dcb5bee0ca4c1b90c8906

SHA512
766b9adb5143e89d663177c2fb0e951afb84c0a43ec690ae2c477ee0bbe036df6f4161a6012430d42e4913fd5fbe7e49af6d13ac7c62d042a484861fc5a04616

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26842\_ctypes.pyd

Filesize
56KB

MD5
a1c9c44594415cad55940a8c99dea0ab

SHA1
ee8002598e3f4b41894d9be108e84e57f522b328

SHA256
615123838c81fcbccf62b8fcecf1af17229389fe43af06ff2847f0d90f6e8058

SHA512
3c012e43e3ba92bfea4cda87510ff2f227c4873a0caf6d29ba770cedc2462fcb82352b63fbf7e6272f6ce6e21374d21383f9fc1cf916f79f530293bb418d7339

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26842\_decimal.pyd

Filesize
103KB

MD5
a084a8bb2b8705c293db879fe63ee235

SHA1
1b8563f4f7d3c1293c9cda7d3ba354cf7bf2cd55

SHA256
487c1b2821d690a110a507f49966fc2907e28505f9b660f40b5f8fa9cc12539a

SHA512
d2df2d23480f4290255b5c68fd77b5170c0c0001e9e489cb0a6be5fd4a4a630ce29188daf3a9dca9bd7264347ac8464c4b62c8eea34dbbd613cc45463d7ac7dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26842\_lzma.pyd

Filesize
84KB

MD5
7062eb5e09e60938faa667e77e57da11

SHA1
a1ab0e5d7b63051a9d2f85990dc59163eb4c3c12

SHA256
48ad62e3ffab0fa09c3fba9962ad0123684c17b626fff9860d9bc116e4f47733

SHA512
ee200f8066eba0aaf895945e73512e4778497979f75fb5292f6a10523dccc0e6659fdb71925c4a88e43cbc2081d22d541c26709a0b3020bdf8cb16c8de684668

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26842\api-ms-win-core-console-l1-1-0.dll

Filesize
12KB

MD5
65d560ef64229755a440752ecfe685ec

SHA1
1333713f7f0bc9c882222cbb7ece206a50795324

SHA256
e995951f7c69f9e3fbfc9eb83e7c869ee732da81885a691bf2b77cd0f377d9ae

SHA512
11f3c40732551611bb0778e42ee0a17bcd1a851a001c7d442c0a6d47589457bdc3107cac8e8f321c6b268577703c9e1f00992093f3db16c895bfe8ff86af5edb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26842\api-ms-win-core-datetime-l1-1-0.dll

Filesize
11KB

MD5
a1dde4316ccf4ba95fb839546481ad38

SHA1
a0aa9ea0463d23ea1b457cd3afd8ed7c327b2a1f

SHA256
bbedd6a5338ecca437080d6e344836a5c833e250dbcd2beffb4d3fb2eaba4b88

SHA512
a0408e69146aa5f51de0db61d871308a343714e236feadb6f77421860adb67d58ce0d5c15f3050c711c3d9900e16e9fdc8e92c4a95f5ec85f4d702b1f242ef88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26842\api-ms-win-core-debug-l1-1-0.dll

Filesize
11KB

MD5
0176e2f43c9b74559092e790e971cd6d

SHA1
a4bb34f3289e2e434a5658d08423fb84669de3fe

SHA256
d06d4fa8afae5d5670a73c99879588a28c9612f25d97d3a716067aa55aedb7e1

SHA512
af06dc759754356e94c9a2af8b384daf54a0043d30381da77bab30fa7a3e8d09cec1fc786c238825f1707787206a6d88ee1d751242d25db61fd68bb339e4605f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26842\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
11KB

MD5
47521e0bce11bcda26687a2a7ad925d8

SHA1
11fd0034bf670ba2f139d8d88eb06ff41c6e320f

SHA256
235fba3ca6fb9dd58a7733d5578f1203d7973b4d2308ad63a07f8e4311b92a38

SHA512
29cf8dc5a4055e9234f02510785cb9db0b02914aa4ed376d9c85a0b0af1df8e90c47b6d8f9d2c45173ffaa3a4abcee3b47061b56a4c1e76c9db8da92456f9f48

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26842\api-ms-win-core-file-l1-1-0.dll

Filesize
15KB

MD5
28c2e42a0b3ccae924d47ade467d27be

SHA1
f8555f27c3c4b8e5ee24c790fe8e475770ffbb36

SHA256
253bd5a1b70131a4b436645e70dc8a9e51e3a7d1321114bd231eb317b1111d6a

SHA512
a4bb35308c745d3acff72285de1c061091798cadb8072428b24034f395774677ea8c66a28ba632ce3205f4e55ee5c6c08757ed766199999542c7cacf85d083ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26842\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
765a243d3a24dc86b832edf0cb5bf6e1

SHA1
86dbf2de0617d9589cd7f2f2507fbdab7c5c922a

SHA256
76c6d607491705e6fdff250c7ca1e7ce1709565786895dc1fb0b28f4782e5dec

SHA512
0e9b401b22fe5e0757789971ef1f47c1ecab173011ab065330beff5c6b91d5ab29afed984f5ff115ce0605e537281a23ac501454a9a46fae625a8eda8c11d6b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26842\api-ms-win-core-file-l2-1-0.dll

Filesize
11KB

MD5
be64a8905c905581884c987c60f02de0

SHA1
204330902966b5b19552d058c228163a0e425d64

SHA256
fcd3b845010c0caddfa78722c95570bfdccff7770b48c2caa0f4872bfdff6bb1

SHA512
de15220bb4f62e3cd3490b06cf1e52be7a675ebc7f1a5e6b3f3ebe3e069e0b19f1a3fa3fe51c17eee7752abeebf923faec59c2343fd7dfe0da86754caea09d8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26842\api-ms-win-core-handle-l1-1-0.dll

Filesize
11KB

MD5
33c88dfbb48d42f2b88760938cd1c691

SHA1
085206825e624e18716e9c80b8ef5584f3ac43d6

SHA256
b071ecef6ddbb75c1880ee5c5c63c688ed8f941f8c407813c655709abbf0a389

SHA512
6d3f01790a8bec1c67a3a2d2ffe90262bc4ec9803c9509373e1c2ee2315d6d0217254ba28fda5844d39e3cfa38a0a9e29c910f2e91e43bc678057fbb41c6ffa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26842\api-ms-win-core-heap-l1-1-0.dll

Filesize
12KB

MD5
47ab39c89762d245c1558d68f9ac6862

SHA1
893008130dacd4a3c056968507037b03c2ae529d

SHA256
d25c167e9a27942a746d42282f30f6a9b2bebe8c61aec56bdf406e925c923bcf

SHA512
94d37050d2e98f5269423a9e0cb55c3a3801a5aee5f33cae292fc40139f397bc833f72a565cd50de9b1ea6e0e2c3978360da4ac2add8ba63001462c8d0cb848e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26842\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
11KB

MD5
253b9eaac8520b3c4fe18b1a87af69d9

SHA1
3a17a79dec0343bc2e8e1485134be17eb2189ace

SHA256
4e70bef1550d4f7df37d8b6c86cf450f0b7d8c2a1b604b4063a6f3dc813c21c6

SHA512
8e6808219e67154696aa4f7b99e8cfe2803a61c97cc8bd447cf1a6429ade24967c4c26d00433015fbd466774d8a9e8351e1899307e5405dc3cd0d8cfa0542ad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26842\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
12KB

MD5
607250d5a7ee7bde9a6db712282980d6

SHA1
1926463e5e26fb6e8e4e249e407da7831c4b7c78

SHA256
38c3a997857b0d87e27213af52643ddb31857847a9e3aadcaacf5bc5a64c7f33

SHA512
e6398027fff6dfdc1dfb07d8fe1a87318e7c8bbc1b4c324a99bb713187f9f5e417ba09fbed2f214252cefa3008c01e01469699c109aa80d8e89058ec697f85dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26842\api-ms-win-core-localization-l1-2-0.dll

Filesize
14KB

MD5
5e5b3246910237da716c8b189dc740fd

SHA1
acd1b12a7a5463f2212ba50a1af563073f3eb7aa

SHA256
ca3adc575bc0dd928b5e2b84a254783dbd36a5f18e8b42034407543fbacc2a52

SHA512
e92ebad3b2b39ce04e983cbe4f75d2b6dd26f6f8288cf5c57e24bcbb5fa2e4b59a6dccfaf3c3510b9d1f9e45f430bfdc7994b67c4a2f46211d0e6531fdc34a78

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26842\api-ms-win-core-memory-l1-1-0.dll

Filesize
12KB

MD5
0a19703e77d8b4bd542beef430022c1f

SHA1
051ab7284640b37be287a28d6d15fedcb2b44291

SHA256
b9b91f56c8bd09d230cc6895088978638f57d3a7b379661ac1cc88b82d4819de

SHA512
cded7d27149d39e912875ce056511fafd56919e21e3d52404ed294e650d93a318eb5a3017b3b41026061100cc4404210f62fbc2685bd4cd92116bb72eb12bb3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26842\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
11KB

MD5
79db1cfe9b49b43b3da526fb52c44b4f

SHA1
e337ede1917460e9892f98254debc2c9b368bc39

SHA256
487cb8b98ffc9913ddc351606e3a9d371ce8ac85df94d3f68a9ee297a67a2aa9

SHA512
75e8f2a173ddde674a045ce6f60da6262de19adf6cafa9f5b70476159e3f8ac334bb540892f207efb982a7a0db81ad32283c50d7bf62376e94c88fbe15f6fcf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26842\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
12KB

MD5
e6531089823195de4a824e0b0f198313

SHA1
08783daa376afd97d09e4c7f5d2a161e97cbf288

SHA256
cb8c03e53b2f36dbc898799219a5f8bc4e4f906f58802ff190a0415e5f07c840

SHA512
91bb5975be92a6b95079364a2273636fb9c843bf2eaacb81337190a5d810d3853a740c3c6b685e0fc22774a47b02aef41c0873a267a0a9e1db9d41ddda917708

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26842\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
13KB

MD5
150420d09ffbf973444f9878feb887e0

SHA1
cc77c7500b0f4b426d9a6d26fb64203feac6e24b

SHA256
27b881f112c79e6ba7dcd8dae34f2129071dbb83ee918d80e2827f791c365f83

SHA512
ecad140a9fceb7ab2d3ff103fea137d95235a7574534c96cbcfc83e3c1efd7e57b48ab48440f775e52cc81111c7ac09acd468e959840d85b9bf0f0697f913398

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26842\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
12KB

MD5
9e7441ef965b380b75b82a1c9cd3884e

SHA1
274bcfe166f2bd0e62fb3d8f64b7adfa04963f5f

SHA256
8ea398785960e5fa143b97a333e60f9466b4f7f94f5dd173c02a2aa628d00c2f

SHA512
efe08a8211e0e9381bc8749bd2d20558431495ba82685ed91b65deebda10ad8d455014ccc762d94361cc2f801315d46b9da31aba7fea87503f95db4a09112e7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26842\api-ms-win-core-profile-l1-1-0.dll

Filesize
11KB

MD5
a33bf3177c9e2b0db7a55e830146f1ff

SHA1
c3ac80075d0a65a613661a9e790bebc8c1608c9a

SHA256
25cc487fe36fad0f2b6ab2685427124627c63e7961c5faf1267f0e2dd04b334b

SHA512
ce4ea63ba7f10f8b9a573ffc9e9b31ca1050f6e2d653159589b945ad9ff216dce3cc3752292651ca9da1fc4502e1266792e40b92876b217c14130b10e6c7de51

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26842\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
12KB

MD5
a262219291d89c96a2401a4c73de15c2

SHA1
098398144841db678083d8a0bd5bc9d1827caa18

SHA256
97400329139b9b4a95e52d56e5c01f55ba9f6cd4e20e6bed1a391ae52c1d1eb6

SHA512
546af45c031b58d8c506a0df488772dcc7f74f588598d61d00692b07e2d280fd2e21077bf4c89e8b764991e7fa9337d9c8d477cf5fd6c1e8dc8f28009f55af89

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26842\api-ms-win-core-string-l1-1-0.dll

Filesize
11KB

MD5
39e0e424d7d75f00820055317c74453d

SHA1
6a3afa6995f63a7608d3f480ab400cc17c1841f2

SHA256
926d2ae2555068f2f12a9ff953d0a7c988288ec99ce2648d640d4076d3181ea4

SHA512
95dd9f21b5a3a053ba6084f833d25f49cdef1e16670ccc9837d04b957bc882293c127e70ec615330f853cd1a870131203102d520c4ccda0b29b49e22ff9a76c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26842\api-ms-win-core-synch-l1-1-0.dll

Filesize
13KB

MD5
82e644644f2b463aa0f066713d8b0e80

SHA1
fdbf3e440202cc226cfbb3377039f33292b8f0fb

SHA256
7f6b69f1ff8463ea8cc6b542c2c69d97710de6c9d614c7d2e36378b07f24e45e

SHA512
0016092a8cfad99d82857e9093f0b2ab129fa77ba557cfc00262add333f5ea4598a39b012c80113713a456eea87f41355720ddf3ddae064d8136cd22f42e1eec

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26842\api-ms-win-core-synch-l1-2-0.dll

Filesize
12KB

MD5
f113a4eaef7336c3ac1e870bd355b0b7

SHA1
01ca597ac5f20bdda64d3a472164fe4fdde540ea

SHA256
e32713a9fbb0a39bcab35a419ad0f53e7b6c5594ad14f375360218a671238321

SHA512
799aa7f57eaf3ba7fb3827938bb1fe2fb24c5192ae493bdff9ad35dfa0051b220e75d5b93f5bba7075c7684322fcdf7c647408839a6ecc95b52659fa19960779

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26842\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
12KB

MD5
669a04138caa00c8ab8257757033d58f

SHA1
7285267e56fb31ab57ec837093b86ca02651c6ee

SHA256
cf7e57617882f13190d0449cef2584fe8e205e607840a189a901ad308585783e

SHA512
da2cf57003f7e67d3ab37ae4d0958061514ec2178bc9509538dfc9842b27b7fff5e89b47a571f6dc6dc7077205eadbcf45f52b939be980733827d8cc62e404a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26842\api-ms-win-core-timezone-l1-1-0.dll

Filesize
12KB

MD5
b83d28b1babea99ee95d5e81ea61fb1c

SHA1
f4d492ece484e75b5cdcf680f8c8280b1ae52118

SHA256
baca05368d3adc7769be8687280a45ac3d72141cfd3d7e67453749ca70320e1e

SHA512
dfaf105ac537337e7ad00931c5fc44994f45537b5bacb9036c95a555b879de9d63ea19d19987b262413d205244fafa5e09d7db9568af5796eb9eb6f54421e0a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26842\api-ms-win-core-util-l1-1-0.dll

Filesize
11KB

MD5
5fc7cacb5fba2dc17b6ddcc14aa1837f

SHA1
2e7497f0201a1af6e4e3794efe88f407f8e8bd59

SHA256
4383df6e06d9d72e4078db5d2df366837d2dc29ad45bf550f7dbdc7ac1aa17dd

SHA512
71e98e1491b4c974fca0a0ae32af4f028407e7fc2eae773d09c140d2d4fa9296e75a76b87f055e35f577d9874fd024bf08fd6176afc80afd35466cf08ae022a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26842\api-ms-win-crt-conio-l1-1-0.dll

Filesize
12KB

MD5
5bf7a5fbcbfc77c84f09ae0946040d7d

SHA1
c948aaf1cb0a88ba54f3309a8bb21643d3cfd905

SHA256
bc9aa7bf5fa7f0751e97f5497e3799cf4a1b86e158df47488f189edd628dcc5b

SHA512
2ff3d0d7a415f8962095a25e66a0e75e9efa375d273a3f5a9ec637156c9454c371791578e16332ac402f54fa6bb1cd738e611f074e7b87f1b016b0daed966fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26842\api-ms-win-crt-convert-l1-1-0.dll

Filesize
15KB

MD5
778d1feb2b9009e214a07b252dd891d7

SHA1
791dee1f212e27a014c3b887e94d804fc5718517

SHA256
d8ea79ea76f1e053f3e137c411b4d2a26e2e091ad0e641197e27c852751171c5

SHA512
a14c6e80942ecfbe105def6ae497dc3d8073c6b2ec2cb80ced992c46ac050beb50c05e2fdcb38f85d0f921ff4ca6d2a6d3e07bf52bfafd3a4dccccf2155faa00

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26842\api-ms-win-crt-environment-l1-1-0.dll

Filesize
12KB

MD5
3dfc2cb973f6fdf15a22b20a84d75bd1

SHA1
b88841498fc5d3a04fdb5f18ca105ebab1daf7cf

SHA256
dbab28e2d1576d57e667fae5463019a5b652dec3c26e5831117812fffd6c5d28

SHA512
5b736542a10cb4ae5fe9b84a2cafbd9df77e660ceea2cab31eb4b3263fde9dc0284becf598741f3ea3f052671c33079b7d44e3a00593cc5be258c01b5fcd7414

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26842\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
13KB

MD5
d6107e2b4ddff0a76c70905c92a83e09

SHA1
d6ad3a3d267f9acfc9ad2fb48a9a356829d6a40b

SHA256
b2f1f3888c5b735327742cf211ba50a27b55aba6d66a245591f99d68b1177f54

SHA512
592170e96e150056c43b53674197cc2f391b05a322cb362353b5bbe98028d4ec054c6d1e1b6584c76f0723dc0d28cf8e57df2fb956beb9290d78b1d3d56e3573

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26842\api-ms-win-crt-heap-l1-1-0.dll

Filesize
12KB

MD5
e179b8af28653b9f2a2817c4de4e17e3

SHA1
7d42cf9e369a22f4e17cf509781811b6abddc4dd

SHA256
9b6a5bb469fc1506673ffe5d35019e33c4a297b04674a11b7b3bd63b358bf06a

SHA512
6f5df48b7dca5c001fd02b41dcfcc74af69a89446a8372ab81cecc9767ab35be4a95f02d7523c41adb911f9ab997cba7f9be1d7b30e53438ff044f28d8d43ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26842\api-ms-win-crt-locale-l1-1-0.dll

Filesize
12KB

MD5
e9bd616c5a0889dae98b5c1a52eb55dc

SHA1
08f38484d24a89e6287cbfce815fcc565574bf9d

SHA256
ace4a3060f36a1fd56ded100142046e04d019e42724ff2ab3b7a3274c595c873

SHA512
5c14acdd2cb9df4b951a3e0ad3f81854a62426f9731fc47d036be14e6ee06eed7abdbd00bafa41bfde4b2ea5f1e60d99352e376446cae73f799eadcb84787488

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26842\api-ms-win-crt-math-l1-1-0.dll

Filesize
20KB

MD5
438c6d8a2769a48f744de80d0107a000

SHA1
7ab7b64ba54b9d1e54488a14aa94e1f37650d932

SHA256
8c1a84335b97b8e174e3758e0b6f4899056fb4b2b915c33d26abc305f41107aa

SHA512
1f4039656c35566b9fb1fb06bf30690c81f66a0c9e35772156d3f333c1cdb833eb618965b96244452c3fd2791eaca140ebbcfa7f8df989487bd4f79710164d3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26842\api-ms-win-crt-multibyte-l1-1-0.dll

Filesize
19KB

MD5
2172eeb4e6f7c08dc963ce8ae80f98ce

SHA1
8882208394647e790dd63c813adeb5af72f2cb1d

SHA256
83b39c7a1b065c4fa082e2b14213582e33b20f3c9b7aeb2ded8f773e647bce36

SHA512
7967d78b042d1b0cdad72af7012878d5543aeb055e27ffe3206f918f826fdd317028ee2fe620529c58ef3bcd04cc7457642f1d696c9998da40d31dd71534b92c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26842\api-ms-win-crt-process-l1-1-0.dll

Filesize
12KB

MD5
f0087fb8acf73e0a777781e054283315

SHA1
5ecc79ad2e9084a346fd9edd63d35a317416e9e1

SHA256
e58aafd6526238b41d16658f6e919eedba742e8e7a94dffc00754f8090060b91

SHA512
093a519c0e434020b26d5e3d533d694385bf24caeb2977886d3f257e8e87af441a82c121cec3789365bf76d2ce85ae6d8819237f4ab4c3fea8fdab7e449ccd0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26842\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
16KB

MD5
78af396c719498f573282ab147b0f8e3

SHA1
646ea46b05d008e3cb1062a539acc76b83c769c0

SHA256
ec28e1f8e20529616b903d94b76801dcae62c333b838b0679a0756261e470aa1

SHA512
105b311f3a1ece3303dbb9c865630aa767356ed02968cca784bb39357525568fbada163d90a224c6425c5a2475b313e8f2377c377938d9ca4bf2287910799a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26842\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
17KB

MD5
50c58267987c5ae1b6afe78ae70051a8

SHA1
8bf02c849ac69947d8dbad6cd8bd9f174913650c

SHA256
c6526e5fe29a504a08c6f0661d75c140e86ca442ce5d82393861661043c250e5

SHA512
371e6ee11cfbba6d3078fa8daa2b992c440df34a0eee3fafbf789a115b0f4d6b0bb41cd1d720c9a442991b0abcbd0468b90201b38ee5bed67dbd0dd4f92ad0dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26842\api-ms-win-crt-string-l1-1-0.dll

Filesize
17KB

MD5
22bba6d0bcecc864239f04ca9245f3c0

SHA1
c02dcd24864d635682876a6c498ddece15f9b78b

SHA256
332167ba9fd4a9f97eaf7010ab792e61f7446bbcb73609df9d4c5671313ea7d2

SHA512
ec605ff5e9289c11fba2fc501803e8eb65271c963f1c37e04cb2e81bc1c73c628a1aa05bf5d8cadd7b80979486217caac0260fd2d504be88985d21af019dd031

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26842\api-ms-win-crt-time-l1-1-0.dll

Filesize
14KB

MD5
938a8212206af7b4f96b56766a43d796

SHA1
c509d3f50125a5ff24b684fd53817815b42d86f1

SHA256
8ae052a8781a6c14fe3daacabfea5ce97e4f6c089f489cb816dd9d01aea1c7d8

SHA512
e3501815c92620e3395075517806514d4f23a336098abe665212073bf09ab1d0934ec9e16e5ff3864a54c583c00020ccad3d88535e14382729e396aede7c8d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26842\api-ms-win-crt-utility-l1-1-0.dll

Filesize
12KB

MD5
cd25aaba4bc9b1e7a8bdb6738fa754e3

SHA1
5b3b7ab86e42c29ead66455364a003c1d0b82780

SHA256
84a54902f25b6e7f63b593d93b07c86a542d359dc9051d8f2fdcd48e2ff43b0d

SHA512
7de60df87d9084773993b5bb030b791af95ffc4d3f28d42c65a40fe1f00a76e38689fbcded605ff1207d853496c475b10b256121446acbf2d38836d4dd2cef45

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26842\base_library.zip

Filesize
859KB

MD5
b71c1e073b7a1bb2e4f87767eb17bf63

SHA1
452cebd6aff011e96f36c600bbc46ef18f2d8996

SHA256
927b335f7088b8a9f8509f99e59e5a86435a4a691a85a889a5bc6833a3a3381e

SHA512
11147deaffe0a1bbe3702da0a771cf32245adbedd10543542f49aae124638b5c9facdacfb216825544e2e985cba43eabe6f52404bd6e792b65719ad30e1d683b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26842\libcrypto-1_1.dll

Filesize
1.1MB

MD5
86cfc84f8407ab1be6cc64a9702882ef

SHA1
86f3c502ed64df2a5e10b085103c2ffc9e3a4130

SHA256
11b89cc5531b2a6b89fbbb406ebe8fb01f0bf789e672131b0354e10f9e091307

SHA512
b33f59497127cb1b4c1781693380576187c562563a9e367ce8abc14c97c51053a28af559cdd8bd66181012083e562c8a8771e3d46adeba269a848153a8e9173c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26842\libffi-7.dll

Filesize
23KB

MD5
d50ebf567149ead9d88933561cb87d09

SHA1
171df40e4187ebbfdf9aa1d76a33f769fb8a35ed

SHA256
6aa8e12ce7c8ad52dd2e3fabeb38a726447849669c084ea63d8e322a193033af

SHA512
7bcc9d6d3a097333e1e4b2b23c81ea1b5db7dbdc5d9d62ebaffb0fdfb6cfe86161520ac14dc835d1939be22b9f342531f48da70f765a60b8e2c3d7b9983021de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26842\libssl-1_1.dll

Filesize
203KB

MD5
6cd33578bc5629930329ca3303f0fae1

SHA1
f2f8e3248a72f98d27f0cfa0010e32175a18487f

SHA256
4150ee603ad2da7a6cb6a895cb5bd928e3a99af7e73c604de1fc224e0809fdb0

SHA512
c236a6ccc8577c85509d378c1ef014621cab6f6f4aa26796ff32d8eec8e98ded2e55d358a7d236594f7a48646dc2a6bf25b42a37aed549440d52873ebca4713e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26842\pyexpat.pyd

Filesize
86KB

MD5
508f8439e450b56409612ff466651dd6

SHA1
e75ec56d4b821904eeba37b27b105d7011a975a6

SHA256
cda327a17de419bbfb99b2e477f1c5cc67bd6ff46da06f71ffde474e7e470616

SHA512
b6053f8f2742e270c52982f4311fadf0bc8ef9ad41b91938069fe6842786d153cb0b0da294871979fa5e80daac0f8106cbb6dab3b2dd678470ef6580098dcaf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26842\python310.dll

Filesize
1.4MB

MD5
fa9a03ed5867a5de5fd7f6f1b25e17c6

SHA1
66abd856bc05d1244aedae411a1a551bb817e7df

SHA256
05a83dd64e758c80e05405b8a070c29df704b7fdc451ffb8527956e55461992f

SHA512
de489f2377eaf6394f23f78555f82b0c5ae233e99b5e1d267c00a6e7a55db131df6db10cfb9fcdcae1305e78ae65cb1af2b35e7e88929077c67d64d169ec932e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26842\select.pyd

Filesize
24KB

MD5
9b444c541783e25468c7abb470e0911f

SHA1
857ab423f25e5a1e228d3257898466327aa603ea

SHA256
64172b5f9dd1fa2ab75555a11d296db36306c73aa89e67a0f59ea0d32eae027f

SHA512
12f77c7217ba4a79e083c6e3693f5dcd327dadd9c37a209d51f959c2c796f8ffe15eee984a72b91a8d488c7f942b6a6e34f199cbac9ec0cf74e99816bfa7ec74

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26842\ucrtbase.dll

Filesize
986KB

MD5
f7409ff2f0ea3a7b6a18709d4fda563a

SHA1
902eea6263811f6866d2a1df4d3bd7686083d221

SHA256
a56ee0ddc5120538cd7cb2073657b3a0d95cfa202712b2079a5a8d5052594b2a

SHA512
e600160c11e17c69d0fca8999290bd84d8afe748f77fe91c708a7136c976bb85cd16f60905fccb045c7ead7032af3778feb6ed21b687a82f4a7da698333dfa4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26842\unicodedata.pyd

Filesize
288KB

MD5
e478cce0524eb03b32dd6558f86729af

SHA1
4fbb865f113c46d32013b2fcc2a8475730239d19

SHA256
3157340068bd86c309fbb099e16dd16e86d7ee6073c1acd4a9245d5947df076f

SHA512
3c256792592e62c2d8b0b8047a7f5e0765e301f518a4fef728bd0c9c5e55e0c4321ca0adf7a463c1a974d53367381ee3fcb7486f3db65704c2d242b54c404d94

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xjlo50sj.hyc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\idkpne.exe

Filesize
2.4MB

MD5
3f592264dc8de465cb43cc2a1dd2465b

SHA1
1cd1b7ddc91050375caa57f9c380de627b32451e

SHA256
1ae386495c85d4a374e2f559f3a5ad862b25b784d85d1722fc9052830a97e0e0

SHA512
32cfbc9a598a889bd4e853de60d3321a7de2a56ec81b89c5b5b967867b9c22c3b922ccf357e8142ea9c22dce185de7a8b15f3f9e70edd6bc8a9044932d6734c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\luxwrc.exe

Filesize
661KB

MD5
9ddcae402b224bff7c5a666804233467

SHA1
32dcc1dd75433a763087d2d8913c2e2f49d18136

SHA256
6155513e83a9a86f189eb6a87d4c4dc117bdc8a3f3b06e2ebcda1a842377093d

SHA512
26b302732f422a3f08ad3b4d369c065f56c05cb0858e646e4a1f81f87184eb6dbac977c14cb55ce6d0823fde65613b9e6797751e0d07866396d4d22ce5794dfb

Download Submit
memory/1016-10048-0x0000000009D80000-0x0000000009D8C000-memory.dmp

Filesize
48KB

Download
memory/1016-10047-0x0000000009D30000-0x0000000009D3E000-memory.dmp

Filesize
56KB

Download
memory/1016-5959-0x0000000000800000-0x000000000082E000-memory.dmp

Filesize
184KB

Download
memory/1016-5990-0x0000000005D80000-0x0000000005D8A000-memory.dmp

Filesize
40KB

Download
memory/1016-5960-0x0000000004D80000-0x0000000004E1C000-memory.dmp

Filesize
624KB

Download
memory/2740-231-0x00007FFD443E0000-0x00007FFD443EC000-memory.dmp

Filesize
48KB

Download
memory/2740-326-0x00007FFD44B40000-0x00007FFD44B59000-memory.dmp

Filesize
100KB

Download
memory/2740-203-0x00007FFD444F0000-0x00007FFD445A8000-memory.dmp

Filesize
736KB

Download
memory/2740-202-0x00007FFD32D80000-0x00007FFD330F5000-memory.dmp

Filesize
3.5MB

Download
memory/2740-204-0x00007FFD44690000-0x00007FFD446A5000-memory.dmp

Filesize
84KB

Download
memory/2740-205-0x00007FFD44B40000-0x00007FFD44B59000-memory.dmp

Filesize
100KB

Download
memory/2740-206-0x00007FFD4DEE0000-0x00007FFD4DEF0000-memory.dmp

Filesize
64KB

Download
memory/2740-207-0x00007FFD444D0000-0x00007FFD444E4000-memory.dmp

Filesize
80KB

Download
memory/2740-210-0x00007FFD32C60000-0x00007FFD32D78000-memory.dmp

Filesize
1.1MB

Download
memory/2740-209-0x00007FFD444A0000-0x00007FFD444C6000-memory.dmp

Filesize
152KB

Download
memory/2740-208-0x00007FFD44990000-0x00007FFD4499B000-memory.dmp

Filesize
44KB

Download
memory/2740-211-0x00007FFD44460000-0x00007FFD44498000-memory.dmp

Filesize
224KB

Download
memory/2740-220-0x00007FFD38C80000-0x00007FFD38D3C000-memory.dmp

Filesize
752KB

Download
memory/2740-221-0x00007FFD44400000-0x00007FFD4440C000-memory.dmp

Filesize
48KB

Download
memory/2740-233-0x00007FFD43E00000-0x00007FFD43E12000-memory.dmp

Filesize
72KB

Download
memory/2740-199-0x00007FFD327D0000-0x00007FFD32C3E000-memory.dmp

Filesize
4.4MB

Download
memory/2740-229-0x00007FFD443F0000-0x00007FFD443FE000-memory.dmp

Filesize
56KB

Download
memory/2740-228-0x00007FFD43FC0000-0x00007FFD43FCC000-memory.dmp

Filesize
48KB

Download
memory/2740-227-0x0000022396380000-0x00000223966F5000-memory.dmp

Filesize
3.5MB

Download
memory/2740-226-0x00007FFD43FD0000-0x00007FFD43FDD000-memory.dmp

Filesize
52KB

Download
memory/2740-225-0x00007FFD443A0000-0x00007FFD443AC000-memory.dmp

Filesize
48KB

Download
memory/2740-224-0x00007FFD443B0000-0x00007FFD443BC000-memory.dmp

Filesize
48KB

Download
memory/2740-223-0x00007FFD443C0000-0x00007FFD443CB000-memory.dmp

Filesize
44KB

Download
memory/2740-222-0x00007FFD443D0000-0x00007FFD443DB000-memory.dmp

Filesize
44KB

Download
memory/2740-219-0x00007FFD44410000-0x00007FFD4441C000-memory.dmp

Filesize
48KB

Download
memory/2740-218-0x00007FFD44420000-0x00007FFD4442B000-memory.dmp

Filesize
44KB

Download
memory/2740-217-0x00007FFD44430000-0x00007FFD4443C000-memory.dmp

Filesize
48KB

Download
memory/2740-216-0x00007FFD44440000-0x00007FFD4444B000-memory.dmp

Filesize
44KB

Download
memory/2740-215-0x00007FFD44450000-0x00007FFD4445C000-memory.dmp

Filesize
48KB

Download
memory/2740-214-0x00007FFD44660000-0x00007FFD4466B000-memory.dmp

Filesize
44KB

Download
memory/2740-213-0x00007FFD44900000-0x00007FFD4490B000-memory.dmp

Filesize
44KB

Download
memory/2740-212-0x00007FFD44010000-0x00007FFD4403E000-memory.dmp

Filesize
184KB

Download
memory/2740-129-0x00007FFD327D0000-0x00007FFD32C3E000-memory.dmp

Filesize
4.4MB

Download
memory/2740-200-0x00007FFD48070000-0x00007FFD4809E000-memory.dmp

Filesize
184KB

Download
memory/2740-254-0x00007FFD48070000-0x00007FFD4809E000-memory.dmp

Filesize
184KB

Download
memory/2740-256-0x00007FFD32D80000-0x00007FFD330F5000-memory.dmp

Filesize
3.5MB

Download
memory/2740-284-0x00007FFD444F0000-0x00007FFD445A8000-memory.dmp

Filesize
736KB

Download
memory/2740-286-0x00007FFD48040000-0x00007FFD48064000-memory.dmp

Filesize
144KB

Download
memory/2740-315-0x00007FFD44690000-0x00007FFD446A5000-memory.dmp

Filesize
84KB

Download
memory/2740-306-0x00007FFD44460000-0x00007FFD44498000-memory.dmp

Filesize
224KB

Download
memory/2740-299-0x00007FFD32D80000-0x00007FFD330F5000-memory.dmp

Filesize
3.5MB

Download
memory/2740-297-0x00007FFD48070000-0x00007FFD4809E000-memory.dmp

Filesize
184KB

Download
memory/2740-285-0x00007FFD327D0000-0x00007FFD32C3E000-memory.dmp

Filesize
4.4MB

Download
memory/2740-295-0x00007FFD38C80000-0x00007FFD38D3C000-memory.dmp

Filesize
752KB

Download
memory/2740-294-0x00007FFD44010000-0x00007FFD4403E000-memory.dmp

Filesize
184KB

Download
memory/2740-137-0x00007FFD4DDB0000-0x00007FFD4DDBF000-memory.dmp

Filesize
60KB

Download
memory/2740-323-0x00007FFD4DDB0000-0x00007FFD4DDBF000-memory.dmp

Filesize
60KB

Download
memory/2740-321-0x00007FFD327D0000-0x00007FFD32C3E000-memory.dmp

Filesize
4.4MB

Download
memory/2740-324-0x00007FFD49D20000-0x00007FFD49D39000-memory.dmp

Filesize
100KB

Download
memory/2740-201-0x0000022396380000-0x00000223966F5000-memory.dmp

Filesize
3.5MB

Download
memory/2740-333-0x00007FFD48070000-0x00007FFD4809E000-memory.dmp

Filesize
184KB

Download
memory/2740-339-0x00007FFD44990000-0x00007FFD4499B000-memory.dmp

Filesize
44KB

Download
memory/2740-340-0x00007FFD444A0000-0x00007FFD444C6000-memory.dmp

Filesize
152KB

Download
memory/2740-341-0x00007FFD32C60000-0x00007FFD32D78000-memory.dmp

Filesize
1.1MB

Download
memory/2740-335-0x00007FFD32D80000-0x00007FFD330F5000-memory.dmp

Filesize
3.5MB

Download
memory/2740-338-0x00007FFD444D0000-0x00007FFD444E4000-memory.dmp

Filesize
80KB

Download
memory/2740-334-0x00007FFD444F0000-0x00007FFD445A8000-memory.dmp

Filesize
736KB

Download
memory/2740-331-0x00007FFD38C80000-0x00007FFD38D3C000-memory.dmp

Filesize
752KB

Download
memory/2740-336-0x00007FFD44690000-0x00007FFD446A5000-memory.dmp

Filesize
84KB

Download
memory/2740-337-0x00007FFD4DEE0000-0x00007FFD4DEF0000-memory.dmp

Filesize
64KB

Download
memory/2740-332-0x00007FFD43FE0000-0x00007FFD4400B000-memory.dmp

Filesize
172KB

Download
memory/2740-330-0x00007FFD44010000-0x00007FFD4403E000-memory.dmp

Filesize
184KB

Download
memory/2740-329-0x00007FFD449B0000-0x00007FFD449BD000-memory.dmp

Filesize
52KB

Download
memory/2740-328-0x00007FFD44040000-0x00007FFD44074000-memory.dmp

Filesize
208KB

Download
memory/2740-327-0x00007FFD48870000-0x00007FFD4887D000-memory.dmp

Filesize
52KB

Download
memory/2740-325-0x00007FFD48010000-0x00007FFD4803D000-memory.dmp

Filesize
180KB

Download
memory/2740-322-0x00007FFD48040000-0x00007FFD48064000-memory.dmp

Filesize
144KB

Download
memory/2740-342-0x00007FFD44460000-0x00007FFD44498000-memory.dmp

Filesize
224KB

Download
memory/2740-191-0x00007FFD48010000-0x00007FFD4803D000-memory.dmp

Filesize
180KB

Download
memory/2740-190-0x00007FFD49D20000-0x00007FFD49D39000-memory.dmp

Filesize
100KB

Download
memory/2740-136-0x00007FFD48040000-0x00007FFD48064000-memory.dmp

Filesize
144KB

Download
memory/2740-192-0x00007FFD44B40000-0x00007FFD44B59000-memory.dmp

Filesize
100KB

Download
memory/2740-193-0x00007FFD48870000-0x00007FFD4887D000-memory.dmp

Filesize
52KB

Download
memory/2740-194-0x00007FFD44040000-0x00007FFD44074000-memory.dmp

Filesize
208KB

Download
memory/2740-195-0x00007FFD449B0000-0x00007FFD449BD000-memory.dmp

Filesize
52KB

Download
memory/2740-196-0x00007FFD44010000-0x00007FFD4403E000-memory.dmp

Filesize
184KB

Download
memory/2740-197-0x00007FFD38C80000-0x00007FFD38D3C000-memory.dmp

Filesize
752KB

Download
memory/2740-198-0x00007FFD43FE0000-0x00007FFD4400B000-memory.dmp

Filesize
172KB

Download
memory/2960-391-0x0000000005390000-0x00000000055B9000-memory.dmp

Filesize
2.2MB

Download
memory/2960-389-0x0000000005390000-0x00000000055B9000-memory.dmp

Filesize
2.2MB

Download
memory/2960-5488-0x0000000006200000-0x00000000067A6000-memory.dmp

Filesize
5.6MB

Download
memory/2960-5567-0x0000000005D50000-0x0000000005DA4000-memory.dmp

Filesize
336KB

Download
memory/2960-5395-0x0000000005850000-0x000000000589C000-memory.dmp

Filesize
304KB

Download
memory/2960-5393-0x00000000056C0000-0x000000000572C000-memory.dmp

Filesize
432KB

Download
memory/2960-380-0x0000000005390000-0x00000000055B9000-memory.dmp

Filesize
2.2MB

Download
memory/2960-381-0x0000000005390000-0x00000000055B9000-memory.dmp

Filesize
2.2MB

Download
memory/2960-383-0x0000000005390000-0x00000000055B9000-memory.dmp

Filesize
2.2MB

Download
memory/2960-385-0x0000000005390000-0x00000000055B9000-memory.dmp

Filesize
2.2MB

Download
memory/2960-5462-0x0000000005B60000-0x0000000005BC6000-memory.dmp

Filesize
408KB

Download
memory/2960-387-0x0000000005390000-0x00000000055B9000-memory.dmp

Filesize
2.2MB

Download
memory/2960-5460-0x0000000005AC0000-0x0000000005B52000-memory.dmp

Filesize
584KB

Download
memory/2960-318-0x0000000000650000-0x0000000000800000-memory.dmp

Filesize
1.7MB

Download
memory/2960-343-0x0000000005390000-0x00000000055BE000-memory.dmp

Filesize
2.2MB

Download
memory/2976-10045-0x0000020698070000-0x00000206980C6000-memory.dmp

Filesize
344KB

Download
memory/2976-6044-0x00000206FCBD0000-0x00000206FCCD8000-memory.dmp

Filesize
1.0MB

Download
memory/2976-6043-0x00000206FAE00000-0x00000206FAEAA000-memory.dmp

Filesize
680KB

Download
memory/3724-10057-0x0000000000B30000-0x0000000000D98000-memory.dmp

Filesize
2.4MB

Download
memory/3724-10058-0x0000000005870000-0x0000000005B62000-memory.dmp

Filesize
2.9MB

Download
memory/4104-243-0x0000020B67B70000-0x0000020B67B92000-memory.dmp

Filesize
136KB

Download