asyncrat | d6427e58dfa1a8bfb69f510d4c3806c36cbb7fcfac82984cafcd2ff539631f0d

Analysis

max time kernel
149s
max time network
153s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
17-12-2024 20:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wow.exe
Size

14.8MB
MD5

b2c17e4aaa1ab07e2be2c6e08120c7fe
SHA1

67eb0fbafb9d75d7e95dc8429c09a99e73ed5c74
SHA256

d6427e58dfa1a8bfb69f510d4c3806c36cbb7fcfac82984cafcd2ff539631f0d
SHA512

5ec8edc34ebd4329c263fd43a76fbecc69d4af248b86d40ba69df40ba85b78bf0e5abb2fcb3b65708b726cdc3fe594e06f27ae637f98a038b9249c399b52b223
SSDEEP

393216:gOWd863huc1dQJlAoF3MnG3WaiVLedWmoNr/xHWgrHz:5893hr1dQJ3MGGZKUpT

Score

10^/10

asyncrat metasploit stealc xworm default line solarafake backdoor discovery execution persistence rat stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

lohoainam2008-36048.portmap.io:36048

Attributes

Install_directory
%AppData%
install_file
Setup.exe
telegram
https://api.telegram.org/bot6189190228:AAF5CGiKGC5p4mkyZfTy1Lp5BrZMWsKu-pk/sendMessage?chat_id=5666777098

Extracted

Family

metasploit

Version

windows/reverse_tcp

147.185.221.19:58142

Extracted

Family

xworm

127.0.0.1:48990

147.185.221.22:48990

Attributes

Install_directory
%Userprofile%
install_file
svchostt.exe

Extracted

Family

xworm

Version

3.0

soon-lp.at.ply.gg:17209

Attributes

Install_directory
%AppData%
install_file
NjRat Dangerous.exe

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

SolaraFake

anyone-blogging.gl.at.ply.gg:22284

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
Windows.exe
install_folder
%Temp%

aes.plain

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

14.243.221.170:3322

Mutex

ynBzTukwLg8N

Attributes

delay
3
install
false
install_file
Clean.bat
install_folder
%Temp%

aes.plain

Extracted

Family

stealc

Botnet

Line

http://154.216.17.90

Attributes

url_path
/a48146f6763ef3af.php

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect Xworm Payload 6 IoCs

resource	yara_rule
behavioral1/files/0x001900000002ab3c-146.dat	family_xworm
behavioral1/memory/3024-161-0x0000000000920000-0x000000000093A000-memory.dmp	family_xworm
behavioral1/files/0x001900000002ab30-204.dat	family_xworm
behavioral1/memory/1436-217-0x0000000000940000-0x0000000000956000-memory.dmp	family_xworm
behavioral1/files/0x001900000002ab6c-237.dat	family_xworm
behavioral1/memory/4932-245-0x0000000000900000-0x0000000000918000-memory.dmp	family_xworm

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Async RAT payload 6 IoCs

rat

resource	yara_rule
behavioral1/files/0x001900000002ab6b-184.dat	family_asyncrat
behavioral1/files/0x001900000002ab2d-190.dat	family_asyncrat
behavioral1/files/0x001c00000002ab5e-213.dat	family_asyncrat
behavioral1/files/0x001900000002ab63-223.dat	family_asyncrat
behavioral1/files/0x001900000002ab72-228.dat	family_asyncrat
behavioral1/files/0x001900000002ab6b-255.dat	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1264	powershell.exe
1512	powershell.exe
4576	powershell.exe
3388	powershell.exe
2716	powershell.exe
1880	powershell.exe
664	powershell.exe
2772	powershell.exe
4492	powershell.exe
900	powershell.exe
808	powershell.exe

Downloads MZ/PE file

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NJRAT%20DANGEROUS.lnk	NJRAT%20DANGEROUS.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Setup.lnk	XClient.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostt.lnk	com%20surrogate.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostt.lnk	com%20surrogate.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Setup.lnk	XClient.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NJRAT%20DANGEROUS.lnk	NJRAT%20DANGEROUS.exe

Executes dropped EXE 18 IoCs

pid	Process
3024	XClient.exe
4276	kali_tools.exe
2768	system404.exe
2028	shell.exe
1436	com%20surrogate.exe
1256	TCP.exe
2892	Solara_Protect.exe
4932	NJRAT%20DANGEROUS.exe
3064	vtoroy.exe
1736	AsyncClient.exe
1396	sup.exe
3892	Windows.exe
4736	NJRAT%20DANGEROUS.exe
4652	svchostt.exe
4080	Setup.exe
1476	NJRAT%20DANGEROUS.exe
1976	svchostt.exe
2152	Setup.exe

Loads dropped DLL 52 IoCs

pid	Process
4972	wow.exe
4972	wow.exe
4972	wow.exe
4972	wow.exe
4972	wow.exe
4972	wow.exe
4972	wow.exe
4972	wow.exe
4972	wow.exe
4972	wow.exe
4972	wow.exe
4972	wow.exe
4972	wow.exe
4972	wow.exe
4972	wow.exe
4972	wow.exe
4972	wow.exe
4972	wow.exe
4972	wow.exe
4972	wow.exe
4972	wow.exe
4972	wow.exe
4972	wow.exe
4972	wow.exe
4972	wow.exe
4972	wow.exe
4980	wow.exe
4980	wow.exe
4980	wow.exe
4980	wow.exe
4980	wow.exe
4980	wow.exe
4980	wow.exe
4980	wow.exe
4980	wow.exe
4980	wow.exe
4980	wow.exe
4980	wow.exe
4980	wow.exe
4980	wow.exe
4980	wow.exe
4980	wow.exe
4980	wow.exe
4980	wow.exe
4980	wow.exe
4980	wow.exe
4980	wow.exe
4980	wow.exe
4980	wow.exe
4980	wow.exe
4980	wow.exe
4980	wow.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchostt = "C:\\Users\\Admin\\svchostt.exe"	com%20surrogate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Windows\CurrentVersion\Run\Setup = "C:\\Users\\Admin\\AppData\\Roaming\\Setup.exe"	XClient.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Windows\CurrentVersion\Run\NJRAT%20DANGEROUS = "C:\\Users\\Admin\\AppData\\Roaming\\NJRAT%20DANGEROUS.exe"	NJRAT%20DANGEROUS.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
73	raw.githubusercontent.com
210	raw.githubusercontent.com
222	raw.githubusercontent.com
219	raw.githubusercontent.com
224	raw.githubusercontent.com
63	raw.githubusercontent.com
69	raw.githubusercontent.com
74	raw.githubusercontent.com
87	raw.githubusercontent.com
211	raw.githubusercontent.com
195	raw.githubusercontent.com
199	raw.githubusercontent.com
212	raw.githubusercontent.com
3	raw.githubusercontent.com
66	raw.githubusercontent.com
79	raw.githubusercontent.com
82	raw.githubusercontent.com
85	raw.githubusercontent.com
244	raw.githubusercontent.com
234	raw.githubusercontent.com
47	raw.githubusercontent.com
51	raw.githubusercontent.com
54	raw.githubusercontent.com
71	raw.githubusercontent.com
91	raw.githubusercontent.com
78	raw.githubusercontent.com
213	raw.githubusercontent.com
215	raw.githubusercontent.com
240	raw.githubusercontent.com
223	raw.githubusercontent.com
225	raw.githubusercontent.com
59	raw.githubusercontent.com
68	raw.githubusercontent.com
72	raw.githubusercontent.com
81	raw.githubusercontent.com
217	raw.githubusercontent.com
75	raw.githubusercontent.com
229	raw.githubusercontent.com
233	raw.githubusercontent.com
236	raw.githubusercontent.com
230	raw.githubusercontent.com
246	raw.githubusercontent.com
62	raw.githubusercontent.com
65	raw.githubusercontent.com
80	raw.githubusercontent.com
200	raw.githubusercontent.com
206	raw.githubusercontent.com
232	raw.githubusercontent.com
237	raw.githubusercontent.com
228	raw.githubusercontent.com
235	raw.githubusercontent.com
245	raw.githubusercontent.com
52	raw.githubusercontent.com
88	raw.githubusercontent.com
89	raw.githubusercontent.com
90	raw.githubusercontent.com
201	raw.githubusercontent.com
67	raw.githubusercontent.com
94	raw.githubusercontent.com
221	raw.githubusercontent.com
231	raw.githubusercontent.com
242	raw.githubusercontent.com
84	raw.githubusercontent.com
203	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
127	ip-api.com

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
4720	GameBarPresenceWriter.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kali_tools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TCP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Solara_Protect.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vtoroy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AsyncClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system404.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1444	timeout.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings	wow.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3973800497-2716210218-310192997-1000\{3A411E74-B46A-4B55-9E03-9676642FFD78}	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1916	schtasks.exe
3036	schtasks.exe
1620	schtasks.exe
3216	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3024	XClient.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3388	powershell.exe
2892	Solara_Protect.exe
2892	Solara_Protect.exe
2892	Solara_Protect.exe
3388	powershell.exe
2892	Solara_Protect.exe
2892	Solara_Protect.exe
2892	Solara_Protect.exe
2892	Solara_Protect.exe
2892	Solara_Protect.exe
2892	Solara_Protect.exe
2892	Solara_Protect.exe
2892	Solara_Protect.exe
2892	Solara_Protect.exe
2892	Solara_Protect.exe
2892	Solara_Protect.exe
2892	Solara_Protect.exe
2892	Solara_Protect.exe
2892	Solara_Protect.exe
2716	powershell.exe
1880	powershell.exe
2716	powershell.exe
1880	powershell.exe
664	powershell.exe
4492	powershell.exe
2772	powershell.exe
664	powershell.exe
4492	powershell.exe
2772	powershell.exe
1264	powershell.exe
900	powershell.exe
1512	powershell.exe
1264	powershell.exe
900	powershell.exe
1512	powershell.exe
572	taskmgr.exe
572	taskmgr.exe
808	powershell.exe
808	powershell.exe
4576	powershell.exe
4576	powershell.exe
572	taskmgr.exe
572	taskmgr.exe
3024	XClient.exe
1436	com%20surrogate.exe
1436	com%20surrogate.exe
1436	com%20surrogate.exe
1436	com%20surrogate.exe
1436	com%20surrogate.exe
1436	com%20surrogate.exe
1436	com%20surrogate.exe
3024	XClient.exe
3024	XClient.exe
3024	XClient.exe
3024	XClient.exe
3024	XClient.exe
3024	XClient.exe
1436	com%20surrogate.exe
1436	com%20surrogate.exe
1436	com%20surrogate.exe
3024	XClient.exe
3024	XClient.exe
3024	XClient.exe
1436	com%20surrogate.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	3024	XClient.exe
Token: SeDebugPrivilege	1436	com%20surrogate.exe
Token: SeDebugPrivilege	4932	NJRAT%20DANGEROUS.exe
Token: SeDebugPrivilege	3388	powershell.exe
Token: SeDebugPrivilege	2892	Solara_Protect.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	1880	powershell.exe
Token: SeDebugPrivilege	664	powershell.exe
Token: SeDebugPrivilege	4492	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	1264	powershell.exe
Token: SeDebugPrivilege	900	powershell.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	572	taskmgr.exe
Token: SeSystemProfilePrivilege	572	taskmgr.exe
Token: SeCreateGlobalPrivilege	572	taskmgr.exe
Token: SeDebugPrivilege	808	powershell.exe
Token: SeDebugPrivilege	4576	powershell.exe
Token: 33	572	taskmgr.exe
Token: SeIncBasePriorityPrivilege	572	taskmgr.exe
Token: SeDebugPrivilege	1436	com%20surrogate.exe
Token: SeDebugPrivilege	3024	XClient.exe
Token: SeDebugPrivilege	4932	NJRAT%20DANGEROUS.exe
Token: SeDebugPrivilege	3892	Windows.exe
Token: SeDebugPrivilege	4736	NJRAT%20DANGEROUS.exe
Token: SeDebugPrivilege	4652	svchostt.exe
Token: SeDebugPrivilege	4080	Setup.exe
Token: SeDebugPrivilege	1476	NJRAT%20DANGEROUS.exe
Token: SeDebugPrivilege	2152	Setup.exe
Token: SeDebugPrivilege	1976	svchostt.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe

Suspicious use of SendNotifyMessage 30 IoCs

pid	Process
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe
572	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3032	OpenWith.exe
2548	OpenWith.exe
3024	XClient.exe
1436	com%20surrogate.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1344 wrote to memory of 4972	1344	wow.exe	80
PID 1344 wrote to memory of 4972	1344	wow.exe	80
PID 4972 wrote to memory of 3024	4972	wow.exe	83
PID 4972 wrote to memory of 3024	4972	wow.exe	83
PID 4972 wrote to memory of 4276	4972	wow.exe	84
PID 4972 wrote to memory of 4276	4972	wow.exe	84
PID 4972 wrote to memory of 4276	4972	wow.exe	84
PID 4972 wrote to memory of 2768	4972	wow.exe	85
PID 4972 wrote to memory of 2768	4972	wow.exe	85
PID 4972 wrote to memory of 2768	4972	wow.exe	85
PID 4972 wrote to memory of 2028	4972	wow.exe	86
PID 4972 wrote to memory of 2028	4972	wow.exe	86
PID 4972 wrote to memory of 2028	4972	wow.exe	86
PID 4972 wrote to memory of 1436	4972	wow.exe	87
PID 4972 wrote to memory of 1436	4972	wow.exe	87
PID 4972 wrote to memory of 1256	4972	wow.exe	88
PID 4972 wrote to memory of 1256	4972	wow.exe	88
PID 4972 wrote to memory of 1256	4972	wow.exe	88
PID 4972 wrote to memory of 2892	4972	wow.exe	89
PID 4972 wrote to memory of 2892	4972	wow.exe	89
PID 4972 wrote to memory of 2892	4972	wow.exe	89
PID 4972 wrote to memory of 4932	4972	wow.exe	90
PID 4972 wrote to memory of 4932	4972	wow.exe	90
PID 4972 wrote to memory of 3064	4972	wow.exe	91
PID 4972 wrote to memory of 3064	4972	wow.exe	91
PID 4972 wrote to memory of 3064	4972	wow.exe	91
PID 4972 wrote to memory of 1736	4972	wow.exe	92
PID 4972 wrote to memory of 1736	4972	wow.exe	92
PID 4972 wrote to memory of 1736	4972	wow.exe	92
PID 4972 wrote to memory of 1396	4972	wow.exe	93
PID 4972 wrote to memory of 1396	4972	wow.exe	93
PID 3024 wrote to memory of 3388	3024	XClient.exe	95
PID 3024 wrote to memory of 3388	3024	XClient.exe	95
PID 1436 wrote to memory of 2716	1436	com%20surrogate.exe	97
PID 1436 wrote to memory of 2716	1436	com%20surrogate.exe	97
PID 4932 wrote to memory of 1880	4932	NJRAT%20DANGEROUS.exe	99
PID 4932 wrote to memory of 1880	4932	NJRAT%20DANGEROUS.exe	99
PID 2892 wrote to memory of 4368	2892	Solara_Protect.exe	101
PID 2892 wrote to memory of 4368	2892	Solara_Protect.exe	101
PID 2892 wrote to memory of 4368	2892	Solara_Protect.exe	101
PID 2892 wrote to memory of 4936	2892	Solara_Protect.exe	102
PID 2892 wrote to memory of 4936	2892	Solara_Protect.exe	102
PID 2892 wrote to memory of 4936	2892	Solara_Protect.exe	102
PID 4936 wrote to memory of 1444	4936	cmd.exe	105
PID 4936 wrote to memory of 1444	4936	cmd.exe	105
PID 4936 wrote to memory of 1444	4936	cmd.exe	105
PID 4368 wrote to memory of 1916	4368	cmd.exe	106
PID 4368 wrote to memory of 1916	4368	cmd.exe	106
PID 4368 wrote to memory of 1916	4368	cmd.exe	106
PID 3024 wrote to memory of 4492	3024	XClient.exe	107
PID 3024 wrote to memory of 4492	3024	XClient.exe	107
PID 4932 wrote to memory of 664	4932	NJRAT%20DANGEROUS.exe	109
PID 4932 wrote to memory of 664	4932	NJRAT%20DANGEROUS.exe	109
PID 1436 wrote to memory of 2772	1436	com%20surrogate.exe	111
PID 1436 wrote to memory of 2772	1436	com%20surrogate.exe	111
PID 4932 wrote to memory of 1264	4932	NJRAT%20DANGEROUS.exe	113
PID 4932 wrote to memory of 1264	4932	NJRAT%20DANGEROUS.exe	113
PID 3024 wrote to memory of 900	3024	XClient.exe	115
PID 3024 wrote to memory of 900	3024	XClient.exe	115
PID 1436 wrote to memory of 1512	1436	com%20surrogate.exe	117
PID 1436 wrote to memory of 1512	1436	com%20surrogate.exe	117
PID 1436 wrote to memory of 808	1436	com%20surrogate.exe	121
PID 1436 wrote to memory of 808	1436	com%20surrogate.exe	121
PID 3024 wrote to memory of 4576	3024	XClient.exe	123

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\wow.exe
"C:\Users\Admin\AppData\Local\Temp\wow.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Users\Admin\AppData\Local\Temp\wow.exe
  "C:\Users\Admin\AppData\Local\Temp\wow.exe"
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\Users\Admin\Downloads\haus\XClient.exe
    "C:\Users\Admin\Downloads\haus\XClient.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\haus\XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3388
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4492
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Setup.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:900
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Setup.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4576
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Setup" /tr "C:\Users\Admin\AppData\Roaming\Setup.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3216
- - C:\Users\Admin\Downloads\haus\kali_tools.exe
    "C:\Users\Admin\Downloads\haus\kali_tools.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4276
- - C:\Users\Admin\Downloads\haus\system404.exe
    "C:\Users\Admin\Downloads\haus\system404.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2768
- - C:\Users\Admin\Downloads\haus\shell.exe
    "C:\Users\Admin\Downloads\haus\shell.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2028
- - C:\Users\Admin\Downloads\haus\com%20surrogate.exe
    "C:\Users\Admin\Downloads\haus\com%20surrogate.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1436
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\haus\com%20surrogate.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2716
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'com%20surrogate.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2772
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\svchostt.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1512
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchostt.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:808
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchostt" /tr "C:\Users\Admin\svchostt.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1620
- - C:\Users\Admin\Downloads\haus\TCP.exe
    "C:\Users\Admin\Downloads\haus\TCP.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1256
- - C:\Users\Admin\Downloads\haus\Solara_Protect.exe
    "C:\Users\Admin\Downloads\haus\Solara_Protect.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows" /tr '"C:\Users\Admin\AppData\Local\Temp\Windows.exe"' & exit
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4368
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Windows" /tr '"C:\Users\Admin\AppData\Local\Temp\Windows.exe"'
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1916
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7927.tmp.bat""
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4936
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1444
    - - C:\Users\Admin\AppData\Local\Temp\Windows.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Windows.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3892
- - C:\Users\Admin\Downloads\haus\NJRAT%20DANGEROUS.exe
    "C:\Users\Admin\Downloads\haus\NJRAT%20DANGEROUS.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4932
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\haus\NJRAT%20DANGEROUS.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1880
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'NJRAT%20DANGEROUS.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:664
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\NJRAT%20DANGEROUS.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1264
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "NJRAT%20DANGEROUS" /tr "C:\Users\Admin\AppData\Roaming\NJRAT%20DANGEROUS.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3036
- - C:\Users\Admin\Downloads\haus\vtoroy.exe
    "C:\Users\Admin\Downloads\haus\vtoroy.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3064
- - C:\Users\Admin\Downloads\haus\AsyncClient.exe
    "C:\Users\Admin\Downloads\haus\AsyncClient.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1736
- - C:\Users\Admin\Downloads\haus\sup.exe
    "C:\Users\Admin\Downloads\haus\sup.exe"
    3⤵
    - Executes dropped EXE
    PID:1396

C:\Windows\System32\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
1⤵
- Network Service Discovery
PID:4720

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:2936

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2548

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:572

C:\Windows\explorer.exe
"C:\Windows\explorer.exe" shell:::{52205fd8-5dfb-447d-801a-d0b52f2e83e1}
1⤵
PID:1236

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:4076

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4500

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
PID:4912
- C:\Users\Admin\AppData\Local\Temp\wow.exe
  wow.exe
  2⤵
  PID:2856
- - C:\Users\Admin\AppData\Local\Temp\wow.exe
    wow.exe
    3⤵
    - Loads dropped DLL
    PID:4980

C:\Users\Admin\AppData\Roaming\NJRAT%20DANGEROUS.exe
C:\Users\Admin\AppData\Roaming\NJRAT%20DANGEROUS.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4736

C:\Users\Admin\svchostt.exe
C:\Users\Admin\svchostt.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4652

C:\Users\Admin\AppData\Roaming\Setup.exe
C:\Users\Admin\AppData\Roaming\Setup.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4080

C:\Users\Admin\AppData\Roaming\NJRAT%20DANGEROUS.exe
C:\Users\Admin\AppData\Roaming\NJRAT%20DANGEROUS.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Users\Admin\AppData\Roaming\Setup.exe
C:\Users\Admin\AppData\Roaming\Setup.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2152

C:\Users\Admin\svchostt.exe
C:\Users\Admin\svchostt.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI13442\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13442\VCRUNTIME140_1.dll

Filesize
37KB

MD5
75e78e4bf561031d39f86143753400ff

SHA1
324c2a99e39f8992459495182677e91656a05206

SHA256
1758085a61527b427c4380f0c976d29a8bee889f2ac480c356a3f166433bf70e

SHA512
ce4daf46bce44a89d21308c63e2de8b757a23be2630360209c4a25eb13f1f66a04fbb0a124761a33bbf34496f2f2a02b8df159b4b62f1b6241e1dbfb0e5d9756

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13442\_asyncio.pyd

Filesize
62KB

MD5
2859c39887921dad2ff41feda44fe174

SHA1
fae62faf96223ce7a3e6f7389a9b14b890c24789

SHA256
aebc378db08617ea81a0a3a3bc044bcc7e6303e314630392dd51bab12f879bd9

SHA512
790be0c95c81eb6d410e53fe8018e2ca5efd1838dc60539ebb011911c36c8478333ee95989cfd1ddaf4f892b537ae8305eb4cd893906930deae59c8965cf2fbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13442\_brotli.cp311-win_amd64.pyd

Filesize
801KB

MD5
d9fc15caf72e5d7f9a09b675e309f71d

SHA1
cd2b2465c04c713bc58d1c5de5f8a2e13f900234

SHA256
1fcd75b03673904d9471ec03c0ef26978d25135a2026020e679174bdef976dcf

SHA512
84f705d52bd3e50ac412c8de4086c18100eac33e716954fbcb3519f4225be1f4e1c3643d5a777c76f7112fae30ce428e0ce4c05180a52842dacb1f5514460006

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13442\_bz2.pyd

Filesize
81KB

MD5
4101128e19134a4733028cfaafc2f3bb

SHA1
66c18b0406201c3cfbba6e239ab9ee3dbb3be07d

SHA256
5843872d5e2b08f138a71fe9ba94813afee59c8b48166d4a8eb0f606107a7e80

SHA512
4f2fc415026d7fd71c5018bc2ffdf37a5b835a417b9e5017261849e36d65375715bae148ce8f9649f9d807a63ac09d0fb270e4abae83dfa371d129953a5422ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13442\_cffi_backend.cp311-win_amd64.pyd

Filesize
174KB

MD5
739d352bd982ed3957d376a9237c9248

SHA1
961cf42f0c1bb9d29d2f1985f68250de9d83894d

SHA256
9aee90cf7980c8ff694bb3ffe06c71f87eb6a613033f73e3174a732648d39980

SHA512
585a5143519ed9b38bb53f912cea60c87f7ce8ba159a1011cf666f390c2e3cc149e0ac601b008e039a0a78eaf876d7a3f64fff612f5de04c822c6e214bc2efde

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13442\_ctypes.pyd

Filesize
120KB

MD5
6a9ca97c039d9bbb7abf40b53c851198

SHA1
01bcbd134a76ccd4f3badb5f4056abedcff60734

SHA256
e662d2b35bb48c5f3432bde79c0d20313238af800968ba0faa6ea7e7e5ef4535

SHA512
dedf7f98afc0a94a248f12e4c4ca01b412da45b926da3f9c4cbc1d2cbb98c8899f43f5884b1bf1f0b941edaeef65612ea17438e67745962ff13761300910960d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13442\_decimal.pyd

Filesize
245KB

MD5
d47e6acf09ead5774d5b471ab3ab96ff

SHA1
64ce9b5d5f07395935df95d4a0f06760319224a2

SHA256
d0df57988a74acd50b2d261e8b5f2c25da7b940ec2aafbee444c277552421e6e

SHA512
52e132ce94f21fa253fed4cf1f67e8d4423d8c30224f961296ee9f64e2c9f4f7064d4c8405cd3bb67d3cf880fe4c21ab202fa8cf677e3b4dad1be6929dbda4e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13442\_hashlib.pyd

Filesize
62KB

MD5
de4d104ea13b70c093b07219d2eff6cb

SHA1
83daf591c049f977879e5114c5fea9bbbfa0ad7b

SHA256
39bc615842a176db72d4e0558f3cdcae23ab0623ad132f815d21dcfbfd4b110e

SHA512
567f703c2e45f13c6107d767597dba762dc5caa86024c87e7b28df2d6c77cd06d3f1f97eed45e6ef127d5346679fea89ac4dc2c453ce366b6233c0fa68d82692

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13442\_lzma.pyd

Filesize
154KB

MD5
337b0e65a856568778e25660f77bc80a

SHA1
4d9e921feaee5fa70181eba99054ffa7b6c9bb3f

SHA256
613de58e4a9a80eff8f8bc45c350a6eaebf89f85ffd2d7e3b0b266bf0888a60a

SHA512
19e6da02d9d25ccef06c843b9f429e6b598667270631febe99a0d12fc12d5da4fb242973a8351d3bf169f60d2e17fe821ad692038c793ce69dfb66a42211398e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13442\_multiprocessing.pyd

Filesize
32KB

MD5
1386dbc6dcc5e0be6fef05722ae572ec

SHA1
470f2715fafd5cafa79e8f3b0a5434a6da78a1ba

SHA256
0ae3bf383ff998886f97576c55d6bf0a076c24395cf6fcd2265316e9a6e8c007

SHA512
ca6e5c33273f460c951cb8ec1d74ce61c0025e2ead6d517c18a6b0365341a0fd334e8976006cd62b72eb5620ccc42cfdd5196e8b10691b8f19f69f851a440293

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13442\_overlapped.pyd

Filesize
48KB

MD5
01ad7ca8bc27f92355fd2895fc474157

SHA1
15948cd5a601907ff773d0b48e493adf0d38a1a6

SHA256
a083e83f609ed7a2fc18a95d44d8f91c9dc74842f33e19e91988e84db94c3b5b

SHA512
8fe6ac8430f8dde45c74f45575365753042642dc9fa9defbcf25ae1832baf6abb1ea1ad6d087e4ece5d0590e36cee1beea99845aef6182c1eec4bafdf9557604

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13442\_queue.pyd

Filesize
30KB

MD5
ff8300999335c939fcce94f2e7f039c0

SHA1
4ff3a7a9d9ca005b5659b55d8cd064d2eb708b1a

SHA256
2f71046891ba279b00b70eb031fe90b379dbe84559cf49ce5d1297ea6bf47a78

SHA512
f29b1fd6f52130d69c8bd21a72a71841bf67d54b216febcd4e526e81b499b9b48831bb7cdff0bff6878aab542ca05d6326b8a293f2fb4dd95058461c0fd14017

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13442\_socket.pyd

Filesize
76KB

MD5
8140bdc5803a4893509f0e39b67158ce

SHA1
653cc1c82ba6240b0186623724aec3287e9bc232

SHA256
39715ef8d043354f0ab15f62878530a38518fb6192bc48da6a098498e8d35769

SHA512
d0878fee92e555b15e9f01ce39cfdc3d6122b41ce00ec3a4a7f0f661619f83ec520dca41e35a1e15650fb34ad238974fe8019577c42ca460dde76e3891b0e826

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13442\_ssl.pyd

Filesize
155KB

MD5
069bccc9f31f57616e88c92650589bdd

SHA1
050fc5ccd92af4fbb3047be40202d062f9958e57

SHA256
cb42e8598e3fa53eeebf63f2af1730b9ec64614bda276ab2cd1f1c196b3d7e32

SHA512
0e5513fbe42987c658dba13da737c547ff0b8006aecf538c2f5cf731c54de83e26889be62e5c8a10d2c91d5ada4d64015b640dab13130039a5a8a5ab33a723dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13442\_uuid.pyd

Filesize
23KB

MD5
9a4957bdc2a783ed4ba681cba2c99c5c

SHA1
f73d33677f5c61deb8a736e8dde14e1924e0b0dc

SHA256
f7f57807c15c21c5aa9818edf3993d0b94aef8af5808e1ad86a98637fc499d44

SHA512
027bdcb5b3e0ca911ee3c94c42da7309ea381b4c8ec27cf9a04090fff871db3cf9b7b659fdbcfff8887a058cb9b092b92d7d11f4f934a53be81c29ef8895ac2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13442\base_library.zip

Filesize
1.4MB

MD5
9836732a064983e8215e2e26e5b66974

SHA1
02e9a46f5a82fa5de6663299512ca7cd03777d65

SHA256
3dfe7d63f90833e0f3de22f450ed5ee29858bb12fe93b41628afe85657a3b61f

SHA512
1435ba9bc8d35a9336dee5db06944506953a1bcf340e9bdad834828170ce826dcfb1fa80274cd9df667e47b83348139b38ab317055a5a3e6824df15adf8a4d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13442\certifi\cacert.pem

Filesize
292KB

MD5
50ea156b773e8803f6c1fe712f746cba

SHA1
2c68212e96605210eddf740291862bdf59398aef

SHA256
94edeb66e91774fcae93a05650914e29096259a5c7e871a1f65d461ab5201b47

SHA512
01ed2e7177a99e6cb3fbef815321b6fa036ad14a3f93499f2cb5b0dae5b713fd2e6955aa05f6bda11d80e9e0275040005e5b7d616959b28efc62abb43a3238f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13442\charset_normalizer\md.cp311-win_amd64.pyd

Filesize
10KB

MD5
cbf62e25e6e036d3ab1946dbaff114c1

SHA1
b35f91eaf4627311b56707ef12e05d6d435a4248

SHA256
06032e64e1561251ea3035112785f43945b1e959a9bf586c35c9ea1c59585c37

SHA512
04b694d0ae99d5786fa19f03c5b4dd8124c4f9144cfe7ca250b48a3c0de0883e06a6319351ae93ea95b55bbbfa69525a91e9407478e40ad62951f1d63d45ff18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13442\charset_normalizer\md__mypyc.cp311-win_amd64.pyd

Filesize
118KB

MD5
bac273806f46cffb94a84d7b4ced6027

SHA1
773fbc0435196c8123ee89b0a2fc4d44241ff063

SHA256
1d9aba3ff1156ea1fbe10b8aa201d4565ae6022daf2117390d1d8197b80bb70b

SHA512
eaec1f072c2c0bc439ac7b4e3aea6e75c07bd4cd2d653be8500bbffe371fbfe045227daead653c162d972ccaadff18ac7da4d366d1200618b0291d76e18b125c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13442\libcrypto-1_1.dll

Filesize
3.3MB

MD5
6f4b8eb45a965372156086201207c81f

SHA1
8278f9539463f0a45009287f0516098cb7a15406

SHA256
976ce72efd0a8aeeb6e21ad441aa9138434314ea07f777432205947cdb149541

SHA512
2c5c54842aba9c82fb9e7594ae9e264ac3cbdc2cc1cd22263e9d77479b93636799d0f28235ac79937070e40b04a097c3ea3b7e0cd4376a95ed8ca90245b7891f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13442\libffi-8.dll

Filesize
34KB

MD5
32d36d2b0719db2b739af803c5e1c2f5

SHA1
023c4f1159a2a05420f68daf939b9ac2b04ab082

SHA256
128a583e821e52b595eb4b3dda17697d3ca456ee72945f7ecce48ededad0e93c

SHA512
a0a68cfc2f96cb1afd29db185c940e9838b6d097d2591b0a2e66830dd500e8b9538d170125a00ee8c22b8251181b73518b73de94beeedd421d3e888564a111c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13442\libssl-1_1.dll

Filesize
686KB

MD5
8769adafca3a6fc6ef26f01fd31afa84

SHA1
38baef74bdd2e941ccd321f91bfd49dacc6a3cb6

SHA256
2aebb73530d21a2273692a5a3d57235b770daf1c35f60c74e01754a5dac05071

SHA512
fac22f1a2ffbfb4789bdeed476c8daf42547d40efe3e11b41fadbc4445bb7ca77675a31b5337df55fdeb4d2739e0fb2cbcac2feabfd4cd48201f8ae50a9bd90b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13442\multidict\_multidict.cp311-win_amd64.pyd

Filesize
46KB

MD5
ecc0b2fcda0485900f4b72b378fe4303

SHA1
40d9571b8927c44af39f9d2af8821f073520e65a

SHA256
bcbb43ce216e38361cb108e99bab86ae2c0f8930c86d12cadfca703e26003cb1

SHA512
24fd07eb0149cb8587200c055f20ff8c260b8e626693c180cba4e066194bed7e8721dde758b583c93f7cb3d691b50de6179ba86821414315c17b3d084d290e70

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13442\propcache\_helpers_c.cp311-win_amd64.pyd

Filesize
73KB

MD5
04444380b89fb22b57e6a72b3ae42048

SHA1
cfe9c662cb5ca1704e3f0763d02e0d59c5817d77

SHA256
d123d7fefde551c82eb61454d763177322e5ce1eaa65dc489e19de5ab7faf7b4

SHA512
9e7d367bab0f6cc880c5870fdcdb06d9a9e5eb24eba489ca85549947879b0fa3c586779ffcea0fca4c50aa67dad098e7bd9e82c00e2d00412d9441991267d2da

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13442\pyexpat.pyd

Filesize
193KB

MD5
1c0a578249b658f5dcd4b539eea9a329

SHA1
efe6fa11a09dedac8964735f87877ba477bec341

SHA256
d97f3e27130c267e7d3287d1b159f65559e84ead9090d02a01b4c7dc663cd509

SHA512
7b21dcd7b64eeba13ba8a618960190d1a272fa4805dedcf8f9e1168aebfe890b0ced991435ecbd353467a046fc0e8307f9a9be1021742d7d93aa124c52cc49e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13442\python3.DLL

Filesize
64KB

MD5
34e49bb1dfddf6037f0001d9aefe7d61

SHA1
a25a39dca11cdc195c9ecd49e95657a3e4fe3215

SHA256
4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281

SHA512
edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13442\python311.dll

Filesize
5.5MB

MD5
9a24c8c35e4ac4b1597124c1dcbebe0f

SHA1
f59782a4923a30118b97e01a7f8db69b92d8382a

SHA256
a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7

SHA512
9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13442\select.pyd

Filesize
28KB

MD5
97ee623f1217a7b4b7de5769b7b665d6

SHA1
95b918f3f4c057fb9c878c8cc5e502c0bd9e54c0

SHA256
0046eb32f873cde62cf29af02687b1dd43154e9fd10e0aa3d8353d3debb38790

SHA512
20edc7eae5c0709af5c792f04a8a633d416da5a38fc69bd0409afe40b7fb1afa526de6fe25d8543ece9ea44fd6baa04a9d316ac71212ae9638bdef768e661e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13442\setuptools\_vendor\jaraco\text\Lorem ipsum.txt

Filesize
1KB

MD5
4ce7501f6608f6ce4011d627979e1ae4

SHA1
78363672264d9cd3f72d5c1d3665e1657b1a5071

SHA256
37fedcffbf73c4eb9f058f47677cb33203a436ff9390e4d38a8e01c9dad28e0b

SHA512
a4cdf92725e1d740758da4dd28df5d1131f70cef46946b173fe6956cc0341f019d7c4fecc3c9605f354e1308858721dada825b4c19f59c5ad1ce01ab84c46b24

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13442\unicodedata.pyd

Filesize
1.1MB

MD5
bc58eb17a9c2e48e97a12174818d969d

SHA1
11949ebc05d24ab39d86193b6b6fcff3e4733cfd

SHA256
ecf7836aa0d36b5880eb6f799ec402b1f2e999f78bfff6fb9a942d1d8d0b9baa

SHA512
4aa2b2ce3eb47503b48f6a888162a527834a6c04d3b49c562983b4d5aad9b7363d57aef2e17fe6412b89a9a3b37fb62a4ade4afc90016e2759638a17b1deae6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13442\wheel-0.45.0.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13442\yarl\_quoting_c.cp311-win_amd64.pyd

Filesize
95KB

MD5
1c6c610e5e2547981a2f14f240accf20

SHA1
4a2438293d2f86761ef84cfdf99a6ca86604d0b8

SHA256
4a982ff53e006b462ddf7090749bc06ebb6e97578be04169489d27e93f1d1804

SHA512
f6ea205a49bf586d7f3537d56b805d34584a4c2c7d75a81c53ce457a4a438590f6dbeded324362bfe18b86ff5696673de5fbe4c9759ad121b5e4c9ae2ef267c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aw3phbql.t4h.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\haus\AsyncClient.exe

Filesize
45KB

MD5
7ace559d317742937e8254dc6da92a7e

SHA1
e4986e5b11b96bedc62af5cfb3b48bed58d8d1c9

SHA256
b6c58155365a5e35952e46611fd7b43e36e256903bff2030bc07a3c6841b836f

SHA512
2c50337078075dc6bfd8b02d77d4de8e5b9ad5b01deed1a3b4f3eb0b2d21efce2736e74d5cf94fdf937bcc2a51c2ecf98022049c706350feacb079c4b968d5d3

Download Submit
C:\Users\Admin\Downloads\haus\AsyncClient.exe

Filesize
45KB

MD5
9ae47a32295e25abad934f880b2246d2

SHA1
c7b027f6946e2343712d5b4e5a0e707a853bf0b1

SHA256
3c924a149b80a5bf5862c2e3029dd0717a84b5e640332da71e0fa70eb04ec096

SHA512
3563a201544254367f5e2605aedcb0b0ab3e4eb9c2e80e26dd7219c4edd2c47e52880b11712f2903e9d00bed2aaea31fad7bc7633c27c6a9ca739cb8cc6165ff

Download Submit
C:\Users\Admin\Downloads\haus\Discordd.exe

Filesize
47KB

MD5
17bbb12504a20c0c2544c8dac52ed0a1

SHA1
ff9c5d849ee5817d47e1339b7a7c266119352d45

SHA256
1b9e97ba99aed432ccc47149bc929f9ad64a16241ac168017205312075600a52

SHA512
b73ca96a3a51cebeb520b82b25da49785943d0aeeab731080a224c5f0397767ce12744b8f0ab56c9395b49070246badabd915882180592e4e79f7dc1882b7b44

Download Submit
C:\Users\Admin\Downloads\haus\Loader.exe

Filesize
47KB

MD5
222749341749d92397472025c0350961

SHA1
183a40710a7e96e8b69477db45ecabcfe9df7a2d

SHA256
eb3be957f0a8e1f2fd544608a90b4c4a5b22f34c6e5ae5bc0342d35de0701a14

SHA512
cb16d19e0fc4edc157506ebc97d265a526ecec52a482050679c80d5fbb36a41ce0eb332c444a3fea0242093d93ad51e7be9004d64569e6e06b54fbc2d317b5ae

Download Submit
C:\Users\Admin\Downloads\haus\NJRAT%20DANGEROUS.exe

Filesize
69KB

MD5
401b1ea00d135d5060f237c2f5a8a6c4

SHA1
6955a95c3b4f5de689b352e3d7e0badd821d624b

SHA256
9b8cbcf33039dc4ee3a8649fab25ed587e7c75958473f4eb814d5c13d90f8ffa

SHA512
36324a55944a423adbde5856dbfd80498edbbdafea4808f4f39da7ab5a9c50059c4d242b2365062856187160ee65edb573e81d4644a1e7fbde20b4656ee892b4

Download Submit
C:\Users\Admin\Downloads\haus\Solara_Protect.exe

Filesize
63KB

MD5
9eb074e0713a33f7a6e499b0fbf2484c

SHA1
132ca59a5fb654c3d0794f92f05eaf43e3a7af94

SHA256
519f3ceedba4471f3d5178451c1007911145fb6eaf4e259a2c29b8e3483dabb1

SHA512
367fbbf6f058ef21367e329c8b0373d482c9c97dfbb42a67b17c9b1dc1d0139ae879c8ddb87b0960c5545746610d2c5690343abb458818c2dea9dbca66f39794

Download Submit
C:\Users\Admin\Downloads\haus\TCP.exe

Filesize
45KB

MD5
f127aef5829703426ff8399a76c1852c

SHA1
17e72d081ceb20119abe7bef8c640d5db48276f6

SHA256
6907ab3a0f4e69bf6dcb8c03a18bd8402afa701ade8863a0e15808614ffb1b17

SHA512
c3125920567b59119b86e284ed96c3860b1998f9d6b6078b5c2a18aa6b4c56274124fd2f77710bbbf972a6387ef20cb4a5d19c96be2131fb02f6d5692c2384c0

Download Submit
C:\Users\Admin\Downloads\haus\XClient.exe

Filesize
80KB

MD5
1fdbde7773dca61675f332594d8f7e99

SHA1
b993f62c871c311fe9a398ad2424389b1072906e

SHA256
439f9b3edd8b69f54c8a03c34f56660b95f345688edfad7911780a41f9839d65

SHA512
51a74a252c827f9fd3cbcd39cd6b95d721b97fd25fb8f78574700ccbf60e85d072ffa5b893887d67a2c5f69478df3ce687c6d11632312117bed928800b3e63b6

Download Submit
C:\Users\Admin\Downloads\haus\com%20surrogate.exe

Filesize
59KB

MD5
8843d79e5ece984ef952051cb5b4f601

SHA1
72bb266a7aae0320f05276a0ed42753c2dc07f2b

SHA256
80d44bb082a49dd49bf5926ea31ca0c225725daa4ba0614ae3ef1e121fdef89c

SHA512
e19cb6c484f0415cd3cab9e716a07cd5ae3662ee22b690310081c68ab73617df8fa8236a98d72fbf5ae3b88efefe88e3c845eb42f0bf9b93963c628573c87ba1

Download Submit
C:\Users\Admin\Downloads\haus\kali_tools.exe

Filesize
72KB

MD5
0cf225d4e9a1a440b7f9194d56533598

SHA1
fb7446f256e389fe8f957ccb34422870b52fb233

SHA256
2c042ffcb4b89bf6a65195ca81430a0497a827c125b24aea15822302d4d76a59

SHA512
7e8efd8a96545b54762ad2d4998e55332f1162d007ce544b5d6aeb4112f1674924319b9a2369cbb90c08fddfe0549242bf9ac563e54c9ed11d0f633ae7a10853

Download Submit
C:\Users\Admin\Downloads\haus\shell.exe

Filesize
72KB

MD5
b46f3e8790d907a8f6e216b006eb1c95

SHA1
a16301af03d94abe661cc11b5ca3da7fc1e6a7bb

SHA256
f400dfc798338bf8c960fe04bafe60a3f95d4facd182ab08448b4918efe35262

SHA512
16345afb33b8626893da0700b9ac7580cdea3b3d42ace6d137abb9f6e99a0e446d9af2fbb98979b7ea815cab07fb6eb368a590166bdf048deacd7fd63c429de9

Download Submit
C:\Users\Admin\Downloads\haus\sup.exe

Filesize
203KB

MD5
05045ceec9b55ec26c7572620b838d20

SHA1
113b2919c7aed6f50946f4ecfd600e13046cec7b

SHA256
d46988f81eb72e8587a297dfb345ea39eba96a9ba248041424fd8e2191a49cf7

SHA512
8518de2e0ef75827f00295daff8c29a62eb62ee6328a4189d8147a8289ae6a7794c04b32022a08aaa5ad1e77cad443003bfd84b23cfaa0349a06ee92d4cdbb05

Download Submit
C:\Users\Admin\Downloads\haus\system404.exe

Filesize
72KB

MD5
5cf4fd83c632025a479544de58d05c7e

SHA1
911c13319381c254b5b4b768e11628cb08c4cd59

SHA256
03cfaaa0f04f424b6f426063f25c8f51ca030c47f8b09fdb120063c95fa5255e

SHA512
029642de076e54ed85aa2e1835db0bd3ad5119393db4a146204befff65302f3e19c3962fa7b4cdad73f694908049824d8c2fd3643d87d202f9462dfb0908c598

Download Submit
C:\Users\Admin\Downloads\haus\vtoroy.exe

Filesize
239KB

MD5
1e6930dc9f7e53ffba84c295d8f766ed

SHA1
ac716d7c6e2d65ea845f8f2cd4252c82e387577b

SHA256
5ec0ca0d40ea0737601710565265bce4fbfed9e813d2ce401e038726e1155746

SHA512
ffdc5ed06b0a98d3216aec12ed878929defe5ebd750be9653bf14210bb104d6142bb8b9bafa0f7de5807d1d60d700b8b6f15e005504f76633869a6ae20a16890

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini

Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
memory/572-428-0x0000016DC24A0000-0x0000016DC24A1000-memory.dmp

Filesize
4KB

Download
memory/572-442-0x0000016DC24A0000-0x0000016DC24A1000-memory.dmp

Filesize
4KB

Download
memory/572-437-0x0000016DC24A0000-0x0000016DC24A1000-memory.dmp

Filesize
4KB

Download
memory/572-438-0x0000016DC24A0000-0x0000016DC24A1000-memory.dmp

Filesize
4KB

Download
memory/572-427-0x0000016DC24A0000-0x0000016DC24A1000-memory.dmp

Filesize
4KB

Download
memory/572-439-0x0000016DC24A0000-0x0000016DC24A1000-memory.dmp

Filesize
4KB

Download
memory/572-429-0x0000016DC24A0000-0x0000016DC24A1000-memory.dmp

Filesize
4KB

Download
memory/572-443-0x0000016DC24A0000-0x0000016DC24A1000-memory.dmp

Filesize
4KB

Download
memory/572-440-0x0000016DC24A0000-0x0000016DC24A1000-memory.dmp

Filesize
4KB

Download
memory/572-441-0x0000016DC24A0000-0x0000016DC24A1000-memory.dmp

Filesize
4KB

Download
memory/664-376-0x0000024961790000-0x00000249618DF000-memory.dmp

Filesize
1.3MB

Download
memory/808-433-0x00000270FDF60000-0x00000270FE0AF000-memory.dmp

Filesize
1.3MB

Download
memory/900-410-0x000001C6F5830000-0x000001C6F597F000-memory.dmp

Filesize
1.3MB

Download
memory/1256-248-0x00000000005B0000-0x00000000005C2000-memory.dmp

Filesize
72KB

Download
memory/1264-408-0x000001F73DCB0000-0x000001F73DDFF000-memory.dmp

Filesize
1.3MB

Download
memory/1396-273-0x0000000140000000-0x00000001400354C0-memory.dmp

Filesize
213KB

Download
memory/1396-268-0x0000000000440000-0x0000000000479000-memory.dmp

Filesize
228KB

Download
memory/1436-217-0x0000000000940000-0x0000000000956000-memory.dmp

Filesize
88KB

Download
memory/1512-406-0x0000018A65020000-0x0000018A6516F000-memory.dmp

Filesize
1.3MB

Download
memory/1736-263-0x0000000000570000-0x0000000000582000-memory.dmp

Filesize
72KB

Download
memory/1880-348-0x0000028757750000-0x000002875789F000-memory.dmp

Filesize
1.3MB

Download
memory/2716-350-0x000002569FFB0000-0x00000256A00FF000-memory.dmp

Filesize
1.3MB

Download
memory/2772-380-0x00000153F2400000-0x00000153F254F000-memory.dmp

Filesize
1.3MB

Download
memory/2892-313-0x0000000004AA0000-0x0000000004B3C000-memory.dmp

Filesize
624KB

Download
memory/2892-249-0x0000000000120000-0x0000000000136000-memory.dmp

Filesize
88KB

Download
memory/3024-161-0x0000000000920000-0x000000000093A000-memory.dmp

Filesize
104KB

Download
memory/3064-276-0x0000000000920000-0x0000000000B70000-memory.dmp

Filesize
2.3MB

Download
memory/3064-259-0x0000000000920000-0x0000000000B70000-memory.dmp

Filesize
2.3MB

Download
memory/3388-346-0x000001EA7CF30000-0x000001EA7D07F000-memory.dmp

Filesize
1.3MB

Download
memory/3388-319-0x000001EA7CA00000-0x000001EA7CA22000-memory.dmp

Filesize
136KB

Download
memory/4492-378-0x000001494BB50000-0x000001494BC9F000-memory.dmp

Filesize
1.3MB

Download
memory/4576-432-0x0000020CB0040000-0x0000020CB018F000-memory.dmp

Filesize
1.3MB

Download
memory/4932-245-0x0000000000900000-0x0000000000918000-memory.dmp

Filesize
96KB

Download