268c6becff37f87d1dc106c33643cbecae4ae853fd67abd4ec43c569bc82fda7

Analysis

max time kernel
34s
max time network
37s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
05/08/2023, 01:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Spectrum.bat
Size

1.4MB
MD5

1af995cb5fac4820b7920baaea61d13a
SHA1

b942023ea99a52a3652837c5a263eee7465bf2b6
SHA256

90e86864b37fd38e8035d1d44d1320db1ababef9220066408cd5214b9754ce65
SHA512

e63cf39341205f3de8efcc5b1681a077ee02811b0d4a49d98bbc5cff4562b8c27cea178d807d28914eeacecf2c071c60c212483c88afe138ce48b131b7878067
SSDEEP

6144:bkPKthCtA9ikfH0DyHYCvE57McOCZYXDe2XjFKEhwfKd+z6k:bTbfL4rycOCGzjB+mk

Score

1^/10

Malware Config

Signatures

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2788	powershell.exe
2788	powershell.exe
1516	powershell.exe
1516	powershell.exe
2212	powershell.exe
2212	powershell.exe
3544	powershell.exe
3544	powershell.exe
4628	powershell.exe
4628	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	3544	powershell.exe
Token: SeDebugPrivilege	4628	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 1636	2436	cmd.exe	86
PID 2436 wrote to memory of 1636	2436	cmd.exe	86
PID 2436 wrote to memory of 1324	2436	cmd.exe	87
PID 2436 wrote to memory of 1324	2436	cmd.exe	87
PID 2436 wrote to memory of 2212	2436	cmd.exe	88
PID 2436 wrote to memory of 2212	2436	cmd.exe	88
PID 2212 wrote to memory of 2200	2212	net.exe	89
PID 2212 wrote to memory of 2200	2212	net.exe	89
PID 2436 wrote to memory of 1724	2436	cmd.exe	90
PID 2436 wrote to memory of 1724	2436	cmd.exe	90
PID 2436 wrote to memory of 208	2436	cmd.exe	91
PID 2436 wrote to memory of 208	2436	cmd.exe	91
PID 2436 wrote to memory of 3024	2436	cmd.exe	92
PID 2436 wrote to memory of 3024	2436	cmd.exe	92
PID 2436 wrote to memory of 1904	2436	cmd.exe	93
PID 2436 wrote to memory of 1904	2436	cmd.exe	93
PID 2436 wrote to memory of 2280	2436	cmd.exe	94
PID 2436 wrote to memory of 2280	2436	cmd.exe	94
PID 2436 wrote to memory of 2384	2436	cmd.exe	95
PID 2436 wrote to memory of 2384	2436	cmd.exe	95
PID 2436 wrote to memory of 4784	2436	cmd.exe	96
PID 2436 wrote to memory of 4784	2436	cmd.exe	96
PID 2436 wrote to memory of 4652	2436	cmd.exe	97
PID 2436 wrote to memory of 4652	2436	cmd.exe	97
PID 2436 wrote to memory of 1628	2436	cmd.exe	98
PID 2436 wrote to memory of 1628	2436	cmd.exe	98
PID 2436 wrote to memory of 2972	2436	cmd.exe	99
PID 2436 wrote to memory of 2972	2436	cmd.exe	99
PID 2436 wrote to memory of 4688	2436	cmd.exe	100
PID 2436 wrote to memory of 4688	2436	cmd.exe	100
PID 2436 wrote to memory of 2176	2436	cmd.exe	101
PID 2436 wrote to memory of 2176	2436	cmd.exe	101
PID 2436 wrote to memory of 2276	2436	cmd.exe	102
PID 2436 wrote to memory of 2276	2436	cmd.exe	102
PID 2436 wrote to memory of 4620	2436	cmd.exe	103
PID 2436 wrote to memory of 4620	2436	cmd.exe	103
PID 2436 wrote to memory of 2648	2436	cmd.exe	104
PID 2436 wrote to memory of 2648	2436	cmd.exe	104
PID 2436 wrote to memory of 3780	2436	cmd.exe	105
PID 2436 wrote to memory of 3780	2436	cmd.exe	105
PID 2436 wrote to memory of 2348	2436	cmd.exe	106
PID 2436 wrote to memory of 2348	2436	cmd.exe	106
PID 2436 wrote to memory of 3940	2436	cmd.exe	107
PID 2436 wrote to memory of 3940	2436	cmd.exe	107
PID 2436 wrote to memory of 3548	2436	cmd.exe	108
PID 2436 wrote to memory of 3548	2436	cmd.exe	108
PID 2436 wrote to memory of 4368	2436	cmd.exe	109
PID 2436 wrote to memory of 4368	2436	cmd.exe	109
PID 2436 wrote to memory of 1848	2436	cmd.exe	110
PID 2436 wrote to memory of 1848	2436	cmd.exe	110
PID 2436 wrote to memory of 484	2436	cmd.exe	111
PID 2436 wrote to memory of 484	2436	cmd.exe	111
PID 2436 wrote to memory of 1368	2436	cmd.exe	112
PID 2436 wrote to memory of 1368	2436	cmd.exe	112
PID 2436 wrote to memory of 1856	2436	cmd.exe	113
PID 2436 wrote to memory of 1856	2436	cmd.exe	113
PID 2436 wrote to memory of 3220	2436	cmd.exe	114
PID 2436 wrote to memory of 3220	2436	cmd.exe	114
PID 2436 wrote to memory of 4608	2436	cmd.exe	115
PID 2436 wrote to memory of 4608	2436	cmd.exe	115
PID 2436 wrote to memory of 1332	2436	cmd.exe	116
PID 2436 wrote to memory of 1332	2436	cmd.exe	116
PID 2436 wrote to memory of 2516	2436	cmd.exe	117
PID 2436 wrote to memory of 2516	2436	cmd.exe	117

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Spectrum.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Spectrum.bat" "
  2⤵
  PID:1636
- C:\Windows\system32\find.exe
  find /i "C:\Users\Admin\AppData\Local\Temp\Spectrum.bat"
  2⤵
  PID:1324
- C:\Windows\system32\net.exe
  net session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:2200
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Spectrum.bat"
  2⤵
  PID:1724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:3024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:1904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:2280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:2384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:4784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:4652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:1628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:2972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:4688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:2176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:2276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:4620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:2648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:3780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:2348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:3940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:3548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:4368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:1848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:1368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:1856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:3220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:4608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:1332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:2516
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:2292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Spectrum.bat" "
  2⤵
  PID:1816
- C:\Windows\system32\find.exe
  find /i "C:\Users\Admin\AppData\Local\Temp\Spectrum.bat"
  2⤵
  PID:2076
- C:\Windows\system32\net.exe
  net session
  2⤵
  PID:2928
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:784
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Spectrum.bat"
  2⤵
  PID:1912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:3068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:4704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:4820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:1144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:5116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:2316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:4420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Spectrum.bat" "
  2⤵
  PID:4548
- C:\Windows\system32\find.exe
  find /i "C:\Users\Admin\AppData\Local\Temp\Spectrum.bat"
  2⤵
  PID:1520
- C:\Windows\system32\net.exe
  net session
  2⤵
  PID:1364
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:1924
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Spectrum.bat"
  2⤵
  PID:560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:1716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:3464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "$VM=Get-WmiObject -Class Win32_ComputerSystem ; if ($VM.Model -match 'Virtual') { Write-Host 'Virtual Machine Detected. Exiting script.' ; taskkill /F /IM cmd.exe }"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:4512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:1308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "$bytes = [System.IO.File]::ReadAllBytes('C:\Users\Admin\AppData\Local\Temp\Spectrum.bat') ; if (($bytes[0] -ne 0xFF) -or ($bytes[1] -ne 0xFE) -or ($bytes[2] -ne 0x26)) { Write-Host 'The first 3 bytes of the file are not FF FE 0A.' ; taskkill /F /IM cmd.exe }"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:1844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "$bytes = [System.IO.File]::ReadAllBytes('C:\Users\Admin\AppData\Local\Temp\Spectrum.bat') ; if (($bytes[0] -ne 0xFF) -or ($bytes[1] -ne 0xFE) -or ($bytes[2] -ne 0x26)) { Write-Host 'The first 3 bytes of the file are not FF FE 0A.' ; taskkill /F /IM cmd.exe }"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:1432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:2784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:2536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "$VM=Get-WmiObject -Class Win32_ComputerSystem ; if ($VM.Model -match 'Virtual') { Write-Host 'Virtual Machine Detected. Exiting script.' ; taskkill /F /IM cmd.exe }"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:3548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Spectrum.bat" "
  2⤵
  PID:4368
- C:\Windows\system32\find.exe
  find /i "C:\Users\Admin\AppData\Local\Temp\Spectrum.bat"
  2⤵
  PID:5112
- C:\Windows\system32\net.exe
  net session
  2⤵
  PID:4356
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:1856
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Spectrum.bat"
  2⤵
  PID:4052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:3972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:1436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:4740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:4704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:1920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:4868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:4752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:3476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:3020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:3900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "$VM=Get-WmiObject -Class Win32_ComputerSystem ; if ($VM.Model -match 'Virtual') { Write-Host 'Virtual Machine Detected. Exiting script.' ; taskkill /F /IM cmd.exe }"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:4684
- C:\Windows\system32\forfiles.exe
  forfiles /p C:\Users\Admin\AppData\Local\Temp /m BAD_EXE.exe /c 'cmd /c start @file'
  2⤵
  PID:1588
- C:\Windows\system32\net.exe
  net session
  2⤵
  PID:756
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:2196

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
3ca1082427d7b2cd417d7c0b7fd95e4e

SHA1
b0482ff5b58ffff4f5242d77330b064190f269d3

SHA256
31f15dc6986680b158468bf0b4a1c00982b07b2889f360befd8a466113940d8f

SHA512
bbcfd8ea1e815524fda500b187483539be4a8865939f24c6e713f0a3bd90b69b4367c36aa2b09886b2006b685f81f0a77eec23ab58b7e2fb75304b412deb6ca3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8857491a4a65a9a1d560c4705786a312

SHA1
4f3caf2ad5d66a2410c9cca0381d26a46e832cb4

SHA256
b6e1a16a11075cb4e0bae0cebdb6ac15f5d66e0005f557703708a04cd11bd360

SHA512
d9497c47898cdc4c4fc62158830dc931990e08bb4a28a5d19d4187a87a2afab8a4bd58ca346563210b476c9adb9a714bfe1057e0ebce85d1fd94731be6d02660

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b98cf4ca327d4a7848b0799f796835ef

SHA1
f080fc252eea740cb720c769452fe099fc2480a6

SHA256
439a8a1aa5c09ab478a25226f008670a71b1d2215a8ba71317df380f56b72a3c

SHA512
44c76b5cf2116e7dcfb8adc0b2ef83c4cd5609a2cd9412717f6ba9d9585c6e33c18b64ba9e9efe085eaa8067805b5c48d9fd94651e06efa5e0be4d62f262fc63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
23909774a4f0358be8e03226d73fbd61

SHA1
4df262994ce4eb3935965881c1e2dc730668da94

SHA256
6dbd177f5aa34f836bf52885c04a3a93771384ebad954911be812c039290bcad

SHA512
6ed0bfd0a498043cccf9ef2d9bebc869c4f5f2befc90636e2e3167b2d0b694c538f93aaeefe221bc08ca3962c6499f402df4934444c9f82883d3314075d5f05b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pics4lhz.vyz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\kdotZFzEB.bat

Filesize
170B

MD5
fb3964cc66cca8c7b0e52fcb19831089

SHA1
46a92c69859ec7ded655d14bf6ea7ddb7dbc644a

SHA256
885c8431091bc43a9ca302edd786f0efb82e520ccdeba7baff048f4880f096e5

SHA512
6259bae53bd7f66ee13b12f8696137d2bbfae64a28f8b0348ea12163d452bbf75e9258539cd4d48540964ad2522c1c64093927ccc18de7b207fb0a29e689a041

Download Submit
memory/1516-191-0x0000028E129A0000-0x0000028E129B0000-memory.dmp

Filesize
64KB

Download
memory/1516-184-0x00007FFEE77D0000-0x00007FFEE8291000-memory.dmp

Filesize
10.8MB

Download
memory/1516-185-0x0000028E129A0000-0x0000028E129B0000-memory.dmp

Filesize
64KB

Download
memory/1516-198-0x00007FFEE77D0000-0x00007FFEE8291000-memory.dmp

Filesize
10.8MB

Download
memory/2212-212-0x000001B4D8EB0000-0x000001B4D8EC0000-memory.dmp

Filesize
64KB

Download
memory/2212-214-0x00007FFEE77D0000-0x00007FFEE8291000-memory.dmp

Filesize
10.8MB

Download
memory/2212-205-0x000001B4D8EB0000-0x000001B4D8EC0000-memory.dmp

Filesize
64KB

Download
memory/2212-199-0x00007FFEE77D0000-0x00007FFEE8291000-memory.dmp

Filesize
10.8MB

Download
memory/2212-210-0x000001B4D8EB0000-0x000001B4D8EC0000-memory.dmp

Filesize
64KB

Download
memory/2788-182-0x00007FFEE7720000-0x00007FFEE81E1000-memory.dmp

Filesize
10.8MB

Download
memory/2788-176-0x00007FFEE7720000-0x00007FFEE81E1000-memory.dmp

Filesize
10.8MB

Download
memory/2788-178-0x0000017045C60000-0x0000017045C70000-memory.dmp

Filesize
64KB

Download
memory/2788-177-0x0000017045C60000-0x0000017045C70000-memory.dmp

Filesize
64KB

Download
memory/2788-179-0x0000017045C60000-0x0000017045C70000-memory.dmp

Filesize
64KB

Download
memory/2788-166-0x0000017047CE0000-0x0000017047D02000-memory.dmp

Filesize
136KB

Download
memory/3544-215-0x00007FFEE77D0000-0x00007FFEE8291000-memory.dmp

Filesize
10.8MB

Download
memory/3544-226-0x0000024B78DB0000-0x0000024B78DC0000-memory.dmp

Filesize
64KB

Download
memory/3544-216-0x0000024B78DB0000-0x0000024B78DC0000-memory.dmp

Filesize
64KB

Download
memory/3544-256-0x00007FFEE77D0000-0x00007FFEE8291000-memory.dmp

Filesize
10.8MB

Download
memory/4628-240-0x00007FFEE77D0000-0x00007FFEE8291000-memory.dmp

Filesize
10.8MB

Download
memory/4628-250-0x000001C15A780000-0x000001C15A790000-memory.dmp

Filesize
64KB

Download
memory/4628-251-0x000001C15A780000-0x000001C15A790000-memory.dmp

Filesize
64KB

Download
memory/4628-253-0x000001C15A780000-0x000001C15A790000-memory.dmp

Filesize
64KB

Download
memory/4628-255-0x00007FFEE77D0000-0x00007FFEE8291000-memory.dmp

Filesize
10.8MB

Download