Overview

overview

10

Static

static

3

50f212da43...cs.exe

windows7-x64

10

50f212da43...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    22-05-2024 22:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    50f212da43ad32fe7504eef47811e2f0_NeikiAnalytics.exe

  • Size

    52KB

  • MD5

    50f212da43ad32fe7504eef47811e2f0

  • SHA1

    bac5412ee24fd94f00c0d27855851aca5f6a31bc

  • SHA256

    7001597d4fa6b20a09ebbb2476555535d819d4d7c5f81b60318c9c626e70d72b

  • SHA512

    ed83b4d8062723ff19de27b6af9f507285c27c8464cb25c8f144154bfb7fa464232c0025709aa4b82d06900a8dedf16f76268f0ba531e1f2cb58d8e45bc96fa0

  • SSDEEP

    768:d+ciLamXW9XgMxjFkpvMVX8q18q13yO1+33j5n/wy0kfw:IzaEW5gMxZVXf8a3yO10pwyu

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 10 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 5 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 5 IoCs
    evasion
  • Windows security bypass 2 TTPs 25 IoCs
    evasiontrojan
  • Blocks application from running via registry modification 30 IoCs

    Adds application to list of disallowed applications.

    evasion
  • Disables RegEdit via registry modification 10 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Sets file execution options in registry 2 TTPs 10 IoCs
    persistence
  • Executes dropped EXE 24 IoCs
  • Loads dropped DLL 34 IoCs
  • Modifies system executable filetype association 2 TTPs 62 IoCs
    persistence
  • Windows security modification 2 TTPs 30 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 15 IoCs
    persistence
  • Drops desktop.ini file(s) 4 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 34 IoCs
  • Drops file in Windows directory 22 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 45 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 4 IoCs
  • Suspicious use of SetWindowsHookEx 25 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 35 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\50f212da43ad32fe7504eef47811e2f0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\50f212da43ad32fe7504eef47811e2f0_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Windows security bypass
    • Blocks application from running via registry modification
    • Disables RegEdit via registry modification
    • Sets file execution options in registry
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Windows security modification
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2484
    • C:\Windows\nEwb0Rn.exe
      C:\Windows\nEwb0Rn.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Blocks application from running via registry modification
      • Disables RegEdit via registry modification
      • Sets file execution options in registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Windows security modification
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2436
      • C:\Windows\nEwb0Rn.exe
        C:\Windows\nEwb0Rn.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2296
      • C:\Windows\SysWOW64\WishfulThinking.exe
        C:\Windows\system32\WishfulThinking.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:632
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2420
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2832
    • C:\Windows\SysWOW64\WishfulThinking.exe
      C:\Windows\system32\WishfulThinking.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Blocks application from running via registry modification
      • Disables RegEdit via registry modification
      • Sets file execution options in registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Windows security modification
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2876
      • C:\Windows\nEwb0Rn.exe
        C:\Windows\nEwb0Rn.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1700
      • C:\Windows\SysWOW64\WishfulThinking.exe
        C:\Windows\system32\WishfulThinking.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:1836
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1632
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2404
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Blocks application from running via registry modification
      • Disables RegEdit via registry modification
      • Sets file execution options in registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Windows security modification
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:588
      • C:\Windows\nEwb0Rn.exe
        C:\Windows\nEwb0Rn.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2220
      • C:\Windows\SysWOW64\WishfulThinking.exe
        C:\Windows\system32\WishfulThinking.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:2656
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2836
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1524
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Windows security bypass
      • Blocks application from running via registry modification
      • Disables RegEdit via registry modification
      • Sets file execution options in registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Windows security modification
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2712
      • C:\Windows\nEwb0Rn.exe
        C:\Windows\nEwb0Rn.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2432
      • C:\Windows\SysWOW64\WishfulThinking.exe
        C:\Windows\system32\WishfulThinking.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of SetWindowsHookEx
        PID:592
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2868
      • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
        "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2464
    • C:\Windows\nEwb0Rn.exe
      C:\Windows\nEwb0Rn.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1084
    • C:\Windows\SysWOW64\WishfulThinking.exe
      C:\Windows\system32\WishfulThinking.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of SetWindowsHookEx
      PID:1952
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2188
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Modify Registry

10
T1112

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif
    Filesize

    52KB

    MD5

    539b8594d3a8efd62355e8c0ced778c7

    SHA1

    1b17aa4642638c5ba22a1948615e2c0c4039afd6

    SHA256

    44707c3eb21a9da39fb6cf7e146d889dd77c66d35ccd2095ff57607ffd436553

    SHA512

    52f9b7712baf6c33933ce2f5e6c19e29ce9abd91e0b02f344f8a454529c9a2142cd288c74dd2489eaa1400ad9b0928f0dd49c55ef40cd0b29d3245e97e3b96ae

    Download Submit

  • C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif
    Filesize

    52KB

    MD5

    627f3ab39b6e85fc52223c015473c736

    SHA1

    13d6bb20a63a62389ba13decf79238ddbc9baf69

    SHA256

    235ea2d3d97c80c1329c01eb017386be3e4d680659e7a0907f45765cd93486ae

    SHA512

    e44de68837ad6e983610c82bc9daba9c97bcd22576c652dd6c0d6a760f3863e43897cb03ecccfaab3134adb25388f2bfbb7e46198b572a6c2c6d539182d55e8b

    Download Submit

  • C:\Windows\MSVBVM60.DLL
    Filesize

    1.3MB

    MD5

    5343a19c618bc515ceb1695586c6c137

    SHA1

    4dedae8cbde066f31c8e6b52c0baa3f8b1117742

    SHA256

    2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

    SHA512

    708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

    Download Submit

  • C:\Windows\SysWOW64\DamageControl.scr
    Filesize

    52KB

    MD5

    021f23ee0fa80154479d46e40c1d7073

    SHA1

    406e07ee3d54cd1e0f17edfbf60c2d4ed5539bf7

    SHA256

    362636e43367f3976c31d10db3a937f3ca481cbd74ba5fdb4b1f29cf4bfbaea6

    SHA512

    3cd0acc85763b4cbfd3962e27f821fae21c4c9c495895e41312ee77d5ded573be507ea579cc3a120322f0763a57d67e98c3278cb98059c5938ef4d8f3683b332

    Download Submit

  • C:\Windows\SysWOW64\DamageControl.scr
    Filesize

    52KB

    MD5

    38c808fa5344842b252597326c1ef4fd

    SHA1

    c90087475339924ba66253c9cbb0dd4ff9401877

    SHA256

    707c54c355d0a926b900b86a814a6102c69de6fa36e120aaeb11c900670b7a24

    SHA512

    4b2a98ef2d63837b6a89c2ed6f5cc91d27f87871abaf8b893575dbaa9188d534a17b1a2acf21fb6f7c2fddd5f558e05b5d076955de3b10244085c2ce1c449db5

    Download Submit

  • C:\Windows\SysWOW64\DamageControl.scr
    Filesize

    52KB

    MD5

    50f212da43ad32fe7504eef47811e2f0

    SHA1

    bac5412ee24fd94f00c0d27855851aca5f6a31bc

    SHA256

    7001597d4fa6b20a09ebbb2476555535d819d4d7c5f81b60318c9c626e70d72b

    SHA512

    ed83b4d8062723ff19de27b6af9f507285c27c8464cb25c8f144154bfb7fa464232c0025709aa4b82d06900a8dedf16f76268f0ba531e1f2cb58d8e45bc96fa0

    Download Submit

  • C:\Windows\SysWOW64\JawsOfLife.exe
    Filesize

    52KB

    MD5

    da0558abdb1fe1f7b7bb399378ee9c89

    SHA1

    ab75a655a4510a9230615b944cd784b3f79a3fe1

    SHA256

    9b8397607dec36dfb9ccabd8daf75ff12ce9817201887f1209f3d87c474c8ca1

    SHA512

    f54e455065d0fb597d2bce16d776a72465b4aeb3429040e6313ee2b3857f243692cb24d624d1f116c364dd083c1a009e8e96158c46235c526bf8857f6810ebbb

    Download Submit

  • C:\Windows\SysWOW64\JawsOfLife.exe
    Filesize

    52KB

    MD5

    1bd69ff95440aeaa6968060beaadeec0

    SHA1

    102a35f488fd53d498d40fc125f36d2f2ee786e9

    SHA256

    8fc3819580446259be73a60ca57a3021522fe135c047c2f70381b976d191c614

    SHA512

    b132c935f8461981f30d229ac968c4c8a0efd8d466ac222ecec271968e55896918b96a54674c6f5ba3bc100763e2b7ba6f652f021c8c48c6c6190c403eecee9c

    Download Submit

  • C:\Windows\SysWOW64\JawsOfLife.exe
    Filesize

    52KB

    MD5

    d71a2bcbcbc210eb301c5a11cb4deb90

    SHA1

    ee5f7c1ee3b8ca590f2f9c9f97253be57d90c939

    SHA256

    bb8661117fc285cff4628a6b555e2d01ce1937e4840d30e34aa1d7507d449572

    SHA512

    723125166837981d54eb5519de8bb3ab2ab3d8d8f9b7e4b00bf80c84307106b416134ce00b6db2b835dcc6c8943a1d01ad6c83223b69eebcd2e7c9610ebb95ec

    Download Submit

  • C:\Windows\nEwb0Rn.exe
    Filesize

    52KB

    MD5

    889995c90212aabb2771bc57cc697682

    SHA1

    317215ace8c421e0684b578e2d83f09052f80959

    SHA256

    675ef553c6d0bc792042cfaab2a2b97401ddf0325beb2cad2472f91314c9e2cf

    SHA512

    e9fc03a93072f136f7404e7a055c17e8057442bb56e35aa42dee9b35d5769a01e4b32d657b5e22f192e89e99ac95d581810b49789fb9728530cb3d77e84fc294

    Download Submit

  • C:\about.htm
    Filesize

    2KB

    MD5

    94c0c5518c4f4bb044842a006d04932a

    SHA1

    23d9a914f6681d65e2b1faa171f4cf492562ebdb

    SHA256

    224c4e5cdc0e7495c5fb5d1f52d76807092b5cc2d0a7c95fa612ff7b1412706e

    SHA512

    79cb2cd9e19ac3cc8bd94f1a20369e61224f8db02bc04d1f5768d62163b68467a3d317808a942bc7cca6ca84c221bb54a76e097f543c88bb89f0a3c9534ff3bb

    Download Submit

  • C:\nEwb0Rn.exe
    Filesize

    52KB

    MD5

    2831365f4c6f42b1bae066515e41d8ab

    SHA1

    acf43ac72620ddbbd616d7fb5ca42260b8cab5f2

    SHA256

    47c8c1fd09daee524fc8461f26f40078ac240e045f97c6bc687e4ccbd3e6cf98

    SHA512

    0d4844ded19a7373f2363561cc9407ff01536a6e0a5931b47fe90d047ac4dba86de94ec4ea546de3c4dc098fd4dea256771d6e42b8da78d25f95377f2942c930

    Download Submit

  • C:\nEwb0Rn.exe
    Filesize

    52KB

    MD5

    aa3157d587427d1d2e6c2253cda3f98c

    SHA1

    a54a4505f1285ef892f125bb921af4c167ed4258

    SHA256

    ec35650ac852574d0092dfaa985ac176be87ce7650632f5f91ba7a2f434db5a7

    SHA512

    ec0f7a2fd929bbf0d3f68f41ac0898cf9f70f5e33064d3dda2d27bf0f3ae796dc08e3ea9412d8be5313caf7beb5615b95fa0d3fdcfd177605cba587e8261e25a

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
    Filesize

    52KB

    MD5

    17fe3c170afe6eae0f0f9cc807bc631f

    SHA1

    0958ed641ef0ff271967a8bd874aaa088574f010

    SHA256

    af646ebd18263c5cf72db44cc6a87f30b6c73d51f11319a050f43e51289fe748

    SHA512

    1ff51521b87ae88068e4eb6e3b9460efd6f7ab06b83091b89a07b5122ef02582ef829f0c0a382125da93d5cd8900cdf931eded1a7cb8fcfed1a917ed5dbf3dc1

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize

    52KB

    MD5

    8d38658b93d9905f06fd2bd1ba1aa3e7

    SHA1

    cf747d443e0da9722908a627278e6eee54926667

    SHA256

    1216d8bd94c0f5eca1c68f0310e3c7d6c6ffae38ceb08723d9ae59e070930535

    SHA512

    ddfb2699b05b43aa74236a86ad800c756213a7823bf518b7e4d28ee93f521b072c60283d1b1a8a1cefbd6ba621a970b588e473d62ebdc2888d378ef27336fbd8

    Download Submit

  • \Windows\SysWOW64\WishfulThinking.exe
    Filesize

    52KB

    MD5

    5e82ce0e9d82feb2c82520dfa50304c2

    SHA1

    1c5470595fc6615f0cf3e20ced6a4e5c47b51b0d

    SHA256

    3a6671f4173a6a1dce7abfa6e71eefcabe546a0900aea0dd33e5dfc75818b1bc

    SHA512

    47a615329d8337994d0e766db42a4688c1ef0156e9dda6d19f1169acc805ef1eacf607b72f62157b9d1dd0bfe90de05b5713cc0cc5c288793db5ad46668eb953

    Download Submit

  • memory/588-465-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/588-298-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/588-468-0x00000000025E0000-0x0000000002608000-memory.dmp

    Filesize

    160KB

    Download

  • memory/588-476-0x00000000025E0000-0x0000000002608000-memory.dmp

    Filesize

    160KB

    Download

  • memory/588-445-0x00000000025E0000-0x0000000002608000-memory.dmp

    Filesize

    160KB

    Download

  • memory/588-409-0x00000000025E0000-0x0000000002608000-memory.dmp

    Filesize

    160KB

    Download

  • memory/588-104-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/588-475-0x00000000025E0000-0x0000000002608000-memory.dmp

    Filesize

    160KB

    Download

  • memory/592-453-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/632-276-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/632-411-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/1084-164-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1084-152-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/1084-165-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/1524-452-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/1524-446-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/1632-413-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/1632-299-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/1700-267-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1700-263-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/1700-253-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1700-252-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1836-273-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/1952-203-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/1952-166-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2188-210-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2220-382-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2220-361-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2220-383-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2296-217-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2296-218-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2296-214-0x00000000001B0000-0x00000000001C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2296-213-0x00000000001B0000-0x00000000001C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2404-435-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2420-421-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2432-438-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2432-437-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2436-469-0x00000000004B0000-0x00000000004D8000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2436-470-0x00000000004B0000-0x00000000004D8000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2436-426-0x00000000004B0000-0x00000000004D8000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2436-161-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2436-463-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2436-80-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2436-425-0x00000000004B0000-0x00000000004D8000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2464-461-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2484-102-0x0000000002540000-0x0000000002568000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2484-115-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2484-109-0x0000000002540000-0x0000000002568000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2484-261-0x0000000002540000-0x0000000002568000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2484-255-0x0000000002540000-0x0000000002568000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2484-380-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2484-258-0x0000000002540000-0x0000000002568000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2484-257-0x0000000002540000-0x0000000002568000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2484-79-0x0000000002540000-0x0000000002568000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2484-74-0x0000000002540000-0x0000000002568000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2484-0-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2484-84-0x0000000002540000-0x0000000002568000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2656-419-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2656-415-0x0000000000220000-0x0000000000230000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2712-466-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2712-440-0x0000000000530000-0x0000000000558000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2712-439-0x0000000000530000-0x0000000000558000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2712-423-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2712-408-0x0000000000530000-0x0000000000558000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2712-467-0x0000000000530000-0x0000000000558000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2712-477-0x0000000000530000-0x0000000000558000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2832-427-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2832-429-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2836-450-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2868-458-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2868-456-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2876-464-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2876-256-0x0000000001FF0000-0x0000000002018000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2876-91-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2876-254-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2932-262-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2932-271-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download