Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/05/2024, 15:39

General

  • Target

    nursultan nexgen fix.exe

  • Size

    1.5MB

  • MD5

    a3d07c747770c9a471a44446e46e33d5

  • SHA1

    8340534fb1770bae9660287ddb0496e243efcfe4

  • SHA256

    16015088c3352a8257f420555e7ce6245aa0e6682deeca79bf7e08c24e1ac3de

  • SHA512

    307cbdddaa9f426f8ceec060c2c0b1ab5ed3573e327dbcfdda7b1dfd22cf17559f017d835d71bdd15397fa95b0c7dfbfb4cd6b51cd5b2adc1d1cddc8ffe27f99

  • SSDEEP

    24576:U2G/nvxW3Ww0tpfnNGcvUCxt9groiK5Cg3ZRvm43TzvmF2cK07:UbA30pfnLRRgrheJROuTzvIR

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Disables Task Manager via registry modification
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 7 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe
    "C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4352
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\portagentbrowserweb\WRLLAAz5wgYRSh1EMNi6f5aM.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4356
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\portagentbrowserweb\6X9rFgrS3wv5iM7PLkmLFP1j.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5096
        • C:\portagentbrowserweb\Containerruntime.exe
          "C:\portagentbrowserweb\Containerruntime.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2832
          • C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\StartMenuExperienceHost.exe
            "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\StartMenuExperienceHost.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:5008
        • C:\Windows\SysWOW64\reg.exe
          reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
          4⤵
          • Modifies registry key
          PID:264
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\Gadgets\sihost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4616
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\sihost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3304
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\Gadgets\sihost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2932
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 8 /tr "'C:\Windows\Sun\Java\Deployment\WaaSMedicAgent.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3968
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Windows\Sun\Java\Deployment\WaaSMedicAgent.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2312
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 5 /tr "'C:\Windows\Sun\Java\Deployment\WaaSMedicAgent.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4988
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\portagentbrowserweb\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4192
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\portagentbrowserweb\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4136
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\portagentbrowserweb\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:876
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\StartMenuExperienceHost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3508
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2796
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\StartMenuExperienceHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3432
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4968
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1916
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4124
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\AssertDebug.htm
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3608
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa6c8346f8,0x7ffa6c834708,0x7ffa6c834718
      2⤵
        PID:3432
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,10204179118063286447,12940372907972741345,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
        2⤵
          PID:3068
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,10204179118063286447,12940372907972741345,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1416
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,10204179118063286447,12940372907972741345,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
          2⤵
            PID:2724
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10204179118063286447,12940372907972741345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
            2⤵
              PID:952
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10204179118063286447,12940372907972741345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
              2⤵
                PID:4956
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,10204179118063286447,12940372907972741345,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4956 /prefetch:8
                2⤵
                  PID:2020
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,10204179118063286447,12940372907972741345,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4956 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:4320
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10204179118063286447,12940372907972741345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
                  2⤵
                    PID:1008
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10204179118063286447,12940372907972741345,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
                    2⤵
                      PID:2900
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10204179118063286447,12940372907972741345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
                      2⤵
                        PID:1432
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10204179118063286447,12940372907972741345,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
                        2⤵
                          PID:404
                      • C:\Windows\System32\CompPkgSrv.exe
                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                        1⤵
                          PID:3116
                        • C:\Windows\System32\CompPkgSrv.exe
                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                          1⤵
                            PID:5080

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                            Filesize

                            152B

                            MD5

                            ce4c898f8fc7601e2fbc252fdadb5115

                            SHA1

                            01bf06badc5da353e539c7c07527d30dccc55a91

                            SHA256

                            bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

                            SHA512

                            80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                            Filesize

                            152B

                            MD5

                            4158365912175436289496136e7912c2

                            SHA1

                            813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

                            SHA256

                            354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

                            SHA512

                            74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                            Filesize

                            5KB

                            MD5

                            b63d86330430134881f16eb740bfec17

                            SHA1

                            582f03cb70d6a381504305aaf6ef877f48579df3

                            SHA256

                            63c4c6f4e9ef5fd77dbdec28557c48b8e9ca1babd72681a0de9022a9c537ee09

                            SHA512

                            d7c9928d699492695d7e8076c61a75b31df301525605de94d2f75d5559c5c11753e439787bca24ad669761c5838807e77ea910520b37452aa5dcbd3b485812bb

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                            Filesize

                            6KB

                            MD5

                            0d4ddbaf33fc04e4da4f0d31c7685613

                            SHA1

                            9738a58bf59882f4962c0504a4ddf20824529769

                            SHA256

                            08bb7d8bde6e97064a608c3cd54fb3acc88e9a7c596e08c86befbd994cad8bab

                            SHA512

                            cee53f59d4bca1a35cd39fd82d1e06e5149bafe58d7f4f438007d186a678d96ed5c823d075feeb031071e9eb03dc7eb4875764997293c45aa5c1d5aed92fa269

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                            Filesize

                            16B

                            MD5

                            46295cac801e5d4857d09837238a6394

                            SHA1

                            44e0fa1b517dbf802b18faf0785eeea6ac51594b

                            SHA256

                            0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                            SHA512

                            8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                            Filesize

                            16B

                            MD5

                            206702161f94c5cd39fadd03f4014d98

                            SHA1

                            bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                            SHA256

                            1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                            SHA512

                            0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                            Filesize

                            11KB

                            MD5

                            5f564575b62ea655b9f57b0130bb7027

                            SHA1

                            7ab9a07391979286506402bc01b0e65c13715f3c

                            SHA256

                            9353a4144b944dcda4496d80894264ec983fecc4894f15a70d1c967143ed8714

                            SHA512

                            c76e8093ef1c48c6cab74aea7437078eefbf2c9ed891d95318afa7ea02a07c37d4238754d2707692eb4488c332d4c408e4554d528e8a4ef0d274a75a86bd3719

                          • C:\portagentbrowserweb\6X9rFgrS3wv5iM7PLkmLFP1j.bat

                            Filesize

                            157B

                            MD5

                            c8f8a078dace2ff4cb106803c9199643

                            SHA1

                            a5029ff4c4f0f24b0fbe2951c9a8002501ebd3b5

                            SHA256

                            1b99d39fa273f33b072c67e0df7d33b1699fa17b7c7139467a658302a5ed0e0d

                            SHA512

                            efaea3b4653768bbd135a0ec55319df2464f1d440ad982f31a5eff05c5ba5032f4718683ff6419c668bf1f34a117b5a101f56d1efc1d74ad93e692c52686f999

                          • C:\portagentbrowserweb\Containerruntime.exe

                            Filesize

                            1.2MB

                            MD5

                            5887a563351ca99247b7e2c448bd9f2e

                            SHA1

                            b24695e88143863297535989900bb7521ea86d67

                            SHA256

                            e74cbd74c838db604926e27322342c02f803b95f98680d4089b5c01ed93fb390

                            SHA512

                            b7d82bd09ba64891b75bbb9356de74a1ed0835709a391698c1301825777418f57e4f2ae3c260d3f7b6ada05d0e7ddeb4a6b75901fdf53bdd82ffa2febb685107

                          • C:\portagentbrowserweb\WRLLAAz5wgYRSh1EMNi6f5aM.vbe

                            Filesize

                            220B

                            MD5

                            61a07f2f9e8e9b1f5175b2d60c3e3f18

                            SHA1

                            e695b0c2b43c786453bf3f6ae504f0626951d281

                            SHA256

                            5c75708ec9e4fe419a2fd1067bd5793bacb28140177cc6b36300fbf28e7c23d1

                            SHA512

                            8ef3529f6bf504224e7803019f1e162aead7961bc1a5115f50fb5f580570e8b04707da21a7aab4eb7f1554a3b5333597fb3335e5f6a74dabfdb0583eecb35b5d

                          • memory/2832-13-0x0000000000640000-0x0000000000772000-memory.dmp

                            Filesize

                            1.2MB

                          • memory/2832-17-0x0000000001090000-0x000000000109C000-memory.dmp

                            Filesize

                            48KB

                          • memory/2832-16-0x00000000028B0000-0x00000000028C6000-memory.dmp

                            Filesize

                            88KB

                          • memory/2832-15-0x0000000002930000-0x0000000002980000-memory.dmp

                            Filesize

                            320KB

                          • memory/2832-14-0x0000000002890000-0x00000000028AC000-memory.dmp

                            Filesize

                            112KB

                          • memory/2832-12-0x00007FFA73CB3000-0x00007FFA73CB5000-memory.dmp

                            Filesize

                            8KB