Analysis

  • max time kernel
    1187s
  • max time network
    1196s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-05-2024 15:18

General

  • Target

    nursultan nexgen fix.exe

  • Size

    1.5MB

  • MD5

    a3d07c747770c9a471a44446e46e33d5

  • SHA1

    8340534fb1770bae9660287ddb0496e243efcfe4

  • SHA256

    16015088c3352a8257f420555e7ce6245aa0e6682deeca79bf7e08c24e1ac3de

  • SHA512

    307cbdddaa9f426f8ceec060c2c0b1ab5ed3573e327dbcfdda7b1dfd22cf17559f017d835d71bdd15397fa95b0c7dfbfb4cd6b51cd5b2adc1d1cddc8ffe27f99

  • SSDEEP

    24576:U2G/nvxW3Ww0tpfnNGcvUCxt9groiK5Cg3ZRvm43TzvmF2cK07:UbA30pfnLRRgrheJROuTzvIR

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Process spawned unexpected child process 36 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Disables Task Manager via registry modification
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 22 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in Program Files directory 10 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 36 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 2 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe
    "C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4960
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\portagentbrowserweb\WRLLAAz5wgYRSh1EMNi6f5aM.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2160
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\portagentbrowserweb\6X9rFgrS3wv5iM7PLkmLFP1j.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4392
        • C:\portagentbrowserweb\Containerruntime.exe
          "C:\portagentbrowserweb\Containerruntime.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:224
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mhkL5UGXK6.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4304
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:2520
              • C:\Program Files\Internet Explorer\ja-JP\RuntimeBroker.exe
                "C:\Program Files\Internet Explorer\ja-JP\RuntimeBroker.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                PID:4580
          • C:\Windows\SysWOW64\reg.exe
            reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            4⤵
            • Modifies registry key
            PID:1560
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Windows\GameBarPresenceWriter\OfficeClickToRun.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1668
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\OfficeClickToRun.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4968
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Windows\GameBarPresenceWriter\OfficeClickToRun.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:5032
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\portagentbrowserweb\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4984
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\portagentbrowserweb\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1536
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\portagentbrowserweb\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2764
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1612
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3532
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3540
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\OfficeClickToRun.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1356
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\OfficeClickToRun.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1484
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\OfficeClickToRun.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4352
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\portagentbrowserweb\TextInputHost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1704
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\portagentbrowserweb\TextInputHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2352
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\portagentbrowserweb\TextInputHost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3476
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\WmiPrvSE.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2296
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\WmiPrvSE.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1768
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\WmiPrvSE.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4272
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\portagentbrowserweb\spoolsv.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4228
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\portagentbrowserweb\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1036
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\portagentbrowserweb\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2120
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\services.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1808
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4720
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1164
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4696
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2992
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3000
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Program Files\dotnet\sysmon.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2556
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\dotnet\sysmon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4952
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Program Files\dotnet\sysmon.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2108
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3544
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3528
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4588
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\ja-JP\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4524
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\ja-JP\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2384
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\ja-JP\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1936
    • C:\Recovery\WindowsRE\conhost.exe
      C:\Recovery\WindowsRE\conhost.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4464
    • C:\Program Files\Windows Photo Viewer\de-DE\OfficeClickToRun.exe
      "C:\Program Files\Windows Photo Viewer\de-DE\OfficeClickToRun.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4556
    • C:\portagentbrowserweb\TextInputHost.exe
      C:\portagentbrowserweb\TextInputHost.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4600
    • C:\Program Files (x86)\Common Files\WmiPrvSE.exe
      "C:\Program Files (x86)\Common Files\WmiPrvSE.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2528
    • C:\portagentbrowserweb\spoolsv.exe
      C:\portagentbrowserweb\spoolsv.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1572
    • C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\services.exe
      "C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\services.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4332
    • C:\Recovery\WindowsRE\upfc.exe
      C:\Recovery\WindowsRE\upfc.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1172
    • C:\Program Files\Internet Explorer\ja-JP\RuntimeBroker.exe
      "C:\Program Files\Internet Explorer\ja-JP\RuntimeBroker.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1012
    • C:\Recovery\WindowsRE\conhost.exe
      C:\Recovery\WindowsRE\conhost.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:440
    • C:\Program Files\dotnet\sysmon.exe
      "C:\Program Files\dotnet\sysmon.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4464
    • C:\Recovery\WindowsRE\sihost.exe
      C:\Recovery\WindowsRE\sihost.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3124
    • C:\Program Files\Windows Photo Viewer\de-DE\OfficeClickToRun.exe
      "C:\Program Files\Windows Photo Viewer\de-DE\OfficeClickToRun.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4796
    • C:\portagentbrowserweb\TextInputHost.exe
      C:\portagentbrowserweb\TextInputHost.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4920
    • C:\Program Files (x86)\Common Files\WmiPrvSE.exe
      "C:\Program Files (x86)\Common Files\WmiPrvSE.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3344
    • C:\portagentbrowserweb\spoolsv.exe
      C:\portagentbrowserweb\spoolsv.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1780
    • C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\services.exe
      "C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\services.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3892
    • C:\Recovery\WindowsRE\conhost.exe
      C:\Recovery\WindowsRE\conhost.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2752
    • C:\Recovery\WindowsRE\upfc.exe
      C:\Recovery\WindowsRE\upfc.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:5004
    • C:\Program Files\Internet Explorer\ja-JP\RuntimeBroker.exe
      "C:\Program Files\Internet Explorer\ja-JP\RuntimeBroker.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3956
    • C:\Recovery\WindowsRE\conhost.exe
      C:\Recovery\WindowsRE\conhost.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1888

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WmiPrvSE.exe.log
      Filesize

      1KB

      MD5

      baf55b95da4a601229647f25dad12878

      SHA1

      abc16954ebfd213733c4493fc1910164d825cac8

      SHA256

      ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

      SHA512

      24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

    • C:\Users\Admin\AppData\Local\Temp\mhkL5UGXK6.bat
      Filesize

      223B

      MD5

      5d1e9f05ff07a8af0239e89566f57a8a

      SHA1

      a1919e37838f587d3185dab332b40d8a8b40ce7b

      SHA256

      39f851eab7acef9f55f091f6efcb40a3be44ec42c4ea4ece4c5b46939d419d1e

      SHA512

      434e99eb40716ef87f145b68835d0bad1878698eec53f8c83be4d04a3e3f67660975ff38273b7ea176003c62b952161ecac67984222bd5008f96091b0bba3992

    • C:\portagentbrowserweb\6X9rFgrS3wv5iM7PLkmLFP1j.bat
      Filesize

      157B

      MD5

      c8f8a078dace2ff4cb106803c9199643

      SHA1

      a5029ff4c4f0f24b0fbe2951c9a8002501ebd3b5

      SHA256

      1b99d39fa273f33b072c67e0df7d33b1699fa17b7c7139467a658302a5ed0e0d

      SHA512

      efaea3b4653768bbd135a0ec55319df2464f1d440ad982f31a5eff05c5ba5032f4718683ff6419c668bf1f34a117b5a101f56d1efc1d74ad93e692c52686f999

    • C:\portagentbrowserweb\Containerruntime.exe
      Filesize

      1.2MB

      MD5

      5887a563351ca99247b7e2c448bd9f2e

      SHA1

      b24695e88143863297535989900bb7521ea86d67

      SHA256

      e74cbd74c838db604926e27322342c02f803b95f98680d4089b5c01ed93fb390

      SHA512

      b7d82bd09ba64891b75bbb9356de74a1ed0835709a391698c1301825777418f57e4f2ae3c260d3f7b6ada05d0e7ddeb4a6b75901fdf53bdd82ffa2febb685107

    • C:\portagentbrowserweb\WRLLAAz5wgYRSh1EMNi6f5aM.vbe
      Filesize

      220B

      MD5

      61a07f2f9e8e9b1f5175b2d60c3e3f18

      SHA1

      e695b0c2b43c786453bf3f6ae504f0626951d281

      SHA256

      5c75708ec9e4fe419a2fd1067bd5793bacb28140177cc6b36300fbf28e7c23d1

      SHA512

      8ef3529f6bf504224e7803019f1e162aead7961bc1a5115f50fb5f580570e8b04707da21a7aab4eb7f1554a3b5333597fb3335e5f6a74dabfdb0583eecb35b5d

    • memory/224-12-0x00007FFF0A813000-0x00007FFF0A815000-memory.dmp
      Filesize

      8KB

    • memory/224-13-0x00000000005F0000-0x0000000000722000-memory.dmp
      Filesize

      1.2MB

    • memory/224-14-0x0000000002830000-0x000000000284C000-memory.dmp
      Filesize

      112KB

    • memory/224-16-0x0000000002850000-0x0000000002866000-memory.dmp
      Filesize

      88KB

    • memory/224-15-0x000000001B310000-0x000000001B360000-memory.dmp
      Filesize

      320KB

    • memory/224-17-0x0000000002870000-0x000000000287C000-memory.dmp
      Filesize

      48KB