c56c00ca3f42026f17affef76b3752f268d1498f862b3143985ca7c1d33feb39

Resubmissions

21-01-2025 13:35

250121-qvptgawqbk 10

21-01-2025 11:58

21-01-2025 11:44

21-01-2025 11:07

17-07-2024 20:08

Analysis

max time kernel
58s
max time network
64s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
17-07-2024 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1PDF.FaturaDetay_202407.exe
Size

323KB
MD5

d8bf792f818877bf4848fde9511caeb8
SHA1

a8aea1abb7cf1ddb275584bb5746c97790342e80
SHA256

f5d96127b34730cf3bbbccd1c35098873fc0af897cc5d6dc3dd39a8e64c511d7
SHA512

28292c32d518cecb66ef0a41f583022b6c125ae758fb013dd51896c25625cc23da2a8604d794e2198939f994d15bec09d9b67003bc5bd734d27b15b167e1ebe4
SSDEEP

6144:CZABbWqsE/Ao+mv8Qv0LVmwq4FU0fNoy6BLtsorUC7ggXpTILMYSQpIIQENMshQt:kANwRo+mv8QD4+0V161tTNjkIIFN5c

Score

8^/10

defense_evasion discovery execution persistence

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2976	powershell.exe

Executes dropped EXE 15 IoCs

pid	Process
2688	RootDesign.exe
3044	RootDesign.exe
2820	RootDesign.exe
4644	RootDesign.exe
2988	RootDesign.exe
1644	RootDesign.exe
2028	RootDesign.exe
4136	RootDesign.exe
1928	RootDesign.exe
2056	RootDesign.exe
3640	RootDesign.exe
220	RootDesign.exe
4008	RootDesign.exe
4452	RootDesign.exe
4120	RootDesign.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3666881604-935092360-1617577973-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUqdates = "C:\\TheDream\\RootDesign.exe"	RootDesign.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Hide Artifacts: Hidden Window 1 TTPs 1 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
1548	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2976	powershell.exe
2976	powershell.exe
4936	powershell.exe
4936	powershell.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	4936	powershell.exe
Token: SeDebugPrivilege	2820	RootDesign.exe
Token: SeDebugPrivilege	4644	RootDesign.exe
Token: SeDebugPrivilege	2988	RootDesign.exe
Token: SeDebugPrivilege	1644	RootDesign.exe
Token: SeDebugPrivilege	2028	RootDesign.exe
Token: SeDebugPrivilege	4136	RootDesign.exe
Token: SeDebugPrivilege	1928	RootDesign.exe
Token: SeDebugPrivilege	2056	RootDesign.exe
Token: SeDebugPrivilege	3640	RootDesign.exe
Token: SeDebugPrivilege	220	RootDesign.exe
Token: SeDebugPrivilege	4008	RootDesign.exe
Token: SeDebugPrivilege	4452	RootDesign.exe
Token: SeDebugPrivilege	4120	RootDesign.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 3516 wrote to memory of 1548	3516	1PDF.FaturaDetay_202407.exe	82
PID 3516 wrote to memory of 1548	3516	1PDF.FaturaDetay_202407.exe	82
PID 3516 wrote to memory of 1548	3516	1PDF.FaturaDetay_202407.exe	82
PID 1548 wrote to memory of 2976	1548	cmd.exe	84
PID 1548 wrote to memory of 2976	1548	cmd.exe	84
PID 1548 wrote to memory of 2976	1548	cmd.exe	84
PID 2976 wrote to memory of 4936	2976	powershell.exe	85
PID 2976 wrote to memory of 4936	2976	powershell.exe	85
PID 2976 wrote to memory of 4936	2976	powershell.exe	85
PID 4936 wrote to memory of 2688	4936	powershell.exe	86
PID 4936 wrote to memory of 2688	4936	powershell.exe	86
PID 4936 wrote to memory of 2688	4936	powershell.exe	86
PID 2688 wrote to memory of 3044	2688	RootDesign.exe	90
PID 2688 wrote to memory of 3044	2688	RootDesign.exe	90
PID 2688 wrote to memory of 3044	2688	RootDesign.exe	90
PID 3044 wrote to memory of 2820	3044	RootDesign.exe	91
PID 3044 wrote to memory of 2820	3044	RootDesign.exe	91
PID 3044 wrote to memory of 2820	3044	RootDesign.exe	91
PID 2820 wrote to memory of 4644	2820	RootDesign.exe	93
PID 2820 wrote to memory of 4644	2820	RootDesign.exe	93
PID 2820 wrote to memory of 4644	2820	RootDesign.exe	93
PID 4644 wrote to memory of 2988	4644	RootDesign.exe	95
PID 4644 wrote to memory of 2988	4644	RootDesign.exe	95
PID 4644 wrote to memory of 2988	4644	RootDesign.exe	95
PID 2988 wrote to memory of 1644	2988	RootDesign.exe	96
PID 2988 wrote to memory of 1644	2988	RootDesign.exe	96
PID 2988 wrote to memory of 1644	2988	RootDesign.exe	96
PID 1644 wrote to memory of 2028	1644	RootDesign.exe	97
PID 1644 wrote to memory of 2028	1644	RootDesign.exe	97
PID 1644 wrote to memory of 2028	1644	RootDesign.exe	97
PID 2028 wrote to memory of 4136	2028	RootDesign.exe	98
PID 2028 wrote to memory of 4136	2028	RootDesign.exe	98
PID 2028 wrote to memory of 4136	2028	RootDesign.exe	98
PID 4136 wrote to memory of 1928	4136	RootDesign.exe	99
PID 4136 wrote to memory of 1928	4136	RootDesign.exe	99
PID 4136 wrote to memory of 1928	4136	RootDesign.exe	99
PID 1928 wrote to memory of 2056	1928	RootDesign.exe	102
PID 1928 wrote to memory of 2056	1928	RootDesign.exe	102
PID 1928 wrote to memory of 2056	1928	RootDesign.exe	102
PID 2056 wrote to memory of 3640	2056	RootDesign.exe	103
PID 2056 wrote to memory of 3640	2056	RootDesign.exe	103
PID 2056 wrote to memory of 3640	2056	RootDesign.exe	103
PID 3640 wrote to memory of 220	3640	RootDesign.exe	104
PID 3640 wrote to memory of 220	3640	RootDesign.exe	104
PID 3640 wrote to memory of 220	3640	RootDesign.exe	104
PID 220 wrote to memory of 4008	220	RootDesign.exe	108
PID 220 wrote to memory of 4008	220	RootDesign.exe	108
PID 220 wrote to memory of 4008	220	RootDesign.exe	108
PID 4008 wrote to memory of 4452	4008	RootDesign.exe	109
PID 4008 wrote to memory of 4452	4008	RootDesign.exe	109
PID 4008 wrote to memory of 4452	4008	RootDesign.exe	109
PID 4452 wrote to memory of 4120	4452	RootDesign.exe	110
PID 4452 wrote to memory of 4120	4452	RootDesign.exe	110
PID 4452 wrote to memory of 4120	4452	RootDesign.exe	110

C:\Users\Admin\AppData\Local\Temp\1PDF.FaturaDetay_202407.exe
"C:\Users\Admin\AppData\Local\Temp\1PDF.FaturaDetay_202407.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden powershell -c C:\TheDream\RootDesign.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden powershell -c C:\TheDream\RootDesign.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c C:\TheDream\RootDesign.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4936
    - - C:\TheDream\RootDesign.exe
        
        "C:\TheDream\RootDesign.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2688
      - C:\TheDream\RootDesign.exe
        
        "C:\TheDream\RootDesign.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\TheDream\RootDesign.exe
        
        "C:\TheDream\RootDesign.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\TheDream\RootDesign.exe
        
        "C:\TheDream\RootDesign.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4644
        
        C:\TheDream\RootDesign.exe
        
        "C:\TheDream\RootDesign.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\TheDream\RootDesign.exe
        
        "C:\TheDream\RootDesign.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\TheDream\RootDesign.exe
        
        "C:\TheDream\RootDesign.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\TheDream\RootDesign.exe
        
        "C:\TheDream\RootDesign.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4136
        
        C:\TheDream\RootDesign.exe
        
        "C:\TheDream\RootDesign.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\TheDream\RootDesign.exe
        
        "C:\TheDream\RootDesign.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\TheDream\RootDesign.exe
        
        "C:\TheDream\RootDesign.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3640
        
        C:\TheDream\RootDesign.exe
        
        "C:\TheDream\RootDesign.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\TheDream\RootDesign.exe
        
        "C:\TheDream\RootDesign.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4008
        
        C:\TheDream\RootDesign.exe
        
        "C:\TheDream\RootDesign.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\TheDream\RootDesign.exe
        
        "C:\TheDream\RootDesign.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\TheDream\RootDesign.exe

Filesize
126KB

MD5
ba563203779c4ad6b2e619c42463f4a8

SHA1
d85458664b6c971d2e24da84a2dbbb88a03fc542

SHA256
a5794b8e199ca1a7c35cb4d393282fde4a73e9f9190153e97a13eb9baf3a35e6

SHA512
6a6b85d228ac630f6468965d5b8c66d2f7edc07f1a18444debc22b46a7923fe7021e4219cb3513ac1996d6b36052d64455267836835f5df12961039a1b858849

Download Submit
C:\TheDream\log.txt

Filesize
138B

MD5
fa0440d87ec10af45f66333216844909

SHA1
2f1ff91d9a7f001176b06f3b70c4d593ed33c3d4

SHA256
c4fbf77cf6239d853c97644cf6aeeb959dcffb61ca9eed3a3605be66d198e451

SHA512
7d599131dd374b5359cb5cdc862af91ae90621c16ec2a5d35745330ddc8580ffd1322f50f6aa8c33cf83d732e031e93a980b34a11b162e5e798c6470b60c5f97

Download Submit
C:\TheDream\log.txt

Filesize
153B

MD5
c008ffc89a197bacb86718c0bd5c76bc

SHA1
048f4007285eee07ea2269e596cea941cc59725f

SHA256
0b72c619f792591166ca361aa368e1fea6201ad25c2e3141081e2b00aabee25b

SHA512
e36c579e6441528d7f02c5229a4ca989ffe52708ecd2ab2d976b5a6c55785b00202fae3d0431e12e428f3f45d0f74ae7b68e15c1b991139f17fdb1d14d5b3ec4

Download Submit
C:\TheDream\log.txt

Filesize
168B

MD5
4c1ac33e48afabde05f3b008972ce1fe

SHA1
7e8309854591cc4241505a07b0d96a6b05c957b7

SHA256
ed4fa850abf07403217302c8a0dbcd7027eac7adf89854cbd0a6b148c34b53ad

SHA512
1e71f789e68e31105922f13c4c16d8d71aeaaf81fe63655e7d5b0f3caf576ef012531b38c16fbf0cc259a610d2e7911822930f2276cad8f80ed757cc43d8cd62

Download Submit
C:\TheDream\log.txt

Filesize
183B

MD5
537b234acfbc03809e2ea6472eb85287

SHA1
b4ad167d8eae2a2aff0fcc820f392fad7fdfd10f

SHA256
ab2181424f65545b16d43254ef61929c13282f39d98c1aaca1de3f7ec15b1988

SHA512
038f35253b7ba243ff78973e2bdc1ed37633df87240baaf4504a7f9c0613ae2f5b2ca165f8234d0755a89e5f6304a16e86502f654014198186ae81d08b18ea3e

Download Submit
C:\TheDream\log.txt

Filesize
198B

MD5
8f35d2e08da3b2cea10bd75fa259d585

SHA1
b2ec34511c4dba3abf542b16ca90c0d8e516afe7

SHA256
914107c0ed2e0b015a775b549e6b472786c572bacadd5fdb566326da36f197c8

SHA512
884154ee90522f38bc0a9880b5426bf18b355f158f1c00b746fa6c2107693d9fe13e2a8e7580e1b2e736a88ab2b89a2dd3c890ab72c89342225a49d091ffb31e

Download Submit
C:\TheDream\log.txt

Filesize
213B

MD5
a3a64fa03717fce236b529388da4810a

SHA1
d528d26dd06d75cf655645693184d29df36b83a9

SHA256
f2cd16e4c354581c9c1a7dfbb54b1d7fb07527f9f1cd2939c9988e7063ecf0eb

SHA512
30cbcf8be1559609c813be64a3ced98f29c820a5ed2046b9220b1c61844209e5e46380cfc1bd8ed578f889473017735c5b918ab5f3847364e4ebe56abb5c0ae7

Download Submit
C:\TheDream\log.txt

Filesize
17B

MD5
6973b88e8ca2c8c4ad67369cd211a49f

SHA1
cce768cc4a13cf8edd1841add873c2b0dea1738b

SHA256
b060331cb9f98d15d3fe25b8a311dc431c84a85bfa06426ad80cc3bef5b924ec

SHA512
35e2ddc683fea47325d6c7374a6a93faa71d52185b2f0f127a9cf7dec0f2347b12668eb668a267314443ed511b5e7d939f1f93640b9c6425fcc660d42f35d945

Download Submit
C:\TheDream\log.txt

Filesize
33B

MD5
b1eec1f4ab428032df8fe89e1126d0eb

SHA1
545171c320602c976b0fc13754ddbb307724e0aa

SHA256
c3b9233cb90ee38b6916f27a84fcbfbd70e7d59f792a4a191e5b6adb87ca75f1

SHA512
f5f624a15f1f6910c25e5c1f7b292345062378972c07106c64d7139def46ee3dea7e3b99ba4216c2cd7d84a7a82906b0092b97edff86865b5e73b12156edea1a

Download Submit
C:\TheDream\log.txt

Filesize
48B

MD5
1d89a8d548de37e16541372cc27300af

SHA1
5fd89d509296bf368c2e498a0bc72e04aea596f5

SHA256
93e10bc4fe7068fe7564384e1d32d850b97183d54067dcd7618c6c21aabb94fa

SHA512
ee0ff6bec74732277459a9a81e147e4dcc194fa8f5b57406b68424220b16f9b5ddf2a26c063566d1e120afbda37b59fc36adb94f1b7308989fa1055400e19258

Download Submit
C:\TheDream\log.txt

Filesize
63B

MD5
f81d9e83620c89bfde85ab2941bb0376

SHA1
1fbfcc09f799a24f82e678ca1c474e1ab1f63a52

SHA256
385d6c604a215eb5866ae59f63656fb58d0af0782156a1546de47682174807d7

SHA512
b12f842f8b9f2faf6b1bca1b637b4b54821b9a9c473974322cf3af80e6eac21e398ff16d03546a94733b94909e71553a45814a9dd669dfbb9b9c6a1dd0407a5b

Download Submit
C:\TheDream\log.txt

Filesize
78B

MD5
e5194869aa1e865bef36ee36b51aa863

SHA1
51e5896c5ae667ab0c3a6a7206a22d0332d2aa45

SHA256
4c8c1f2d9ef8192c3afd48d716c3c572acbde061dad28c93b96b4dd322094ee4

SHA512
ed523b4f21f15d1ce5c05b0856a58b45a51894e572f7dcafbc7ebb82fbf0164b9375635a0328636011e185f0b8874446c266a7591112abd23065457eb9f52747

Download Submit
C:\TheDream\log.txt

Filesize
93B

MD5
c750d058e9c023e7abe42af831492850

SHA1
d30e88ae6aff3de778ad8c220e2d59aae9aa3352

SHA256
4a0ba824e91f2ca7987a077f9fb81cae03b1fa9a1c2a7a67f79beea1c1b3e625

SHA512
f623b6a066702c86808b3bb1f57bcd505653eae75cf5b713043cd3f96b1acdbb2e7512455a00dd9d746ffea87afece5cdeee55371fc5baafcce892847e82129b

Download Submit
C:\TheDream\log.txt

Filesize
108B

MD5
d1a558e5ec2a77d45e9c9582ba8fa824

SHA1
23089dd277005ac0d9f2dfcebfbb0b502f9768d7

SHA256
b1c032cfce765a0dd494411169cf576d1d179ae7fe747b87229826abaa1f6d3a

SHA512
890e9fe98f9d497d79ee9c23d0cc00a093298989ee80e189b83f77fee6e46b662f8789643b1105d60289aadb2a0d1ff8771a3b1b1bc734d5b48f21e0d3ec64fe

Download Submit
C:\TheDream\log.txt

Filesize
123B

MD5
05f6ab189a1de6e6df6e38f5b0b8b4bd

SHA1
03d7d11d92abed5920c707f60ba581a76f9bd7ad

SHA256
ce9fbb33ac5f8ac3c5eb16837eaf74c913abe713888479ee8f08257f45f31a69

SHA512
67849b09a1a3c8114d250e61043f825e82d904349ae1a0e5e7e9f76e5933ddc48c2daa51308c475fec6df1c05b11ad6e8eb65ec71ecb904d4c26f48ca961ba50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RootDesign.exe.log

Filesize
1KB

MD5
b8c2d394d4c9f1088167eb57241ad45f

SHA1
02e78a96addcea046506c62e578313e866b9e90f

SHA256
af12f5acfa61313bd02a5e7c748aaccfd2bf4195155c7e4bf3aac74ae9565d64

SHA512
f045735e9ccdace1e15b71abf04585c208e9a1863437441105acb5231834dad2ec1ea920dee067763170534cd922fb44a1ab1b43776fb8ad6c976aaba07134a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
5b74da6778ccaa0e1ca4ae7484775943

SHA1
0a2f6f315a0ca1a0366b509aec7b13c606645654

SHA256
172282931d7eeb60228e6b9b4b913fd78c73f2a7855620f35fb24a5c847b6c78

SHA512
20b4cb7174f49b22426b249f1dfc8f6273f50d1502536e773f4dcd073bf027f2a554d2437c2dc628dbe021c5c3b968b2d89f810ff1bb19630c1560e7feee1a1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
d00dfd158eb8e60d020363a8199851c7

SHA1
6b32ea34d9d5de2cda621ea34593cf190a8cd248

SHA256
c7cd3888bb18c11acb036cd3208569ecffb5a78fe46dc264fee9343b8afabefe

SHA512
f933382584c500771b4f24fcc2fab9ff06cd658057ac79a1a59d1e0760f09349d2691ed1904879aa46fa94af88afce3f59b91e115881b403029d286e0d182a95

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p23xb3l5.y2j.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\readme.txt

Filesize
1KB

MD5
934c538703a8d75fc9452968bd4153e4

SHA1
f85647d373dcafe1dc6c54d2fef2a6cb192a5172

SHA256
04ead23fabb8ebae8d2e271624b5059a89300c6ae824469b671d26dc5d72208d

SHA512
7112ac70c40ab61bfa68151ac78ff6ebee02ee8a61869ae0f083bd5fbc8d22ff585ecbb59156694cf17072363d4ffb4bf1bb51b9194e697e1bf1827f79ac0c05

Download Submit
memory/2688-49-0x0000000003210000-0x0000000003216000-memory.dmp

Filesize
24KB

Download
memory/2688-53-0x000000000AFD0000-0x000000000AFF2000-memory.dmp

Filesize
136KB

Download
memory/2688-52-0x000000000B020000-0x000000000B0B2000-memory.dmp

Filesize
584KB

Download
memory/2688-57-0x0000000001880000-0x000000000188A000-memory.dmp

Filesize
40KB

Download
memory/2688-51-0x000000000B430000-0x000000000B9D6000-memory.dmp

Filesize
5.6MB

Download
memory/2688-48-0x0000000000E90000-0x0000000000EB8000-memory.dmp

Filesize
160KB

Download
memory/2976-31-0x0000000005BB0000-0x0000000005BCE000-memory.dmp

Filesize
120KB

Download
memory/2976-21-0x0000000005670000-0x00000000056D6000-memory.dmp

Filesize
408KB

Download
memory/2976-16-0x0000000000F30000-0x0000000000F66000-memory.dmp

Filesize
216KB

Download
memory/2976-15-0x0000000072A7E000-0x0000000072A7F000-memory.dmp

Filesize
4KB

Download
memory/2976-17-0x0000000072A70000-0x0000000073221000-memory.dmp

Filesize
7.7MB

Download
memory/2976-18-0x0000000004F60000-0x000000000558A000-memory.dmp

Filesize
6.2MB

Download
memory/2976-19-0x0000000004D30000-0x0000000004D52000-memory.dmp

Filesize
136KB

Download
memory/2976-32-0x0000000005C00000-0x0000000005C4C000-memory.dmp

Filesize
304KB

Download
memory/2976-58-0x0000000072A70000-0x0000000073221000-memory.dmp

Filesize
7.7MB

Download
memory/2976-30-0x00000000056E0000-0x0000000005A37000-memory.dmp

Filesize
3.3MB

Download
memory/2976-20-0x0000000005600000-0x0000000005666000-memory.dmp

Filesize
408KB

Download
memory/3516-60-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4936-50-0x0000000072A70000-0x0000000073221000-memory.dmp

Filesize
7.7MB

Download
memory/4936-33-0x0000000072A70000-0x0000000073221000-memory.dmp

Filesize
7.7MB

Download
memory/4936-42-0x0000000072A70000-0x0000000073221000-memory.dmp

Filesize
7.7MB

Download
memory/4936-43-0x0000000072A70000-0x0000000073221000-memory.dmp

Filesize
7.7MB

Download