Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

DUCSetup_v4_1_1.exe

windows7-x64

7

DUCSetup_v4_1_1.exe

windows10-2004-x64

7

$PLUGINSDI...er.dll

windows7-x64

3

$PLUGINSDI...er.dll

windows10-2004-x64

3

$PLUGINSDI...dl.dll

windows7-x64

3

$PLUGINSDI...dl.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...gs.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

DUC40.exe

windows7-x64

3

DUC40.exe

windows10-2004-x64

3

ducapi.dll

windows7-x64

1

ducapi.dll

windows10-2004-x64

1

portmapper-2.2.3.exe

windows7-x64

10

portmapper-2.2.3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/09/2024, 19:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    portmapper-2.2.3.exe

  • Size

    5.2MB

  • MD5

    9f14a0573f96ce3c3374044e585f7eb0

  • SHA1

    88247dac3c2a4e5a760c215436a99afe9ad5577f

  • SHA256

    e5f62be708a0caa8b4e5dfcf07127eabc49a8a61a300f434367718b7e7c2e7e3

  • SHA512

    f1e5af30c5c251a294998eb15cef22d22c6e30c900e08d86721ad3bfe400b86b8866c8ec66082014f3f3da2fb576a4cf35f1ff9e1f36d1dad26403fa96f9f91b

  • SSDEEP

    98304:rqw3fQlyOEaEyr9QsYhzAkSuwnu0J74Ijb4eDaJo99AXvhdkfx5:rqw3fsVPYa7J7zjxae7iZdK

Score
10/10
asyncratnanocorexwormdefaultdefense_evasiondiscoveryevasionexecutionkeyloggerpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

asyncrat

Version

L838 RAT v1.0.0

Botnet

Default

C2

127.0.0.1:54984

l838.ddns.net:54984
Mutex

kswxiqghhjgkjqpqzz

Attributes
  • delay

    3

  • install

    true

  • install_file

    Windows Service Wrapper.exe

  • install_folder

    %programdata%

aes.plain

Extracted

Family

xworm

C2

127.0.0.1:3232

l838.ddns.net:3232

0x365c3e6EeF15a2938FC7267D5A3386c8e23aBc5F:123
Attributes
  • Install_directory

    %ProgramData%

  • install_file

    Windows Security Wrapper.exe

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Detect Xworm Payload 2 IoCs
  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Async RAT payload 1 IoCs
    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Using powershell.exe command.

    execution
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

    defense_evasion
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 55 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 55 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\portmapper-2.2.3.exe
    "C:\Users\Admin\AppData\Local\Temp\portmapper-2.2.3.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2300
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\PortServices.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PortServices.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4228
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAegBjACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGMAcQBnACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAdAB1ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAYwBoACMAPgA="
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4644
      • C:\Users\Admin\WindowsSmartScreen.exe
        "C:\Users\Admin\WindowsSmartScreen.exe"
        3⤵
        • Checks computer location settings
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3660
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\WindowsSmartScreen.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2980
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsSmartScreen.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2832
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Windows Security Wrapper.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1164
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Security Wrapper.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:228
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Security Wrapper" /tr "C:\ProgramData\Windows Security Wrapper.exe"
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:4536
      • C:\Users\Admin\WindowsDriverFoundation.exe
        "C:\Users\Admin\WindowsDriverFoundation.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:5100
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\STEALER.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4788
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command "Disabling-WindowsRecoveryEnvironment"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5020
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\WindowsExecutables'"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4428
        • C:\Windows\SysWOW64\reg.exe
          reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3240
        • C:\Windows\SysWOW64\find.exe
          find /i "SystemUpdateWindowsSmartScreen"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4936
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SystemUpdateWindowsSmartScreen" /t REG_SZ /d "C:\Users\Admin\WindowsSmartScreen.exe" /f
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          PID:2516
        • C:\Windows\SysWOW64\reg.exe
          reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3420
        • C:\Windows\SysWOW64\find.exe
          find /i "SystemUpdateWindowsDriverFoundation"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3440
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SystemUpdateWindowsDriverFoundation" /t REG_SZ /d "C:\Users\Admin\WindowsDriverFoundation.exe" /f
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          PID:2564
      • C:\Users\Admin\AppData\Roaming\trellrt.exe
        "C:\Users\Admin\AppData\Roaming\trellrt.exe"
        3⤵
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3840
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks.exe" /create /f /tn "DSL Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpE38A.tmp"
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:860
    • C:\Program Files\Java\jre-1.8\bin\javaw.exe
      "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\RarSFX0\portmapper-2.2.3.jar"
      2⤵
        PID:4768
    • C:\ProgramData\Windows Security Wrapper.exe
      "C:\ProgramData\Windows Security Wrapper.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4944
    • C:\ProgramData\Windows Security Wrapper.exe
      "C:\ProgramData\Windows Security Wrapper.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2852

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    PowerShell

    1
    T1059.001

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Defense Evasion

    Modify Registry

    1
    T1112

    Obfuscated Files or Information

    1
    T1027

    Command Obfuscation

    1
    T1027.010

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    3
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Windows Security Wrapper.exe.log
      Filesize

      654B

      MD5

      2ff39f6c7249774be85fd60a8f9a245e

      SHA1

      684ff36b31aedc1e587c8496c02722c6698c1c4e

      SHA256

      e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

      SHA512

      1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      d85ba6ff808d9e5444a4b369f5bc2730

      SHA1

      31aa9d96590fff6981b315e0b391b575e4c0804a

      SHA256

      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

      SHA512

      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      968cb9309758126772781b83adb8a28f

      SHA1

      8da30e71accf186b2ba11da1797cf67f8f78b47c

      SHA256

      92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

      SHA512

      4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      18KB

      MD5

      968d5f3eb5a534806d6b48600b2fb501

      SHA1

      0903327719a78aeb0b2a3987916d2f2e29f194d5

      SHA256

      38821e0289791cba6a852307c9d8ef1d6af6c85e80af5a4bbc2163005233450b

      SHA512

      0f4db0b0c0ca29d3a9d6328c559644cb1b5888419ef4020d91c92c23fed8829ac81ab6fa927f33bd1c1a12fab25b1015d4ed5d6216f796072fede73d7da97139

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      9b80cd7a712469a4c45fec564313d9eb

      SHA1

      6125c01bc10d204ca36ad1110afe714678655f2d

      SHA256

      5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

      SHA512

      ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      e60eb305a7b2d9907488068b7065abd3

      SHA1

      1643dd7f915ac50c75bc01c53d68c5dafb9ce28d

      SHA256

      ad07460e061642c0dd4e7dfa7b821aacce873e290389e72f708e9f3504f9d135

      SHA512

      95c45afec6fa4e0b2a21edd10a6b2dc30568810c67bc9bc34d98ab111c48261f377a370583adb27e08616b0108026c119493b1b093b52ce931117e646b46cb7b

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      36c1937644741dead48c1c090eeea972

      SHA1

      f795939bced5653be2c10e6850ba94c268fb6b42

      SHA256

      c9368ff7aa0e52a8f66081c343bd9e8e7827d9cb0acb25fe05bd4efb01813c68

      SHA512

      7af3c3d12de9f185c5fbdc7519d221f1fa91053056516e1d200561d553a39c22c1e8714b6c38c81a71f1f23e21e51380fb3359f877370a387dfe27aefea764c5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\PortServices.exe
      Filesize

      353KB

      MD5

      565ab186944e5842406ab4f9d74f46f5

      SHA1

      224bd1ca4711683c583945b3d6ecab5e5c639470

      SHA256

      679d4c6a8111b4948639cc03794708f234501e052b2ebe0451a3d8bcbc379328

      SHA512

      14b493887904eedcc55e2acf48196f4299a3e88a458ba75477a96796d644f5b11245f038cc0479d44bf58ea071c6a383a90c494654f775de4810ab2bb8129de8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\portmapper-2.2.3.jar
      Filesize

      5.0MB

      MD5

      df6057d0eeba1ab4266dd271536f1298

      SHA1

      8be95aa1a26c4c4328ca6c5a98ba34766f748102

      SHA256

      aa5f3fb51ff107a38aaf07537e79754d94855fbe62f95a8cb702d7eeed928b6e

      SHA512

      f291051434229931681a55afb313f0f595de52c0d176155343c3e05fa73a5378451a203be061265cf696a5f334190a1a8060b513ee6bc9e838efda5b26c06795

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\STEALER.bat
      Filesize

      1KB

      MD5

      1f69a22a7a1b2d2fd521ce21eb188c8f

      SHA1

      e966e6e359bb9e7b77ed74e77375145e5cd21fdd

      SHA256

      54585cad234b01400a62516b60260366f8bf29fde4aaebd81cb6b1d4bfe0cce7

      SHA512

      905699190d5ee151ce34900920720e955a328a4d5012542529c8e22ccebcf96d0ab18f4b3977e3f1b65a41c52a7f2ede61ceff4eb07a9a66f8bf41ac7002d755

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zic2nnm4.jae.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpE38A.tmp
      Filesize

      1KB

      MD5

      c959800473a9762a191d5458383878a6

      SHA1

      b4e211472e313711cd59ada511b0d9ad38ed7ff3

      SHA256

      de79f0647decf1c96baa7c71f984a23f651745a047cc5d979f42824efc3ce701

      SHA512

      239dd7b34a46fd5abb06d81a979b0586e9a129293248df0afdc403e3be22671df0a1d422e5e9270d8fbe5faae415b4fff9fa747aa32ef695177c4ced38688128

      Download Submit

    • C:\Users\Admin\AppData\Roaming\trellrt.exe
      Filesize

      203KB

      MD5

      40b631e57ce22a4b52cb382cc44204c9

      SHA1

      58f46159e4cd20044d60c2572b91f6d48e9afafd

      SHA256

      338c3e0d6dc067eb96eba389e63f60621bcd5b3573bf0e6fd73dced54fe55d7a

      SHA512

      060d1c6e2a706bf3f375eb50647ba4820ac0c9f2d34838bda5f0303f1ef14e75e83d9167e9f50a19d72bfe4bb55fc28b7e64aa650e379f5dd2077b9e3ebbbdba

      Download Submit

    • C:\Users\Admin\WindowsDriverFoundation.exe
      Filesize

      74KB

      MD5

      e40cf402a05b77c43a1934802059a39d

      SHA1

      126f95a2d81c7007214be6933862485292fab294

      SHA256

      edcae846e567107bdc6a741cdda70b82cd2526829899bc16ba4651f68e76a16c

      SHA512

      ded21984cf2d95b9cab4b677f2c58cadd914f3b5b63ecae056bcfd55bfd43c03433dbef73156aaa99c4a1fd47a8e32e0371f49ae5113beca31a47dd8221f1259

      Download Submit

    • C:\Users\Admin\WindowsSmartScreen.exe
      Filesize

      69KB

      MD5

      603b4a00b2f8cb021066710cc002e323

      SHA1

      8d8b2f0e16de8c3e40485f608405bce07a31b49b

      SHA256

      5e380cae6f287ef4a209916f2e0f86e1511bec721fe85ddbab2bcb30255ad9a2

      SHA512

      0beefc1647b5e4cdd058c0a0d1e7c739297733f4d4dbf4cf5f2588b2c1c23049376c392150a375df855a27e4c99cf05f2c924427bc457bbe7ca53e58d8958956

      Download Submit

    • memory/228-240-0x0000023CB1ED0000-0x0000023CB1EE9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/228-241-0x0000023CB2040000-0x0000023CB205E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2832-217-0x00000226721F0000-0x000002267220E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2832-216-0x0000022671890000-0x00000226718A9000-memory.dmp

      Filesize

      100KB

      Download

    • memory/2980-186-0x000001C8EFF90000-0x000001C8EFFB2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3660-72-0x0000000000DA0000-0x0000000000DB8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/4428-212-0x0000000007720000-0x0000000007734000-memory.dmp

      Filesize

      80KB

      Download

    • memory/4428-187-0x00000000747F0000-0x000000007483C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4428-175-0x0000000006210000-0x000000000625C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4428-173-0x0000000005D70000-0x00000000060C4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4428-197-0x0000000007190000-0x0000000007233000-memory.dmp

      Filesize

      652KB

      Download

    • memory/4428-200-0x00000000076E0000-0x00000000076F1000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4644-151-0x00000000077E0000-0x00000000077FA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4644-139-0x0000000073C30000-0x0000000073C7C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4644-85-0x0000000004EF0000-0x0000000004F26000-memory.dmp

      Filesize

      216KB

      Download

    • memory/4644-89-0x00000000055D0000-0x0000000005BF8000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/4644-98-0x0000000005E50000-0x0000000005EB6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4644-153-0x0000000007A60000-0x0000000007AF6000-memory.dmp

      Filesize

      600KB

      Download

    • memory/4768-123-0x000001627D2E0000-0x000001627D2E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/5020-138-0x0000000006F80000-0x0000000006F9E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/5020-121-0x0000000006950000-0x000000000696E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/5020-152-0x0000000007CD0000-0x0000000007CDA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/5020-140-0x0000000007B50000-0x0000000007BF3000-memory.dmp

      Filesize

      652KB

      Download

    • memory/5020-154-0x0000000007E70000-0x0000000007E81000-memory.dmp

      Filesize

      68KB

      Download

    • memory/5020-128-0x0000000073C30000-0x0000000073C7C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/5020-127-0x0000000006F20000-0x0000000006F52000-memory.dmp

      Filesize

      200KB

      Download

    • memory/5020-158-0x0000000007EF0000-0x0000000007EF8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/5020-122-0x0000000006980000-0x00000000069CC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/5020-150-0x00000000082C0000-0x000000000893A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/5020-110-0x0000000006340000-0x0000000006694000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/5020-93-0x0000000005890000-0x00000000058B2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/5020-96-0x0000000006160000-0x00000000061C6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/5020-157-0x0000000007FC0000-0x0000000007FDA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/5020-156-0x0000000007EB0000-0x0000000007EC4000-memory.dmp

      Filesize

      80KB

      Download

    • memory/5020-155-0x0000000007EA0000-0x0000000007EAE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/5100-73-0x0000000000850000-0x0000000000868000-memory.dmp

      Filesize

      96KB

      Download