Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

WizClient.exe

windows10-ltsc 2021-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    17/11/2024, 15:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    WizClient.exe

  • Size

    77KB

  • MD5

    a307d64f791cb555d029c214364162d8

  • SHA1

    04f134fd1a0b71e0b4b745a97e9a08ed1ee45c74

  • SHA256

    c346655d32844eda0a9ec3d3d9b16c1c27248bda424fc8b91804d26cd8986454

  • SHA512

    d432bcf7874ea3f74ec7e4fc51b400f7c3492b06479fd12949b7cde698e513bbabd08afae8d0ffc2efbe3d7d0cb44e08c5b2bba3f116b9fd6120713e2cd5f96e

  • SSDEEP

    1536:x5sFO8g/9VM5dQ+aomobhr3KXg6wzOB1SmOnU7Ua+G:x5sU9Vv4bbhr6SOB1S5nU7MG

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

left-noon.gl.at.ply.gg:60705

Attributes
  • Install_directory

    %AppData%

  • install_file

    US11B.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 15 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 58 IoCs
  • Suspicious use of SendNotifyMessage 57 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\WizClient.exe
    "C:\Users\Admin\AppData\Local\Temp\WizClient.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3784
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WizClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1148
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WizClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5108
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\WizClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:376
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WizClient" /tr "C:\Users\Admin\AppData\Roaming\WizClient.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:908
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2520
  • C:\Users\Admin\AppData\Roaming\WizClient.exe
    "C:\Users\Admin\AppData\Roaming\WizClient.exe"
    1⤵
    • Executes dropped EXE
    PID:3148
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\FindConvertFrom.xlsx"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2248
  • C:\Users\Admin\AppData\Roaming\WizClient.exe
    "C:\Users\Admin\AppData\Roaming\WizClient.exe"
    1⤵
    • Executes dropped EXE
    PID:4352
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5064
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:224
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 23681 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {da376f15-bc44-45c5-bf15-eb7387e65011} 224 "\\.\pipe\gecko-crash-server-pipe.224" gpu
        3⤵
          PID:760
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2388 -prefMapHandle 2384 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6820f48-b20c-42b7-a50f-a1d92eda823e} 224 "\\.\pipe\gecko-crash-server-pipe.224" socket
          3⤵
          • Checks processor information in registry
          PID:1996
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2828 -childID 1 -isForBrowser -prefsHandle 2992 -prefMapHandle 3052 -prefsLen 23858 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ceaef2e3-c916-4028-a0c0-f7fac0b4480d} 224 "\\.\pipe\gecko-crash-server-pipe.224" tab
          3⤵
            PID:1224
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4252 -childID 2 -isForBrowser -prefsHandle 4244 -prefMapHandle 4240 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1972f55d-ba99-4e72-a3b2-2b77f629cf55} 224 "\\.\pipe\gecko-crash-server-pipe.224" tab
            3⤵
              PID:2088
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4928 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4508 -prefMapHandle 4224 -prefsLen 29198 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {11bcfbf8-a034-4d48-9734-77ae53f3e868} 224 "\\.\pipe\gecko-crash-server-pipe.224" utility
              3⤵
              • Checks processor information in registry
              PID:4544
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5440 -childID 3 -isForBrowser -prefsHandle 5404 -prefMapHandle 5392 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {223eeb0b-b252-443b-8b6d-dc218ed80c58} 224 "\\.\pipe\gecko-crash-server-pipe.224" tab
              3⤵
                PID:5524
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5568 -childID 4 -isForBrowser -prefsHandle 5576 -prefMapHandle 5580 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a968c0ec-7a8e-4839-b56a-8afc15c6c7c7} 224 "\\.\pipe\gecko-crash-server-pipe.224" tab
                3⤵
                  PID:5536
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5848 -childID 5 -isForBrowser -prefsHandle 5768 -prefMapHandle 5772 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d6c0c81-f33a-47e9-8b5e-429c1d815297} 224 "\\.\pipe\gecko-crash-server-pipe.224" tab
                  3⤵
                    PID:5548
              • C:\Users\Admin\AppData\Roaming\WizClient.exe
                "C:\Users\Admin\AppData\Roaming\WizClient.exe"
                1⤵
                • Executes dropped EXE
                PID:2316

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WizClient.exe.log
                Filesize

                654B

                MD5

                11c6e74f0561678d2cf7fc075a6cc00c

                SHA1

                535ee79ba978554abcb98c566235805e7ea18490

                SHA256

                d39a78fabca39532fcb85ce908781a75132e1bd01cc50a3b290dd87127837d63

                SHA512

                32c63d67bf512b42e7f57f71287b354200126cb417ef9d869c72e0b9388a7c2f5e3b61f303f1353baa1bf482d0f17e06e23c9f50b2f1babd4d958b6da19c40b0

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                Filesize

                3KB

                MD5

                3eb3833f769dd890afc295b977eab4b4

                SHA1

                e857649b037939602c72ad003e5d3698695f436f

                SHA256

                c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

                SHA512

                c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                1KB

                MD5

                f0731f5760fdaec554ebeac92c5b858a

                SHA1

                4ac0a7f4cac1a8993d8d2e41490519b203272aec

                SHA256

                994163ee07fb3c0657229e7adbe8e3468d8f134c607552668a48660f70067e2e

                SHA512

                7fdbf4c8b22f2a36b32212dc41c5379496c8a4a670a6b13eeac02ebfbc394035ff25a8d79ae0a16c4f5f22bd5f59a141bb5774ba5439d1894e5363b3214dde33

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                1KB

                MD5

                0351b6d5385995efd8f0f96e10779d90

                SHA1

                1503b8b19f80adf6ff439b97825adc798b5025d5

                SHA256

                cfa345952ebffdddb214c2f7da3b33515841602a93173f9635c9513a6cad685d

                SHA512

                80be5424fc5e3eec6ff41475b05d03b75c80de5f6477c9084f9da374b7197056a84432c17e8cb77e9d3c08fbd01f9fca9c6b4859e2f984d4de70ce704b855cae

                Download Submit

              • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afyb4qvh.default-release\activity-stream.discovery_stream.json
                Filesize

                22KB

                MD5

                e7e5e5d0d2d58cccaab7bcba70fdc9a7

                SHA1

                a74c62a0b28d3da61377d80cc1572bae3dbefc9e

                SHA256

                ac5bb04f2a97cc92900a6844aeb892b860d5a9ad33e76c1d5f0fd46c0fc1897d

                SHA512

                8b09fb23836e63381bb53183bd10472201d67458c9aa85c7e1bd5e10865096add421e05181508ac5548c2e26b831aec146f47ca4b57e6fefa123a28bcc55f06e

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ys54bzbu.5uj.ps1
                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
                Filesize

                308B

                MD5

                d6a65dccbeccd494ab22a4edeb3aeaec

                SHA1

                6d7cf735eb92f66b445004e4277402e64f99017a

                SHA256

                73c57e5496ac04494551578e98b8973093d6af79ed94ec3069ecb7fe0dd32636

                SHA512

                4d2473daddcdd4302bc35a79c4b06b7b01b30c2a94255a439941ad5d14339bfe501b7cf0e34c9852c5eb18ffd46c703fc78dcffc5847feded302547b16e17b50

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
                Filesize

                1KB

                MD5

                ad3f900454bf0da1b626af0812e76169

                SHA1

                add21c2db2dcf2a24ef846159d0bafdd58c21722

                SHA256

                c720dcae77e45ac9ecea0fe597d85ce76451a3d9824746d39ea9155a2c171bb7

                SHA512

                2e8bbb03efce8073ea0882fa637586b1a535e681cfa0d7da222783b56dff596e509af9748ef88f002e1c1b9f8c23b23cede563567ae65dad7f2c0ac3950bc166

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
                Filesize

                1KB

                MD5

                24e3d3adaeccaf07ff059d5a0fde6fd4

                SHA1

                200d040ec133b4fe11915545dfddc35a0f5ee2b2

                SHA256

                a44adf1e1aed44c05890f3088e92e083a2968b2bd0bfacaee5181dde1a996742

                SHA512

                fbd5fe94edc5187dc9ef07ae511240fcb53503656a2fcde02fe917b6c5e9babc4a8b7ba4af1819c8e603421cf24034735e2a5fa92b1343c4a15a6d82701b85ee

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WizClient.lnk
                Filesize

                783B

                MD5

                bbe260f0bfd17402da48a469e022213e

                SHA1

                0af6b017102b45b41e5481561864824af2e7c7fa

                SHA256

                0b3606d7c6f965e871acbd79367eb717ce1bd0574bc61f0874ac66ca6c834921

                SHA512

                41473f821c457dcc922a3abe6b84255db68035372437a7a01a4939303b2cb89fff67a37dd56931b1e22512532b7aadfd07b31843f33684768d19fcb97a7db603

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\datareporting\glean\db\data.safe.tmp
                Filesize

                5KB

                MD5

                6a4dd5a2308018bdb71792ef28ce83ea

                SHA1

                dd8e360bec1681cbae76f92ffad898edc905ff10

                SHA256

                33733a239538ab408235a31f7e6f99ec2c93f09d0ec24622b31ae3175bfc35ff

                SHA512

                b0139bb500ec574ca2dd62d55c744a80ce6132ca8f5f86dd863025a23b52aeee6452321275243b0615129b0a98345b7212cc56ff3e7d2840faf1048c4b2a73dc

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\datareporting\glean\db\data.safe.tmp
                Filesize

                5KB

                MD5

                d4d1222bfaa4bfec97c5f1c5feac2ebe

                SHA1

                d1c150d345c3e19a6eed27810dd36bf7156af4bc

                SHA256

                6f702354ed54cecee99dbef9b1f35e6436855b5120e2ba1a263121b7d17d616a

                SHA512

                d83a6cb3ac096258430cf6d7b6dd370189b244fa43f37ae61ec6806f9db51b100f246f995a602d8310b9351a07162d8c0655d2bca90776aec9b96f8c74d8523a

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\datareporting\glean\pending_pings\160c7043-d995-445c-82f5-874aedfd41ec
                Filesize

                27KB

                MD5

                7c819ef9d8fdf8901014e89c7ced5f6e

                SHA1

                055021f6ac0229ef021be83166959cae7ea300ee

                SHA256

                2bc35dc55778e8ab3bcab29c70143dd3e6fb1c264d48be7b47398eeb32ddac0a

                SHA512

                296dbf04c37e3cfb79e2c8668961e3cb9aeb011a8bdc216464436bad358ede6255d531bf8c6b6d73428eec403555f315cb37f7a794946f15173b6fbd49ba103d

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\datareporting\glean\pending_pings\5442c738-fc19-4a2d-ad9d-0f646f197460
                Filesize

                671B

                MD5

                90d9aa9098f850309668d8a9108578c7

                SHA1

                eb54853ba3ea5e43fbc4011e7031da446b7bbf8f

                SHA256

                e36b8a845dbc7f37ec6c2887f425c7e97ce7457f6b88bee917cb776e980c457a

                SHA512

                6d9c83f169fdfe1b0047f4eafb7b3e08fc3eec8aee9d61402ce9988584e671050b90011fe6fc2527ba7c531afb4bfb715b17b3c7e175ce3e9003498d694007c8

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\datareporting\glean\pending_pings\6d04088b-83b8-4e39-b374-3bed12cc6797
                Filesize

                982B

                MD5

                37697f80b5d8926f4a7c933d2090e1e3

                SHA1

                ea7d91808c92b3cef07470771605e644328dee65

                SHA256

                c69045a379e18cb76d7e3fb5128ecfc5318a39031b7b5752e39a4f8837e2e3ff

                SHA512

                86cb85bc236d2efb8ef56b76529842977883067c62fc69cbfb7b7fd6c2abbd830a94c4f9a0d0ee6e4cdc5a3ec7585be61929d89057aa18472136a565da9341b5

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\prefs-1.js
                Filesize

                11KB

                MD5

                ca640cb8aae76bdf0c612697fc227425

                SHA1

                b6c218c0cc2bc242461d4de3873d5ea346feecc2

                SHA256

                3923807fab048e82b690c6d02b05b24689516534a159a83204883a9ba45bfdb6

                SHA512

                e976d4e81be0e1cb3e66721aa4544ac91ee67e0aa7620485467386b4c61da741b6365f471507b89301c4a6ac122c6afd75bbcd3c0873ae3e9c47b4f10a7c0b4c

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\prefs.js
                Filesize

                10KB

                MD5

                7f065c7654c3f412de53f094ba0b1aa9

                SHA1

                16a6ca9ef35f288d28cfc68210a9bf72299036d4

                SHA256

                a25e25ef6698c756195abbc40afb4c94af9f4561c842ec687d2747b56a3be0b1

                SHA512

                dab1a508b9925cdb86ff752661956b3b9f53710ba0b508c17a57f2c312bd8ddcf004911235c30191f7718c85921133b3904e04c0a857e727b1f0fc8b7278214d

                Download Submit

              • C:\Users\Admin\AppData\Roaming\WizClient.exe
                Filesize

                77KB

                MD5

                a307d64f791cb555d029c214364162d8

                SHA1

                04f134fd1a0b71e0b4b745a97e9a08ed1ee45c74

                SHA256

                c346655d32844eda0a9ec3d3d9b16c1c27248bda424fc8b91804d26cd8986454

                SHA512

                d432bcf7874ea3f74ec7e4fc51b400f7c3492b06479fd12949b7cde698e513bbabd08afae8d0ffc2efbe3d7d0cb44e08c5b2bba3f116b9fd6120713e2cd5f96e

                Download Submit

              • memory/1148-21-0x00007FFB59B40000-0x00007FFB5A602000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/1148-12-0x00000147FA540000-0x00000147FA562000-memory.dmp

                Filesize

                136KB

                Download

              • memory/1148-13-0x00007FFB59B40000-0x00007FFB5A602000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/1148-14-0x00007FFB59B40000-0x00007FFB5A602000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/1148-15-0x00007FFB59B40000-0x00007FFB5A602000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/1148-16-0x00007FFB59B40000-0x00007FFB5A602000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/1148-18-0x00007FFB59B40000-0x00007FFB5A602000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/2248-132-0x00007FFB38070000-0x00007FFB38080000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2248-133-0x00007FFB38070000-0x00007FFB38080000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2248-130-0x00007FFB38070000-0x00007FFB38080000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2248-131-0x00007FFB38070000-0x00007FFB38080000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2248-72-0x00007FFB38070000-0x00007FFB38080000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2248-73-0x00007FFB38070000-0x00007FFB38080000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2248-74-0x00007FFB38070000-0x00007FFB38080000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2248-75-0x00007FFB38070000-0x00007FFB38080000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2248-76-0x00007FFB38070000-0x00007FFB38080000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2248-77-0x00007FFB35EB0000-0x00007FFB35EC0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2248-78-0x00007FFB35EB0000-0x00007FFB35EC0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/2520-34-0x0000022015D40000-0x0000022015D41000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2520-35-0x0000022015D40000-0x0000022015D41000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2520-44-0x0000022015D40000-0x0000022015D41000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2520-45-0x0000022015D40000-0x0000022015D41000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2520-33-0x0000022015D40000-0x0000022015D41000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2520-42-0x0000022015D40000-0x0000022015D41000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2520-46-0x0000022015D40000-0x0000022015D41000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2520-40-0x0000022015D40000-0x0000022015D41000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2520-43-0x0000022015D40000-0x0000022015D41000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2520-41-0x0000022015D40000-0x0000022015D41000-memory.dmp

                Filesize

                4KB

                Download

              • memory/3784-58-0x00007FFB59B40000-0x00007FFB5A602000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/3784-17-0x00007FFB59B43000-0x00007FFB59B45000-memory.dmp

                Filesize

                8KB

                Download

              • memory/3784-0-0x00007FFB59B43000-0x00007FFB59B45000-memory.dmp

                Filesize

                8KB

                Download

              • memory/3784-71-0x000000001C8C0000-0x000000001C8CC000-memory.dmp

                Filesize

                48KB

                Download

              • memory/3784-2-0x00007FFB59B40000-0x00007FFB5A602000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/3784-1-0x0000000000EB0000-0x0000000000ECA000-memory.dmp

                Filesize

                104KB

                Download