e1a5b2392f673f9d652727956690a6f135f5c2d129729a23729bda78f18e32d0

Analysis

max time kernel
112s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48fad24a6419341ce64b063be81e402a.exe
Size

484KB
MD5

48fad24a6419341ce64b063be81e402a
SHA1

aaab00c61a68acaea1f687d3291df88db3092754
SHA256

e1a5b2392f673f9d652727956690a6f135f5c2d129729a23729bda78f18e32d0
SHA512

680d13e3cb49bb3a5712f5f9dff27b9800bdff1287eac9219e5f97061cb99465ff0518c17d268ff31560e089e56525a56c43537d8c06b91738fb343a51e0cd40
SSDEEP

12288:SLdIQpe9G51q7UeRtFB/4zRbqQeg1GNGNrUr8Jyn:SB/sG6waFBARl1mjr8wn

Score

8^/10

adware bootkit persistence stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	bffd.exe

Executes dropped EXE 3 IoCs

pid	Process
4664	bffd.exe
5108	bffd.exe
2024	bffd.exe

Loads dropped DLL 26 IoCs

pid	Process
4360	regsvr32.exe
2024	bffd.exe
1692	rundll32.exe
5004	rundll32.exe
2024	bffd.exe
2024	bffd.exe
2024	bffd.exe
2024	bffd.exe
2024	bffd.exe
2024	bffd.exe
2024	bffd.exe
2024	bffd.exe
2024	bffd.exe
2024	bffd.exe
2024	bffd.exe
2024	bffd.exe
2024	bffd.exe
2024	bffd.exe
2024	bffd.exe
2024	bffd.exe
2024	bffd.exe
2024	bffd.exe
2024	bffd.exe
2024	bffd.exe
2024	bffd.exe
2024	bffd.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\ = "winhome"	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	\??\PhysicalDrive0	bffd.exe
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\3bef.dll	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\SysWOW64\a1l8.dll	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\SysWOW64\b4cb.dll	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\SysWOW64\bffd.exe	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\SysWOW64\8b4o.dlltmp	48fad24a6419341ce64b063be81e402a.exe
File created	C:\Windows\SysWOW64\3f37b2	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\a1l8.dlltmp	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\SysWOW64\b4cb.dlltmp	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\SysWOW64\144d.exe	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\SysWOW64\1ba4.dll	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\SysWOW64\34ua.exe	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\SysWOW64\b3fs.dll	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\SysWOW64\4f3r.dlltmp	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\SysWOW64\841e.dll	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\SysWOW64\14rb.exe	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\SysWOW64\4f3r.dll	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\SysWOW64\8b4o.dll	48fad24a6419341ce64b063be81e402a.exe
File created	C:\Windows\SysWOW64\754721104	rundll32.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\bf14.bmp	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\f6f.bmp	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\4bad.flv	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\f6fu.bmp	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\14ba.exe	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\a34b.flv	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\8f6.exe	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\a8f.flv	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\6f1u.bmp	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\a8fd.flv	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\a8fd.exe	48fad24a6419341ce64b063be81e402a.exe
File opened for modification	C:\Windows\8f6d.exe	48fad24a6419341ce64b063be81e402a.exe
File created	C:\Windows\Tasks\ms.job	48fad24a6419341ce64b063be81e402a.exe

Modifies registry class 47 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\ = "CFunPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib\ = "{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib\ = "{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\ = "CFunPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\AppID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\ = "BHO 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ = "IFunPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\InprocServer32\ThreadingModel = "apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\TypeLib\ = "{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\InprocServer32\ = "C:\\Windows\\SysWow64\\8b4o.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\8b4o.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\ = "CFunPlayer Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\VersionIndependentProgID\ = "BHO.FunPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer.1\CLSID\ = "{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ = "IFunPlayer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\ProgID\ = "BHO.FunPlayer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7D8644A6-61C5-4641-A655-31C637BD560C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CLSID\ = "{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BHO.FunPlayer\CurVer\ = "BHO.FunPlayer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{84C4A916-2F38-41C4-99BD-C4E8FA05EA54}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9A5E127F-4EB8-4E6C-92EA-5C8631054C7D}\1.0\FLAGS	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2024	bffd.exe
2024	bffd.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 4728	2484	48fad24a6419341ce64b063be81e402a.exe	31
PID 2484 wrote to memory of 4728	2484	48fad24a6419341ce64b063be81e402a.exe	31
PID 2484 wrote to memory of 4728	2484	48fad24a6419341ce64b063be81e402a.exe	31
PID 2484 wrote to memory of 2044	2484	48fad24a6419341ce64b063be81e402a.exe	29
PID 2484 wrote to memory of 2044	2484	48fad24a6419341ce64b063be81e402a.exe	29
PID 2484 wrote to memory of 2044	2484	48fad24a6419341ce64b063be81e402a.exe	29
PID 2484 wrote to memory of 1732	2484	48fad24a6419341ce64b063be81e402a.exe	28
PID 2484 wrote to memory of 1732	2484	48fad24a6419341ce64b063be81e402a.exe	28
PID 2484 wrote to memory of 1732	2484	48fad24a6419341ce64b063be81e402a.exe	28
PID 2484 wrote to memory of 324	2484	48fad24a6419341ce64b063be81e402a.exe	19
PID 2484 wrote to memory of 324	2484	48fad24a6419341ce64b063be81e402a.exe	19
PID 2484 wrote to memory of 324	2484	48fad24a6419341ce64b063be81e402a.exe	19
PID 2484 wrote to memory of 4360	2484	48fad24a6419341ce64b063be81e402a.exe	20
PID 2484 wrote to memory of 4360	2484	48fad24a6419341ce64b063be81e402a.exe	20
PID 2484 wrote to memory of 4360	2484	48fad24a6419341ce64b063be81e402a.exe	20
PID 2484 wrote to memory of 4664	2484	48fad24a6419341ce64b063be81e402a.exe	25
PID 2484 wrote to memory of 4664	2484	48fad24a6419341ce64b063be81e402a.exe	25
PID 2484 wrote to memory of 4664	2484	48fad24a6419341ce64b063be81e402a.exe	25
PID 2484 wrote to memory of 5108	2484	48fad24a6419341ce64b063be81e402a.exe	24
PID 2484 wrote to memory of 5108	2484	48fad24a6419341ce64b063be81e402a.exe	24
PID 2484 wrote to memory of 5108	2484	48fad24a6419341ce64b063be81e402a.exe	24
PID 2024 wrote to memory of 1692	2024	bffd.exe	33
PID 2024 wrote to memory of 1692	2024	bffd.exe	33
PID 2024 wrote to memory of 1692	2024	bffd.exe	33
PID 2484 wrote to memory of 5004	2484	48fad24a6419341ce64b063be81e402a.exe	32
PID 2484 wrote to memory of 5004	2484	48fad24a6419341ce64b063be81e402a.exe	32
PID 2484 wrote to memory of 5004	2484	48fad24a6419341ce64b063be81e402a.exe	32

C:\Users\Admin\AppData\Local\Temp\48fad24a6419341ce64b063be81e402a.exe
"C:\Users\Admin\AppData\Local\Temp\48fad24a6419341ce64b063be81e402a.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\8b4o.dll"
  2⤵
  PID:324
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32\8b4o.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:4360
- C:\Windows\SysWOW64\bffd.exe
  C:\Windows\system32\bffd.exe -s
  2⤵
  - Executes dropped EXE
  PID:5108
- C:\Windows\SysWOW64\bffd.exe
  C:\Windows\system32\bffd.exe -i
  2⤵
  - Executes dropped EXE
  PID:4664
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\4f3r.dll"
  2⤵
  PID:1732
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\b4cb.dll"
  2⤵
  PID:2044
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\a1l8.dll"
  2⤵
  PID:4728
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32\841e.dll, Always
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  PID:5004

C:\Windows\SysWOW64\bffd.exe
C:\Windows\SysWOW64\bffd.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32\841e.dll,Always
  2⤵
  - Loads dropped DLL
  PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\h8nil4o8\b.dll

Filesize
94KB

MD5
1ae08166022de75f393c49ff7e37c9bf

SHA1
1c79159f6a7ee289c67a397de870c3ada4a77d65

SHA256
cb0597a2c924d5b9b94342dbc53179df3ab4211e7f335efedfaafd67927e870c

SHA512
bce409f834bb25eb6d015cba34ad6daca1a0d6466cc5a3b2b487b3be1c5314617b16b85b7f62f8c56ccb075a8e00dfe09950e42134a3242cac41dc2c20e8bb29

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8nil4o8\p.dll

Filesize
209KB

MD5
c3b55b95371e14095479e15bdcf6631c

SHA1
a3384a0102cbdd96334b4c32466c8651baa1b6fe

SHA256
e6dfca82e901f68320791485807a8d6506bab6c2d2590388f4f0b4da8e103ab9

SHA512
ef3e56336b87aeae69e7b630de853ea97d58a722bb051f8b27a77b12c56271f490dd7cefa78bdf383c7dca106cf986ba47a48fad4157dd6c75c33d6eb1bf3654

Download Submit
C:\Windows\SysWOW64\8b4o.dll

Filesize
93KB

MD5
e9611acc4fc4a4178b153377e88d88be

SHA1
d20812d47df927fcfcba8f3bdc8c2e7d3824f672

SHA256
c999356a2d8ee84b6533eded8c6cd412e45cc01e498cd43e07b804d487bbd53a

SHA512
ed14ac1e79cb558b4330551a281c0ee99e792d6a22177aafecb2ce1b33b8c5c6de6eef30a472fe72ce9ae5a7f6b4a3e192691c6345fbf76b2856509a0a0e23ec

Download Submit
memory/1692-78-0x0000000010000000-0x00000000100B2000-memory.dmp

Filesize
712KB

Download
memory/1692-80-0x0000000000DA0000-0x0000000000DA2000-memory.dmp

Filesize
8KB

Download
memory/2024-118-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2024-124-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2024-192-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2024-186-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2024-183-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2024-180-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2024-182-0x00000000013A0000-0x00000000013A2000-memory.dmp

Filesize
8KB

Download
memory/2024-181-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2024-65-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2024-177-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2024-178-0x0000000001390000-0x0000000001392000-memory.dmp

Filesize
8KB

Download
memory/2024-69-0x00000000006F0000-0x00000000006F2000-memory.dmp

Filesize
8KB

Download
memory/2024-68-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2024-85-0x0000000000D80000-0x0000000000D82000-memory.dmp

Filesize
8KB

Download
memory/2024-86-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2024-90-0x0000000000D90000-0x0000000000D92000-memory.dmp

Filesize
8KB

Download
memory/2024-89-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2024-174-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2024-93-0x0000000000DA0000-0x0000000000DA2000-memory.dmp

Filesize
8KB

Download
memory/2024-92-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2024-94-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2024-172-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2024-98-0x0000000000EC0000-0x0000000000EC2000-memory.dmp

Filesize
8KB

Download
memory/2024-97-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2024-101-0x0000000000ED0000-0x0000000000ED2000-memory.dmp

Filesize
8KB

Download
memory/2024-100-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2024-102-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2024-106-0x0000000001270000-0x0000000001272000-memory.dmp

Filesize
8KB

Download
memory/2024-105-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2024-173-0x0000000001380000-0x0000000001382000-memory.dmp

Filesize
8KB

Download
memory/2024-109-0x0000000001280000-0x0000000001282000-memory.dmp

Filesize
8KB

Download
memory/2024-108-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2024-110-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2024-114-0x0000000001290000-0x0000000001292000-memory.dmp

Filesize
8KB

Download
memory/2024-113-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2024-116-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2024-117-0x00000000012A0000-0x00000000012A2000-memory.dmp

Filesize
8KB

Download
memory/2024-66-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/2024-121-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2024-122-0x00000000012B0000-0x00000000012B2000-memory.dmp

Filesize
8KB

Download
memory/2024-170-0x0000000001370000-0x0000000001372000-memory.dmp

Filesize
8KB

Download
memory/2024-125-0x00000000012C0000-0x00000000012C2000-memory.dmp

Filesize
8KB

Download
memory/2024-126-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2024-129-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2024-130-0x00000000012D0000-0x00000000012D2000-memory.dmp

Filesize
8KB

Download
memory/2024-132-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2024-133-0x00000000012E0000-0x00000000012E2000-memory.dmp

Filesize
8KB

Download
memory/2024-134-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2024-137-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2024-138-0x00000000012F0000-0x00000000012F2000-memory.dmp

Filesize
8KB

Download
memory/2024-140-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2024-141-0x0000000001300000-0x0000000001302000-memory.dmp

Filesize
8KB

Download
memory/2024-142-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2024-145-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2024-146-0x0000000001310000-0x0000000001312000-memory.dmp

Filesize
8KB

Download
memory/2024-149-0x0000000001320000-0x0000000001322000-memory.dmp

Filesize
8KB

Download
memory/2024-148-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2024-150-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2024-154-0x0000000001330000-0x0000000001332000-memory.dmp

Filesize
8KB

Download
memory/2024-153-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2024-157-0x0000000001340000-0x0000000001342000-memory.dmp

Filesize
8KB

Download
memory/2024-156-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2024-158-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2024-162-0x0000000001350000-0x0000000001352000-memory.dmp

Filesize
8KB

Download
memory/2024-161-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2024-164-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/2024-165-0x0000000001360000-0x0000000001362000-memory.dmp

Filesize
8KB

Download
memory/2024-166-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2024-169-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/4360-47-0x0000000010000000-0x0000000010026000-memory.dmp

Filesize
152KB

Download
memory/4360-48-0x0000000001280000-0x0000000001282000-memory.dmp

Filesize
8KB

Download
memory/4664-61-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4664-58-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4664-60-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/5004-104-0x0000000010000000-0x00000000100B2000-memory.dmp

Filesize
712KB

Download
memory/5004-96-0x0000000010000000-0x00000000100B2000-memory.dmp

Filesize
712KB

Download
memory/5004-88-0x0000000010000000-0x00000000100B2000-memory.dmp

Filesize
712KB

Download
memory/5004-79-0x0000000010000000-0x00000000100B2000-memory.dmp

Filesize
712KB

Download
memory/5004-81-0x0000000000B90000-0x0000000000B92000-memory.dmp

Filesize
8KB

Download
memory/5108-70-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5108-63-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download