hiverat | 0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
29-07-2024 15:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
Size

1.8MB
MD5

4e7eb50a75f8bf74751576cdd5381809
SHA1

7e0dfbdd505b9451513b828e4d392e164fe566e9
SHA256

0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c
SHA512

05b9ae0aef714798034ac0c271f5a1ef44221e9b56480f6de3e07d9e94e438bd0ba11ef44c6ff48267d0d9a94ec18355641c67d744d51326c8c7569048b660f3
SSDEEP

49152:d4FrOycrk+0UpzJtKQFHJSm4DO9qSk/kK:scrv0YTKQFHJSmeAHK

Score

10^/10

hiverat warzonerat discovery infostealer rat stealer

Malware Config

Extracted

Family

warzonerat

hive01.duckdns.org:8584

Signatures

HiveRAT
HiveRAT is an improved version of FirebirdRAT with various capabilities.
rat stealer hiverat
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

HiveRAT payload 12 IoCs

resource	yara_rule
behavioral2/memory/1016-69-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/1016-67-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/1016-89-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/1016-100-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/1016-98-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/1016-96-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/1016-81-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/1016-78-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/1016-76-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/1016-74-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/2396-115-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral2/memory/2396-118-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat

Warzone RAT payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/1640-92-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/1640-71-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe

Drops startup file 8 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSbuild.exe	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSbuild.exe	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftExplorer.exe	1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftExplorer.exe	1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSwindows.exe	2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSwindows.exe	2.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DesktopExplorer.exe	3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DesktopExplorer.exe	3.exe

Executes dropped EXE 9 IoCs

pid	Process
408	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
3352	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
5016	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
2732	1.exe
3284	2.exe
1584	3.exe
1016	2.exe
1640	1.exe
2396	3.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3812 set thread context of 5016	3812	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe	89
PID 3284 set thread context of 1016	3284	2.exe	98
PID 2732 set thread context of 1640	2732	1.exe	99
PID 1584 set thread context of 2396	1584	3.exe	100

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3008	2396	WerFault.exe	100

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3812	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
3812	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
3812	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
3812	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
3812	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
3812	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
3812	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
3812	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
3812	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
3812	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
3812	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
3812	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
3812	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
3812	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
3812	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
3812	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
3812	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
3812	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
3812	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
3812	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
3812	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
3812	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
3812	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
3812	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
3812	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
3812	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
3812	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
3812	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
3812	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
3812	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
3812	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
3812	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
3812	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
3812	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
3812	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
3812	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
3812	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
3812	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
3812	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
3812	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
3812	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
2732	1.exe
2732	1.exe
2732	1.exe
3284	2.exe
3284	2.exe
3284	2.exe
1584	3.exe
1584	3.exe
1584	3.exe
2732	1.exe
2732	1.exe
2732	1.exe
2732	1.exe
2732	1.exe
2732	1.exe
2732	1.exe
2732	1.exe
3284	2.exe
3284	2.exe
3284	2.exe
3284	2.exe
3284	2.exe
3284	2.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1016	2.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3812	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
Token: SeDebugPrivilege	2732	1.exe
Token: SeDebugPrivilege	3284	2.exe
Token: SeDebugPrivilege	1584	3.exe
Token: SeDebugPrivilege	1016	2.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 3812 wrote to memory of 408	3812	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe	87
PID 3812 wrote to memory of 408	3812	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe	87
PID 3812 wrote to memory of 408	3812	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe	87
PID 3812 wrote to memory of 3352	3812	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe	88
PID 3812 wrote to memory of 3352	3812	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe	88
PID 3812 wrote to memory of 3352	3812	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe	88
PID 3812 wrote to memory of 5016	3812	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe	89
PID 3812 wrote to memory of 5016	3812	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe	89
PID 3812 wrote to memory of 5016	3812	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe	89
PID 3812 wrote to memory of 5016	3812	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe	89
PID 3812 wrote to memory of 5016	3812	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe	89
PID 3812 wrote to memory of 5016	3812	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe	89
PID 3812 wrote to memory of 5016	3812	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe	89
PID 3812 wrote to memory of 5016	3812	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe	89
PID 5016 wrote to memory of 2732	5016	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe	92
PID 5016 wrote to memory of 2732	5016	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe	92
PID 5016 wrote to memory of 2732	5016	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe	92
PID 5016 wrote to memory of 3284	5016	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe	93
PID 5016 wrote to memory of 3284	5016	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe	93
PID 5016 wrote to memory of 3284	5016	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe	93
PID 5016 wrote to memory of 1584	5016	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe	94
PID 5016 wrote to memory of 1584	5016	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe	94
PID 5016 wrote to memory of 1584	5016	4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe	94
PID 3284 wrote to memory of 1016	3284	2.exe	98
PID 3284 wrote to memory of 1016	3284	2.exe	98
PID 3284 wrote to memory of 1016	3284	2.exe	98
PID 3284 wrote to memory of 1016	3284	2.exe	98
PID 3284 wrote to memory of 1016	3284	2.exe	98
PID 3284 wrote to memory of 1016	3284	2.exe	98
PID 3284 wrote to memory of 1016	3284	2.exe	98
PID 3284 wrote to memory of 1016	3284	2.exe	98
PID 3284 wrote to memory of 1016	3284	2.exe	98
PID 2732 wrote to memory of 1640	2732	1.exe	99
PID 2732 wrote to memory of 1640	2732	1.exe	99
PID 2732 wrote to memory of 1640	2732	1.exe	99
PID 2732 wrote to memory of 1640	2732	1.exe	99
PID 2732 wrote to memory of 1640	2732	1.exe	99
PID 2732 wrote to memory of 1640	2732	1.exe	99
PID 2732 wrote to memory of 1640	2732	1.exe	99
PID 2732 wrote to memory of 1640	2732	1.exe	99
PID 2732 wrote to memory of 1640	2732	1.exe	99
PID 2732 wrote to memory of 1640	2732	1.exe	99
PID 2732 wrote to memory of 1640	2732	1.exe	99
PID 1584 wrote to memory of 2396	1584	3.exe	100
PID 1584 wrote to memory of 2396	1584	3.exe	100
PID 1584 wrote to memory of 2396	1584	3.exe	100
PID 1584 wrote to memory of 2396	1584	3.exe	100
PID 1584 wrote to memory of 2396	1584	3.exe	100
PID 1584 wrote to memory of 2396	1584	3.exe	100
PID 1584 wrote to memory of 2396	1584	3.exe	100
PID 1584 wrote to memory of 2396	1584	3.exe	100
PID 1584 wrote to memory of 2396	1584	3.exe	100

C:\Users\Admin\AppData\Local\Temp\4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3812
- C:\Users\Admin\AppData\Local\Temp\4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  PID:408
- C:\Users\Admin\AppData\Local\Temp\4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  PID:3352
- C:\Users\Admin\AppData\Local\Temp\4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5016
- - C:\Users\Admin\AppData\Roaming\1.exe
    "C:\Users\Admin\AppData\Roaming\1.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Users\Admin\AppData\Roaming\1.exe
      "C:\Users\Admin\AppData\Roaming\1.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1640
- - C:\Users\Admin\AppData\Roaming\2.exe
    "C:\Users\Admin\AppData\Roaming\2.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3284
  - - C:\Users\Admin\AppData\Roaming\2.exe
      "C:\Users\Admin\AppData\Roaming\2.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:1016
- - C:\Users\Admin\AppData\Roaming\3.exe
    "C:\Users\Admin\AppData\Roaming\3.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1584
  - - C:\Users\Admin\AppData\Roaming\3.exe
      "C:\Users\Admin\AppData\Roaming\3.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2396
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 764
        5⤵
        Program crash
        
        PID:3008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2396 -ip 2396
1⤵
PID:4340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\4e7eb50a75f8bf74751576cdd5381809_JaffaCakes118.exe

Filesize
1.8MB

MD5
4e7eb50a75f8bf74751576cdd5381809

SHA1
7e0dfbdd505b9451513b828e4d392e164fe566e9

SHA256
0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c

SHA512
05b9ae0aef714798034ac0c271f5a1ef44221e9b56480f6de3e07d9e94e438bd0ba11ef44c6ff48267d0d9a94ec18355641c67d744d51326c8c7569048b660f3

Download Submit
C:\Users\Admin\AppData\Roaming\1.exe

Filesize
393KB

MD5
ea33ef88c0e9cf45dcd70dc971c46e02

SHA1
68bad4331a4f108a7ced1dfe0e87a63fc5ded774

SHA256
6b0c966be8f3ebf3faf33582428a16b669d7571125108c7bbd8308882c55d709

SHA512
37c8c9404bedf6e032b1de937641b70586ad51a5a4e95fb08798a472bff5f3766123b98e4059d08f2608932d860325ab111e093276b1c71a9286b7e5d8211998

Download Submit
C:\Users\Admin\AppData\Roaming\2.exe

Filesize
585KB

MD5
bf400de7c5e0fb5fe483cb09c0ccb745

SHA1
46199385eb5aeccd6638d77a980c780344ac8ace

SHA256
fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc

SHA512
255c6fd43bd6e8954fec5e37b9c4aef9b210728073173ac51bc5ffaa6cb3cddab32d854c027ed7c0ff3e3d311e5b8e3c5a3ed3e1e08e8ccd60449485ec9bc93d

Download Submit
C:\Users\Admin\AppData\Roaming\3.exe

Filesize
584KB

MD5
d21695b6d9bdd7ed0e35a0c70ce38205

SHA1
33522e95507f48e68a981b1097bcbe0354e31c1a

SHA256
15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c

SHA512
0550e12024173c5a369ca28f20042756d2a5a83025e8fe22e89d5f5712232741ba5c090ea53406a20372b6666a98aa23eb896e3cfb61797401b7591b9c587a5f

Download Submit
memory/1016-98-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1016-114-0x00000000053F0000-0x0000000005456000-memory.dmp

Filesize
408KB

Download
memory/1016-76-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1016-81-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1016-69-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1016-96-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1016-74-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1016-100-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1016-78-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1016-67-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1016-89-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1584-57-0x0000000000360000-0x00000000003F8000-memory.dmp

Filesize
608KB

Download
memory/1584-60-0x0000000004EF0000-0x0000000004F82000-memory.dmp

Filesize
584KB

Download
memory/1640-92-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/1640-71-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2396-115-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2396-118-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2732-113-0x0000000074AA0000-0x0000000075250000-memory.dmp

Filesize
7.7MB

Download
memory/2732-58-0x0000000004EF0000-0x0000000004F52000-memory.dmp

Filesize
392KB

Download
memory/2732-54-0x0000000000390000-0x00000000003F8000-memory.dmp

Filesize
416KB

Download
memory/2732-53-0x0000000074AA0000-0x0000000075250000-memory.dmp

Filesize
7.7MB

Download
memory/3284-59-0x0000000005150000-0x00000000051E2000-memory.dmp

Filesize
584KB

Download
memory/3284-56-0x00000000004F0000-0x0000000000588000-memory.dmp

Filesize
608KB

Download
memory/3812-4-0x0000000005430000-0x000000000543A000-memory.dmp

Filesize
40KB

Download
memory/3812-3-0x0000000005450000-0x00000000054E2000-memory.dmp

Filesize
584KB

Download
memory/3812-6-0x0000000005F10000-0x00000000060E0000-memory.dmp

Filesize
1.8MB

Download
memory/3812-2-0x0000000005960000-0x0000000005F04000-memory.dmp

Filesize
5.6MB

Download
memory/3812-1-0x0000000000890000-0x0000000000A66000-memory.dmp

Filesize
1.8MB

Download
memory/3812-0-0x0000000074AAE000-0x0000000074AAF000-memory.dmp

Filesize
4KB

Download
memory/3812-5-0x0000000074AA0000-0x0000000075250000-memory.dmp

Filesize
7.7MB

Download
memory/3812-9-0x0000000074AA0000-0x0000000075250000-memory.dmp

Filesize
7.7MB

Download
memory/3812-19-0x0000000074AA0000-0x0000000075250000-memory.dmp

Filesize
7.7MB

Download
memory/3812-7-0x00000000057D0000-0x000000000586C000-memory.dmp

Filesize
624KB

Download
memory/5016-13-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/5016-55-0x0000000074AA0000-0x0000000075250000-memory.dmp

Filesize
7.7MB

Download
memory/5016-17-0x0000000001440000-0x0000000001448000-memory.dmp

Filesize
32KB

Download
memory/5016-16-0x0000000074AA0000-0x0000000075250000-memory.dmp

Filesize
7.7MB

Download