bd0ba0d181c0f8133810ecc1673a2565c0d55a2d89cd521a4bfceefaac0ea7cd

Analysis

max time kernel
170s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2022 04:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd0ba0d181c0f8133810ecc1673a2565c0d55a2d89cd521a4bfceefaac0ea7cd.exe
Size

421KB
MD5

6ce914cb46582678ffdf4eaba9c7fb54
SHA1

cddd8251dd51ffbc7b08f61fab1ab2f194dfb254
SHA256

bd0ba0d181c0f8133810ecc1673a2565c0d55a2d89cd521a4bfceefaac0ea7cd
SHA512

4e259a9c8bfdcd0f1a6e54afa53d3063e6218b2e37f3bead325c705a1b2335e5910ee8d49e746dbcca98b8ce4233e32b633368783d8dc61f20c1b09838f8c40a
SSDEEP

12288:ZqmpplpGoGL3etQoMiXM8gxf/Sj4yF5RkVYe99od:Z563ey8gZqj4yFIPy

Score

10^/10

aspackv2 persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe"	lncom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe"	services.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0009000000022e2e-144.dat	aspack_v212_v242

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	lncom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe"	lncom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe"	services.exe

Executes dropped EXE 3 IoCs

pid	Process
1664	lncom.exe
3724	fservice.exe
2900	services.exe

Modifies Installed Components in the registry 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}	lncom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\	lncom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe"	lncom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe"	services.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000c000000022e11-133.dat	upx
behavioral2/files/0x000c000000022e11-134.dat	upx
behavioral2/files/0x0008000000022e27-138.dat	upx
behavioral2/files/0x0008000000022e27-139.dat	upx
behavioral2/files/0x0008000000022e2e-140.dat	upx
behavioral2/files/0x0007000000022e2f-142.dat	upx
behavioral2/files/0x0007000000022e2f-143.dat	upx
behavioral2/memory/1664-145-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral2/memory/3724-146-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral2/memory/2900-147-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral2/memory/3724-159-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral2/memory/1664-161-0x0000000000400000-0x00000000005FC000-memory.dmp	upx
behavioral2/memory/2900-163-0x0000000000400000-0x00000000005FC000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	bd0ba0d181c0f8133810ecc1673a2565c0d55a2d89cd521a4bfceefaac0ea7cd.exe

Loads dropped DLL 5 IoCs

pid	Process
2900	services.exe
2900	services.exe
2900	services.exe
3724	fservice.exe
1664	lncom.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	lncom.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\reginv.dll	services.exe
File created	C:\Windows\SysWOW64\lncom.exe.bat	lncom.exe
File created	C:\Windows\SysWOW64\lncom.exe	bd0ba0d181c0f8133810ecc1673a2565c0d55a2d89cd521a4bfceefaac0ea7cd.exe
File created	C:\Windows\SysWOW64\lncom_.jpg	bd0ba0d181c0f8133810ecc1673a2565c0d55a2d89cd521a4bfceefaac0ea7cd.exe
File created	C:\Windows\SysWOW64\fservice.exe	fservice.exe
File created	C:\Windows\SysWOW64\winkey.dll	services.exe
File created	C:\Windows\SysWOW64\fservice.exe	services.exe
File created	C:\Windows\SysWOW64\fservice.exe	lncom.exe
File opened for modification	C:\Windows\SysWOW64\fservice.exe	lncom.exe
File opened for modification	C:\Windows\SysWOW64\fservice.exe	fservice.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\system\sservice.exe	services.exe
File created	C:\Windows\system\sservice.exe	lncom.exe
File opened for modification	C:\Windows\system\sservice.exe	lncom.exe
File created	C:\Windows\services.exe	fservice.exe
File opened for modification	C:\Windows\services.exe	fservice.exe
File created	C:\Windows\system\sservice.exe	fservice.exe
File opened for modification	C:\Windows\system\sservice.exe	fservice.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe
2900	services.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2900	services.exe
2900	services.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 1664	1920	bd0ba0d181c0f8133810ecc1673a2565c0d55a2d89cd521a4bfceefaac0ea7cd.exe	81
PID 1920 wrote to memory of 1664	1920	bd0ba0d181c0f8133810ecc1673a2565c0d55a2d89cd521a4bfceefaac0ea7cd.exe	81
PID 1920 wrote to memory of 1664	1920	bd0ba0d181c0f8133810ecc1673a2565c0d55a2d89cd521a4bfceefaac0ea7cd.exe	81
PID 1920 wrote to memory of 1132	1920	bd0ba0d181c0f8133810ecc1673a2565c0d55a2d89cd521a4bfceefaac0ea7cd.exe	82
PID 1920 wrote to memory of 1132	1920	bd0ba0d181c0f8133810ecc1673a2565c0d55a2d89cd521a4bfceefaac0ea7cd.exe	82
PID 1920 wrote to memory of 1132	1920	bd0ba0d181c0f8133810ecc1673a2565c0d55a2d89cd521a4bfceefaac0ea7cd.exe	82
PID 1664 wrote to memory of 3724	1664	lncom.exe	84
PID 1664 wrote to memory of 3724	1664	lncom.exe	84
PID 1664 wrote to memory of 3724	1664	lncom.exe	84
PID 3724 wrote to memory of 2900	3724	fservice.exe	85
PID 3724 wrote to memory of 2900	3724	fservice.exe	85
PID 3724 wrote to memory of 2900	3724	fservice.exe	85
PID 2900 wrote to memory of 4880	2900	services.exe	89
PID 2900 wrote to memory of 4880	2900	services.exe	89
PID 2900 wrote to memory of 4880	2900	services.exe	89
PID 2900 wrote to memory of 4892	2900	services.exe	86
PID 2900 wrote to memory of 4892	2900	services.exe	86
PID 2900 wrote to memory of 4892	2900	services.exe	86
PID 4880 wrote to memory of 1212	4880	NET.exe	91
PID 4880 wrote to memory of 1212	4880	NET.exe	91
PID 4880 wrote to memory of 1212	4880	NET.exe	91
PID 4892 wrote to memory of 4244	4892	NET.exe	90
PID 4892 wrote to memory of 4244	4892	NET.exe	90
PID 4892 wrote to memory of 4244	4892	NET.exe	90
PID 1664 wrote to memory of 1980	1664	lncom.exe	92
PID 1664 wrote to memory of 1980	1664	lncom.exe	92
PID 1664 wrote to memory of 1980	1664	lncom.exe	92

C:\Users\Admin\AppData\Local\Temp\bd0ba0d181c0f8133810ecc1673a2565c0d55a2d89cd521a4bfceefaac0ea7cd.exe
"C:\Users\Admin\AppData\Local\Temp\bd0ba0d181c0f8133810ecc1673a2565c0d55a2d89cd521a4bfceefaac0ea7cd.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Windows\SysWOW64\lncom.exe
  "C:\Windows\system32\lncom.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Modifies Installed Components in the registry
  - Loads dropped DLL
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\SysWOW64\fservice.exe
    C:\Windows\system32\fservice.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:3724
  - - C:\Windows\services.exe
      C:\Windows\services.exe -XP
      4⤵
      Modifies WinLogon for persistence
      Adds policy Run key to start application
      Executes dropped EXE
      Modifies Installed Components in the registry
      Loads dropped DLL
      Modifies WinLogon
      Drops file in System32 directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2900
    - - C:\Windows\SysWOW64\NET.exe
        
        NET STOP navapsvc
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4892
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP navapsvc
        6⤵
        
        PID:4244
    - - C:\Windows\SysWOW64\NET.exe
        
        NET STOP srservice
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4880
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 STOP srservice
        6⤵
        
        PID:1212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\lncom.exe.bat
    3⤵
    PID:1980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\BD0BA0~1.EXE.bat
  2⤵
  PID:1132

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BD0BA0~1.EXE.bat

Filesize
133B

MD5
2aacfa89d868e60ca818cdd9d0f4be14

SHA1
03ccf124263d883d09b4784b5524bcc87e8d56cc

SHA256
91e4d3689157a10f06969b157e78aebeea51706c68b0dbe6a291bd20ebe93352

SHA512
96cb990f0c1825b9d4bb1f2e59b24e03074dd2fc387fd6a2836449a879267d228b50dbd87d6ca46ac7a51143d1682db6e661c4252ceb692928170f513f5ce402

Download Submit
C:\Windows\SysWOW64\fservice.exe

Filesize
342KB

MD5
0c92bc50b495f273b4cb77aaa4ee713a

SHA1
08d9b2a91a24c2cd99c864c34e91d66048a1ebd8

SHA256
b1c6c5ccbf49376bfeef34893725b9591c8599c3753e75a831e64dc0c9395d12

SHA512
da37cc1d340651680b2f4b473b7821acb55c3a7aa5c0b94c8d1d9b4ba9d02e58099243f13b741aae3a54a11b9203063c1aca6ecefda8890ff1dc21e2180875ec

Download Submit
C:\Windows\SysWOW64\fservice.exe

Filesize
342KB

MD5
0c92bc50b495f273b4cb77aaa4ee713a

SHA1
08d9b2a91a24c2cd99c864c34e91d66048a1ebd8

SHA256
b1c6c5ccbf49376bfeef34893725b9591c8599c3753e75a831e64dc0c9395d12

SHA512
da37cc1d340651680b2f4b473b7821acb55c3a7aa5c0b94c8d1d9b4ba9d02e58099243f13b741aae3a54a11b9203063c1aca6ecefda8890ff1dc21e2180875ec

Download Submit
C:\Windows\SysWOW64\lncom.exe

Filesize
342KB

MD5
0c92bc50b495f273b4cb77aaa4ee713a

SHA1
08d9b2a91a24c2cd99c864c34e91d66048a1ebd8

SHA256
b1c6c5ccbf49376bfeef34893725b9591c8599c3753e75a831e64dc0c9395d12

SHA512
da37cc1d340651680b2f4b473b7821acb55c3a7aa5c0b94c8d1d9b4ba9d02e58099243f13b741aae3a54a11b9203063c1aca6ecefda8890ff1dc21e2180875ec

Download Submit
C:\Windows\SysWOW64\lncom.exe

Filesize
342KB

MD5
0c92bc50b495f273b4cb77aaa4ee713a

SHA1
08d9b2a91a24c2cd99c864c34e91d66048a1ebd8

SHA256
b1c6c5ccbf49376bfeef34893725b9591c8599c3753e75a831e64dc0c9395d12

SHA512
da37cc1d340651680b2f4b473b7821acb55c3a7aa5c0b94c8d1d9b4ba9d02e58099243f13b741aae3a54a11b9203063c1aca6ecefda8890ff1dc21e2180875ec

Download Submit
C:\Windows\SysWOW64\lncom.exe.bat

Filesize
99B

MD5
1f73e450d92934cd37c041eb3f1ff51f

SHA1
f3e9dece5d6b7d7a0e4966c16ffe31437539d4a0

SHA256
3a57d154715459926a51a9e3925687c0c78ec9c88bc39c303b5b93385d34d67e

SHA512
5f982d614e54870ae3ad212f049ca3685602812c1bb066a5f6155e694adb994d6d1608ca7a25bcab605812c6e7e6b22817aaf0dba9e906787add9b0a8e3f32a5

Download Submit
C:\Windows\SysWOW64\reginv.dll

Filesize
36KB

MD5
562e0d01d6571fa2251a1e9f54c6cc69

SHA1
83677ad3bc630aa6327253c7b3deffbd4a8ce905

SHA256
c5b1d800c86d550c0b68c57c0d9911c1dd21df9e5e37e9e7bc032b5e66fdebe6

SHA512
166e132432eca24061f7e7d0c58c0b286e971ae2bc50f7c890b7707dd5dede19fcd83a5f79b6fd3f93dd691e07ad9bc1bd05fe82ccaade1610282188571585ea

Download Submit
C:\Windows\SysWOW64\reginv.dll

Filesize
36KB

MD5
562e0d01d6571fa2251a1e9f54c6cc69

SHA1
83677ad3bc630aa6327253c7b3deffbd4a8ce905

SHA256
c5b1d800c86d550c0b68c57c0d9911c1dd21df9e5e37e9e7bc032b5e66fdebe6

SHA512
166e132432eca24061f7e7d0c58c0b286e971ae2bc50f7c890b7707dd5dede19fcd83a5f79b6fd3f93dd691e07ad9bc1bd05fe82ccaade1610282188571585ea

Download Submit
C:\Windows\SysWOW64\reginv.dll

Filesize
36KB

MD5
562e0d01d6571fa2251a1e9f54c6cc69

SHA1
83677ad3bc630aa6327253c7b3deffbd4a8ce905

SHA256
c5b1d800c86d550c0b68c57c0d9911c1dd21df9e5e37e9e7bc032b5e66fdebe6

SHA512
166e132432eca24061f7e7d0c58c0b286e971ae2bc50f7c890b7707dd5dede19fcd83a5f79b6fd3f93dd691e07ad9bc1bd05fe82ccaade1610282188571585ea

Download Submit
C:\Windows\SysWOW64\reginv.dll

Filesize
36KB

MD5
562e0d01d6571fa2251a1e9f54c6cc69

SHA1
83677ad3bc630aa6327253c7b3deffbd4a8ce905

SHA256
c5b1d800c86d550c0b68c57c0d9911c1dd21df9e5e37e9e7bc032b5e66fdebe6

SHA512
166e132432eca24061f7e7d0c58c0b286e971ae2bc50f7c890b7707dd5dede19fcd83a5f79b6fd3f93dd691e07ad9bc1bd05fe82ccaade1610282188571585ea

Download Submit
C:\Windows\SysWOW64\reginv.dll

Filesize
36KB

MD5
562e0d01d6571fa2251a1e9f54c6cc69

SHA1
83677ad3bc630aa6327253c7b3deffbd4a8ce905

SHA256
c5b1d800c86d550c0b68c57c0d9911c1dd21df9e5e37e9e7bc032b5e66fdebe6

SHA512
166e132432eca24061f7e7d0c58c0b286e971ae2bc50f7c890b7707dd5dede19fcd83a5f79b6fd3f93dd691e07ad9bc1bd05fe82ccaade1610282188571585ea

Download Submit
C:\Windows\SysWOW64\winkey.dll

Filesize
13KB

MD5
b4c72da9fd1a0dcb0698b7da97daa0cd

SHA1
b25a79e8ea4c723c58caab83aed6ea48de7ed759

SHA256
45d266269634ba2de70f179a26d7224111e677e66b38dff2802851b71ce4458f

SHA512
f5f184416c5381d275bc093c9275e9fdb35c58e2c401d188aef097950013de6e43269da5d4dd5e7baea34735bd7de664d15fe487b2292fd66926c9845b0cd066

Download Submit
C:\Windows\services.exe

Filesize
342KB

MD5
0c92bc50b495f273b4cb77aaa4ee713a

SHA1
08d9b2a91a24c2cd99c864c34e91d66048a1ebd8

SHA256
b1c6c5ccbf49376bfeef34893725b9591c8599c3753e75a831e64dc0c9395d12

SHA512
da37cc1d340651680b2f4b473b7821acb55c3a7aa5c0b94c8d1d9b4ba9d02e58099243f13b741aae3a54a11b9203063c1aca6ecefda8890ff1dc21e2180875ec

Download Submit
C:\Windows\services.exe

Filesize
342KB

MD5
0c92bc50b495f273b4cb77aaa4ee713a

SHA1
08d9b2a91a24c2cd99c864c34e91d66048a1ebd8

SHA256
b1c6c5ccbf49376bfeef34893725b9591c8599c3753e75a831e64dc0c9395d12

SHA512
da37cc1d340651680b2f4b473b7821acb55c3a7aa5c0b94c8d1d9b4ba9d02e58099243f13b741aae3a54a11b9203063c1aca6ecefda8890ff1dc21e2180875ec

Download Submit
C:\Windows\system\sservice.exe

Filesize
342KB

MD5
0c92bc50b495f273b4cb77aaa4ee713a

SHA1
08d9b2a91a24c2cd99c864c34e91d66048a1ebd8

SHA256
b1c6c5ccbf49376bfeef34893725b9591c8599c3753e75a831e64dc0c9395d12

SHA512
da37cc1d340651680b2f4b473b7821acb55c3a7aa5c0b94c8d1d9b4ba9d02e58099243f13b741aae3a54a11b9203063c1aca6ecefda8890ff1dc21e2180875ec

Download Submit
memory/1664-145-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/1664-161-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/2900-147-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/2900-148-0x0000000010000000-0x000000001000B000-memory.dmp

Filesize
44KB

Download
memory/2900-153-0x0000000002D81000-0x0000000002D85000-memory.dmp

Filesize
16KB

Download
memory/2900-163-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/3724-146-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/3724-159-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download