431bcbcc1b02b884a673b40b10d1c4351bdcc2f8acb5f16c85e032c7d618625f

Analysis

max time kernel
152s
max time network
167s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04/10/2022, 02:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

431bcbcc1b02b884a673b40b10d1c4351bdcc2f8acb5f16c85e032c7d618625f.exe
Size

290KB
MD5

371b32e34527604a1694fb37e2caa130
SHA1

65d7abecdd1c1f167801fcf6d0dd6d4d70141972
SHA256

431bcbcc1b02b884a673b40b10d1c4351bdcc2f8acb5f16c85e032c7d618625f
SHA512

e9b1c4d69c602b7be4b817e182c2f9f6f8c8a2227bfc2cd906fa3666a750b4fd6559016f9b4bc30533cc5b73f6369fe81e634941db06b9e61b84e97b467749ad
SSDEEP

6144:MemRlZB1SrW7cX22lMmDTxX8PMM7qJ3Ys/UCJXFIym4OZ0FSbGq:MzRHeW7cX/i+Td2MMl8X1lOZYS

Score

8^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
960	ofys.exe

Deletes itself 1 IoCs

pid	Process
1068	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1632	431bcbcc1b02b884a673b40b10d1c4351bdcc2f8acb5f16c85e032c7d618625f.exe
1632	431bcbcc1b02b884a673b40b10d1c4351bdcc2f8acb5f16c85e032c7d618625f.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\Currentversion\Run	ofys.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\Currentversion\Run	ofys.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Akfeev = "C:\\Users\\Admin\\AppData\\Roaming\\Gyacit\\ofys.exe"	ofys.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1632 set thread context of 1068	1632	431bcbcc1b02b884a673b40b10d1c4351bdcc2f8acb5f16c85e032c7d618625f.exe	29

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Privacy	431bcbcc1b02b884a673b40b10d1c4351bdcc2f8acb5f16c85e032c7d618625f.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	431bcbcc1b02b884a673b40b10d1c4351bdcc2f8acb5f16c85e032c7d618625f.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\30C21C64-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
960	ofys.exe
960	ofys.exe
960	ofys.exe
960	ofys.exe
960	ofys.exe
960	ofys.exe
960	ofys.exe
960	ofys.exe
960	ofys.exe
960	ofys.exe
960	ofys.exe
960	ofys.exe
960	ofys.exe
960	ofys.exe
960	ofys.exe
960	ofys.exe
960	ofys.exe
960	ofys.exe
960	ofys.exe
960	ofys.exe
960	ofys.exe
960	ofys.exe
960	ofys.exe
960	ofys.exe
960	ofys.exe
960	ofys.exe
960	ofys.exe
960	ofys.exe
960	ofys.exe
960	ofys.exe
960	ofys.exe
960	ofys.exe
960	ofys.exe
960	ofys.exe
960	ofys.exe
960	ofys.exe
960	ofys.exe
960	ofys.exe
960	ofys.exe
960	ofys.exe
960	ofys.exe
960	ofys.exe
960	ofys.exe
960	ofys.exe
960	ofys.exe
960	ofys.exe
960	ofys.exe
960	ofys.exe
960	ofys.exe
960	ofys.exe
960	ofys.exe
960	ofys.exe
960	ofys.exe
960	ofys.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1632	431bcbcc1b02b884a673b40b10d1c4351bdcc2f8acb5f16c85e032c7d618625f.exe
Token: SeSecurityPrivilege	1632	431bcbcc1b02b884a673b40b10d1c4351bdcc2f8acb5f16c85e032c7d618625f.exe
Token: SeSecurityPrivilege	1632	431bcbcc1b02b884a673b40b10d1c4351bdcc2f8acb5f16c85e032c7d618625f.exe
Token: SeSecurityPrivilege	1632	431bcbcc1b02b884a673b40b10d1c4351bdcc2f8acb5f16c85e032c7d618625f.exe
Token: SeSecurityPrivilege	1632	431bcbcc1b02b884a673b40b10d1c4351bdcc2f8acb5f16c85e032c7d618625f.exe
Token: SeSecurityPrivilege	1632	431bcbcc1b02b884a673b40b10d1c4351bdcc2f8acb5f16c85e032c7d618625f.exe
Token: SeSecurityPrivilege	1632	431bcbcc1b02b884a673b40b10d1c4351bdcc2f8acb5f16c85e032c7d618625f.exe
Token: SeSecurityPrivilege	1632	431bcbcc1b02b884a673b40b10d1c4351bdcc2f8acb5f16c85e032c7d618625f.exe
Token: SeSecurityPrivilege	1632	431bcbcc1b02b884a673b40b10d1c4351bdcc2f8acb5f16c85e032c7d618625f.exe
Token: SeSecurityPrivilege	1632	431bcbcc1b02b884a673b40b10d1c4351bdcc2f8acb5f16c85e032c7d618625f.exe
Token: SeSecurityPrivilege	1068	cmd.exe
Token: SeSecurityPrivilege	1068	cmd.exe
Token: SeSecurityPrivilege	1068	cmd.exe
Token: SeSecurityPrivilege	1068	cmd.exe
Token: SeSecurityPrivilege	1068	cmd.exe
Token: SeManageVolumePrivilege	1508	WinMail.exe
Token: SeSecurityPrivilege	1068	cmd.exe
Token: SeSecurityPrivilege	1068	cmd.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1508	WinMail.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1508	WinMail.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1508	WinMail.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1632	431bcbcc1b02b884a673b40b10d1c4351bdcc2f8acb5f16c85e032c7d618625f.exe
960	ofys.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 960	1632	431bcbcc1b02b884a673b40b10d1c4351bdcc2f8acb5f16c85e032c7d618625f.exe	28
PID 1632 wrote to memory of 960	1632	431bcbcc1b02b884a673b40b10d1c4351bdcc2f8acb5f16c85e032c7d618625f.exe	28
PID 1632 wrote to memory of 960	1632	431bcbcc1b02b884a673b40b10d1c4351bdcc2f8acb5f16c85e032c7d618625f.exe	28
PID 1632 wrote to memory of 960	1632	431bcbcc1b02b884a673b40b10d1c4351bdcc2f8acb5f16c85e032c7d618625f.exe	28
PID 960 wrote to memory of 1128	960	ofys.exe	20
PID 960 wrote to memory of 1128	960	ofys.exe	20
PID 960 wrote to memory of 1128	960	ofys.exe	20
PID 960 wrote to memory of 1128	960	ofys.exe	20
PID 960 wrote to memory of 1128	960	ofys.exe	20
PID 960 wrote to memory of 1188	960	ofys.exe	11
PID 960 wrote to memory of 1188	960	ofys.exe	11
PID 960 wrote to memory of 1188	960	ofys.exe	11
PID 960 wrote to memory of 1188	960	ofys.exe	11
PID 960 wrote to memory of 1188	960	ofys.exe	11
PID 960 wrote to memory of 1216	960	ofys.exe	19
PID 960 wrote to memory of 1216	960	ofys.exe	19
PID 960 wrote to memory of 1216	960	ofys.exe	19
PID 960 wrote to memory of 1216	960	ofys.exe	19
PID 960 wrote to memory of 1216	960	ofys.exe	19
PID 960 wrote to memory of 1632	960	ofys.exe	14
PID 960 wrote to memory of 1632	960	ofys.exe	14
PID 960 wrote to memory of 1632	960	ofys.exe	14
PID 960 wrote to memory of 1632	960	ofys.exe	14
PID 960 wrote to memory of 1632	960	ofys.exe	14
PID 1632 wrote to memory of 1068	1632	431bcbcc1b02b884a673b40b10d1c4351bdcc2f8acb5f16c85e032c7d618625f.exe	29
PID 1632 wrote to memory of 1068	1632	431bcbcc1b02b884a673b40b10d1c4351bdcc2f8acb5f16c85e032c7d618625f.exe	29
PID 1632 wrote to memory of 1068	1632	431bcbcc1b02b884a673b40b10d1c4351bdcc2f8acb5f16c85e032c7d618625f.exe	29
PID 1632 wrote to memory of 1068	1632	431bcbcc1b02b884a673b40b10d1c4351bdcc2f8acb5f16c85e032c7d618625f.exe	29
PID 1632 wrote to memory of 1068	1632	431bcbcc1b02b884a673b40b10d1c4351bdcc2f8acb5f16c85e032c7d618625f.exe	29
PID 1632 wrote to memory of 1068	1632	431bcbcc1b02b884a673b40b10d1c4351bdcc2f8acb5f16c85e032c7d618625f.exe	29
PID 1632 wrote to memory of 1068	1632	431bcbcc1b02b884a673b40b10d1c4351bdcc2f8acb5f16c85e032c7d618625f.exe	29
PID 1632 wrote to memory of 1068	1632	431bcbcc1b02b884a673b40b10d1c4351bdcc2f8acb5f16c85e032c7d618625f.exe	29
PID 1632 wrote to memory of 1068	1632	431bcbcc1b02b884a673b40b10d1c4351bdcc2f8acb5f16c85e032c7d618625f.exe	29
PID 960 wrote to memory of 1688	960	ofys.exe	30
PID 960 wrote to memory of 1688	960	ofys.exe	30
PID 960 wrote to memory of 1688	960	ofys.exe	30
PID 960 wrote to memory of 1688	960	ofys.exe	30
PID 960 wrote to memory of 1688	960	ofys.exe	30
PID 960 wrote to memory of 1592	960	ofys.exe	31
PID 960 wrote to memory of 1592	960	ofys.exe	31
PID 960 wrote to memory of 1592	960	ofys.exe	31
PID 960 wrote to memory of 1592	960	ofys.exe	31
PID 960 wrote to memory of 1592	960	ofys.exe	31
PID 960 wrote to memory of 1508	960	ofys.exe	32
PID 960 wrote to memory of 1508	960	ofys.exe	32
PID 960 wrote to memory of 1508	960	ofys.exe	32
PID 960 wrote to memory of 1508	960	ofys.exe	32
PID 960 wrote to memory of 1508	960	ofys.exe	32
PID 960 wrote to memory of 1616	960	ofys.exe	33
PID 960 wrote to memory of 1616	960	ofys.exe	33
PID 960 wrote to memory of 1616	960	ofys.exe	33
PID 960 wrote to memory of 1616	960	ofys.exe	33
PID 960 wrote to memory of 1616	960	ofys.exe	33
PID 960 wrote to memory of 1032	960	ofys.exe	34
PID 960 wrote to memory of 1032	960	ofys.exe	34
PID 960 wrote to memory of 1032	960	ofys.exe	34
PID 960 wrote to memory of 1032	960	ofys.exe	34
PID 960 wrote to memory of 1032	960	ofys.exe	34
PID 960 wrote to memory of 2044	960	ofys.exe	35
PID 960 wrote to memory of 2044	960	ofys.exe	35
PID 960 wrote to memory of 2044	960	ofys.exe	35
PID 960 wrote to memory of 2044	960	ofys.exe	35
PID 960 wrote to memory of 2044	960	ofys.exe	35
PID 960 wrote to memory of 268	960	ofys.exe	36

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1188

C:\Users\Admin\AppData\Local\Temp\431bcbcc1b02b884a673b40b10d1c4351bdcc2f8acb5f16c85e032c7d618625f.exe
"C:\Users\Admin\AppData\Local\Temp\431bcbcc1b02b884a673b40b10d1c4351bdcc2f8acb5f16c85e032c7d618625f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Users\Admin\AppData\Roaming\Gyacit\ofys.exe
  "C:\Users\Admin\AppData\Roaming\Gyacit\ofys.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:960
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpae0957ca.bat"
  2⤵
  - Deletes itself
  - Suspicious use of AdjustPrivilegeToken
  PID:1068

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1216

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1128

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1688

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "816473285-1320602459-13629735751492792338-1269228612-794440937-1358572783746251807"
1⤵
PID:1592

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1508

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1616

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1032

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2044

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:268

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpae0957ca.bat

Filesize
307B

MD5
e433d69b9c88d292b92a7a38e2570f36

SHA1
3d27f56a8c29faef2e9a0fb9c934188797cb0d9a

SHA256
94948d7b36f0c06ba19932f207d31dc485701c571d5e9de5354085815ede8ca6

SHA512
eab0dfad5860ed9d821d54ba5e215f6d2c26679a56b5a696f37de740977d004538357c1cd86bd2891ab4b20d5b708741c75c1162fcde65a9396f0de3eb9e454e

Download Submit
C:\Users\Admin\AppData\Roaming\Gyacit\ofys.exe

Filesize
290KB

MD5
7531d30df02290f426e962fcb880b63d

SHA1
a75f16be3340bceda5e36cb4c31553a25e471d53

SHA256
c9f41dbcd8c43a5b5bc60a8a0822ade5b9828a992e7b004acbb08e44e5d9ad33

SHA512
0aff013a4f98f3207fa80846cb8d0177a5b2bed28d9f956a1a0fb07ba415942c9e75ee81ac5148edc073caa2232426c9a21b73f45102697890f15b5f33da6636

Download Submit
C:\Users\Admin\AppData\Roaming\Gyacit\ofys.exe

Filesize
290KB

MD5
7531d30df02290f426e962fcb880b63d

SHA1
a75f16be3340bceda5e36cb4c31553a25e471d53

SHA256
c9f41dbcd8c43a5b5bc60a8a0822ade5b9828a992e7b004acbb08e44e5d9ad33

SHA512
0aff013a4f98f3207fa80846cb8d0177a5b2bed28d9f956a1a0fb07ba415942c9e75ee81ac5148edc073caa2232426c9a21b73f45102697890f15b5f33da6636

Download Submit
C:\Users\Admin\AppData\Roaming\Uturyg\pawy.efy

Filesize
4KB

MD5
e8391743fef8e604541888b74484bafc

SHA1
9fb7612c25f1a9a483f1778d92890eef010c7907

SHA256
c073a7340ce6847721b160150eb0c5571f7990566638079635df2619acb7e0ea

SHA512
e9978351ae6b804ab707e06753bcaf950b74a31167da7b52dfa906ba9587edf7788118df9b282414ead5256d530180d240b2067af3c8ee1e6ab9078b3ab4eacd

Download Submit
C:\Users\Admin\AppData\Roaming\Uturyg\pawy.efy

Filesize
4KB

MD5
1a181cc120caead8cfcb54291be10a59

SHA1
516bf62e2ee1b8cba0b1451285f9145ad4f93015

SHA256
ec08aa7c252e13048501fc120d3d46b4605f8424121ba13774189faa26038a71

SHA512
d6415e7ccd3e017b62f579cb32f955887fb2ae34ddc603cd1522eab8a1ce90c1e86222340c9c77f1b321f6670b27c66cda6242067e5cc2d44230b72b59bf3220

Download Submit
\Users\Admin\AppData\Roaming\Gyacit\ofys.exe

Filesize
290KB

MD5
7531d30df02290f426e962fcb880b63d

SHA1
a75f16be3340bceda5e36cb4c31553a25e471d53

SHA256
c9f41dbcd8c43a5b5bc60a8a0822ade5b9828a992e7b004acbb08e44e5d9ad33

SHA512
0aff013a4f98f3207fa80846cb8d0177a5b2bed28d9f956a1a0fb07ba415942c9e75ee81ac5148edc073caa2232426c9a21b73f45102697890f15b5f33da6636

Download Submit
\Users\Admin\AppData\Roaming\Gyacit\ofys.exe

Filesize
290KB

MD5
7531d30df02290f426e962fcb880b63d

SHA1
a75f16be3340bceda5e36cb4c31553a25e471d53

SHA256
c9f41dbcd8c43a5b5bc60a8a0822ade5b9828a992e7b004acbb08e44e5d9ad33

SHA512
0aff013a4f98f3207fa80846cb8d0177a5b2bed28d9f956a1a0fb07ba415942c9e75ee81ac5148edc073caa2232426c9a21b73f45102697890f15b5f33da6636

Download Submit
memory/960-90-0x00000000002F0000-0x000000000032D000-memory.dmp

Filesize
244KB

Download
memory/960-63-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/960-387-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/960-91-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1068-354-0x0000000000050000-0x000000000008C000-memory.dmp

Filesize
240KB

Download
memory/1068-394-0x0000000000050000-0x000000000008C000-memory.dmp

Filesize
240KB

Download
memory/1128-70-0x0000000001D50000-0x0000000001D8C000-memory.dmp

Filesize
240KB

Download
memory/1128-65-0x0000000001D50000-0x0000000001D8C000-memory.dmp

Filesize
240KB

Download
memory/1128-67-0x0000000001D50000-0x0000000001D8C000-memory.dmp

Filesize
240KB

Download
memory/1128-68-0x0000000001D50000-0x0000000001D8C000-memory.dmp

Filesize
240KB

Download
memory/1128-69-0x0000000001D50000-0x0000000001D8C000-memory.dmp

Filesize
240KB

Download
memory/1188-76-0x0000000000130000-0x000000000016C000-memory.dmp

Filesize
240KB

Download
memory/1188-74-0x0000000000130000-0x000000000016C000-memory.dmp

Filesize
240KB

Download
memory/1188-73-0x0000000000130000-0x000000000016C000-memory.dmp

Filesize
240KB

Download
memory/1188-75-0x0000000000130000-0x000000000016C000-memory.dmp

Filesize
240KB

Download
memory/1216-79-0x0000000002A90000-0x0000000002ACC000-memory.dmp

Filesize
240KB

Download
memory/1216-80-0x0000000002A90000-0x0000000002ACC000-memory.dmp

Filesize
240KB

Download
memory/1216-81-0x0000000002A90000-0x0000000002ACC000-memory.dmp

Filesize
240KB

Download
memory/1216-82-0x0000000002A90000-0x0000000002ACC000-memory.dmp

Filesize
240KB

Download
memory/1632-105-0x0000000001E00000-0x0000000001E3C000-memory.dmp

Filesize
240KB

Download
memory/1632-117-0x0000000001E00000-0x0000000001E3C000-memory.dmp

Filesize
240KB

Download
memory/1632-89-0x0000000001E00000-0x0000000001E3C000-memory.dmp

Filesize
240KB

Download
memory/1632-95-0x0000000001E00000-0x0000000001E3C000-memory.dmp

Filesize
240KB

Download
memory/1632-97-0x0000000001E00000-0x0000000001E3C000-memory.dmp

Filesize
240KB

Download
memory/1632-99-0x0000000001E00000-0x0000000001E3C000-memory.dmp

Filesize
240KB

Download
memory/1632-101-0x0000000001E00000-0x0000000001E3C000-memory.dmp

Filesize
240KB

Download
memory/1632-103-0x0000000001E00000-0x0000000001E3C000-memory.dmp

Filesize
240KB

Download
memory/1632-54-0x0000000076091000-0x0000000076093000-memory.dmp

Filesize
8KB

Download
memory/1632-107-0x0000000001E00000-0x0000000001E3C000-memory.dmp

Filesize
240KB

Download
memory/1632-109-0x0000000001E00000-0x0000000001E3C000-memory.dmp

Filesize
240KB

Download
memory/1632-111-0x0000000001E00000-0x0000000001E3C000-memory.dmp

Filesize
240KB

Download
memory/1632-113-0x0000000001E00000-0x0000000001E3C000-memory.dmp

Filesize
240KB

Download
memory/1632-115-0x0000000001E00000-0x0000000001E3C000-memory.dmp

Filesize
240KB

Download
memory/1632-119-0x0000000001E00000-0x0000000001E3C000-memory.dmp

Filesize
240KB

Download
memory/1632-93-0x0000000001E00000-0x0000000001E3C000-memory.dmp

Filesize
240KB

Download
memory/1632-121-0x0000000001E00000-0x0000000001E3C000-memory.dmp

Filesize
240KB

Download
memory/1632-123-0x0000000001E00000-0x0000000001E3C000-memory.dmp

Filesize
240KB

Download
memory/1632-125-0x0000000001E00000-0x0000000001E3C000-memory.dmp

Filesize
240KB

Download
memory/1632-215-0x0000000001E00000-0x0000000001E3C000-memory.dmp

Filesize
240KB

Download
memory/1632-216-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1632-88-0x0000000001E00000-0x0000000001E3C000-memory.dmp

Filesize
240KB

Download
memory/1632-87-0x0000000001E00000-0x0000000001E3C000-memory.dmp

Filesize
240KB

Download
memory/1632-228-0x0000000001E00000-0x0000000001E3C000-memory.dmp

Filesize
240KB

Download
memory/1632-227-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1632-86-0x0000000001E00000-0x0000000001E3C000-memory.dmp

Filesize
240KB

Download
memory/1632-85-0x0000000001E00000-0x0000000001E3C000-memory.dmp

Filesize
240KB

Download
memory/1632-57-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1632-56-0x0000000000260000-0x000000000029D000-memory.dmp

Filesize
244KB

Download
memory/1632-55-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download