c870025f693df5311e58f7213b426f7ec204e21255a4737723bf5efe24ff72de

Analysis

max time kernel
298s
max time network
272s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
06/12/2022, 04:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c870025f693df5311e58f7213b426f7ec204e21255a4737723bf5efe24ff72de.exe
Size

1.6MB
MD5

61494a835ce331d776c27fc6584930c7
SHA1

b8c85f0cfb217441608e7019f193579e03047082
SHA256

c870025f693df5311e58f7213b426f7ec204e21255a4737723bf5efe24ff72de
SHA512

c605862f9b9264d7333b75091f1f7495459680139f0e44a6db3826ac51091cea83f5a051513c979219029ae694cab073231fea4d3adfed31000dbb7e6a3cd902
SSDEEP

49152:O2Jd3BBHWSCVaUMmKaEahivTVLW2Rx0fC+jeE6N:O2j3BzCVVFKa+7I5fC+S7N

Score

10^/10

evasion trojan upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3392 created 3052	3392	Maui.exe.pif	35

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	jsc.exe

Executes dropped EXE 3 IoCs

pid	Process
4256	Engine.exe
3392	Maui.exe.pif
2164	owokVWCwmi.exe.com

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000d00000001abff-157.dat	upx
behavioral2/memory/4256-167-0x0000000000400000-0x0000000000558000-memory.dmp	upx
behavioral2/files/0x000d00000001abff-165.dat	upx
behavioral2/memory/4256-323-0x0000000000400000-0x0000000000558000-memory.dmp	upx
behavioral2/memory/4256-551-0x0000000000400000-0x0000000000558000-memory.dmp	upx

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\owokVWCwmi.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\owokVWCwmi.url	cmd.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	bcastdvr.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	eth0.me

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3392 set thread context of 4988	3392	Maui.exe.pif	84

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	GamePanel.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	GamePanel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	GamePanel.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	GamePanel.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3428	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2676	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4676	powershell.exe
4676	powershell.exe
4676	powershell.exe
4676	powershell.exe
876	powershell.exe
876	powershell.exe
876	powershell.exe
876	powershell.exe
3392	Maui.exe.pif
3392	Maui.exe.pif
3392	Maui.exe.pif
3392	Maui.exe.pif
3392	Maui.exe.pif
3392	Maui.exe.pif
3392	Maui.exe.pif
3392	Maui.exe.pif
3392	Maui.exe.pif
3392	Maui.exe.pif
3392	Maui.exe.pif
3392	Maui.exe.pif
3392	Maui.exe.pif
3392	Maui.exe.pif
3392	Maui.exe.pif
3392	Maui.exe.pif
3392	Maui.exe.pif
3392	Maui.exe.pif
3392	Maui.exe.pif
3392	Maui.exe.pif
3392	Maui.exe.pif
3392	Maui.exe.pif
3392	Maui.exe.pif
3392	Maui.exe.pif
3392	Maui.exe.pif
3392	Maui.exe.pif
4988	jsc.exe
4988	jsc.exe
4988	jsc.exe
4988	jsc.exe
3392	Maui.exe.pif
3392	Maui.exe.pif
2164	owokVWCwmi.exe.com
2164	owokVWCwmi.exe.com
2164	owokVWCwmi.exe.com
2164	owokVWCwmi.exe.com
2164	owokVWCwmi.exe.com
2164	owokVWCwmi.exe.com
2164	owokVWCwmi.exe.com
2164	owokVWCwmi.exe.com
2164	owokVWCwmi.exe.com
2164	owokVWCwmi.exe.com
2164	owokVWCwmi.exe.com
2164	owokVWCwmi.exe.com
2164	owokVWCwmi.exe.com
2164	owokVWCwmi.exe.com
2164	owokVWCwmi.exe.com
2164	owokVWCwmi.exe.com
2164	owokVWCwmi.exe.com
2164	owokVWCwmi.exe.com
2164	owokVWCwmi.exe.com
2164	owokVWCwmi.exe.com
2164	owokVWCwmi.exe.com
2164	owokVWCwmi.exe.com
3392	Maui.exe.pif
3392	Maui.exe.pif

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4676	powershell.exe
Token: SeDebugPrivilege	876	powershell.exe
Token: SeDebugPrivilege	4988	jsc.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
3392	Maui.exe.pif
3392	Maui.exe.pif
3392	Maui.exe.pif
2164	owokVWCwmi.exe.com
2164	owokVWCwmi.exe.com
2164	owokVWCwmi.exe.com

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
3392	Maui.exe.pif
3392	Maui.exe.pif
3392	Maui.exe.pif
2164	owokVWCwmi.exe.com
2164	owokVWCwmi.exe.com
2164	owokVWCwmi.exe.com

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 4544 wrote to memory of 4256	4544	c870025f693df5311e58f7213b426f7ec204e21255a4737723bf5efe24ff72de.exe	66
PID 4544 wrote to memory of 4256	4544	c870025f693df5311e58f7213b426f7ec204e21255a4737723bf5efe24ff72de.exe	66
PID 4544 wrote to memory of 4256	4544	c870025f693df5311e58f7213b426f7ec204e21255a4737723bf5efe24ff72de.exe	66
PID 4256 wrote to memory of 3044	4256	Engine.exe	67
PID 4256 wrote to memory of 3044	4256	Engine.exe	67
PID 4256 wrote to memory of 3044	4256	Engine.exe	67
PID 3044 wrote to memory of 4156	3044	cmd.exe	71
PID 3044 wrote to memory of 4156	3044	cmd.exe	71
PID 3044 wrote to memory of 4156	3044	cmd.exe	71
PID 4156 wrote to memory of 4676	4156	cmd.exe	74
PID 4156 wrote to memory of 4676	4156	cmd.exe	74
PID 4156 wrote to memory of 4676	4156	cmd.exe	74
PID 4156 wrote to memory of 876	4156	cmd.exe	75
PID 4156 wrote to memory of 876	4156	cmd.exe	75
PID 4156 wrote to memory of 876	4156	cmd.exe	75
PID 4156 wrote to memory of 2396	4156	cmd.exe	76
PID 4156 wrote to memory of 2396	4156	cmd.exe	76
PID 4156 wrote to memory of 2396	4156	cmd.exe	76
PID 4156 wrote to memory of 3392	4156	cmd.exe	77
PID 4156 wrote to memory of 3392	4156	cmd.exe	77
PID 4156 wrote to memory of 3392	4156	cmd.exe	77
PID 4156 wrote to memory of 2676	4156	cmd.exe	78
PID 4156 wrote to memory of 2676	4156	cmd.exe	78
PID 4156 wrote to memory of 2676	4156	cmd.exe	78
PID 3392 wrote to memory of 4324	3392	Maui.exe.pif	79
PID 3392 wrote to memory of 4324	3392	Maui.exe.pif	79
PID 3392 wrote to memory of 4324	3392	Maui.exe.pif	79
PID 3392 wrote to memory of 3428	3392	Maui.exe.pif	81
PID 3392 wrote to memory of 3428	3392	Maui.exe.pif	81
PID 3392 wrote to memory of 3428	3392	Maui.exe.pif	81
PID 3392 wrote to memory of 4988	3392	Maui.exe.pif	84
PID 3392 wrote to memory of 4988	3392	Maui.exe.pif	84
PID 3392 wrote to memory of 4988	3392	Maui.exe.pif	84
PID 3392 wrote to memory of 4988	3392	Maui.exe.pif	84
PID 3392 wrote to memory of 4988	3392	Maui.exe.pif	84

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3052
- C:\Users\Admin\AppData\Local\Temp\c870025f693df5311e58f7213b426f7ec204e21255a4737723bf5efe24ff72de.exe
  "C:\Users\Admin\AppData\Local\Temp\c870025f693df5311e58f7213b426f7ec204e21255a4737723bf5efe24ff72de.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4544
- - C:\Users\Admin\AppData\Local\Temp\SETUP_36460\Engine.exe
    C:\Users\Admin\AppData\Local\Temp\SETUP_36460\Engine.exe /TH_ID=_4548 /OriginExe="C:\Users\Admin\AppData\Local\Temp\c870025f693df5311e58f7213b426f7ec204e21255a4737723bf5efe24ff72de.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4256
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c cmd < Translated.cda
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3044
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4156
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell get-process avastui
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4676
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell get-process avgui
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:876
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^dMaM$" Thousands.cda
        6⤵
        
        PID:2396
      - C:\Users\Admin\AppData\Local\Temp\npgtkcrh.jvv\Maui.exe.pif
        
        Maui.exe.pif c
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3392
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /create /tn "Similar" /tr "C:\Users\Admin\AppData\Local\jucxIOkyRf\owokVWCwmi.exe.com C:\Users\Admin\AppData\Local\jucxIOkyRf\T" /sc minute /mo 3 /F
        7⤵
        Creates scheduled task(s)
        
        PID:3428
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        7⤵
        UAC bypass
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4988
      - C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 8
        6⤵
        Runs ping.exe
        
        PID:2676
- C:\Windows\System32\GamePanel.exe
  "C:\Windows\System32\GamePanel.exe" 00000000000701C6 /startuptips
  2⤵
  - Checks SCSI registry key(s)
  PID:4216
- C:\Windows\SysWOW64\cmd.exe
  cmd /c echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\owokVWCwmi.url" & echo URL="C:\Users\Admin\AppData\Local\jucxIOkyRf\TXLYzJN.vbs" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\owokVWCwmi.url"
  2⤵
  - Drops startup file
  PID:4324

C:\Windows\System32\bcastdvr.exe
"C:\Windows\System32\bcastdvr.exe" -ServerName:Windows.Media.Capture.Internal.BroadcastDVRServer
1⤵
- Drops desktop.ini file(s)
PID:4208

C:\Users\Admin\AppData\Local\jucxIOkyRf\owokVWCwmi.exe.com
C:\Users\Admin\AppData\Local\jucxIOkyRf\owokVWCwmi.exe.com C:\Users\Admin\AppData\Local\jucxIOkyRf\T
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2164

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6bf0e5945fb9da68e1b03bdaed5f6f8d

SHA1
eed3802c8e4abe3b327c100c99c53d3bbcf8a33d

SHA256
dda58fd16fee83a65c05936b1a070187f2c360024650ecaf857c5e060a6a55f1

SHA512
977a393fdad2b162aa42194ddad6ec8bcab24f81980ff01b1c22c4d59ac268bb5ce947105c968de1a8a66b35023280a1e7709dfea5053385f87141389ebecb25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
9b07c6ce605ad56261a603b52d5f2a21

SHA1
5139e8c20ecf79ea171ae847d77c6348efcb11ab

SHA256
59bd1c4d8c124179c203e61898a30ccc45226a0a7384e604feab1a8f5f670024

SHA512
0e24753dc8e8d1be24cc77a588390fe791b0585d6eb205f9c4238de527f8bf2836f19095c4ccc17f8d3b1b4e66d45008e201d99a7af0b37f8826a92f8417c914

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_36460\00000#Pools.cda

Filesize
1.5MB

MD5
5dd1213377ce2f40b914c5ea22166b55

SHA1
988e9e72aeecf060b3ed72f61763bd130784bca9

SHA256
d7909fd46fabe766cb531a7cb0e23243c40c8f60918c7dd68612734606ce5ec7

SHA512
35735187cfe55f73920ea62cebdb39fdb0f492b6290cd46cfb236199d7853d64fbc2af0cc263b2fdd8e92e5b55cac60cc3f9a3634ead024b50491fa29f77fca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_36460\00001#Thousands.cda

Filesize
872KB

MD5
36f5c4696f54a98e1bf256df033e34cf

SHA1
52bc9d595effbf4e4b10b3381f44e0306a42d0f4

SHA256
656af4bee6b89094a6828394bf7ea26058abf5186ab606b15440ac1b33fdadcd

SHA512
7763dfba62149936fa494e7d95117e7ae1ff6010dfe5ff999baddc090f3c5f731043513bcd1d0529f4d8daaa6d29dfd9c5bbd268ca6736ca146df68ad8321a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_36460\00002#Translated.cda

Filesize
11KB

MD5
fadbcd2fb4be032ff6145b94eeed068e

SHA1
5cec98c304099488f9f31f61856700a0b8733a34

SHA256
c288b141d2988401ef472325b601d4ee2b4a16b71e6637a7f252556fabe59412

SHA512
4e14c3f89bcb0efab9ef26defdca7ce3d47c9a608b854cc23d47fb600def1e1e859f155203a4ccd3fb691f821d675c89cc003bca665c93c628c2e6010b500a2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_36460\Engine.exe

Filesize
392KB

MD5
e57156daad46c61a0395df1fdbadc766

SHA1
11c4359be8649ed873fa1904c89b51ef6a631081

SHA256
dca85f4607b1535bd9daad75f57646b53d2b7e2a381a2306ab62cce0e61b1a35

SHA512
94e5cd2233733f5ecd08fec3cfa82ccd71302697f8c37f8fb04d8dabf75cd2d7a58ce24080b1464a73e0d587a3d611056464ff54ff0bc9cc3d190156cbd8ecf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_36460\Engine.exe

Filesize
392KB

MD5
e57156daad46c61a0395df1fdbadc766

SHA1
11c4359be8649ed873fa1904c89b51ef6a631081

SHA256
dca85f4607b1535bd9daad75f57646b53d2b7e2a381a2306ab62cce0e61b1a35

SHA512
94e5cd2233733f5ecd08fec3cfa82ccd71302697f8c37f8fb04d8dabf75cd2d7a58ce24080b1464a73e0d587a3d611056464ff54ff0bc9cc3d190156cbd8ecf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_36460\Modern_Icon.bmp

Filesize
7KB

MD5
1dd88f67f029710d5c5858a6293a93f1

SHA1
3e5ef66613415fe9467b2a24ccc27d8f997e7df6

SHA256
b5dad33ceb6eb1ac2a05fbda76e29a73038403939218a88367925c3a20c05532

SHA512
7071fd64038e0058c8c586c63c62677c0ca403768100f90323cf9c0bc7b7fcb538391e6f3606bd7970b8769445606ada47adcdcfc1e991e25caf272a13e10c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_36460\Setup.txt

Filesize
2KB

MD5
e143502369ba42ea20e32419536742aa

SHA1
934b2801180d21671ea388d6c608d694617f3f6b

SHA256
b242bd6554cf480c29129c89b693a49cd37452a796211e8a6b747423c93bce8f

SHA512
407eb2cca10016cc15b6f8e37e2ce60aa34b3c314cf84c2389311c39a0c766571db3182e28efc71eb82d168b074072aa9d35bdba9dfea40a5ef3abf7d7838b0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\npgtkcrh.jvv\Maui.exe.pif

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\npgtkcrh.jvv\Maui.exe.pif

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\jucxIOkyRf\T

Filesize
1.5MB

MD5
5dd1213377ce2f40b914c5ea22166b55

SHA1
988e9e72aeecf060b3ed72f61763bd130784bca9

SHA256
d7909fd46fabe766cb531a7cb0e23243c40c8f60918c7dd68612734606ce5ec7

SHA512
35735187cfe55f73920ea62cebdb39fdb0f492b6290cd46cfb236199d7853d64fbc2af0cc263b2fdd8e92e5b55cac60cc3f9a3634ead024b50491fa29f77fca8

Download Submit
C:\Users\Admin\AppData\Local\jucxIOkyRf\owokVWCwmi.exe.com

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini

Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
memory/4256-183-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4256-159-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4256-186-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4256-184-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4256-185-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4256-323-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/4256-182-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4256-181-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4256-175-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4256-180-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4256-179-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4256-178-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4256-177-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4256-174-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4256-158-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4256-551-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/4256-187-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4256-160-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4256-161-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4256-162-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4256-163-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4256-164-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4256-166-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4256-168-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4256-167-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/4256-176-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4256-169-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4256-170-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4256-171-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4256-172-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4256-173-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-147-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-130-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-154-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-153-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-152-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-151-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-150-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-149-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-148-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-120-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-146-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-145-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-144-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-143-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-142-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-141-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-140-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-139-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-138-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-137-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-136-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-135-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-121-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-122-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-123-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-124-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-126-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-125-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-127-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-129-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-128-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-155-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-134-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-131-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-133-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4544-132-0x0000000077340000-0x00000000774CE000-memory.dmp

Filesize
1.6MB

Download
memory/4676-310-0x00000000076F0000-0x0000000007712000-memory.dmp

Filesize
136KB

Download
memory/4676-339-0x0000000009600000-0x0000000009622000-memory.dmp

Filesize
136KB

Download
memory/4676-338-0x0000000009580000-0x000000000959A000-memory.dmp

Filesize
104KB

Download
memory/4676-337-0x00000000098A0000-0x0000000009934000-memory.dmp

Filesize
592KB

Download
memory/4676-322-0x00000000087D0000-0x0000000008846000-memory.dmp

Filesize
472KB

Download
memory/4676-318-0x0000000008660000-0x00000000086AB000-memory.dmp

Filesize
300KB

Download
memory/4676-317-0x0000000007EB0000-0x0000000007ECC000-memory.dmp

Filesize
112KB

Download
memory/4676-314-0x0000000008120000-0x0000000008470000-memory.dmp

Filesize
3.3MB

Download
memory/4676-312-0x0000000007E10000-0x0000000007E76000-memory.dmp

Filesize
408KB

Download
memory/4676-313-0x0000000008060000-0x00000000080C6000-memory.dmp

Filesize
408KB

Download
memory/4676-292-0x0000000007770000-0x0000000007D98000-memory.dmp

Filesize
6.2MB

Download
memory/4676-340-0x0000000009E40000-0x000000000A33E000-memory.dmp

Filesize
5.0MB

Download
memory/4676-287-0x0000000004CA0000-0x0000000004CD6000-memory.dmp

Filesize
216KB

Download
memory/4988-607-0x0000000005630000-0x00000000056C2000-memory.dmp

Filesize
584KB

Download
memory/4988-618-0x0000000006780000-0x0000000006942000-memory.dmp

Filesize
1.8MB

Download
memory/4988-619-0x0000000006E80000-0x00000000073AC000-memory.dmp

Filesize
5.2MB

Download
memory/4988-622-0x0000000006710000-0x000000000672E000-memory.dmp

Filesize
120KB

Download
memory/4988-590-0x0000000000F00000-0x0000000000FA6000-memory.dmp

Filesize
664KB

Download