Overview

overview

8

Static

static

859f2c2f33...2a.exe

windows7-x64

8

859f2c2f33...2a.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    181s
  • max time network
    187s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/12/2022, 15:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    859f2c2f335b7de5c079f06bebc040557d7b4564aa89c5c2c9c0d6a72dd2d32a.exe

  • Size

    534KB

  • MD5

    cff7ae721a6fbe25f8dded7921beeae7

  • SHA1

    fd2408113833f1ae10caba36cf48a276d22da489

  • SHA256

    859f2c2f335b7de5c079f06bebc040557d7b4564aa89c5c2c9c0d6a72dd2d32a

  • SHA512

    2479aaa204105b002cfde67f320b7cc0c3a392067845c4f44f482a34603820d4aeb8dfc7742751013bc22b231edfbb83b3c9784c60c7274d20c6d0422e7c6170

  • SSDEEP

    12288:xo3AEtmcPPhtWHoTpS6glPTWZyeYOUgavBR+QSXdFT5HhQ:xQTscPptWHapSHlPyZyeYOUgavrStFdm

Score
8/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 13 IoCs
  • Modifies Installed Components in the registry 2 TTPs 24 IoCs
    persistence
  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 24 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 16 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 21 IoCs
  • Suspicious use of SetThreadContext 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\859f2c2f335b7de5c079f06bebc040557d7b4564aa89c5c2c9c0d6a72dd2d32a.exe
    "C:\Users\Admin\AppData\Local\Temp\859f2c2f335b7de5c079f06bebc040557d7b4564aa89c5c2c9c0d6a72dd2d32a.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Checks computer location settings
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4928
    • C:\Users\Admin\AppData\Local\Temp\859f2c2f335b7de5c079f06bebc040557d7b4564aa89c5c2c9c0d6a72dd2d32a.exe
      C:\Users\Admin\AppData\Local\Temp\859f2c2f335b7de5c079f06bebc040557d7b4564aa89c5c2c9c0d6a72dd2d32a.exe
      2⤵
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1408
      • \??\c:\windows\SysWOW64\win32i.exe
        "c:\windows\system32\win32i.exe"
        3⤵
        • Executes dropped EXE
        • Modifies Installed Components in the registry
        • Checks computer location settings
        • Adds Run key to start application
        • Maps connected drives based on registry
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:5016
        • \??\c:\windows\SysWOW64\win32i.exe
          c:\windows\SysWOW64\win32i.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:5032
          • \??\c:\windows\SysWOW64\win32i.exe
            "c:\windows\system32\win32i.exe"
            5⤵
            • Executes dropped EXE
            • Modifies Installed Components in the registry
            • Checks computer location settings
            • Adds Run key to start application
            • Maps connected drives based on registry
            • Drops file in System32 directory
            • Suspicious use of SetThreadContext
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1436
            • \??\c:\windows\SysWOW64\win32i.exe
              c:\windows\SysWOW64\win32i.exe
              6⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1380
              • \??\c:\windows\SysWOW64\win32i.exe
                "c:\windows\system32\win32i.exe"
                7⤵
                • Executes dropped EXE
                • Modifies Installed Components in the registry
                • Checks computer location settings
                • Adds Run key to start application
                • Maps connected drives based on registry
                • Drops file in System32 directory
                • Suspicious use of SetThreadContext
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:220
                • \??\c:\windows\SysWOW64\win32i.exe
                  c:\windows\SysWOW64\win32i.exe
                  8⤵
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1732
                  • \??\c:\windows\SysWOW64\win32i.exe
                    "c:\windows\system32\win32i.exe"
                    9⤵
                    • Executes dropped EXE
                    • Modifies Installed Components in the registry
                    • Checks computer location settings
                    • Adds Run key to start application
                    • Maps connected drives based on registry
                    • Drops file in System32 directory
                    • Suspicious use of SetThreadContext
                    • Suspicious use of SetWindowsHookEx
                    PID:5040
                    • \??\c:\windows\SysWOW64\win32i.exe
                      c:\windows\SysWOW64\win32i.exe
                      10⤵
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:4748
                      • \??\c:\windows\SysWOW64\win32i.exe
                        "c:\windows\system32\win32i.exe"
                        11⤵
                        • Executes dropped EXE
                        • Modifies Installed Components in the registry
                        • Checks computer location settings
                        • Adds Run key to start application
                        • Maps connected drives based on registry
                        • Drops file in System32 directory
                        • Suspicious use of SetThreadContext
                        • Suspicious use of SetWindowsHookEx
                        PID:5112
                        • \??\c:\windows\SysWOW64\win32i.exe
                          c:\windows\SysWOW64\win32i.exe
                          12⤵
                          • Executes dropped EXE
                          • Drops file in System32 directory
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2992
                          • \??\c:\windows\SysWOW64\win32i.exe
                            "c:\windows\system32\win32i.exe"
                            13⤵
                            • Executes dropped EXE
                            • Maps connected drives based on registry
                            • Suspicious use of SetThreadContext
                            • Suspicious use of SetWindowsHookEx
                            PID:5064
                            • \??\c:\windows\SysWOW64\win32i.exe
                              c:\windows\SysWOW64\win32i.exe
                              14⤵
                              • Executes dropped EXE
                              • Drops file in System32 directory
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:388
                              • \??\c:\windows\SysWOW64\win32i.exe
                                "c:\windows\system32\win32i.exe"
                                15⤵
                                • Executes dropped EXE
                                • Maps connected drives based on registry
                                • Suspicious use of SetWindowsHookEx
                                PID:3680
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bat.bat" "
                          12⤵
                          • Drops file in System32 directory
                          PID:3220
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bat.bat" "
                      10⤵
                      • Drops file in System32 directory
                      PID:5088
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bat.bat" "
                  8⤵
                  • Drops file in System32 directory
                  PID:3624
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bat.bat" "
              6⤵
              • Drops file in System32 directory
              PID:4548
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bat.bat" "
          4⤵
          • Drops file in System32 directory
          PID:444
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bat.bat" "
      2⤵
      • Drops file in System32 directory
      PID:1928

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\bat.bat
    Filesize

    118B

    MD5

    2382012071e5f9127e0143a5638dae61

    SHA1

    fc22bd0d62113480195fa5fa8accfd743b1d41f9

    SHA256

    35258e85575117bd5e979cf876e20ad91be962ab6a46ae46779d9d9ec33fbf9c

    SHA512

    1d296fbde47f92d58047126f42c629a0e87cb72a2bf31e5377bf654ec50acc4705a61b36a8bb6504159bd77f4d20818c0013f7498376d66ad791d649300b5843

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\bat.bat
    Filesize

    118B

    MD5

    2382012071e5f9127e0143a5638dae61

    SHA1

    fc22bd0d62113480195fa5fa8accfd743b1d41f9

    SHA256

    35258e85575117bd5e979cf876e20ad91be962ab6a46ae46779d9d9ec33fbf9c

    SHA512

    1d296fbde47f92d58047126f42c629a0e87cb72a2bf31e5377bf654ec50acc4705a61b36a8bb6504159bd77f4d20818c0013f7498376d66ad791d649300b5843

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\bat.bat
    Filesize

    118B

    MD5

    2382012071e5f9127e0143a5638dae61

    SHA1

    fc22bd0d62113480195fa5fa8accfd743b1d41f9

    SHA256

    35258e85575117bd5e979cf876e20ad91be962ab6a46ae46779d9d9ec33fbf9c

    SHA512

    1d296fbde47f92d58047126f42c629a0e87cb72a2bf31e5377bf654ec50acc4705a61b36a8bb6504159bd77f4d20818c0013f7498376d66ad791d649300b5843

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\bat.bat
    Filesize

    118B

    MD5

    2382012071e5f9127e0143a5638dae61

    SHA1

    fc22bd0d62113480195fa5fa8accfd743b1d41f9

    SHA256

    35258e85575117bd5e979cf876e20ad91be962ab6a46ae46779d9d9ec33fbf9c

    SHA512

    1d296fbde47f92d58047126f42c629a0e87cb72a2bf31e5377bf654ec50acc4705a61b36a8bb6504159bd77f4d20818c0013f7498376d66ad791d649300b5843

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\bat.bat
    Filesize

    190B

    MD5

    85925b71aec43c4319c4903c0187c9ad

    SHA1

    83cc006d0c6725d7ccd8b0856264c21ab2c7e82d

    SHA256

    7f2faffcbfc4a114d420a80259d498eb13c8373057d37c2112e7e594822d80d0

    SHA512

    aad483cf0b4644d5ca4a9c7472d69fa0274af7e33590de98cf5bd91ea180fd89ffe208909e4539460a19d77029777e61e8cbeff2d3614cc7c7dff18ee3d5add8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\bat.bat
    Filesize

    118B

    MD5

    2382012071e5f9127e0143a5638dae61

    SHA1

    fc22bd0d62113480195fa5fa8accfd743b1d41f9

    SHA256

    35258e85575117bd5e979cf876e20ad91be962ab6a46ae46779d9d9ec33fbf9c

    SHA512

    1d296fbde47f92d58047126f42c629a0e87cb72a2bf31e5377bf654ec50acc4705a61b36a8bb6504159bd77f4d20818c0013f7498376d66ad791d649300b5843

    Download Submit

  • C:\Windows\SysWOW64\Vhpjr.exe
    Filesize

    534KB

    MD5

    cff7ae721a6fbe25f8dded7921beeae7

    SHA1

    fd2408113833f1ae10caba36cf48a276d22da489

    SHA256

    859f2c2f335b7de5c079f06bebc040557d7b4564aa89c5c2c9c0d6a72dd2d32a

    SHA512

    2479aaa204105b002cfde67f320b7cc0c3a392067845c4f44f482a34603820d4aeb8dfc7742751013bc22b231edfbb83b3c9784c60c7274d20c6d0422e7c6170

    Download Submit

  • C:\Windows\SysWOW64\win32i.exe
    Filesize

    534KB

    MD5

    cff7ae721a6fbe25f8dded7921beeae7

    SHA1

    fd2408113833f1ae10caba36cf48a276d22da489

    SHA256

    859f2c2f335b7de5c079f06bebc040557d7b4564aa89c5c2c9c0d6a72dd2d32a

    SHA512

    2479aaa204105b002cfde67f320b7cc0c3a392067845c4f44f482a34603820d4aeb8dfc7742751013bc22b231edfbb83b3c9784c60c7274d20c6d0422e7c6170

    Download Submit

  • C:\Windows\SysWOW64\win32i.exe
    Filesize

    534KB

    MD5

    cff7ae721a6fbe25f8dded7921beeae7

    SHA1

    fd2408113833f1ae10caba36cf48a276d22da489

    SHA256

    859f2c2f335b7de5c079f06bebc040557d7b4564aa89c5c2c9c0d6a72dd2d32a

    SHA512

    2479aaa204105b002cfde67f320b7cc0c3a392067845c4f44f482a34603820d4aeb8dfc7742751013bc22b231edfbb83b3c9784c60c7274d20c6d0422e7c6170

    Download Submit

  • C:\Windows\SysWOW64\win32i.exe
    Filesize

    534KB

    MD5

    cff7ae721a6fbe25f8dded7921beeae7

    SHA1

    fd2408113833f1ae10caba36cf48a276d22da489

    SHA256

    859f2c2f335b7de5c079f06bebc040557d7b4564aa89c5c2c9c0d6a72dd2d32a

    SHA512

    2479aaa204105b002cfde67f320b7cc0c3a392067845c4f44f482a34603820d4aeb8dfc7742751013bc22b231edfbb83b3c9784c60c7274d20c6d0422e7c6170

    Download Submit

  • C:\Windows\SysWOW64\win32i.exe
    Filesize

    534KB

    MD5

    cff7ae721a6fbe25f8dded7921beeae7

    SHA1

    fd2408113833f1ae10caba36cf48a276d22da489

    SHA256

    859f2c2f335b7de5c079f06bebc040557d7b4564aa89c5c2c9c0d6a72dd2d32a

    SHA512

    2479aaa204105b002cfde67f320b7cc0c3a392067845c4f44f482a34603820d4aeb8dfc7742751013bc22b231edfbb83b3c9784c60c7274d20c6d0422e7c6170

    Download Submit

  • C:\Windows\SysWOW64\win32i.exe
    Filesize

    534KB

    MD5

    cff7ae721a6fbe25f8dded7921beeae7

    SHA1

    fd2408113833f1ae10caba36cf48a276d22da489

    SHA256

    859f2c2f335b7de5c079f06bebc040557d7b4564aa89c5c2c9c0d6a72dd2d32a

    SHA512

    2479aaa204105b002cfde67f320b7cc0c3a392067845c4f44f482a34603820d4aeb8dfc7742751013bc22b231edfbb83b3c9784c60c7274d20c6d0422e7c6170

    Download Submit

  • C:\Windows\SysWOW64\win32i.exe
    Filesize

    534KB

    MD5

    cff7ae721a6fbe25f8dded7921beeae7

    SHA1

    fd2408113833f1ae10caba36cf48a276d22da489

    SHA256

    859f2c2f335b7de5c079f06bebc040557d7b4564aa89c5c2c9c0d6a72dd2d32a

    SHA512

    2479aaa204105b002cfde67f320b7cc0c3a392067845c4f44f482a34603820d4aeb8dfc7742751013bc22b231edfbb83b3c9784c60c7274d20c6d0422e7c6170

    Download Submit

  • C:\Windows\SysWOW64\win32i.exe
    Filesize

    534KB

    MD5

    cff7ae721a6fbe25f8dded7921beeae7

    SHA1

    fd2408113833f1ae10caba36cf48a276d22da489

    SHA256

    859f2c2f335b7de5c079f06bebc040557d7b4564aa89c5c2c9c0d6a72dd2d32a

    SHA512

    2479aaa204105b002cfde67f320b7cc0c3a392067845c4f44f482a34603820d4aeb8dfc7742751013bc22b231edfbb83b3c9784c60c7274d20c6d0422e7c6170

    Download Submit

  • C:\Windows\SysWOW64\win32i.exe
    Filesize

    534KB

    MD5

    cff7ae721a6fbe25f8dded7921beeae7

    SHA1

    fd2408113833f1ae10caba36cf48a276d22da489

    SHA256

    859f2c2f335b7de5c079f06bebc040557d7b4564aa89c5c2c9c0d6a72dd2d32a

    SHA512

    2479aaa204105b002cfde67f320b7cc0c3a392067845c4f44f482a34603820d4aeb8dfc7742751013bc22b231edfbb83b3c9784c60c7274d20c6d0422e7c6170

    Download Submit

  • C:\Windows\SysWOW64\win32i.exe
    Filesize

    534KB

    MD5

    cff7ae721a6fbe25f8dded7921beeae7

    SHA1

    fd2408113833f1ae10caba36cf48a276d22da489

    SHA256

    859f2c2f335b7de5c079f06bebc040557d7b4564aa89c5c2c9c0d6a72dd2d32a

    SHA512

    2479aaa204105b002cfde67f320b7cc0c3a392067845c4f44f482a34603820d4aeb8dfc7742751013bc22b231edfbb83b3c9784c60c7274d20c6d0422e7c6170

    Download Submit

  • C:\Windows\SysWOW64\win32i.exe
    Filesize

    534KB

    MD5

    cff7ae721a6fbe25f8dded7921beeae7

    SHA1

    fd2408113833f1ae10caba36cf48a276d22da489

    SHA256

    859f2c2f335b7de5c079f06bebc040557d7b4564aa89c5c2c9c0d6a72dd2d32a

    SHA512

    2479aaa204105b002cfde67f320b7cc0c3a392067845c4f44f482a34603820d4aeb8dfc7742751013bc22b231edfbb83b3c9784c60c7274d20c6d0422e7c6170

    Download Submit

  • C:\Windows\SysWOW64\win32i.exe
    Filesize

    534KB

    MD5

    cff7ae721a6fbe25f8dded7921beeae7

    SHA1

    fd2408113833f1ae10caba36cf48a276d22da489

    SHA256

    859f2c2f335b7de5c079f06bebc040557d7b4564aa89c5c2c9c0d6a72dd2d32a

    SHA512

    2479aaa204105b002cfde67f320b7cc0c3a392067845c4f44f482a34603820d4aeb8dfc7742751013bc22b231edfbb83b3c9784c60c7274d20c6d0422e7c6170

    Download Submit

  • C:\Windows\SysWOW64\win32i.exe
    Filesize

    534KB

    MD5

    cff7ae721a6fbe25f8dded7921beeae7

    SHA1

    fd2408113833f1ae10caba36cf48a276d22da489

    SHA256

    859f2c2f335b7de5c079f06bebc040557d7b4564aa89c5c2c9c0d6a72dd2d32a

    SHA512

    2479aaa204105b002cfde67f320b7cc0c3a392067845c4f44f482a34603820d4aeb8dfc7742751013bc22b231edfbb83b3c9784c60c7274d20c6d0422e7c6170

    Download Submit

  • C:\Windows\SysWOW64\win32i.exe
    Filesize

    534KB

    MD5

    cff7ae721a6fbe25f8dded7921beeae7

    SHA1

    fd2408113833f1ae10caba36cf48a276d22da489

    SHA256

    859f2c2f335b7de5c079f06bebc040557d7b4564aa89c5c2c9c0d6a72dd2d32a

    SHA512

    2479aaa204105b002cfde67f320b7cc0c3a392067845c4f44f482a34603820d4aeb8dfc7742751013bc22b231edfbb83b3c9784c60c7274d20c6d0422e7c6170

    Download Submit

  • \??\c:\windows\SysWOW64\win32i.exe
    Filesize

    534KB

    MD5

    cff7ae721a6fbe25f8dded7921beeae7

    SHA1

    fd2408113833f1ae10caba36cf48a276d22da489

    SHA256

    859f2c2f335b7de5c079f06bebc040557d7b4564aa89c5c2c9c0d6a72dd2d32a

    SHA512

    2479aaa204105b002cfde67f320b7cc0c3a392067845c4f44f482a34603820d4aeb8dfc7742751013bc22b231edfbb83b3c9784c60c7274d20c6d0422e7c6170

    Download Submit

  • memory/220-201-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

    Download

  • memory/220-190-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

    Download

  • memory/220-191-0x0000000000710000-0x000000000072E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/220-186-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

    Download

  • memory/388-260-0x0000000000400000-0x00000000004BA000-memory.dmp

    Filesize

    744KB

    Download

  • memory/388-251-0x0000000000400000-0x00000000004BA000-memory.dmp

    Filesize

    744KB

    Download

  • memory/1380-182-0x0000000000400000-0x00000000004BA000-memory.dmp

    Filesize

    744KB

    Download

  • memory/1380-197-0x0000000000400000-0x00000000004BA000-memory.dmp

    Filesize

    744KB

    Download

  • memory/1408-142-0x0000000000400000-0x00000000004BA000-memory.dmp

    Filesize

    744KB

    Download

  • memory/1408-141-0x0000000000400000-0x00000000004BA000-memory.dmp

    Filesize

    744KB

    Download

  • memory/1408-139-0x0000000000400000-0x00000000004BA000-memory.dmp

    Filesize

    744KB

    Download

  • memory/1408-161-0x0000000000400000-0x00000000004BA000-memory.dmp

    Filesize

    744KB

    Download

  • memory/1436-183-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

    Download

  • memory/1436-173-0x0000000000670000-0x000000000068E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1436-172-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

    Download

  • memory/1436-168-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

    Download

  • memory/1732-215-0x0000000000400000-0x00000000004BA000-memory.dmp

    Filesize

    744KB

    Download

  • memory/1732-200-0x0000000000400000-0x00000000004BA000-memory.dmp

    Filesize

    744KB

    Download

  • memory/2992-252-0x0000000000400000-0x00000000004BA000-memory.dmp

    Filesize

    744KB

    Download

  • memory/2992-236-0x0000000000400000-0x00000000004BA000-memory.dmp

    Filesize

    744KB

    Download

  • memory/3680-261-0x0000000000770000-0x000000000078E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3680-259-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

    Download

  • memory/3680-255-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

    Download

  • memory/4748-218-0x0000000000400000-0x00000000004BA000-memory.dmp

    Filesize

    744KB

    Download

  • memory/4748-233-0x0000000000400000-0x00000000004BA000-memory.dmp

    Filesize

    744KB

    Download

  • memory/4928-146-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

    Download

  • memory/4928-133-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

    Download

  • memory/4928-137-0x00000000007A0000-0x00000000007BE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4928-132-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

    Download

  • memory/5016-154-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

    Download

  • memory/5016-165-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

    Download

  • memory/5016-155-0x0000000000660000-0x000000000067E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/5016-150-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

    Download

  • memory/5032-164-0x0000000000400000-0x00000000004BA000-memory.dmp

    Filesize

    744KB

    Download

  • memory/5032-179-0x0000000000400000-0x00000000004BA000-memory.dmp

    Filesize

    744KB

    Download

  • memory/5040-209-0x0000000000570000-0x000000000058E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/5040-204-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

    Download

  • memory/5040-208-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

    Download

  • memory/5040-219-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

    Download

  • memory/5064-245-0x0000000000750000-0x000000000076E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/5064-240-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

    Download

  • memory/5064-244-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

    Download

  • memory/5064-262-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

    Download

  • memory/5112-237-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

    Download

  • memory/5112-226-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

    Download

  • memory/5112-222-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

    Download

  • memory/5112-227-0x0000000000550000-0x000000000056E000-memory.dmp

    Filesize

    120KB

    Download