5d948241ae117d70cf0dbb18f35f04a2237b4d8a18b21ef4617a46f8b8ea8bae

Analysis

max time kernel
148s
max time network
130s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
18-12-2022 21:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d948241ae117d70cf0dbb18f35f04a2237b4d8a18b21ef4617a46f8b8ea8bae.exe
Size

7KB
MD5

c3325728896df27f81a2527bc04005e5
SHA1

019273f68e9a84059da7a5369a1480afc3f693c2
SHA256

5d948241ae117d70cf0dbb18f35f04a2237b4d8a18b21ef4617a46f8b8ea8bae
SHA512

ab8bcaa2fae88f0683753e778550ba09253b5d33f15fbc1b0ca87e018d25bbe61ccddde444700832f3a2d1e34dbfd608d1feb5ebe5b01d62cfcc60df756677dc
SSDEEP

96:6EwqOd9toIoheOUtNq4lfAK5r/MC1DGtqkVyc937bFnU:FwqihzFpnjMnBVyQS

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4336	Tbmxhzatzsjfwjzkq.exe
1616	5d948241ae117d70cf0dbb18f35f04a2237b4d8a18b21ef4617a46f8b8ea8bae.exe
3840	Dptokfuletcbpwzupgqov.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\voupgs = "\"C:\\Users\\Admin\\AppData\\Roaming\\Vopus\\voupgs.exe\""	Tbmxhzatzsjfwjzkq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Gathers network information 2 TTPs 4 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
3608	ipconfig.exe
1624	ipconfig.exe
4064	ipconfig.exe
4144	ipconfig.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4336	Tbmxhzatzsjfwjzkq.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2080	powershell.exe
2080	powershell.exe
2080	powershell.exe
3388	powershell.exe
3388	powershell.exe
3388	powershell.exe
604	powershell.exe
604	powershell.exe
604	powershell.exe
4336	Tbmxhzatzsjfwjzkq.exe
4812	powershell.exe
4812	powershell.exe
4812	powershell.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1652	5d948241ae117d70cf0dbb18f35f04a2237b4d8a18b21ef4617a46f8b8ea8bae.exe
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeDebugPrivilege	1652	5d948241ae117d70cf0dbb18f35f04a2237b4d8a18b21ef4617a46f8b8ea8bae.exe
Token: SeDebugPrivilege	4336	Tbmxhzatzsjfwjzkq.exe
Token: SeDebugPrivilege	3388	powershell.exe
Token: SeDebugPrivilege	1616	5d948241ae117d70cf0dbb18f35f04a2237b4d8a18b21ef4617a46f8b8ea8bae.exe
Token: SeDebugPrivilege	604	powershell.exe
Token: SeDebugPrivilege	3840	Dptokfuletcbpwzupgqov.exe
Token: SeDebugPrivilege	4812	powershell.exe
Token: SeDebugPrivilege	1616	5d948241ae117d70cf0dbb18f35f04a2237b4d8a18b21ef4617a46f8b8ea8bae.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 4132	1652	5d948241ae117d70cf0dbb18f35f04a2237b4d8a18b21ef4617a46f8b8ea8bae.exe	66
PID 1652 wrote to memory of 4132	1652	5d948241ae117d70cf0dbb18f35f04a2237b4d8a18b21ef4617a46f8b8ea8bae.exe	66
PID 4132 wrote to memory of 4144	4132	cmd.exe	68
PID 4132 wrote to memory of 4144	4132	cmd.exe	68
PID 1652 wrote to memory of 2080	1652	5d948241ae117d70cf0dbb18f35f04a2237b4d8a18b21ef4617a46f8b8ea8bae.exe	69
PID 1652 wrote to memory of 2080	1652	5d948241ae117d70cf0dbb18f35f04a2237b4d8a18b21ef4617a46f8b8ea8bae.exe	69
PID 1652 wrote to memory of 4336	1652	5d948241ae117d70cf0dbb18f35f04a2237b4d8a18b21ef4617a46f8b8ea8bae.exe	72
PID 1652 wrote to memory of 4336	1652	5d948241ae117d70cf0dbb18f35f04a2237b4d8a18b21ef4617a46f8b8ea8bae.exe	72
PID 1652 wrote to memory of 4336	1652	5d948241ae117d70cf0dbb18f35f04a2237b4d8a18b21ef4617a46f8b8ea8bae.exe	72
PID 1652 wrote to memory of 2780	1652	5d948241ae117d70cf0dbb18f35f04a2237b4d8a18b21ef4617a46f8b8ea8bae.exe	73
PID 1652 wrote to memory of 2780	1652	5d948241ae117d70cf0dbb18f35f04a2237b4d8a18b21ef4617a46f8b8ea8bae.exe	73
PID 2780 wrote to memory of 3608	2780	cmd.exe	75
PID 2780 wrote to memory of 3608	2780	cmd.exe	75
PID 4336 wrote to memory of 3388	4336	Tbmxhzatzsjfwjzkq.exe	76
PID 4336 wrote to memory of 3388	4336	Tbmxhzatzsjfwjzkq.exe	76
PID 4336 wrote to memory of 3388	4336	Tbmxhzatzsjfwjzkq.exe	76
PID 1616 wrote to memory of 1236	1616	5d948241ae117d70cf0dbb18f35f04a2237b4d8a18b21ef4617a46f8b8ea8bae.exe	79
PID 1616 wrote to memory of 1236	1616	5d948241ae117d70cf0dbb18f35f04a2237b4d8a18b21ef4617a46f8b8ea8bae.exe	79
PID 1236 wrote to memory of 1624	1236	cmd.exe	81
PID 1236 wrote to memory of 1624	1236	cmd.exe	81
PID 1616 wrote to memory of 604	1616	5d948241ae117d70cf0dbb18f35f04a2237b4d8a18b21ef4617a46f8b8ea8bae.exe	82
PID 1616 wrote to memory of 604	1616	5d948241ae117d70cf0dbb18f35f04a2237b4d8a18b21ef4617a46f8b8ea8bae.exe	82
PID 4336 wrote to memory of 3840	4336	Tbmxhzatzsjfwjzkq.exe	84
PID 4336 wrote to memory of 3840	4336	Tbmxhzatzsjfwjzkq.exe	84
PID 3840 wrote to memory of 4812	3840	Dptokfuletcbpwzupgqov.exe	85
PID 3840 wrote to memory of 4812	3840	Dptokfuletcbpwzupgqov.exe	85
PID 1616 wrote to memory of 4260	1616	5d948241ae117d70cf0dbb18f35f04a2237b4d8a18b21ef4617a46f8b8ea8bae.exe	87
PID 1616 wrote to memory of 4260	1616	5d948241ae117d70cf0dbb18f35f04a2237b4d8a18b21ef4617a46f8b8ea8bae.exe	87
PID 4260 wrote to memory of 4064	4260	cmd.exe	89
PID 4260 wrote to memory of 4064	4260	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\5d948241ae117d70cf0dbb18f35f04a2237b4d8a18b21ef4617a46f8b8ea8bae.exe
"C:\Users\Admin\AppData\Local\Temp\5d948241ae117d70cf0dbb18f35f04a2237b4d8a18b21ef4617a46f8b8ea8bae.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ipconfig/release
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4132
- - C:\Windows\system32\ipconfig.exe
    ipconfig /release
    3⤵
    - Gathers network information
    PID:4144
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAANQA1AA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2080
- C:\Users\Admin\AppData\Local\Temp\Tbmxhzatzsjfwjzkq.exe
  "C:\Users\Admin\AppData\Local\Temp\Tbmxhzatzsjfwjzkq.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4336
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAANQA1AA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3388
- - C:\Users\Admin\AppData\Local\Temp\Dptokfuletcbpwzupgqov.exe
    "C:\Users\Admin\AppData\Local\Temp\Dptokfuletcbpwzupgqov.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3840
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAANQA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4812
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ipconfig/renew
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\system32\ipconfig.exe
    ipconfig /renew
    3⤵
    - Gathers network information
    PID:3608

C:\Users\Admin\AppData\Roaming\5d948241ae117d70cf0dbb18f35f04a2237b4d8a18b21ef4617a46f8b8ea8bae.exe
C:\Users\Admin\AppData\Roaming\5d948241ae117d70cf0dbb18f35f04a2237b4d8a18b21ef4617a46f8b8ea8bae.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ipconfig/release
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1236
- - C:\Windows\system32\ipconfig.exe
    ipconfig /release
    3⤵
    - Gathers network information
    PID:1624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAANQA1AA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:604
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ipconfig/renew
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4260
- - C:\Windows\system32\ipconfig.exe
    ipconfig /renew
    3⤵
    - Gathers network information
    PID:4064

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\5d948241ae117d70cf0dbb18f35f04a2237b4d8a18b21ef4617a46f8b8ea8bae.exe.log

Filesize
1KB

MD5
ae29b7a843805f722aece191ec9a1c26

SHA1
1be44463fa3fa8d0992fafb8061b617a5eb4eb64

SHA256
df1da27f39fde354f2ab49764b6b3bed10fe9e823bcca5efe360548db3e82de1

SHA512
357281829a54bc24d38337b54ebc5b7bcaca63152a1d84b0cdefed199e7c2183f124f9a29b94fa4f1fd95bd659f335124bf5450a4e0591af885e92d117498cbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
56efdb5a0f10b5eece165de4f8c9d799

SHA1
fa5de7ca343b018c3bfeab692545eb544c244e16

SHA256
6c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108

SHA512
91e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
45KB

MD5
5f640bd48e2547b4c1a7421f080f815f

SHA1
a8f4a743f5b7da5cba7b8e6fb1d7ad4d67fefc6a

SHA256
916c83c7c8d059aea295523b8b3f24e1e2436df894f7fae26c47c9bad04baa9c

SHA512
a6ac100a351946b1bbb40c98aeda6e16e12f90f81063aff08c16d4d9afec8ed65c2cbcf25b42946627d67653f75740b1137dab625c99e9492ba35aba68b79a8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9aa50fb3a77090c7658258ab257393e4

SHA1
a8f8d1d0e36bbd9694c58e78e4503af6bf4feae8

SHA256
e8f1bfa74a74b1ade275e8fe69d3a3ac3708d145773e7053e1ed69476493522a

SHA512
d5490d4acfb2acc0bcb1c953211068b0b0d90b479abbbc82d04afc3cd457247750f25ba0d28f5c181767b1910ea01a5f6167f75416627c35b8ee689f1b30efbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
3af9e5cbbb7e82d9aea363aa3fbeac9d

SHA1
443e161e86004971c9fa1e9b2b48b167549af81c

SHA256
cc0e9c57fa9f94670dc3e0107e105fc7ec4088c2fdd5e3245ea1dc52af09558b

SHA512
655352e24b4612afe43364ce0b2df67f9f6ec18864357d0766c716b20dde465d299b89909ce284a875f94252b9d1ef0e2d3c7a5815e5f3e0054ae471950496b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dptokfuletcbpwzupgqov.exe

Filesize
7KB

MD5
f1484e725345d9ca04209b83fb0809da

SHA1
4671aec5df06923bd625fc7836138606f861ead6

SHA256
ad81e4bdbdcad2fecc18c0bae735a1d36504c0aacd6f3665e7c1335c4cfe282e

SHA512
e28e1761314472d74efa884edd24dfc6e5a6ab6bebd481a7a8e1f1d0bab0471c564bb06f626d311c70632cc5e81ccfccfcf65fed1f5971a8dff177a84f7e89b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dptokfuletcbpwzupgqov.exe

Filesize
7KB

MD5
f1484e725345d9ca04209b83fb0809da

SHA1
4671aec5df06923bd625fc7836138606f861ead6

SHA256
ad81e4bdbdcad2fecc18c0bae735a1d36504c0aacd6f3665e7c1335c4cfe282e

SHA512
e28e1761314472d74efa884edd24dfc6e5a6ab6bebd481a7a8e1f1d0bab0471c564bb06f626d311c70632cc5e81ccfccfcf65fed1f5971a8dff177a84f7e89b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tbmxhzatzsjfwjzkq.exe

Filesize
18KB

MD5
8eae30a83f5d7399c4c259fe61bb91e6

SHA1
8e92a92c6e7d12f0c43524f27790c8767403809a

SHA256
1a25006c9938254c53614c9b1a3e148722e8920b3585837474b5ed45e5d010b9

SHA512
ea2e5bbaadf59dfd045b5644b2c480d2ef04850fa854255085a2467c6e0a46f117ba605577227e37cd9142ebc1b99f807ec8883c9aa2521b3abaaa96f64ceb19

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tbmxhzatzsjfwjzkq.exe

Filesize
18KB

MD5
8eae30a83f5d7399c4c259fe61bb91e6

SHA1
8e92a92c6e7d12f0c43524f27790c8767403809a

SHA256
1a25006c9938254c53614c9b1a3e148722e8920b3585837474b5ed45e5d010b9

SHA512
ea2e5bbaadf59dfd045b5644b2c480d2ef04850fa854255085a2467c6e0a46f117ba605577227e37cd9142ebc1b99f807ec8883c9aa2521b3abaaa96f64ceb19

Download Submit
C:\Users\Admin\AppData\Roaming\5d948241ae117d70cf0dbb18f35f04a2237b4d8a18b21ef4617a46f8b8ea8bae.exe

Filesize
7KB

MD5
c3325728896df27f81a2527bc04005e5

SHA1
019273f68e9a84059da7a5369a1480afc3f693c2

SHA256
5d948241ae117d70cf0dbb18f35f04a2237b4d8a18b21ef4617a46f8b8ea8bae

SHA512
ab8bcaa2fae88f0683753e778550ba09253b5d33f15fbc1b0ca87e018d25bbe61ccddde444700832f3a2d1e34dbfd608d1feb5ebe5b01d62cfcc60df756677dc

Download Submit
C:\Users\Admin\AppData\Roaming\5d948241ae117d70cf0dbb18f35f04a2237b4d8a18b21ef4617a46f8b8ea8bae.exe

Filesize
7KB

MD5
c3325728896df27f81a2527bc04005e5

SHA1
019273f68e9a84059da7a5369a1480afc3f693c2

SHA256
5d948241ae117d70cf0dbb18f35f04a2237b4d8a18b21ef4617a46f8b8ea8bae

SHA512
ab8bcaa2fae88f0683753e778550ba09253b5d33f15fbc1b0ca87e018d25bbe61ccddde444700832f3a2d1e34dbfd608d1feb5ebe5b01d62cfcc60df756677dc

Download Submit
memory/604-326-0x0000000000000000-mapping.dmp

Download
memory/1236-324-0x0000000000000000-mapping.dmp

Download
memory/1624-325-0x0000000000000000-mapping.dmp

Download
memory/1652-163-0x0000011600480000-0x00000116004D6000-memory.dmp

Filesize
344KB

Download
memory/1652-157-0x00000116003E0000-0x0000011600480000-memory.dmp

Filesize
640KB

Download
memory/1652-116-0x000001165C620000-0x000001165C732000-memory.dmp

Filesize
1.1MB

Download
memory/1652-318-0x00000116005F0000-0x000001160063C000-memory.dmp

Filesize
304KB

Download
memory/1652-319-0x0000011600640000-0x0000011600694000-memory.dmp

Filesize
336KB

Download
memory/1652-117-0x000001165C730000-0x000001165C7C2000-memory.dmp

Filesize
584KB

Download
memory/1652-118-0x000001165AC70000-0x000001165AC92000-memory.dmp

Filesize
136KB

Download
memory/1652-115-0x000001165A760000-0x000001165A766000-memory.dmp

Filesize
24KB

Download
memory/1652-152-0x0000011600020000-0x00000116000A1000-memory.dmp

Filesize
516KB

Download
memory/1652-322-0x000001165AC6A000-0x000001165AC6F000-memory.dmp

Filesize
20KB

Download
memory/1652-155-0x0000011600360000-0x00000116003DA000-memory.dmp

Filesize
488KB

Download
memory/2080-129-0x000001A5F2180000-0x000001A5F21F6000-memory.dmp

Filesize
472KB

Download
memory/2080-121-0x0000000000000000-mapping.dmp

Download
memory/2780-140-0x0000000000000000-mapping.dmp

Download
memory/3388-300-0x0000000007080000-0x000000000709C000-memory.dmp

Filesize
112KB

Download
memory/3388-295-0x0000000007010000-0x0000000007076000-memory.dmp

Filesize
408KB

Download
memory/3388-296-0x00000000078B0000-0x0000000007916000-memory.dmp

Filesize
408KB

Download
memory/3388-305-0x0000000007F80000-0x0000000007FF6000-memory.dmp

Filesize
472KB

Download
memory/3388-276-0x00000000070A0000-0x00000000076C8000-memory.dmp

Filesize
6.2MB

Download
memory/3388-235-0x0000000000000000-mapping.dmp

Download
memory/3388-301-0x0000000007CB0000-0x0000000007CFB000-memory.dmp

Filesize
300KB

Download
memory/3388-271-0x0000000001010000-0x0000000001046000-memory.dmp

Filesize
216KB

Download
memory/3388-317-0x0000000008D70000-0x0000000008D8A000-memory.dmp

Filesize
104KB

Download
memory/3388-316-0x0000000009640000-0x0000000009CB8000-memory.dmp

Filesize
6.5MB

Download
memory/3608-145-0x0000000000000000-mapping.dmp

Download
memory/3840-351-0x0000000000000000-mapping.dmp

Download
memory/3840-354-0x0000021F27DC0000-0x0000021F27DC6000-memory.dmp

Filesize
24KB

Download
memory/3840-357-0x0000021F42260000-0x0000021F42344000-memory.dmp

Filesize
912KB

Download
memory/4064-376-0x0000000000000000-mapping.dmp

Download
memory/4132-119-0x0000000000000000-mapping.dmp

Download
memory/4144-120-0x0000000000000000-mapping.dmp

Download
memory/4260-375-0x0000000000000000-mapping.dmp

Download
memory/4336-160-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-219-0x0000000005A20000-0x0000000005AD0000-memory.dmp

Filesize
704KB

Download
memory/4336-178-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-179-0x0000000000370000-0x000000000037A000-memory.dmp

Filesize
40KB

Download
memory/4336-180-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-181-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-182-0x0000000005060000-0x000000000555E000-memory.dmp

Filesize
5.0MB

Download
memory/4336-183-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-184-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-185-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-186-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-187-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-188-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-189-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-190-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-191-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-192-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-193-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-194-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-195-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-196-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-197-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-198-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-199-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-200-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-201-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-202-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-203-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-204-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-205-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-206-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-207-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-208-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-209-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-210-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-211-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-212-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-177-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-220-0x0000000005B70000-0x0000000005C02000-memory.dmp

Filesize
584KB

Download
memory/4336-221-0x0000000005D50000-0x0000000005D72000-memory.dmp

Filesize
136KB

Download
memory/4336-223-0x0000000005E30000-0x0000000006180000-memory.dmp

Filesize
3.3MB

Download
memory/4336-176-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-175-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-174-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-173-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-172-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-171-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-170-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-169-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-167-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-168-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-166-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-165-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-164-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-162-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-161-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-159-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-158-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-156-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-154-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-153-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-151-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-150-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-148-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-147-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-144-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-356-0x00000000008A0000-0x00000000008C2000-memory.dmp

Filesize
136KB

Download
memory/4336-146-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-381-0x0000000006850000-0x000000000685A000-memory.dmp

Filesize
40KB

Download
memory/4336-143-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-142-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-141-0x0000000077BF0000-0x0000000077D7E000-memory.dmp

Filesize
1.6MB

Download
memory/4336-138-0x0000000000000000-mapping.dmp

Download
memory/4336-377-0x00000000008D0000-0x0000000000906000-memory.dmp

Filesize
216KB

Download
memory/4336-378-0x00000000009C0000-0x00000000009C8000-memory.dmp

Filesize
32KB

Download
memory/4812-358-0x0000000000000000-mapping.dmp

Download