2e032f8a08feb42c7deaf05ec601272bd0ef50e3af43ebafa6d37767043955ab

Analysis

max time kernel
133s
max time network
150s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
05/02/2023, 21:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e032f8a08feb42c7deaf05ec601272bd0ef50e3af43ebafa6d37767043955ab.exe
Size

3.6MB
MD5

e2494c5c8c51d8a6be9962d2e10b9aad
SHA1

9d7583b120b99610d3bee855ec90481bffa143fa
SHA256

2e032f8a08feb42c7deaf05ec601272bd0ef50e3af43ebafa6d37767043955ab
SHA512

6c14167b193250c2c37a0352d32abbadf3a49f731951494c57a9055f6c765b0fd9afe5bc13228768f32e2dedb5a387097c837a2c35d0b2bf9c89b04ad452f011
SSDEEP

98304:drpLRZqbGxqL5u6DgZpCowJtFkbc/UsINdzk:FpjqixqL5nUZpCoe72C2Ndz

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
2	4484	rundll32.exe
3	4484	rundll32.exe
11	4484	rundll32.exe

Loads dropped DLL 2 IoCs

pid	Process
4484	rundll32.exe
4484	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4484 set thread context of 1740	4484	rundll32.exe	67

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Portable Devices\email_all.gif	rundll32.exe
File created	C:\Program Files (x86)\Windows Portable Devices\QRCode.pmp	rundll32.exe
File created	C:\Program Files (x86)\Windows Portable Devices\nppdf32.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DVA.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\export.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\QRCode.pmp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\cryptocme.dll	rundll32.exe
File created	C:\Program Files (x86)\Windows Portable Devices\export.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\email_all.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\base_uris.js	rundll32.exe
File created	C:\Program Files (x86)\Windows Portable Devices\DVA.api	rundll32.exe
File created	C:\Program Files (x86)\Windows Portable Devices\base_uris.js	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 24 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e00310000000000455696b6100054656d7000003a0009000400efbe0c55a789455696b62e00000000000000000000000000000000000000000000000000fe54e100540065006d007000000014000000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4484	rundll32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1740	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 4484	2196	2e032f8a08feb42c7deaf05ec601272bd0ef50e3af43ebafa6d37767043955ab.exe	66
PID 2196 wrote to memory of 4484	2196	2e032f8a08feb42c7deaf05ec601272bd0ef50e3af43ebafa6d37767043955ab.exe	66
PID 2196 wrote to memory of 4484	2196	2e032f8a08feb42c7deaf05ec601272bd0ef50e3af43ebafa6d37767043955ab.exe	66
PID 4484 wrote to memory of 1740	4484	rundll32.exe	67
PID 4484 wrote to memory of 1740	4484	rundll32.exe	67
PID 4484 wrote to memory of 1740	4484	rundll32.exe	67

C:\Users\Admin\AppData\Local\Temp\2e032f8a08feb42c7deaf05ec601272bd0ef50e3af43ebafa6d37767043955ab.exe
"C:\Users\Admin\AppData\Local\Temp\2e032f8a08feb42c7deaf05ec601272bd0ef50e3af43ebafa6d37767043955ab.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wadadftewrrfq.dll,start
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4484
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 24048
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:1740
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:2364
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:3676

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3752

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
PID:3324
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windows portable devices\nppdf32.dll",d2EWT3I2SA==
  2⤵
  PID:4648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\{591E2674-0925-9BA2-C1D9-30CB42E7908A}\0__Power_EnergyEstimationEngine.provxml

Filesize
677B

MD5
d32e5987adfd5bbf3951b2257e2ce788

SHA1
83f14dcfa84f81eb65977226853c754fe15d0ef8

SHA256
0b02936ce2b42d4d0565ef0ce127d53ec39aa0b48c534ee5e2d5004e5745900a

SHA512
0c6323df352c6022f94147dbec1354fd2ff17288d9e5c08c58415a97a8e4280b22b221d88cd8b4dde2a19211fc87c3fb5ca4fc2f2c38e6778f325f4190dd85a3

Download Submit
C:\ProgramData\{591E2674-0925-9BA2-C1D9-30CB42E7908A}\1__Power_Policy.provxml

Filesize
2KB

MD5
a522777e1a2068e0d7fa1ec3de481867

SHA1
f88c82a9902024dea435c89787125f52e8ebf86e

SHA256
fd88a3363d168330eca8b2cbc67442dcdc61da9e703d67b42d5b77dc3a273fda

SHA512
54dae248a38e2b791d4b6e8989f2d7a5c57e7ca2a6f43eba3ec1e3d15f9cfe5cafadeb9ecc1d8b7dd33a32035fe629ba964f878ef11104a8b650d941861aec6f

Download Submit
C:\ProgramData\{591E2674-0925-9BA2-C1D9-30CB42E7908A}\MasterDatastore.xml

Filesize
271B

MD5
d6650e3886f3c95fb42d4f0762b04173

SHA1
1da4b8bb6bb45d576616ad843cf6e4c2e9d4784b

SHA256
9101f028c2288850be393281297500902b297c8b6ecf793292678b04a72709c9

SHA512
1f82db4bd6ea401bb5610c21ed48848b9b61c55aabb4efada31dc677835b8e4451045006c4067e9cc51267a1c861765b49c3b3ab4c568be1dca0c0109fd8ceaa

Download Submit
C:\ProgramData\{591E2674-0925-9BA2-C1D9-30CB42E7908A}\Shqhdpq.tmp

Filesize
3.5MB

MD5
dcc3fbe0269703cb79674886f9edb57e

SHA1
008a63790ece7aedca02cdbecd134190769df9ea

SHA256
2f1404668408af25de0e0dacde7e733654c1574e810d8b88257f9c39fc92970c

SHA512
f8fd5a699b506c8781a3f4b687ce7cbe42b18d20491dc912e39c8126ef97470ef6f5dda8934faee9cd38cf981b11ba0b8ac6b406614c1deae48837ac73ce353c

Download Submit
C:\ProgramData\{591E2674-0925-9BA2-C1D9-30CB42E7908A}\setup.ini

Filesize
214B

MD5
d8b2e1bfe12db863bdccdd49a5e1c8b5

SHA1
9c979907f03887b270d4e87b0cdd5377cff3692c

SHA256
00b5526d5cffb22eb22eb663fd3863c3f287c5bfc951f1d45cdd0cf0b25c2301

SHA512
3bf15a8620fa2269fb1fc7280bc203d62160f66d0cfcdc6422b0d33ab3745c6be864a8b51728f92b9e63ba3d7b1504ad8448996f14e866102369ea91b3ad7d41

Download Submit
C:\ProgramData\{591E2674-0925-9BA2-C1D9-30CB42E7908A}\stream.x64.x-none.dat.cat

Filesize
574KB

MD5
13e2674d1e5118dc8547264aa2b8654b

SHA1
60b0f7065882e839d6a80f1263f9f60a8efa26bd

SHA256
320ae5c50698f4553758c71c37135cf390c06f355cfb3b8cc18dae85ead16944

SHA512
b399d85720844dbcb7220b05a186cd0cf46e3307c8afbebbbdcd132be5aa9f936482ba5743764acd12df256a2b2249a0b06ef7365286c66912db02634cd18bda

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wadadftewrrfq.dll

Filesize
4.2MB

MD5
40722c9030bd0f03dc44786defd62591

SHA1
8cbdff8544710ec3524f8df0cc5578f31133576f

SHA256
025cd1eb44cf3dffbfb879cc8c20de75d453a392353dbffd48d4c30c380550bf

SHA512
00729e525d18c60ae0b8830fbe47444781b3fa62e3b5e565061383d0ff0e3e28366b306f4c7ed024e37ef294046a34bf1ff870e8f9e413134ec558f7e2d40b2c

Download Submit
\??\c:\program files (x86)\windows portable devices\nppdf32.dll

Filesize
4.2MB

MD5
09de4907bdb55b12515950e2f6f9fa2e

SHA1
32393c5ff69b9cb8ea5e08e508bbbdc489f2c2f4

SHA256
9138d7e6f56d2ab7fe44881f8fa09d4c94b120a5104efb783decebc3f4608894

SHA512
61595cead98eef0109cf466fbd22a8511ceb02e32c9905a5423dc8d57229cf26a7d03d54f510e2cc38bd1e694d1e8f21dca3e55bd9a87c937fe89eb0eef1aae8

Download Submit
\Program Files (x86)\Windows Portable Devices\nppdf32.dll

Filesize
4.2MB

MD5
09de4907bdb55b12515950e2f6f9fa2e

SHA1
32393c5ff69b9cb8ea5e08e508bbbdc489f2c2f4

SHA256
9138d7e6f56d2ab7fe44881f8fa09d4c94b120a5104efb783decebc3f4608894

SHA512
61595cead98eef0109cf466fbd22a8511ceb02e32c9905a5423dc8d57229cf26a7d03d54f510e2cc38bd1e694d1e8f21dca3e55bd9a87c937fe89eb0eef1aae8

Download Submit
\Program Files (x86)\Windows Portable Devices\nppdf32.dll

Filesize
4.2MB

MD5
09de4907bdb55b12515950e2f6f9fa2e

SHA1
32393c5ff69b9cb8ea5e08e508bbbdc489f2c2f4

SHA256
9138d7e6f56d2ab7fe44881f8fa09d4c94b120a5104efb783decebc3f4608894

SHA512
61595cead98eef0109cf466fbd22a8511ceb02e32c9905a5423dc8d57229cf26a7d03d54f510e2cc38bd1e694d1e8f21dca3e55bd9a87c937fe89eb0eef1aae8

Download Submit
\Program Files (x86)\Windows Portable Devices\nppdf32.dll

Filesize
4.2MB

MD5
09de4907bdb55b12515950e2f6f9fa2e

SHA1
32393c5ff69b9cb8ea5e08e508bbbdc489f2c2f4

SHA256
9138d7e6f56d2ab7fe44881f8fa09d4c94b120a5104efb783decebc3f4608894

SHA512
61595cead98eef0109cf466fbd22a8511ceb02e32c9905a5423dc8d57229cf26a7d03d54f510e2cc38bd1e694d1e8f21dca3e55bd9a87c937fe89eb0eef1aae8

Download Submit
\Users\Admin\AppData\Local\Temp\Wadadftewrrfq.dll

Filesize
4.2MB

MD5
40722c9030bd0f03dc44786defd62591

SHA1
8cbdff8544710ec3524f8df0cc5578f31133576f

SHA256
025cd1eb44cf3dffbfb879cc8c20de75d453a392353dbffd48d4c30c380550bf

SHA512
00729e525d18c60ae0b8830fbe47444781b3fa62e3b5e565061383d0ff0e3e28366b306f4c7ed024e37ef294046a34bf1ff870e8f9e413134ec558f7e2d40b2c

Download Submit
\Users\Admin\AppData\Local\Temp\Wadadftewrrfq.dll

Filesize
4.2MB

MD5
40722c9030bd0f03dc44786defd62591

SHA1
8cbdff8544710ec3524f8df0cc5578f31133576f

SHA256
025cd1eb44cf3dffbfb879cc8c20de75d453a392353dbffd48d4c30c380550bf

SHA512
00729e525d18c60ae0b8830fbe47444781b3fa62e3b5e565061383d0ff0e3e28366b306f4c7ed024e37ef294046a34bf1ff870e8f9e413134ec558f7e2d40b2c

Download Submit
memory/1740-290-0x00000210C4070000-0x00000210C4313000-memory.dmp

Filesize
2.6MB

Download
memory/1740-289-0x0000000000BA0000-0x0000000000E31000-memory.dmp

Filesize
2.6MB

Download
memory/2196-164-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-129-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-136-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-138-0x00000000027C0000-0x0000000002B41000-memory.dmp

Filesize
3.5MB

Download
memory/2196-137-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-139-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-140-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-141-0x0000000002B50000-0x0000000003026000-memory.dmp

Filesize
4.8MB

Download
memory/2196-142-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-143-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-144-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-145-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-146-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-147-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-148-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-149-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-150-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-151-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-152-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-153-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-154-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-155-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-157-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-156-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-158-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-159-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-160-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-161-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-162-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/2196-163-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-117-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-165-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-166-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-167-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-168-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-118-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-171-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-119-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-120-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-174-0x0000000002B50000-0x0000000003026000-memory.dmp

Filesize
4.8MB

Download
memory/2196-121-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-176-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/2196-122-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-123-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-124-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-125-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-126-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-128-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-127-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-135-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-130-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-131-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-133-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/2196-134-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/3324-388-0x0000000004670000-0x00000000051BE000-memory.dmp

Filesize
11.3MB

Download
memory/3324-515-0x0000000004670000-0x00000000051BE000-memory.dmp

Filesize
11.3MB

Download
memory/4484-177-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4484-172-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4484-182-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4484-291-0x0000000005740000-0x000000000628E000-memory.dmp

Filesize
11.3MB

Download
memory/4484-181-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4484-180-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4484-179-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4484-178-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4484-187-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4484-173-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4484-175-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4484-183-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4484-170-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4484-184-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4484-186-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4484-275-0x0000000005740000-0x000000000628E000-memory.dmp

Filesize
11.3MB

Download
memory/4484-185-0x0000000077660000-0x00000000777EE000-memory.dmp

Filesize
1.6MB

Download
memory/4648-483-0x0000000005560000-0x00000000060AE000-memory.dmp

Filesize
11.3MB

Download
memory/4648-475-0x0000000005560000-0x00000000060AE000-memory.dmp

Filesize
11.3MB

Download