eafd8f574ea7fd0f345eaa19eae8d0d78d5323c8154592c850a2d78a86817744

Analysis

max time kernel
583s
max time network
443s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
12-06-2023 03:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

zbxl.zip
Size

43.8MB
MD5

da596c5fa1bfe53dc6ef777e810c2e7d
SHA1

dc756fddd264eaadcc0c8e8576d11259bbe1c150
SHA256

eafd8f574ea7fd0f345eaa19eae8d0d78d5323c8154592c850a2d78a86817744
SHA512

bb7a10c4d9decee9687dfba5987939d1f55c3966bd80d06103d4bde6f61df3957d89392ac185b96ac668bc794193319dad33e34dde199df91eb2981e7e5f9fc3
SSDEEP

196608:rAA/coo9ZmMOfGI0QIdgCUlo1JKq5LJ2q82M/nSk827:rAHX9DQGI0Q321tr82MPl

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	SearchProtocolHost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	SearchIndexer.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avi\UserChoice	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.mpa = "1"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp\UserChoice\ProgId = "AppX43hnxtbyyps62jhe9sqpdzxn1790zetc"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dib\UserChoice\Hash = "F7d60IaM1mk="	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.avi = "1"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raw\UserChoice\ProgId = "AppX43hnxtbyyps62jhe9sqpdzxn1790zetc"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000adac718adb9cd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp\UserChoice\Hash = "/MS75B4zCRs="	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e965e156db9cd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.crw\UserChoice	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mov\UserChoice	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpa\UserChoice\Hash = "KeKwGYOEzrI="	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.crw\UserChoice\ProgId = "AppX43hnxtbyyps62jhe9sqpdzxn1790zetc"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.html = "1"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ffcb467bdb9cd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WPL\UserChoice\ProgId = "AppXqj98qxeaynz6dv4459ayz6bnqxbyaqcs"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dib	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WPL\UserChoice	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\FileAssociations\ProgIds\_.crw = "1"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\UserChoice	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpeg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000ec0db57db9cd901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001637d1c3db9cd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\UserChoice\ProgId = "AppX43hnxtbyyps62jhe9sqpdzxn1790zetc"	SearchProtocolHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings	control.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: 33	2800	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2800	SearchIndexer.exe
Token: SeShutdownPrivilege	4080	control.exe
Token: SeCreatePagefilePrivilege	4080	control.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2800 wrote to memory of 4824	2800	SearchIndexer.exe	72
PID 2800 wrote to memory of 4824	2800	SearchIndexer.exe	72
PID 2800 wrote to memory of 2068	2800	SearchIndexer.exe	73
PID 2800 wrote to memory of 2068	2800	SearchIndexer.exe	73
PID 2800 wrote to memory of 4996	2800	SearchIndexer.exe	74
PID 2800 wrote to memory of 4996	2800	SearchIndexer.exe	74
PID 2800 wrote to memory of 4132	2800	SearchIndexer.exe	79
PID 2800 wrote to memory of 4132	2800	SearchIndexer.exe	79

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\zbxl.zip
1⤵
PID:2896

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4152

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:4824
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 684 688 696 8192 692
  2⤵
  - Modifies data under HKEY_USERS
  PID:2068
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 684 688 696 8192 692
  2⤵
  - Modifies data under HKEY_USERS
  PID:4996
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 684 688 696 8192 692
  2⤵
  PID:4132

C:\Windows\system32\control.exe
"C:\Windows\system32\control.exe" SYSTEM
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4080

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:4060

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2068-158-0x000002E7A2B80000-0x000002E7A2B90000-memory.dmp

Filesize
64KB

Download
memory/2068-160-0x000002E7A2BB0000-0x000002E7A2BC0000-memory.dmp

Filesize
64KB

Download
memory/2068-161-0x000002E7A2BB0000-0x000002E7A2BC0000-memory.dmp

Filesize
64KB

Download
memory/2068-163-0x000002E7A2BB0000-0x000002E7A2BC0000-memory.dmp

Filesize
64KB

Download
memory/2068-165-0x000002E7A2BB0000-0x000002E7A2BC0000-memory.dmp

Filesize
64KB

Download
memory/2068-166-0x000002E7A2BB0000-0x000002E7A2BC0000-memory.dmp

Filesize
64KB

Download
memory/2068-164-0x000002E7A2BB0000-0x000002E7A2BC0000-memory.dmp

Filesize
64KB

Download
memory/2068-169-0x000002E7A2BB0000-0x000002E7A2BC0000-memory.dmp

Filesize
64KB

Download
memory/2068-173-0x000002E7A2BB0000-0x000002E7A2BC0000-memory.dmp

Filesize
64KB

Download
memory/2068-176-0x000002E7A2BB0000-0x000002E7A2BC0000-memory.dmp

Filesize
64KB

Download
memory/2068-175-0x000002E7A2BB0000-0x000002E7A2BC0000-memory.dmp

Filesize
64KB

Download
memory/2068-179-0x000002E7A2BB0000-0x000002E7A2BC0000-memory.dmp

Filesize
64KB

Download
memory/2068-182-0x000002E7A2BB0000-0x000002E7A2BC0000-memory.dmp

Filesize
64KB

Download
memory/2068-181-0x000002E7A2BB0000-0x000002E7A2BC0000-memory.dmp

Filesize
64KB

Download
memory/2068-180-0x000002E7A2BB0000-0x000002E7A2BC0000-memory.dmp

Filesize
64KB

Download
memory/2068-174-0x000002E7A2BB0000-0x000002E7A2BC0000-memory.dmp

Filesize
64KB

Download
memory/2068-172-0x000002E7A2BB0000-0x000002E7A2BC0000-memory.dmp

Filesize
64KB

Download
memory/2068-183-0x000002E7A2BE0000-0x000002E7A2BF0000-memory.dmp

Filesize
64KB

Download
memory/2068-184-0x000002E7A2BE0000-0x000002E7A2BE1000-memory.dmp

Filesize
4KB

Download
memory/2068-185-0x000002E7A2BE0000-0x000002E7A2BF0000-memory.dmp

Filesize
64KB

Download
memory/2068-201-0x000002E7A2BE0000-0x000002E7A2BE3000-memory.dmp

Filesize
12KB

Download
memory/2800-121-0x000001BE7DE80000-0x000001BE7DE90000-memory.dmp

Filesize
64KB

Download
memory/2800-137-0x000001BE7E030000-0x000001BE7E040000-memory.dmp

Filesize
64KB

Download
memory/2800-153-0x000001BE7E4E0000-0x000001BE7E4E8000-memory.dmp

Filesize
32KB

Download
memory/2800-186-0x000001BE049A0000-0x000001BE049A8000-memory.dmp

Filesize
32KB

Download
memory/2800-187-0x000001BE04990000-0x000001BE04991000-memory.dmp

Filesize
4KB

Download
memory/2800-189-0x000001BE04990000-0x000001BE04998000-memory.dmp

Filesize
32KB

Download
memory/2800-191-0x000001BE05BF0000-0x000001BE05BF8000-memory.dmp

Filesize
32KB

Download
memory/2800-193-0x000001BE05E10000-0x000001BE05E18000-memory.dmp

Filesize
32KB

Download
memory/2800-194-0x000001BE05B40000-0x000001BE05B41000-memory.dmp

Filesize
4KB

Download
memory/2800-196-0x000001BE04990000-0x000001BE04998000-memory.dmp

Filesize
32KB

Download
memory/4996-204-0x000002D5DC050000-0x000002D5DC060000-memory.dmp

Filesize
64KB

Download
memory/4996-206-0x000002D5DC3C0000-0x000002D5DC3D0000-memory.dmp

Filesize
64KB

Download
memory/4996-209-0x000002D5DC3C0000-0x000002D5DC3D0000-memory.dmp

Filesize
64KB

Download
memory/4996-211-0x000002D5DC3C0000-0x000002D5DC3D0000-memory.dmp

Filesize
64KB

Download
memory/4996-214-0x000002D5DC3C0000-0x000002D5DC3D0000-memory.dmp

Filesize
64KB

Download
memory/4996-213-0x000002D5DC3C0000-0x000002D5DC3D0000-memory.dmp

Filesize
64KB

Download
memory/4996-212-0x000002D5DC3C0000-0x000002D5DC3D0000-memory.dmp

Filesize
64KB

Download
memory/4996-231-0x000002D5DC3D0000-0x000002D5DC3E0000-memory.dmp

Filesize
64KB

Download
memory/4996-232-0x000002D5DC3F0000-0x000002D5DC400000-memory.dmp

Filesize
64KB

Download
memory/4996-243-0x000002D5DC3F0000-0x000002D5DC400000-memory.dmp

Filesize
64KB

Download
memory/4996-244-0x000002D5DD710000-0x000002D5DD910000-memory.dmp

Filesize
2.0MB

Download
memory/4996-258-0x000002D5DD710000-0x000002D5DD910000-memory.dmp

Filesize
2.0MB

Download
memory/4996-259-0x000002D5DD710000-0x000002D5DD910000-memory.dmp

Filesize
2.0MB

Download
memory/4996-285-0x000002D5DD710000-0x000002D5DD910000-memory.dmp

Filesize
2.0MB

Download
memory/4996-286-0x000002D5DD710000-0x000002D5DD910000-memory.dmp

Filesize
2.0MB

Download
memory/4996-287-0x000002D5DD710000-0x000002D5DD910000-memory.dmp

Filesize
2.0MB

Download
memory/4996-288-0x000002D5DD710000-0x000002D5DD910000-memory.dmp

Filesize
2.0MB

Download
memory/4996-289-0x000002D5DD710000-0x000002D5DD910000-memory.dmp

Filesize
2.0MB

Download
memory/4996-290-0x000002D5DD710000-0x000002D5DD910000-memory.dmp

Filesize
2.0MB

Download
memory/4996-291-0x000002D5DD710000-0x000002D5DD910000-memory.dmp

Filesize
2.0MB

Download
memory/4996-292-0x000002D5DD710000-0x000002D5DD910000-memory.dmp

Filesize
2.0MB

Download
memory/4996-293-0x000002D5DD710000-0x000002D5DD910000-memory.dmp

Filesize
2.0MB

Download
memory/4996-294-0x000002D5DD710000-0x000002D5DD910000-memory.dmp

Filesize
2.0MB

Download
memory/4996-295-0x000002D5DD710000-0x000002D5DD910000-memory.dmp

Filesize
2.0MB

Download