ef146e82d7ce82f08861801b9b4d0e41d7ecd348075a8e2605c2783964ef0355

Resubmissions

20/07/2023, 09:07

230720-k3sx7sfd4w 7

20/07/2023, 09:04

230720-k12gkaef72 7

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
20/07/2023, 09:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TTWireConfirmation_20230720 pdf.exe
Size

40KB
MD5

6577e3088e19e789d8cdc328c5c5fe21
SHA1

dabd810e66018ff0b27c891f358fe413e8891fbd
SHA256

177f753bd39be134d1eb4298663f3dfc9d6291a9d6ed56df851604800ae0d5b6
SHA512

f685c5f09f5be1ec031ba3e4e2990e34b5fa5063e5290da36ac3669f591fffc9a3f95e04bd00ea1e77e68692ae270756438a70dd836291f4e96ed33addb49d0f
SSDEEP

768:LZzeRDK3EaC8l2hP3SScNY8cfRqTuM+1+I:LZzCDK3Eaqh36G8BTugI

Score

7^/10

collection persistence spyware stealer

Malware Config

Signatures

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	TTWireConfirmation_20230720 pdf.exe
Key opened	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	TTWireConfirmation_20230720 pdf.exe
Key opened	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	TTWireConfirmation_20230720 pdf.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gunalmvy = "C:\\Users\\Admin\\AppData\\Roaming\\Gunalmvy.exe"	TTWireConfirmation_20230720 pdf.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	api.ipify.org
8	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1692 set thread context of 2292	1692	TTWireConfirmation_20230720 pdf.exe	28

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	TTWireConfirmation_20230720 pdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	TTWireConfirmation_20230720 pdf.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	TTWireConfirmation_20230720 pdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	TTWireConfirmation_20230720 pdf.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	TTWireConfirmation_20230720 pdf.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	TTWireConfirmation_20230720 pdf.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2292	TTWireConfirmation_20230720 pdf.exe
2292	TTWireConfirmation_20230720 pdf.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1692	TTWireConfirmation_20230720 pdf.exe
Token: SeDebugPrivilege	2292	TTWireConfirmation_20230720 pdf.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 2292	1692	TTWireConfirmation_20230720 pdf.exe	28
PID 1692 wrote to memory of 2292	1692	TTWireConfirmation_20230720 pdf.exe	28
PID 1692 wrote to memory of 2292	1692	TTWireConfirmation_20230720 pdf.exe	28
PID 1692 wrote to memory of 2292	1692	TTWireConfirmation_20230720 pdf.exe	28
PID 1692 wrote to memory of 2292	1692	TTWireConfirmation_20230720 pdf.exe	28
PID 1692 wrote to memory of 2292	1692	TTWireConfirmation_20230720 pdf.exe	28
PID 1692 wrote to memory of 2292	1692	TTWireConfirmation_20230720 pdf.exe	28
PID 1692 wrote to memory of 2292	1692	TTWireConfirmation_20230720 pdf.exe	28
PID 1692 wrote to memory of 2292	1692	TTWireConfirmation_20230720 pdf.exe	28

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	TTWireConfirmation_20230720 pdf.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	TTWireConfirmation_20230720 pdf.exe

C:\Users\Admin\AppData\Local\Temp\TTWireConfirmation_20230720 pdf.exe
"C:\Users\Admin\AppData\Local\Temp\TTWireConfirmation_20230720 pdf.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Users\Admin\AppData\Local\Temp\TTWireConfirmation_20230720 pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\TTWireConfirmation_20230720 pdf.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:2292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
13f4211b8ffdabfd035cb6b0de3d9310

SHA1
836555fd17a07f8c05ae1482c019c296f3a8702f

SHA256
766a147db9cfe516b3f875c0e2b5e15841b121bc64a7bd51a5734e70287c1bc6

SHA512
c678d48d7bb568b19f0b0466aa4706916bc94e92f4bddf33d7d7ed1349376702f420f0785241fc08ff51a573e5506713603cae8a774ef7794a11b8f88cd90d5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab828A.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8339.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
memory/1692-54-0x00000000000C0000-0x00000000000D0000-memory.dmp

Filesize
64KB

Download
memory/1692-55-0x0000000074020000-0x000000007470E000-memory.dmp

Filesize
6.9MB

Download
memory/1692-56-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1692-118-0x0000000005EC0000-0x0000000005FA0000-memory.dmp

Filesize
896KB

Download
memory/1692-120-0x0000000005EC0000-0x0000000005F9A000-memory.dmp

Filesize
872KB

Download
memory/1692-119-0x0000000005EC0000-0x0000000005F9A000-memory.dmp

Filesize
872KB

Download
memory/1692-122-0x0000000005EC0000-0x0000000005F9A000-memory.dmp

Filesize
872KB

Download
memory/1692-124-0x0000000005EC0000-0x0000000005F9A000-memory.dmp

Filesize
872KB

Download
memory/1692-126-0x0000000005EC0000-0x0000000005F9A000-memory.dmp

Filesize
872KB

Download
memory/1692-128-0x0000000005EC0000-0x0000000005F9A000-memory.dmp

Filesize
872KB

Download
memory/1692-130-0x0000000005EC0000-0x0000000005F9A000-memory.dmp

Filesize
872KB

Download
memory/1692-132-0x0000000005EC0000-0x0000000005F9A000-memory.dmp

Filesize
872KB

Download
memory/1692-134-0x0000000005EC0000-0x0000000005F9A000-memory.dmp

Filesize
872KB

Download
memory/1692-136-0x0000000005EC0000-0x0000000005F9A000-memory.dmp

Filesize
872KB

Download
memory/1692-138-0x0000000005EC0000-0x0000000005F9A000-memory.dmp

Filesize
872KB

Download
memory/1692-140-0x0000000005EC0000-0x0000000005F9A000-memory.dmp

Filesize
872KB

Download
memory/1692-142-0x0000000005EC0000-0x0000000005F9A000-memory.dmp

Filesize
872KB

Download
memory/1692-146-0x0000000005EC0000-0x0000000005F9A000-memory.dmp

Filesize
872KB

Download
memory/1692-144-0x0000000005EC0000-0x0000000005F9A000-memory.dmp

Filesize
872KB

Download
memory/1692-148-0x0000000005EC0000-0x0000000005F9A000-memory.dmp

Filesize
872KB

Download
memory/1692-150-0x0000000005EC0000-0x0000000005F9A000-memory.dmp

Filesize
872KB

Download
memory/1692-152-0x0000000005EC0000-0x0000000005F9A000-memory.dmp

Filesize
872KB

Download
memory/1692-154-0x0000000005EC0000-0x0000000005F9A000-memory.dmp

Filesize
872KB

Download
memory/1692-156-0x0000000005EC0000-0x0000000005F9A000-memory.dmp

Filesize
872KB

Download
memory/1692-158-0x0000000005EC0000-0x0000000005F9A000-memory.dmp

Filesize
872KB

Download
memory/1692-160-0x0000000005EC0000-0x0000000005F9A000-memory.dmp

Filesize
872KB

Download
memory/1692-162-0x0000000005EC0000-0x0000000005F9A000-memory.dmp

Filesize
872KB

Download
memory/1692-164-0x0000000005EC0000-0x0000000005F9A000-memory.dmp

Filesize
872KB

Download
memory/1692-166-0x0000000005EC0000-0x0000000005F9A000-memory.dmp

Filesize
872KB

Download
memory/1692-168-0x0000000005EC0000-0x0000000005F9A000-memory.dmp

Filesize
872KB

Download
memory/1692-170-0x0000000005EC0000-0x0000000005F9A000-memory.dmp

Filesize
872KB

Download
memory/1692-172-0x0000000005EC0000-0x0000000005F9A000-memory.dmp

Filesize
872KB

Download
memory/1692-174-0x0000000005EC0000-0x0000000005F9A000-memory.dmp

Filesize
872KB

Download
memory/1692-176-0x0000000005EC0000-0x0000000005F9A000-memory.dmp

Filesize
872KB

Download
memory/1692-178-0x0000000005EC0000-0x0000000005F9A000-memory.dmp

Filesize
872KB

Download
memory/1692-180-0x0000000005EC0000-0x0000000005F9A000-memory.dmp

Filesize
872KB

Download
memory/1692-182-0x0000000005EC0000-0x0000000005F9A000-memory.dmp

Filesize
872KB

Download
memory/1692-686-0x0000000074020000-0x000000007470E000-memory.dmp

Filesize
6.9MB

Download
memory/1692-796-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1692-1443-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/1692-1444-0x0000000004410000-0x0000000004456000-memory.dmp

Filesize
280KB

Download
memory/1692-1445-0x0000000004EE0000-0x0000000004F2C000-memory.dmp

Filesize
304KB

Download
memory/1692-1457-0x0000000074020000-0x000000007470E000-memory.dmp

Filesize
6.9MB

Download
memory/2292-1462-0x0000000073110000-0x00000000737FE000-memory.dmp

Filesize
6.9MB

Download
memory/2292-1461-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2292-1463-0x0000000000530000-0x0000000000570000-memory.dmp

Filesize
256KB

Download
memory/2292-1464-0x0000000073110000-0x00000000737FE000-memory.dmp

Filesize
6.9MB

Download
memory/2292-1465-0x0000000000530000-0x0000000000570000-memory.dmp

Filesize
256KB

Download