4d0bdffbaf8b92803782672861029a8a05923cdbf7a66a9cc56fb08c4c2f4b57

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
20/08/2023, 15:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4d0bdffbaf8b92803782672861029a8a05923cdbf7a66a9cc56fb08c4c2f4b57_JC.exe
Size

98KB
MD5

a0cad95d0e988a1c252ff15c4f1831e6
SHA1

fc492ec18164f4b5d0de8dbdac285c2ba90c9a65
SHA256

4d0bdffbaf8b92803782672861029a8a05923cdbf7a66a9cc56fb08c4c2f4b57
SHA512

d0e6718a5b5332b41e829a927da644db2486f0dc96b580855baf01e9c534fd73951e126c859763a36ee25a0dc7409b9a60b46591c5f067ed7f3eaec185bb4cd7
SSDEEP

3072:mg7Xjd4cUB+R1YCp9mP7IHJDeWJaCd/GRFpS3lg0aXfJWKq:mg7Xjd4cUAR1YM9mP7IHJDeWJaCd/GRP

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fmbyshgj = "C:\\Users\\Admin\\AppData\\Roaming\\Fmbyshgj.exe"	4d0bdffbaf8b92803782672861029a8a05923cdbf7a66a9cc56fb08c4c2f4b57_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Windows\CurrentVersion\Run\wSStSI = "C:\\Users\\Admin\\AppData\\Roaming\\wSStSI\\wSStSI.exe"	MSBuild.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	api.ipify.org
12	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2160 set thread context of 2168	2160	4d0bdffbaf8b92803782672861029a8a05923cdbf7a66a9cc56fb08c4c2f4b57_JC.exe	29

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	4d0bdffbaf8b92803782672861029a8a05923cdbf7a66a9cc56fb08c4c2f4b57_JC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	4d0bdffbaf8b92803782672861029a8a05923cdbf7a66a9cc56fb08c4c2f4b57_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	4d0bdffbaf8b92803782672861029a8a05923cdbf7a66a9cc56fb08c4c2f4b57_JC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	4d0bdffbaf8b92803782672861029a8a05923cdbf7a66a9cc56fb08c4c2f4b57_JC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	4d0bdffbaf8b92803782672861029a8a05923cdbf7a66a9cc56fb08c4c2f4b57_JC.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	4d0bdffbaf8b92803782672861029a8a05923cdbf7a66a9cc56fb08c4c2f4b57_JC.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2160	4d0bdffbaf8b92803782672861029a8a05923cdbf7a66a9cc56fb08c4c2f4b57_JC.exe
2160	4d0bdffbaf8b92803782672861029a8a05923cdbf7a66a9cc56fb08c4c2f4b57_JC.exe
2168	MSBuild.exe
2168	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2160	4d0bdffbaf8b92803782672861029a8a05923cdbf7a66a9cc56fb08c4c2f4b57_JC.exe
Token: SeDebugPrivilege	2168	MSBuild.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 2524	2160	4d0bdffbaf8b92803782672861029a8a05923cdbf7a66a9cc56fb08c4c2f4b57_JC.exe	28
PID 2160 wrote to memory of 2524	2160	4d0bdffbaf8b92803782672861029a8a05923cdbf7a66a9cc56fb08c4c2f4b57_JC.exe	28
PID 2160 wrote to memory of 2524	2160	4d0bdffbaf8b92803782672861029a8a05923cdbf7a66a9cc56fb08c4c2f4b57_JC.exe	28
PID 2160 wrote to memory of 2524	2160	4d0bdffbaf8b92803782672861029a8a05923cdbf7a66a9cc56fb08c4c2f4b57_JC.exe	28
PID 2160 wrote to memory of 2168	2160	4d0bdffbaf8b92803782672861029a8a05923cdbf7a66a9cc56fb08c4c2f4b57_JC.exe	29
PID 2160 wrote to memory of 2168	2160	4d0bdffbaf8b92803782672861029a8a05923cdbf7a66a9cc56fb08c4c2f4b57_JC.exe	29
PID 2160 wrote to memory of 2168	2160	4d0bdffbaf8b92803782672861029a8a05923cdbf7a66a9cc56fb08c4c2f4b57_JC.exe	29
PID 2160 wrote to memory of 2168	2160	4d0bdffbaf8b92803782672861029a8a05923cdbf7a66a9cc56fb08c4c2f4b57_JC.exe	29
PID 2160 wrote to memory of 2168	2160	4d0bdffbaf8b92803782672861029a8a05923cdbf7a66a9cc56fb08c4c2f4b57_JC.exe	29
PID 2160 wrote to memory of 2168	2160	4d0bdffbaf8b92803782672861029a8a05923cdbf7a66a9cc56fb08c4c2f4b57_JC.exe	29
PID 2160 wrote to memory of 2168	2160	4d0bdffbaf8b92803782672861029a8a05923cdbf7a66a9cc56fb08c4c2f4b57_JC.exe	29
PID 2160 wrote to memory of 2168	2160	4d0bdffbaf8b92803782672861029a8a05923cdbf7a66a9cc56fb08c4c2f4b57_JC.exe	29
PID 2160 wrote to memory of 2168	2160	4d0bdffbaf8b92803782672861029a8a05923cdbf7a66a9cc56fb08c4c2f4b57_JC.exe	29

C:\Users\Admin\AppData\Local\Temp\4d0bdffbaf8b92803782672861029a8a05923cdbf7a66a9cc56fb08c4c2f4b57_JC.exe
"C:\Users\Admin\AppData\Local\Temp\4d0bdffbaf8b92803782672861029a8a05923cdbf7a66a9cc56fb08c4c2f4b57_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  2⤵
  PID:2524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9270415552e4723c3d76f535c9cb0a68

SHA1
0a5a88afe32f3ff14120780b7803f898e2f75dbf

SHA256
4e3402e191b7580d52c2dd620aafe508db0ed6fe54bae078a840c9035e56fb22

SHA512
a63ff0d01fbbf34eb3d3ca8d7afb63b3e1b5ce608cfa01a2527dd7a1257fb402fd03022df31779805ea2b38a1c933b1ea851792f50727a43255d901d9570e46f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab890F.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8A0C.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
memory/2160-53-0x0000000000DE0000-0x0000000000DFE000-memory.dmp

Filesize
120KB

Download
memory/2160-54-0x00000000744C0000-0x0000000074BAE000-memory.dmp

Filesize
6.9MB

Download
memory/2160-55-0x0000000004E20000-0x0000000004E60000-memory.dmp

Filesize
256KB

Download
memory/2160-117-0x00000000744C0000-0x0000000074BAE000-memory.dmp

Filesize
6.9MB

Download
memory/2160-118-0x0000000004E20000-0x0000000004E60000-memory.dmp

Filesize
256KB

Download
memory/2160-119-0x0000000007EC0000-0x0000000007F8A000-memory.dmp

Filesize
808KB

Download
memory/2160-120-0x0000000007EC0000-0x0000000007F84000-memory.dmp

Filesize
784KB

Download
memory/2160-121-0x0000000007EC0000-0x0000000007F84000-memory.dmp

Filesize
784KB

Download
memory/2160-123-0x0000000007EC0000-0x0000000007F84000-memory.dmp

Filesize
784KB

Download
memory/2160-125-0x0000000007EC0000-0x0000000007F84000-memory.dmp

Filesize
784KB

Download
memory/2160-127-0x0000000007EC0000-0x0000000007F84000-memory.dmp

Filesize
784KB

Download
memory/2160-129-0x0000000007EC0000-0x0000000007F84000-memory.dmp

Filesize
784KB

Download
memory/2160-131-0x0000000007EC0000-0x0000000007F84000-memory.dmp

Filesize
784KB

Download
memory/2160-133-0x0000000007EC0000-0x0000000007F84000-memory.dmp

Filesize
784KB

Download
memory/2160-135-0x0000000007EC0000-0x0000000007F84000-memory.dmp

Filesize
784KB

Download
memory/2160-137-0x0000000007EC0000-0x0000000007F84000-memory.dmp

Filesize
784KB

Download
memory/2160-139-0x0000000007EC0000-0x0000000007F84000-memory.dmp

Filesize
784KB

Download
memory/2160-141-0x0000000007EC0000-0x0000000007F84000-memory.dmp

Filesize
784KB

Download
memory/2160-143-0x0000000007EC0000-0x0000000007F84000-memory.dmp

Filesize
784KB

Download
memory/2160-145-0x0000000007EC0000-0x0000000007F84000-memory.dmp

Filesize
784KB

Download
memory/2160-147-0x0000000007EC0000-0x0000000007F84000-memory.dmp

Filesize
784KB

Download
memory/2160-149-0x0000000007EC0000-0x0000000007F84000-memory.dmp

Filesize
784KB

Download
memory/2160-151-0x0000000007EC0000-0x0000000007F84000-memory.dmp

Filesize
784KB

Download
memory/2160-153-0x0000000007EC0000-0x0000000007F84000-memory.dmp

Filesize
784KB

Download
memory/2160-157-0x0000000007EC0000-0x0000000007F84000-memory.dmp

Filesize
784KB

Download
memory/2160-155-0x0000000007EC0000-0x0000000007F84000-memory.dmp

Filesize
784KB

Download
memory/2160-159-0x0000000007EC0000-0x0000000007F84000-memory.dmp

Filesize
784KB

Download
memory/2160-161-0x0000000007EC0000-0x0000000007F84000-memory.dmp

Filesize
784KB

Download
memory/2160-163-0x0000000007EC0000-0x0000000007F84000-memory.dmp

Filesize
784KB

Download
memory/2160-165-0x0000000007EC0000-0x0000000007F84000-memory.dmp

Filesize
784KB

Download
memory/2160-167-0x0000000007EC0000-0x0000000007F84000-memory.dmp

Filesize
784KB

Download
memory/2160-169-0x0000000007EC0000-0x0000000007F84000-memory.dmp

Filesize
784KB

Download
memory/2160-171-0x0000000007EC0000-0x0000000007F84000-memory.dmp

Filesize
784KB

Download
memory/2160-173-0x0000000007EC0000-0x0000000007F84000-memory.dmp

Filesize
784KB

Download
memory/2160-175-0x0000000007EC0000-0x0000000007F84000-memory.dmp

Filesize
784KB

Download
memory/2160-179-0x0000000007EC0000-0x0000000007F84000-memory.dmp

Filesize
784KB

Download
memory/2160-177-0x0000000007EC0000-0x0000000007F84000-memory.dmp

Filesize
784KB

Download
memory/2160-183-0x0000000007EC0000-0x0000000007F84000-memory.dmp

Filesize
784KB

Download
memory/2160-181-0x0000000007EC0000-0x0000000007F84000-memory.dmp

Filesize
784KB

Download
memory/2160-1196-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/2160-1197-0x00000000080E0000-0x0000000008126000-memory.dmp

Filesize
280KB

Download
memory/2160-1198-0x0000000008310000-0x000000000835C000-memory.dmp

Filesize
304KB

Download
memory/2160-1210-0x00000000744C0000-0x0000000074BAE000-memory.dmp

Filesize
6.9MB

Download
memory/2168-1214-0x0000000074460000-0x0000000074B4E000-memory.dmp

Filesize
6.9MB

Download
memory/2168-1215-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2168-1216-0x0000000004A60000-0x0000000004AA0000-memory.dmp

Filesize
256KB

Download
memory/2168-1218-0x0000000074460000-0x0000000074B4E000-memory.dmp

Filesize
6.9MB

Download
memory/2168-1219-0x0000000004A60000-0x0000000004AA0000-memory.dmp

Filesize
256KB

Download