8e3ed763b574108169ac02553db2190b1d5040056ef2fd7be11fd7e2daa4d327

Analysis

max time kernel
57s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
07-10-2023 23:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e3ed763b574108169ac02553db2190b1d5040056ef2fd7be11fd7e2daa4d327.exe
Size

271KB
MD5

99fd61930b6098a58fbffbe3707667c8
SHA1

202adc49f9b705a9935b5f78f6a2e9b3e920c530
SHA256

8e3ed763b574108169ac02553db2190b1d5040056ef2fd7be11fd7e2daa4d327
SHA512

d2dd989e73b96fb0ee4419adbcce17f066248b109fbf6d8320374b2c714846e82bbec77a30f358fc69e87210c54747876129a5341c9ccc443a13ac505d5d06d0
SSDEEP

6144:nl51orRJXlDixHkUXe35rGcEOkCybEaQRXr9HNdvOa:JqXUHkUXe39sOkx2LIa

Score

8^/10

upx

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\VIhhlOk.sys	netbtugc.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	8e3ed763b574108169ac02553db2190b1d5040056ef2fd7be11fd7e2daa4d327.exe

Executes dropped EXE 2 IoCs

pid	Process
3924	b9c47cfa
4488	netbtugc.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4844-0-0x0000000000990000-0x0000000000A19000-memory.dmp	upx
behavioral2/memory/4844-1-0x0000000000990000-0x0000000000A19000-memory.dmp	upx
behavioral2/files/0x0009000000023080-3.dat	upx
behavioral2/files/0x0009000000023080-5.dat	upx
behavioral2/memory/3924-4-0x0000000000BC0000-0x0000000000C49000-memory.dmp	upx
behavioral2/memory/4844-9-0x0000000000990000-0x0000000000A19000-memory.dmp	upx
behavioral2/memory/3924-10-0x0000000000BC0000-0x0000000000C49000-memory.dmp	upx
behavioral2/memory/3924-19-0x0000000000BC0000-0x0000000000C49000-memory.dmp	upx
behavioral2/memory/3924-69-0x0000000000BC0000-0x0000000000C49000-memory.dmp	upx

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114

Drops file in System32 directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A	b9c47cfa
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_DD02D25E799024F48A93E8EE3BDDA41A	b9c47cfa
File created	C:\Windows\SysWOW64\b9c47cfa	8e3ed763b574108169ac02553db2190b1d5040056ef2fd7be11fd7e2daa4d327.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	b9c47cfa
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	b9c47cfa
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	b9c47cfa
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E	b9c47cfa
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E	b9c47cfa
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	b9c47cfa
File created	C:\Windows\system32\ \Windows\System32\YmJsXqfgW.sys	netbtugc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DED9969D7ED2C6E555C5C9254A43EDE4	b9c47cfa
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	b9c47cfa
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	b9c47cfa
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	b9c47cfa
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	b9c47cfa
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DED9969D7ED2C6E555C5C9254A43EDE4	b9c47cfa

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\netbtugc.exe	Explorer.EXE
File opened for modification	C:\Program Files\Common Files\netbtugc.exe	Explorer.EXE

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\432e28	b9c47cfa
File created	C:\Windows\54jlGrV.sys	netbtugc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	netbtugc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	netbtugc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	netbtugc.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
4340	timeout.exe
3572	timeout.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Internet Explorer\New Windows\Allow	netbtugc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\www.hao774.com	netbtugc.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	b9c47cfa
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	b9c47cfa
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	b9c47cfa
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	b9c47cfa
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	b9c47cfa
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	b9c47cfa
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	b9c47cfa
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	b9c47cfa
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	b9c47cfa

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3924	b9c47cfa
3924	b9c47cfa
3924	b9c47cfa
3924	b9c47cfa
3924	b9c47cfa
3924	b9c47cfa
3924	b9c47cfa
3924	b9c47cfa
3924	b9c47cfa
3924	b9c47cfa
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3180	Explorer.EXE
3924	b9c47cfa
3924	b9c47cfa
4488	netbtugc.exe
4488	netbtugc.exe
4488	netbtugc.exe
4488	netbtugc.exe
4488	netbtugc.exe
4488	netbtugc.exe
4488	netbtugc.exe
4488	netbtugc.exe
4488	netbtugc.exe
4488	netbtugc.exe
4488	netbtugc.exe
4488	netbtugc.exe
4488	netbtugc.exe
4488	netbtugc.exe
4488	netbtugc.exe
4488	netbtugc.exe
4488	netbtugc.exe
4488	netbtugc.exe
4488	netbtugc.exe
4488	netbtugc.exe
4488	netbtugc.exe
4488	netbtugc.exe
4488	netbtugc.exe
4488	netbtugc.exe
4488	netbtugc.exe
4488	netbtugc.exe
4488	netbtugc.exe
4488	netbtugc.exe
4488	netbtugc.exe
4488	netbtugc.exe
4488	netbtugc.exe
4488	netbtugc.exe
4488	netbtugc.exe
4488	netbtugc.exe
4488	netbtugc.exe
4488	netbtugc.exe
4488	netbtugc.exe
4488	netbtugc.exe
4488	netbtugc.exe
4488	netbtugc.exe
4488	netbtugc.exe
4488	netbtugc.exe
4488	netbtugc.exe
4488	netbtugc.exe
4488	netbtugc.exe
4488	netbtugc.exe
4488	netbtugc.exe
4488	netbtugc.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
676	Process not Found
676	Process not Found
676	Process not Found

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	4844	8e3ed763b574108169ac02553db2190b1d5040056ef2fd7be11fd7e2daa4d327.exe
Token: SeTcbPrivilege	4844	8e3ed763b574108169ac02553db2190b1d5040056ef2fd7be11fd7e2daa4d327.exe
Token: SeDebugPrivilege	3924	b9c47cfa
Token: SeTcbPrivilege	3924	b9c47cfa
Token: SeDebugPrivilege	3924	b9c47cfa
Token: SeDebugPrivilege	3180	Explorer.EXE
Token: SeDebugPrivilege	3180	Explorer.EXE
Token: SeIncBasePriorityPrivilege	4844	8e3ed763b574108169ac02553db2190b1d5040056ef2fd7be11fd7e2daa4d327.exe
Token: SeDebugPrivilege	3924	b9c47cfa
Token: SeDebugPrivilege	4488	netbtugc.exe
Token: SeDebugPrivilege	4488	netbtugc.exe
Token: SeDebugPrivilege	4488	netbtugc.exe
Token: SeDebugPrivilege	4488	netbtugc.exe
Token: SeIncBasePriorityPrivilege	3924	b9c47cfa

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
4488	netbtugc.exe
4488	netbtugc.exe
4488	netbtugc.exe
4488	netbtugc.exe
4488	netbtugc.exe
4488	netbtugc.exe
4488	netbtugc.exe
4488	netbtugc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4488	netbtugc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3924 wrote to memory of 3180	3924	b9c47cfa	54
PID 3924 wrote to memory of 3180	3924	b9c47cfa	54
PID 3924 wrote to memory of 3180	3924	b9c47cfa	54
PID 3924 wrote to memory of 3180	3924	b9c47cfa	54
PID 3924 wrote to memory of 3180	3924	b9c47cfa	54
PID 3180 wrote to memory of 4488	3180	Explorer.EXE	91
PID 3180 wrote to memory of 4488	3180	Explorer.EXE	91
PID 3180 wrote to memory of 4488	3180	Explorer.EXE	91
PID 3180 wrote to memory of 4488	3180	Explorer.EXE	91
PID 3180 wrote to memory of 4488	3180	Explorer.EXE	91
PID 3180 wrote to memory of 4488	3180	Explorer.EXE	91
PID 3180 wrote to memory of 4488	3180	Explorer.EXE	91
PID 3924 wrote to memory of 636	3924	b9c47cfa	5
PID 3924 wrote to memory of 636	3924	b9c47cfa	5
PID 3924 wrote to memory of 636	3924	b9c47cfa	5
PID 3924 wrote to memory of 636	3924	b9c47cfa	5
PID 3924 wrote to memory of 636	3924	b9c47cfa	5
PID 4488 wrote to memory of 3180	4488	netbtugc.exe	54
PID 4488 wrote to memory of 3180	4488	netbtugc.exe	54
PID 4488 wrote to memory of 3180	4488	netbtugc.exe	54
PID 4488 wrote to memory of 3180	4488	netbtugc.exe	54
PID 4488 wrote to memory of 3180	4488	netbtugc.exe	54
PID 4488 wrote to memory of 3180	4488	netbtugc.exe	54
PID 4488 wrote to memory of 3180	4488	netbtugc.exe	54
PID 4488 wrote to memory of 3180	4488	netbtugc.exe	54
PID 4488 wrote to memory of 3180	4488	netbtugc.exe	54
PID 4488 wrote to memory of 3180	4488	netbtugc.exe	54
PID 4488 wrote to memory of 3180	4488	netbtugc.exe	54
PID 4488 wrote to memory of 3180	4488	netbtugc.exe	54
PID 4488 wrote to memory of 3180	4488	netbtugc.exe	54
PID 4488 wrote to memory of 3180	4488	netbtugc.exe	54
PID 4488 wrote to memory of 3180	4488	netbtugc.exe	54
PID 4488 wrote to memory of 3180	4488	netbtugc.exe	54
PID 4488 wrote to memory of 3180	4488	netbtugc.exe	54
PID 4488 wrote to memory of 3180	4488	netbtugc.exe	54
PID 4488 wrote to memory of 3180	4488	netbtugc.exe	54
PID 4488 wrote to memory of 3180	4488	netbtugc.exe	54
PID 4488 wrote to memory of 3180	4488	netbtugc.exe	54
PID 4488 wrote to memory of 3180	4488	netbtugc.exe	54
PID 4488 wrote to memory of 3180	4488	netbtugc.exe	54
PID 4488 wrote to memory of 3180	4488	netbtugc.exe	54
PID 4488 wrote to memory of 3180	4488	netbtugc.exe	54
PID 4488 wrote to memory of 3180	4488	netbtugc.exe	54
PID 4488 wrote to memory of 3180	4488	netbtugc.exe	54
PID 4488 wrote to memory of 3180	4488	netbtugc.exe	54
PID 4488 wrote to memory of 3180	4488	netbtugc.exe	54
PID 4488 wrote to memory of 3180	4488	netbtugc.exe	54
PID 4488 wrote to memory of 3180	4488	netbtugc.exe	54
PID 4488 wrote to memory of 3180	4488	netbtugc.exe	54
PID 4488 wrote to memory of 3180	4488	netbtugc.exe	54
PID 4488 wrote to memory of 3180	4488	netbtugc.exe	54
PID 4488 wrote to memory of 3180	4488	netbtugc.exe	54
PID 4488 wrote to memory of 3180	4488	netbtugc.exe	54
PID 4488 wrote to memory of 3180	4488	netbtugc.exe	54
PID 4488 wrote to memory of 3180	4488	netbtugc.exe	54
PID 4488 wrote to memory of 3180	4488	netbtugc.exe	54
PID 4488 wrote to memory of 3180	4488	netbtugc.exe	54
PID 4488 wrote to memory of 3180	4488	netbtugc.exe	54
PID 4488 wrote to memory of 3180	4488	netbtugc.exe	54
PID 4488 wrote to memory of 3180	4488	netbtugc.exe	54
PID 4488 wrote to memory of 3180	4488	netbtugc.exe	54
PID 4488 wrote to memory of 3180	4488	netbtugc.exe	54
PID 4488 wrote to memory of 3180	4488	netbtugc.exe	54
PID 4488 wrote to memory of 3180	4488	netbtugc.exe	54

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:636

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3180
- C:\Users\Admin\AppData\Local\Temp\8e3ed763b574108169ac02553db2190b1d5040056ef2fd7be11fd7e2daa4d327.exe
  "C:\Users\Admin\AppData\Local\Temp\8e3ed763b574108169ac02553db2190b1d5040056ef2fd7be11fd7e2daa4d327.exe"
  2⤵
  - Checks computer location settings
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:4844
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\8e3ed763b574108169ac02553db2190b1d5040056ef2fd7be11fd7e2daa4d327.exe"
    3⤵
    PID:3776
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:4340
- C:\Program Files\Common Files\netbtugc.exe
  "C:\Program Files\Common Files\netbtugc.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4488

C:\Windows\Syswow64\b9c47cfa
C:\Windows\Syswow64\b9c47cfa
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3924
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Windows\Syswow64\b9c47cfa"
  2⤵
  PID:1508
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:3572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\netbtugc.exe

Filesize
26KB

MD5
fdb4e1cab952959af7cb2de2d587fa0e

SHA1
61e807277eeb87545259a00c1b5dab487110aa77

SHA256
8c04f0f006f4b441b288cb1735dec8a2396294fa75b4b027ffbd6a3256de1de1

SHA512
b157985ed0b2bee58c12d8626de1b0345a5702973959fb2b192b4eaad9bae88553a6e25e33c80ef5544b84fe8149c7d43a21ebf5cb7b5b5ed0fd00c0da97c598

Download Submit
C:\Windows\SysWOW64\b9c47cfa

Filesize
271KB

MD5
aa75203ddb8c2954c65bdab915254a4c

SHA1
5943e427f7264ccdcceda790d45ec257c0595ed4

SHA256
f1f6f81da32ef5babca3e7f4f6c1881dcf29ddc7aef13bff077cd6cdf8c84977

SHA512
2738deb3f0f7a346b8625c9642b0aa229c66069038ec3fa96308baaa42d75928b51a3d62f87e69756bcb1b632647d1721d8542ddb2c9fa67f4f5f4f414536040

Download Submit
C:\Windows\SysWOW64\b9c47cfa

Filesize
271KB

MD5
aa75203ddb8c2954c65bdab915254a4c

SHA1
5943e427f7264ccdcceda790d45ec257c0595ed4

SHA256
f1f6f81da32ef5babca3e7f4f6c1881dcf29ddc7aef13bff077cd6cdf8c84977

SHA512
2738deb3f0f7a346b8625c9642b0aa229c66069038ec3fa96308baaa42d75928b51a3d62f87e69756bcb1b632647d1721d8542ddb2c9fa67f4f5f4f414536040

Download Submit
memory/636-31-0x000002744F540000-0x000002744F543000-memory.dmp

Filesize
12KB

Download
memory/636-33-0x000002744F550000-0x000002744F578000-memory.dmp

Filesize
160KB

Download
memory/3180-16-0x00000000011D0000-0x00000000011D3000-memory.dmp

Filesize
12KB

Download
memory/3180-14-0x00000000011D0000-0x00000000011D3000-memory.dmp

Filesize
12KB

Download
memory/3180-17-0x00000000011D0000-0x00000000011D3000-memory.dmp

Filesize
12KB

Download
memory/3180-47-0x0000000008EE0000-0x0000000008FD7000-memory.dmp

Filesize
988KB

Download
memory/3180-18-0x0000000008EE0000-0x0000000008FD7000-memory.dmp

Filesize
988KB

Download
memory/3924-10-0x0000000000BC0000-0x0000000000C49000-memory.dmp

Filesize
548KB

Download
memory/3924-19-0x0000000000BC0000-0x0000000000C49000-memory.dmp

Filesize
548KB

Download
memory/3924-4-0x0000000000BC0000-0x0000000000C49000-memory.dmp

Filesize
548KB

Download
memory/3924-69-0x0000000000BC0000-0x0000000000C49000-memory.dmp

Filesize
548KB

Download
memory/4488-63-0x000002744F550000-0x000002744F578000-memory.dmp

Filesize
160KB

Download
memory/4488-83-0x000002744F550000-0x000002744F578000-memory.dmp

Filesize
160KB

Download
memory/4488-29-0x00007FFC4AE70000-0x00007FFC4AE80000-memory.dmp

Filesize
64KB

Download
memory/4488-26-0x000001528E5D0000-0x000001528E69B000-memory.dmp

Filesize
812KB

Download
memory/4488-24-0x000001528E320000-0x000001528E323000-memory.dmp

Filesize
12KB

Download
memory/4488-97-0x00000152904D0000-0x00000152904D1000-memory.dmp

Filesize
4KB

Download
memory/4488-57-0x00007FFC4AE70000-0x00007FFC4AE80000-memory.dmp

Filesize
64KB

Download
memory/4488-58-0x000002744F550000-0x000002744F578000-memory.dmp

Filesize
160KB

Download
memory/4488-60-0x000001528E5D0000-0x000001528E69B000-memory.dmp

Filesize
812KB

Download
memory/4488-61-0x000002744F550000-0x000002744F578000-memory.dmp

Filesize
160KB

Download
memory/4488-95-0x0000015290430000-0x00000152904D0000-memory.dmp

Filesize
640KB

Download
memory/4488-62-0x000002744F550000-0x000002744F578000-memory.dmp

Filesize
160KB

Download
memory/4488-64-0x000002744F550000-0x000002744F578000-memory.dmp

Filesize
160KB

Download
memory/4488-65-0x000002744F550000-0x000002744F578000-memory.dmp

Filesize
160KB

Download
memory/4488-66-0x000002744F550000-0x000002744F578000-memory.dmp

Filesize
160KB

Download
memory/4488-67-0x000001528E5D0000-0x000001528E69B000-memory.dmp

Filesize
812KB

Download
memory/4488-68-0x0000015290430000-0x00000152904D0000-memory.dmp

Filesize
640KB

Download
memory/4488-91-0x00000152904F0000-0x00000152904F2000-memory.dmp

Filesize
8KB

Download
memory/4488-70-0x00000152904E0000-0x00000152904EF000-memory.dmp

Filesize
60KB

Download
memory/4488-71-0x000001528FF90000-0x000001528FF92000-memory.dmp

Filesize
8KB

Download
memory/4488-78-0x000001528FF90000-0x000001528FF92000-memory.dmp

Filesize
8KB

Download
memory/4488-79-0x00000152904D0000-0x00000152904D1000-memory.dmp

Filesize
4KB

Download
memory/4488-80-0x000002744F550000-0x000002744F578000-memory.dmp

Filesize
160KB

Download
memory/4488-81-0x000002744F550000-0x000002744F578000-memory.dmp

Filesize
160KB

Download
memory/4488-82-0x000002744F550000-0x000002744F578000-memory.dmp

Filesize
160KB

Download
memory/4488-28-0x000001528E5D0000-0x000001528E69B000-memory.dmp

Filesize
812KB

Download
memory/4488-84-0x000002744F550000-0x000002744F578000-memory.dmp

Filesize
160KB

Download
memory/4488-85-0x000002744F550000-0x000002744F578000-memory.dmp

Filesize
160KB

Download
memory/4488-86-0x000002744F550000-0x000002744F578000-memory.dmp

Filesize
160KB

Download
memory/4488-87-0x000002744F550000-0x000002744F578000-memory.dmp

Filesize
160KB

Download
memory/4488-88-0x000002744F550000-0x000002744F578000-memory.dmp

Filesize
160KB

Download
memory/4488-89-0x00000152904D0000-0x00000152904D1000-memory.dmp

Filesize
4KB

Download
memory/4488-90-0x00000152904F0000-0x00000152904F1000-memory.dmp

Filesize
4KB

Download
memory/4844-1-0x0000000000990000-0x0000000000A19000-memory.dmp

Filesize
548KB

Download
memory/4844-0-0x0000000000990000-0x0000000000A19000-memory.dmp

Filesize
548KB

Download
memory/4844-9-0x0000000000990000-0x0000000000A19000-memory.dmp

Filesize
548KB

Download