d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762

Analysis

max time kernel
177s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2023, 21:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe
Size

536KB
MD5

46fd8fc7865ac89b6bfe276b104d87d6
SHA1

af73c435c1927659c6856e3c5fcf4a74ccd92a07
SHA256

d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762
SHA512

d28cf792001190166e7687fcdc3455941b6883f73da61524ee826107edd2531ef086a8021e47a4273170b49bedefd00b68af698da847bcc62d5fbbf5b2ffb121
SSDEEP

12288:8hf0Bs9bDDq9huzJgIJzgXaEw9Stu/aB9a/Okx2LIa:8dQyDLzJTveuK0/Okx2LF

Score

10^/10

upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3172 created 620	3172	Explorer.EXE	10

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\WNtira0qY.sys	tskill.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe

Executes dropped EXE 1 IoCs

pid	Process
2684	tskill.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1760-0-0x0000000000310000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/1760-26-0x0000000000310000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/1760-34-0x0000000000310000-0x0000000000412000-memory.dmp	upx

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	114.114.114.114

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\system32\ \Windows\System32\PC62BJ.sys	tskill.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B	tskill.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3	tskill.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173	tskill.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173	tskill.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C	tskill.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C	tskill.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475	tskill.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475	tskill.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B	tskill.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3	tskill.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\1e21c0	d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe
File created	C:\Windows\2ZKueTsQ7.sys	tskill.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	tskill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	tskill.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	tskill.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3684	timeout.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	tskill.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	tskill.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	tskill.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	tskill.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	tskill.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	tskill.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	tskill.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	tskill.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	tskill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1760	d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe
1760	d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe
1760	d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe
1760	d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe
1760	d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe
1760	d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe
1760	d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe
1760	d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
3172	Explorer.EXE
2684	tskill.exe
2684	tskill.exe
2684	tskill.exe
2684	tskill.exe
2684	tskill.exe
2684	tskill.exe
2684	tskill.exe
2684	tskill.exe
2684	tskill.exe
2684	tskill.exe
2684	tskill.exe
2684	tskill.exe
2684	tskill.exe
2684	tskill.exe
2684	tskill.exe
2684	tskill.exe
2684	tskill.exe
2684	tskill.exe
2684	tskill.exe
2684	tskill.exe
2684	tskill.exe
2684	tskill.exe
2684	tskill.exe
2684	tskill.exe
2684	tskill.exe
2684	tskill.exe
2684	tskill.exe
2684	tskill.exe
2684	tskill.exe
2684	tskill.exe
2684	tskill.exe
2684	tskill.exe
2684	tskill.exe
2684	tskill.exe
2684	tskill.exe
2684	tskill.exe
2684	tskill.exe
2684	tskill.exe
2684	tskill.exe
2684	tskill.exe
2684	tskill.exe
2684	tskill.exe
2684	tskill.exe
2684	tskill.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3172	Explorer.EXE

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	1760	d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe
Token: SeTcbPrivilege	1760	d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe
Token: SeDebugPrivilege	1760	d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe
Token: SeDebugPrivilege	3172	Explorer.EXE
Token: SeTcbPrivilege	3172	Explorer.EXE
Token: SeShutdownPrivilege	3172	Explorer.EXE
Token: SeCreatePagefilePrivilege	3172	Explorer.EXE
Token: SeShutdownPrivilege	3172	Explorer.EXE
Token: SeCreatePagefilePrivilege	3172	Explorer.EXE
Token: SeShutdownPrivilege	3172	Explorer.EXE
Token: SeCreatePagefilePrivilege	3172	Explorer.EXE
Token: SeShutdownPrivilege	3172	Explorer.EXE
Token: SeCreatePagefilePrivilege	3172	Explorer.EXE
Token: SeDebugPrivilege	3172	Explorer.EXE
Token: SeDebugPrivilege	3172	Explorer.EXE
Token: SeDebugPrivilege	3172	Explorer.EXE
Token: SeDebugPrivilege	3172	Explorer.EXE
Token: SeIncBasePriorityPrivilege	1760	d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe
Token: SeDebugPrivilege	2684	tskill.exe
Token: SeDebugPrivilege	2684	tskill.exe
Token: SeDebugPrivilege	2684	tskill.exe
Token: SeShutdownPrivilege	3172	Explorer.EXE
Token: SeCreatePagefilePrivilege	3172	Explorer.EXE
Token: SeShutdownPrivilege	3172	Explorer.EXE
Token: SeCreatePagefilePrivilege	3172	Explorer.EXE
Token: SeShutdownPrivilege	3172	Explorer.EXE
Token: SeCreatePagefilePrivilege	3172	Explorer.EXE
Token: SeShutdownPrivilege	3172	Explorer.EXE
Token: SeCreatePagefilePrivilege	3172	Explorer.EXE
Token: SeShutdownPrivilege	3172	Explorer.EXE
Token: SeCreatePagefilePrivilege	3172	Explorer.EXE
Token: SeShutdownPrivilege	3172	Explorer.EXE
Token: SeCreatePagefilePrivilege	3172	Explorer.EXE
Token: SeShutdownPrivilege	3172	Explorer.EXE
Token: SeCreatePagefilePrivilege	3172	Explorer.EXE
Token: SeShutdownPrivilege	3172	Explorer.EXE
Token: SeCreatePagefilePrivilege	3172	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3172	Explorer.EXE
3172	Explorer.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 3172	1760	d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe	66
PID 1760 wrote to memory of 3172	1760	d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe	66
PID 1760 wrote to memory of 3172	1760	d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe	66
PID 3172 wrote to memory of 2684	3172	Explorer.EXE	89
PID 3172 wrote to memory of 2684	3172	Explorer.EXE	89
PID 3172 wrote to memory of 2684	3172	Explorer.EXE	89
PID 3172 wrote to memory of 2684	3172	Explorer.EXE	89
PID 3172 wrote to memory of 2684	3172	Explorer.EXE	89
PID 3172 wrote to memory of 2684	3172	Explorer.EXE	89
PID 3172 wrote to memory of 2684	3172	Explorer.EXE	89
PID 3172 wrote to memory of 620	3172	Explorer.EXE	10
PID 3172 wrote to memory of 620	3172	Explorer.EXE	10
PID 3172 wrote to memory of 620	3172	Explorer.EXE	10
PID 3172 wrote to memory of 620	3172	Explorer.EXE	10
PID 3172 wrote to memory of 620	3172	Explorer.EXE	10
PID 1760 wrote to memory of 2936	1760	d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe	93
PID 1760 wrote to memory of 2936	1760	d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe	93
PID 1760 wrote to memory of 2936	1760	d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe	93
PID 2936 wrote to memory of 3684	2936	cmd.exe	95
PID 2936 wrote to memory of 3684	2936	cmd.exe	95
PID 2936 wrote to memory of 3684	2936	cmd.exe	95

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:620
- C:\ProgramData\Microsoft\tskill.exe
  "C:\ProgramData\Microsoft\tskill.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2684

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3172
- C:\Users\Admin\AppData\Local\Temp\d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe
  "C:\Users\Admin\AppData\Local\Temp\d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\d91b999125c1bb8daefbe8ed0542219c621b6ad2bc05e82f97e307ac9fb7f762.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 1
      4⤵
      Delays execution with timeout.exe
      PID:3684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\tskill.exe

Filesize
24KB

MD5
2393d4f762fb671d92a59388109c24d4

SHA1
2e27346b7cff97619923c3e3199e68e7b91d142b

SHA256
8d9373ebd69f42153b0b47dbda2174811599db91630651ca01627ac1795f8d56

SHA512
9eaa9cd2813f8864244547fbc81ba6759f63e32f73ed2394dfa311ff60a9727e47dbdcf42d1aafb5e6c5a40a43a83ae32f5fa443083319f5b6b1e73457c59758

Download Submit
C:\ProgramData\Microsoft\tskill.exe

Filesize
24KB

MD5
2393d4f762fb671d92a59388109c24d4

SHA1
2e27346b7cff97619923c3e3199e68e7b91d142b

SHA256
8d9373ebd69f42153b0b47dbda2174811599db91630651ca01627ac1795f8d56

SHA512
9eaa9cd2813f8864244547fbc81ba6759f63e32f73ed2394dfa311ff60a9727e47dbdcf42d1aafb5e6c5a40a43a83ae32f5fa443083319f5b6b1e73457c59758

Download Submit
C:\Users\Admin\AppData\Local\Temp\834f73d3.tmp

Filesize
11.6MB

MD5
5244c87dbafa1f764b258766005dea73

SHA1
84cb8b4fb3e0910cfecfb31b6fa54c16d940e703

SHA256
077035f93ddc3ac5a8b5631d43826baf7722256eb1c4716b3c2567f07379bc40

SHA512
54d64d32e73e2752cdf9a110db17ad64574eb072df0ed0dc34a7e4bc469c03aa79ef7d45465e279ef85d5fc6b33a1b750b181476cdea7ea98898ddba9aa60438

Download Submit
C:\Users\Admin\AppData\Local\Temp\8359506e.tmp

Filesize
14.8MB

MD5
b1057fccc9bf7a0976c173bed8c7e2a0

SHA1
fa7023b9e81f80adf10721ae995ec07ba0edd2f2

SHA256
3ee17398c1784dac54e2a218aacf3e64819dab2e809040ffc261d0444e768582

SHA512
04d4e64b137163ff9ffa8692495a2f91d80340ee6470c987e4413be3774ca5b344db8ea69d110642e10017e7868a086086f297441f3bc91038dee942d2b84a12

Download Submit
memory/620-27-0x00000172C94E0000-0x00000172C9508000-memory.dmp

Filesize
160KB

Download
memory/620-74-0x00000172C9620000-0x00000172C9621000-memory.dmp

Filesize
4KB

Download
memory/1760-0-0x0000000000310000-0x0000000000412000-memory.dmp

Filesize
1.0MB

Download
memory/1760-34-0x0000000000310000-0x0000000000412000-memory.dmp

Filesize
1.0MB

Download
memory/1760-26-0x0000000000310000-0x0000000000412000-memory.dmp

Filesize
1.0MB

Download
memory/2684-22-0x00007FF9037C0000-0x00007FF9037D0000-memory.dmp

Filesize
64KB

Download
memory/2684-108-0x000002A342050000-0x000002A342051000-memory.dmp

Filesize
4KB

Download
memory/2684-18-0x000002A340130000-0x000002A3401FB000-memory.dmp

Filesize
812KB

Download
memory/2684-21-0x000002A33FF50000-0x000002A33FF51000-memory.dmp

Filesize
4KB

Download
memory/2684-20-0x000002A340130000-0x000002A3401FB000-memory.dmp

Filesize
812KB

Download
memory/2684-109-0x000002A342920000-0x000002A342921000-memory.dmp

Filesize
4KB

Download
memory/2684-111-0x000002A342920000-0x000002A342921000-memory.dmp

Filesize
4KB

Download
memory/2684-113-0x000002A3429D0000-0x000002A342B95000-memory.dmp

Filesize
1.8MB

Download
memory/2684-114-0x000002A342800000-0x000002A342802000-memory.dmp

Filesize
8KB

Download
memory/2684-110-0x000002A342060000-0x000002A342061000-memory.dmp

Filesize
4KB

Download
memory/2684-60-0x00007FF9037C0000-0x00007FF9037D0000-memory.dmp

Filesize
64KB

Download
memory/2684-17-0x000002A33FE90000-0x000002A33FE93000-memory.dmp

Filesize
12KB

Download
memory/2684-62-0x000002A342030000-0x000002A342032000-memory.dmp

Filesize
8KB

Download
memory/2684-107-0x000002A342800000-0x000002A342802000-memory.dmp

Filesize
8KB

Download
memory/2684-106-0x000002A3429D0000-0x000002A342B95000-memory.dmp

Filesize
1.8MB

Download
memory/2684-105-0x000002A342040000-0x000002A342041000-memory.dmp

Filesize
4KB

Download
memory/2684-104-0x000002A342050000-0x000002A342051000-memory.dmp

Filesize
4KB

Download
memory/2684-103-0x000002A342060000-0x000002A342061000-memory.dmp

Filesize
4KB

Download
memory/2684-68-0x000002A340130000-0x000002A3401FB000-memory.dmp

Filesize
812KB

Download
memory/2684-102-0x000002A342040000-0x000002A342041000-memory.dmp

Filesize
4KB

Download
memory/2684-70-0x000002A33FF50000-0x000002A33FF51000-memory.dmp

Filesize
4KB

Download
memory/2684-162-0x000002A3429D0000-0x000002A342B95000-memory.dmp

Filesize
1.8MB

Download
memory/3172-97-0x0000000008340000-0x0000000008350000-memory.dmp

Filesize
64KB

Download
memory/3172-6-0x0000000003320000-0x0000000003323000-memory.dmp

Filesize
12KB

Download
memory/3172-76-0x0000000008340000-0x0000000008350000-memory.dmp

Filesize
64KB

Download
memory/3172-77-0x0000000008340000-0x0000000008350000-memory.dmp

Filesize
64KB

Download
memory/3172-78-0x0000000008340000-0x0000000008350000-memory.dmp

Filesize
64KB

Download
memory/3172-79-0x0000000008340000-0x0000000008350000-memory.dmp

Filesize
64KB

Download
memory/3172-80-0x0000000008340000-0x0000000008350000-memory.dmp

Filesize
64KB

Download
memory/3172-82-0x0000000008340000-0x0000000008350000-memory.dmp

Filesize
64KB

Download
memory/3172-81-0x0000000008CB0000-0x0000000008CC0000-memory.dmp

Filesize
64KB

Download
memory/3172-86-0x0000000008340000-0x0000000008350000-memory.dmp

Filesize
64KB

Download
memory/3172-84-0x0000000008340000-0x0000000008350000-memory.dmp

Filesize
64KB

Download
memory/3172-88-0x0000000008340000-0x0000000008350000-memory.dmp

Filesize
64KB

Download
memory/3172-90-0x0000000008CA0000-0x0000000008CB0000-memory.dmp

Filesize
64KB

Download
memory/3172-91-0x0000000008340000-0x0000000008350000-memory.dmp

Filesize
64KB

Download
memory/3172-89-0x0000000008340000-0x0000000008350000-memory.dmp

Filesize
64KB

Download
memory/3172-92-0x0000000008340000-0x0000000008350000-memory.dmp

Filesize
64KB

Download
memory/3172-94-0x0000000008340000-0x0000000008350000-memory.dmp

Filesize
64KB

Download
memory/3172-93-0x0000000008CB0000-0x0000000008CC0000-memory.dmp

Filesize
64KB

Download
memory/3172-96-0x0000000008340000-0x0000000008350000-memory.dmp

Filesize
64KB

Download
memory/3172-95-0x0000000008340000-0x0000000008350000-memory.dmp

Filesize
64KB

Download
memory/3172-98-0x0000000008340000-0x0000000008350000-memory.dmp

Filesize
64KB

Download
memory/3172-72-0x0000000008340000-0x0000000008350000-memory.dmp

Filesize
64KB

Download
memory/3172-100-0x0000000008340000-0x0000000008350000-memory.dmp

Filesize
64KB

Download
memory/3172-101-0x0000000008340000-0x0000000008350000-memory.dmp

Filesize
64KB

Download
memory/3172-69-0x0000000008340000-0x0000000008350000-memory.dmp

Filesize
64KB

Download
memory/3172-66-0x0000000008CA0000-0x0000000008CB0000-memory.dmp

Filesize
64KB

Download
memory/3172-67-0x0000000008340000-0x0000000008350000-memory.dmp

Filesize
64KB

Download
memory/3172-65-0x0000000008340000-0x0000000008350000-memory.dmp

Filesize
64KB

Download
memory/3172-64-0x0000000009850000-0x0000000009949000-memory.dmp

Filesize
996KB

Download
memory/3172-63-0x0000000008340000-0x0000000008350000-memory.dmp

Filesize
64KB

Download
memory/3172-61-0x0000000008CA0000-0x0000000008CA1000-memory.dmp

Filesize
4KB

Download
memory/3172-35-0x0000000003650000-0x00000000036C9000-memory.dmp

Filesize
484KB

Download
memory/3172-12-0x0000000009850000-0x0000000009949000-memory.dmp

Filesize
996KB

Download
memory/3172-11-0x0000000008CA0000-0x0000000008CA1000-memory.dmp

Filesize
4KB

Download
memory/3172-9-0x0000000008C80000-0x0000000008C83000-memory.dmp

Filesize
12KB

Download
memory/3172-7-0x0000000003650000-0x00000000036C9000-memory.dmp

Filesize
484KB

Download
memory/3172-4-0x0000000003320000-0x0000000003323000-memory.dmp

Filesize
12KB

Download
memory/3172-73-0x0000000008340000-0x0000000008350000-memory.dmp

Filesize
64KB

Download
memory/3172-122-0x0000000008340000-0x0000000008350000-memory.dmp

Filesize
64KB

Download
memory/3172-123-0x0000000008340000-0x0000000008350000-memory.dmp

Filesize
64KB

Download
memory/3172-124-0x0000000008340000-0x0000000008350000-memory.dmp

Filesize
64KB

Download
memory/3172-126-0x0000000008340000-0x0000000008350000-memory.dmp

Filesize
64KB

Download
memory/3172-127-0x0000000008340000-0x0000000008350000-memory.dmp

Filesize
64KB

Download
memory/3172-125-0x0000000008340000-0x0000000008350000-memory.dmp

Filesize
64KB

Download
memory/3172-128-0x0000000008340000-0x0000000008350000-memory.dmp

Filesize
64KB

Download
memory/3172-130-0x0000000008340000-0x0000000008350000-memory.dmp

Filesize
64KB

Download
memory/3172-132-0x0000000008340000-0x0000000008350000-memory.dmp

Filesize
64KB

Download
memory/3172-133-0x0000000008340000-0x0000000008350000-memory.dmp

Filesize
64KB

Download
memory/3172-134-0x0000000008330000-0x0000000008340000-memory.dmp

Filesize
64KB

Download
memory/3172-135-0x0000000008340000-0x0000000008350000-memory.dmp

Filesize
64KB

Download
memory/3172-136-0x0000000008340000-0x0000000008350000-memory.dmp

Filesize
64KB

Download
memory/3172-140-0x0000000008340000-0x0000000008350000-memory.dmp

Filesize
64KB

Download
memory/3172-142-0x0000000008340000-0x0000000008350000-memory.dmp

Filesize
64KB

Download
memory/3172-141-0x00000000031D0000-0x00000000031E0000-memory.dmp

Filesize
64KB

Download
memory/3172-139-0x0000000008340000-0x0000000008350000-memory.dmp

Filesize
64KB

Download
memory/3172-138-0x0000000008340000-0x0000000008350000-memory.dmp

Filesize
64KB

Download
memory/3172-137-0x0000000008330000-0x0000000008340000-memory.dmp

Filesize
64KB

Download
memory/3172-146-0x0000000008340000-0x0000000008350000-memory.dmp

Filesize
64KB

Download
memory/3172-144-0x0000000008340000-0x0000000008350000-memory.dmp

Filesize
64KB

Download
memory/3172-147-0x0000000008340000-0x0000000008350000-memory.dmp

Filesize
64KB

Download
memory/3172-148-0x0000000008340000-0x0000000008350000-memory.dmp

Filesize
64KB

Download
memory/3172-150-0x0000000008340000-0x0000000008350000-memory.dmp

Filesize
64KB

Download
memory/3172-152-0x0000000008340000-0x0000000008350000-memory.dmp

Filesize
64KB

Download
memory/3172-154-0x0000000008340000-0x0000000008350000-memory.dmp

Filesize
64KB

Download
memory/3172-5-0x0000000003650000-0x00000000036C9000-memory.dmp

Filesize
484KB

Download
memory/3172-3-0x0000000003320000-0x0000000003323000-memory.dmp

Filesize
12KB

Download
memory/3172-168-0x0000000008340000-0x0000000008350000-memory.dmp

Filesize
64KB

Download
memory/3172-171-0x0000000008340000-0x0000000008350000-memory.dmp

Filesize
64KB

Download
memory/3172-173-0x0000000008340000-0x0000000008350000-memory.dmp

Filesize
64KB

Download
memory/3172-175-0x0000000008340000-0x0000000008350000-memory.dmp

Filesize
64KB

Download
memory/3172-182-0x0000000008340000-0x0000000008350000-memory.dmp

Filesize
64KB

Download
memory/3172-185-0x0000000008340000-0x0000000008350000-memory.dmp

Filesize
64KB

Download
memory/3172-187-0x0000000008340000-0x0000000008350000-memory.dmp

Filesize
64KB

Download
memory/3172-196-0x0000000008340000-0x0000000008350000-memory.dmp

Filesize
64KB

Download
memory/3172-200-0x0000000008340000-0x0000000008350000-memory.dmp

Filesize
64KB

Download