f444a97206d7d0a931249df0989486856010c2aa3db1d44382925b3afd323da0

Analysis

max time kernel
157s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2023, 11:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.86e5bf5f49d8fcf02addad1089af2040_JC.exe
Size

1.7MB
MD5

86e5bf5f49d8fcf02addad1089af2040
SHA1

cceb213a8dd473716244cc093a1d5615d6e279b1
SHA256

f444a97206d7d0a931249df0989486856010c2aa3db1d44382925b3afd323da0
SHA512

8f9fc9636c956b279fc323fa494f3e91e54e981ff5aeb690dd7a885ebae70866369a70ed6bdf37ebc1e057a9f43caf656be6b97e78eed3b7f78421e3b0090c47
SSDEEP

49152:DpPNiqTVoiCVsqSMRrQFTAm4o24TduMpwNRn:NNiqpcsFCrQFEm40vpwj

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	spoolsv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	NEAS.86e5bf5f49d8fcf02addad1089af2040_JC.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	spoolsv.exe

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	NEAS.86e5bf5f49d8fcf02addad1089af2040_JC.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	NEAS.86e5bf5f49d8fcf02addad1089af2040_JC.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	spoolsv.exe

Executes dropped EXE 4 IoCs

pid	Process
2348	explorer.exe
1048	spoolsv.exe
4736	svchost.exe
2180	spoolsv.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Software\Wine	spoolsv.exe
Key opened	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Software\Wine	NEAS.86e5bf5f49d8fcf02addad1089af2040_JC.exe
Key opened	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Software\Wine	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Software\Wine	spoolsv.exe
Key opened	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Software\Wine	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
364	NEAS.86e5bf5f49d8fcf02addad1089af2040_JC.exe
2348	explorer.exe
1048	spoolsv.exe
4736	svchost.exe
2180	spoolsv.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	NEAS.86e5bf5f49d8fcf02addad1089af2040_JC.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
364	NEAS.86e5bf5f49d8fcf02addad1089af2040_JC.exe
364	NEAS.86e5bf5f49d8fcf02addad1089af2040_JC.exe
364	NEAS.86e5bf5f49d8fcf02addad1089af2040_JC.exe
364	NEAS.86e5bf5f49d8fcf02addad1089af2040_JC.exe
364	NEAS.86e5bf5f49d8fcf02addad1089af2040_JC.exe
364	NEAS.86e5bf5f49d8fcf02addad1089af2040_JC.exe
364	NEAS.86e5bf5f49d8fcf02addad1089af2040_JC.exe
364	NEAS.86e5bf5f49d8fcf02addad1089af2040_JC.exe
364	NEAS.86e5bf5f49d8fcf02addad1089af2040_JC.exe
364	NEAS.86e5bf5f49d8fcf02addad1089af2040_JC.exe
364	NEAS.86e5bf5f49d8fcf02addad1089af2040_JC.exe
364	NEAS.86e5bf5f49d8fcf02addad1089af2040_JC.exe
364	NEAS.86e5bf5f49d8fcf02addad1089af2040_JC.exe
364	NEAS.86e5bf5f49d8fcf02addad1089af2040_JC.exe
364	NEAS.86e5bf5f49d8fcf02addad1089af2040_JC.exe
364	NEAS.86e5bf5f49d8fcf02addad1089af2040_JC.exe
364	NEAS.86e5bf5f49d8fcf02addad1089af2040_JC.exe
364	NEAS.86e5bf5f49d8fcf02addad1089af2040_JC.exe
364	NEAS.86e5bf5f49d8fcf02addad1089af2040_JC.exe
364	NEAS.86e5bf5f49d8fcf02addad1089af2040_JC.exe
364	NEAS.86e5bf5f49d8fcf02addad1089af2040_JC.exe
364	NEAS.86e5bf5f49d8fcf02addad1089af2040_JC.exe
364	NEAS.86e5bf5f49d8fcf02addad1089af2040_JC.exe
364	NEAS.86e5bf5f49d8fcf02addad1089af2040_JC.exe
364	NEAS.86e5bf5f49d8fcf02addad1089af2040_JC.exe
364	NEAS.86e5bf5f49d8fcf02addad1089af2040_JC.exe
364	NEAS.86e5bf5f49d8fcf02addad1089af2040_JC.exe
364	NEAS.86e5bf5f49d8fcf02addad1089af2040_JC.exe
364	NEAS.86e5bf5f49d8fcf02addad1089af2040_JC.exe
364	NEAS.86e5bf5f49d8fcf02addad1089af2040_JC.exe
364	NEAS.86e5bf5f49d8fcf02addad1089af2040_JC.exe
364	NEAS.86e5bf5f49d8fcf02addad1089af2040_JC.exe
364	NEAS.86e5bf5f49d8fcf02addad1089af2040_JC.exe
364	NEAS.86e5bf5f49d8fcf02addad1089af2040_JC.exe
364	NEAS.86e5bf5f49d8fcf02addad1089af2040_JC.exe
364	NEAS.86e5bf5f49d8fcf02addad1089af2040_JC.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe
2348	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2348	explorer.exe
4736	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
364	NEAS.86e5bf5f49d8fcf02addad1089af2040_JC.exe
364	NEAS.86e5bf5f49d8fcf02addad1089af2040_JC.exe
2348	explorer.exe
2348	explorer.exe
1048	spoolsv.exe
1048	spoolsv.exe
4736	svchost.exe
4736	svchost.exe
2180	spoolsv.exe
2180	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 364 wrote to memory of 2348	364	NEAS.86e5bf5f49d8fcf02addad1089af2040_JC.exe	91
PID 364 wrote to memory of 2348	364	NEAS.86e5bf5f49d8fcf02addad1089af2040_JC.exe	91
PID 364 wrote to memory of 2348	364	NEAS.86e5bf5f49d8fcf02addad1089af2040_JC.exe	91
PID 2348 wrote to memory of 1048	2348	explorer.exe	92
PID 2348 wrote to memory of 1048	2348	explorer.exe	92
PID 2348 wrote to memory of 1048	2348	explorer.exe	92
PID 1048 wrote to memory of 4736	1048	spoolsv.exe	93
PID 1048 wrote to memory of 4736	1048	spoolsv.exe	93
PID 1048 wrote to memory of 4736	1048	spoolsv.exe	93
PID 4736 wrote to memory of 2180	4736	svchost.exe	94
PID 4736 wrote to memory of 2180	4736	svchost.exe	94
PID 4736 wrote to memory of 2180	4736	svchost.exe	94

C:\Users\Admin\AppData\Local\Temp\NEAS.86e5bf5f49d8fcf02addad1089af2040_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.86e5bf5f49d8fcf02addad1089af2040_JC.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:364
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2348
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1048
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4736
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
1.7MB

MD5
2bfa209029a602cdc7129c1aec719fdf

SHA1
1d6b3937b7ff0e2f0ee8df979e6f9cba1c7b4c43

SHA256
ffde7c1373066ddd83fe1d075575ef82587c6ecee4b87a12f3966ad25dad1ceb

SHA512
acc0e97e8c44f73cfde28ca6a53c8ebcad3c43c428feb7511a8839919e733e77d6ed913673fb5a90eb9319211813524c34aa191af6adc2cb8a455a912b1354d8

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
1.7MB

MD5
8fdc4779bee656ecc2f91d421bd64694

SHA1
e4466a672e99118c1e2ef89176469f0be030e648

SHA256
3a77ca84848dd0315f24ca4c2e8940dd9f5633229f81c3d3e1b5610279644ab4

SHA512
507c596609de896fb76cece047a3d340ee5da0ea1482713f72fd7cd41008776d89d74541ac9137501e79b1d95df28f8e5434ad3394544fd98463108e7d4f49b7

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
1.7MB

MD5
8fdc4779bee656ecc2f91d421bd64694

SHA1
e4466a672e99118c1e2ef89176469f0be030e648

SHA256
3a77ca84848dd0315f24ca4c2e8940dd9f5633229f81c3d3e1b5610279644ab4

SHA512
507c596609de896fb76cece047a3d340ee5da0ea1482713f72fd7cd41008776d89d74541ac9137501e79b1d95df28f8e5434ad3394544fd98463108e7d4f49b7

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
1.7MB

MD5
8fdc4779bee656ecc2f91d421bd64694

SHA1
e4466a672e99118c1e2ef89176469f0be030e648

SHA256
3a77ca84848dd0315f24ca4c2e8940dd9f5633229f81c3d3e1b5610279644ab4

SHA512
507c596609de896fb76cece047a3d340ee5da0ea1482713f72fd7cd41008776d89d74541ac9137501e79b1d95df28f8e5434ad3394544fd98463108e7d4f49b7

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
1.7MB

MD5
1e5bf9801d4cebbba7e56bee9b2716c3

SHA1
8268a864f22bb1afd594810ecb4de806860ba25d

SHA256
35f558252d27827e9e5b8a9be1c88f59197a6495cfa8c8336b03ab8a6d3ccf26

SHA512
412d7b2676656f8558398ed44c88f27820bd4ff930f72d1749cd01951e28747a4c43230144f78a7c703446b056c8cfa56feb14e0e7691a9764d51ea4ecc71e3f

Download Submit
\??\c:\windows\resources\spoolsv.exe

Filesize
1.7MB

MD5
8fdc4779bee656ecc2f91d421bd64694

SHA1
e4466a672e99118c1e2ef89176469f0be030e648

SHA256
3a77ca84848dd0315f24ca4c2e8940dd9f5633229f81c3d3e1b5610279644ab4

SHA512
507c596609de896fb76cece047a3d340ee5da0ea1482713f72fd7cd41008776d89d74541ac9137501e79b1d95df28f8e5434ad3394544fd98463108e7d4f49b7

Download Submit
\??\c:\windows\resources\svchost.exe

Filesize
1.7MB

MD5
1e5bf9801d4cebbba7e56bee9b2716c3

SHA1
8268a864f22bb1afd594810ecb4de806860ba25d

SHA256
35f558252d27827e9e5b8a9be1c88f59197a6495cfa8c8336b03ab8a6d3ccf26

SHA512
412d7b2676656f8558398ed44c88f27820bd4ff930f72d1749cd01951e28747a4c43230144f78a7c703446b056c8cfa56feb14e0e7691a9764d51ea4ecc71e3f

Download Submit
\??\c:\windows\resources\themes\explorer.exe

Filesize
1.7MB

MD5
2bfa209029a602cdc7129c1aec719fdf

SHA1
1d6b3937b7ff0e2f0ee8df979e6f9cba1c7b4c43

SHA256
ffde7c1373066ddd83fe1d075575ef82587c6ecee4b87a12f3966ad25dad1ceb

SHA512
acc0e97e8c44f73cfde28ca6a53c8ebcad3c43c428feb7511a8839919e733e77d6ed913673fb5a90eb9319211813524c34aa191af6adc2cb8a455a912b1354d8

Download Submit
memory/364-15-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/364-104-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/364-13-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

Filesize
4KB

Download
memory/364-14-0x0000000004EC0000-0x0000000004EC1000-memory.dmp

Filesize
4KB

Download
memory/364-10-0x0000000004960000-0x0000000004961000-memory.dmp

Filesize
4KB

Download
memory/364-16-0x0000000004950000-0x0000000004951000-memory.dmp

Filesize
4KB

Download
memory/364-11-0x0000000004F00000-0x0000000004F02000-memory.dmp

Filesize
8KB

Download
memory/364-9-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

Filesize
4KB

Download
memory/364-22-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/364-12-0x0000000004FC0000-0x0000000004FC2000-memory.dmp

Filesize
8KB

Download
memory/364-0-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/364-25-0x0000000074C10000-0x0000000074D6D000-memory.dmp

Filesize
1.4MB

Download
memory/364-7-0x0000000004E80000-0x0000000004E81000-memory.dmp

Filesize
4KB

Download
memory/364-29-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/364-8-0x0000000004940000-0x0000000004941000-memory.dmp

Filesize
4KB

Download
memory/364-3-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/364-66-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/364-2-0x0000000074C10000-0x0000000074D6D000-memory.dmp

Filesize
1.4MB

Download
memory/364-1-0x0000000077844000-0x0000000077846000-memory.dmp

Filesize
8KB

Download
memory/1048-103-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/1048-49-0x0000000074C10000-0x0000000074D6D000-memory.dmp

Filesize
1.4MB

Download
memory/1048-62-0x0000000004E10000-0x0000000004E12000-memory.dmp

Filesize
8KB

Download
memory/1048-65-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/1048-63-0x0000000004EB0000-0x0000000004EB2000-memory.dmp

Filesize
8KB

Download
memory/1048-90-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/1048-89-0x0000000074C10000-0x0000000074D6D000-memory.dmp

Filesize
1.4MB

Download
memory/1048-59-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/1048-77-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/1048-67-0x0000000004D70000-0x0000000004D71000-memory.dmp

Filesize
4KB

Download
memory/1048-48-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/1048-64-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/1048-51-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/1048-61-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/1048-57-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/1048-58-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/1048-60-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/2180-88-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/2180-91-0x0000000074C10000-0x0000000074D6D000-memory.dmp

Filesize
1.4MB

Download
memory/2180-93-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/2180-106-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/2348-68-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/2348-121-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/2348-54-0x0000000074C10000-0x0000000074D6D000-memory.dmp

Filesize
1.4MB

Download
memory/2348-34-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/2348-111-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/2348-32-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/2348-30-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/2348-133-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/2348-131-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/2348-47-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/2348-129-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/2348-127-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/2348-125-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/2348-28-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/2348-123-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/2348-33-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/2348-35-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/2348-119-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/2348-117-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/2348-115-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/2348-36-0x0000000004E00000-0x0000000004E02000-memory.dmp

Filesize
8KB

Download
memory/2348-43-0x0000000004D70000-0x0000000004D71000-memory.dmp

Filesize
4KB

Download
memory/2348-42-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/2348-41-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/2348-37-0x0000000004E90000-0x0000000004E92000-memory.dmp

Filesize
8KB

Download
memory/2348-102-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/2348-24-0x0000000074C10000-0x0000000074D6D000-memory.dmp

Filesize
1.4MB

Download
memory/2348-23-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/2348-40-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/2348-113-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/2348-109-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/4736-84-0x0000000005280000-0x0000000005282000-memory.dmp

Filesize
8KB

Download
memory/4736-110-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/4736-112-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/4736-108-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/4736-114-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/4736-87-0x00000000051B0000-0x00000000051B1000-memory.dmp

Filesize
4KB

Download
memory/4736-116-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/4736-86-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/4736-118-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/4736-83-0x00000000051F0000-0x00000000051F2000-memory.dmp

Filesize
8KB

Download
memory/4736-120-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/4736-85-0x00000000051A0000-0x00000000051A1000-memory.dmp

Filesize
4KB

Download
memory/4736-122-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/4736-81-0x0000000005160000-0x0000000005161000-memory.dmp

Filesize
4KB

Download
memory/4736-124-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/4736-80-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download
memory/4736-126-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/4736-79-0x0000000005140000-0x0000000005141000-memory.dmp

Filesize
4KB

Download
memory/4736-128-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/4736-78-0x0000000005170000-0x0000000005171000-memory.dmp

Filesize
4KB

Download
memory/4736-130-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/4736-73-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/4736-132-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/4736-72-0x0000000074C10000-0x0000000074D6D000-memory.dmp

Filesize
1.4MB

Download