8ae56fd12244d0c8403a76405f898afc276e0e4ebcbc3bfce7e9994f2bbcc2ff

Analysis

max time kernel
152s
max time network
121s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
02/11/2023, 21:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.f8c431385b26359e8a88ae72b0812650_JC.exe
Size

257KB
MD5

f8c431385b26359e8a88ae72b0812650
SHA1

a6a2aae10c4c5dc8572b2657bfa167c158f927f0
SHA256

8ae56fd12244d0c8403a76405f898afc276e0e4ebcbc3bfce7e9994f2bbcc2ff
SHA512

eff6fda763f2adad93329cddd92ca01222f195f10f73d09f5fd3459655646372219580ee266b5d8b790ea25ab8a5dd9045ef619cff36d9b3c600b5942e6c61fe
SSDEEP

6144:Lottw6sbF2RaA1B+BwXj+G0ZRGP1dJiGNmOdT2GusIKpvVAOv/5T3Eoj7FAqibO/:cRsbFaL1BDpZj

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1296	NEAS.f8c431385b26359e8a88ae72b0812650_JC.exe
1696	datafli.exe
1748	datafli.exe

Loads dropped DLL 6 IoCs

pid	Process
2256	NEAS.f8c431385b26359e8a88ae72b0812650_JC.exe
1296	NEAS.f8c431385b26359e8a88ae72b0812650_JC.exe
1296	NEAS.f8c431385b26359e8a88ae72b0812650_JC.exe
1296	NEAS.f8c431385b26359e8a88ae72b0812650_JC.exe
1296	NEAS.f8c431385b26359e8a88ae72b0812650_JC.exe
1296	NEAS.f8c431385b26359e8a88ae72b0812650_JC.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1296-703-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1296-710-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1296-788-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1296-1593-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1748-1595-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Run\Key Name = "C:\\Users\\Admin\\AppData\\Roaming\\FolderName\\datafli.exe"	reg.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 2256 set thread context of 1936	2256	NEAS.f8c431385b26359e8a88ae72b0812650_JC.exe	28
PID 2256 set thread context of 1296	2256	NEAS.f8c431385b26359e8a88ae72b0812650_JC.exe	29
PID 1696 set thread context of 816	1696	datafli.exe	36
PID 1696 set thread context of 1748	1696	datafli.exe	37
PID 1696 set thread context of 0	1696	datafli.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
1936	svchost.exe
1936	svchost.exe
1936	svchost.exe
1936	svchost.exe
1936	svchost.exe
1936	svchost.exe
1936	svchost.exe
1936	svchost.exe
1936	svchost.exe
1936	svchost.exe
1936	svchost.exe
1936	svchost.exe
1936	svchost.exe
1936	svchost.exe
1936	svchost.exe
1936	svchost.exe
1936	svchost.exe
1936	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe
816	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe
Token: SeDebugPrivilege	1748	datafli.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2256	NEAS.f8c431385b26359e8a88ae72b0812650_JC.exe
1936	svchost.exe
1296	NEAS.f8c431385b26359e8a88ae72b0812650_JC.exe
1696	datafli.exe
816	svchost.exe
1748	datafli.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 1936	2256	NEAS.f8c431385b26359e8a88ae72b0812650_JC.exe	28
PID 2256 wrote to memory of 1936	2256	NEAS.f8c431385b26359e8a88ae72b0812650_JC.exe	28
PID 2256 wrote to memory of 1936	2256	NEAS.f8c431385b26359e8a88ae72b0812650_JC.exe	28
PID 2256 wrote to memory of 1936	2256	NEAS.f8c431385b26359e8a88ae72b0812650_JC.exe	28
PID 2256 wrote to memory of 1936	2256	NEAS.f8c431385b26359e8a88ae72b0812650_JC.exe	28
PID 2256 wrote to memory of 1936	2256	NEAS.f8c431385b26359e8a88ae72b0812650_JC.exe	28
PID 2256 wrote to memory of 1936	2256	NEAS.f8c431385b26359e8a88ae72b0812650_JC.exe	28
PID 2256 wrote to memory of 1936	2256	NEAS.f8c431385b26359e8a88ae72b0812650_JC.exe	28
PID 2256 wrote to memory of 1936	2256	NEAS.f8c431385b26359e8a88ae72b0812650_JC.exe	28
PID 2256 wrote to memory of 1936	2256	NEAS.f8c431385b26359e8a88ae72b0812650_JC.exe	28
PID 2256 wrote to memory of 1296	2256	NEAS.f8c431385b26359e8a88ae72b0812650_JC.exe	29
PID 2256 wrote to memory of 1296	2256	NEAS.f8c431385b26359e8a88ae72b0812650_JC.exe	29
PID 2256 wrote to memory of 1296	2256	NEAS.f8c431385b26359e8a88ae72b0812650_JC.exe	29
PID 2256 wrote to memory of 1296	2256	NEAS.f8c431385b26359e8a88ae72b0812650_JC.exe	29
PID 2256 wrote to memory of 1296	2256	NEAS.f8c431385b26359e8a88ae72b0812650_JC.exe	29
PID 2256 wrote to memory of 1296	2256	NEAS.f8c431385b26359e8a88ae72b0812650_JC.exe	29
PID 2256 wrote to memory of 1296	2256	NEAS.f8c431385b26359e8a88ae72b0812650_JC.exe	29
PID 2256 wrote to memory of 1296	2256	NEAS.f8c431385b26359e8a88ae72b0812650_JC.exe	29
PID 1296 wrote to memory of 844	1296	NEAS.f8c431385b26359e8a88ae72b0812650_JC.exe	30
PID 1296 wrote to memory of 844	1296	NEAS.f8c431385b26359e8a88ae72b0812650_JC.exe	30
PID 1296 wrote to memory of 844	1296	NEAS.f8c431385b26359e8a88ae72b0812650_JC.exe	30
PID 1296 wrote to memory of 844	1296	NEAS.f8c431385b26359e8a88ae72b0812650_JC.exe	30
PID 844 wrote to memory of 840	844	cmd.exe	32
PID 844 wrote to memory of 840	844	cmd.exe	32
PID 844 wrote to memory of 840	844	cmd.exe	32
PID 844 wrote to memory of 840	844	cmd.exe	32
PID 1296 wrote to memory of 1696	1296	NEAS.f8c431385b26359e8a88ae72b0812650_JC.exe	33
PID 1296 wrote to memory of 1696	1296	NEAS.f8c431385b26359e8a88ae72b0812650_JC.exe	33
PID 1296 wrote to memory of 1696	1296	NEAS.f8c431385b26359e8a88ae72b0812650_JC.exe	33
PID 1296 wrote to memory of 1696	1296	NEAS.f8c431385b26359e8a88ae72b0812650_JC.exe	33
PID 1696 wrote to memory of 816	1696	datafli.exe	36
PID 1696 wrote to memory of 816	1696	datafli.exe	36
PID 1696 wrote to memory of 816	1696	datafli.exe	36
PID 1696 wrote to memory of 816	1696	datafli.exe	36
PID 1696 wrote to memory of 816	1696	datafli.exe	36
PID 1696 wrote to memory of 816	1696	datafli.exe	36
PID 1696 wrote to memory of 816	1696	datafli.exe	36
PID 1696 wrote to memory of 816	1696	datafli.exe	36
PID 1696 wrote to memory of 816	1696	datafli.exe	36
PID 1696 wrote to memory of 816	1696	datafli.exe	36
PID 1696 wrote to memory of 1748	1696	datafli.exe	37
PID 1696 wrote to memory of 1748	1696	datafli.exe	37
PID 1696 wrote to memory of 1748	1696	datafli.exe	37
PID 1696 wrote to memory of 1748	1696	datafli.exe	37
PID 1696 wrote to memory of 1748	1696	datafli.exe	37
PID 1696 wrote to memory of 1748	1696	datafli.exe	37
PID 1696 wrote to memory of 1748	1696	datafli.exe	37
PID 1696 wrote to memory of 1748	1696	datafli.exe	37

C:\Users\Admin\AppData\Local\Temp\NEAS.f8c431385b26359e8a88ae72b0812650_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.f8c431385b26359e8a88ae72b0812650_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\system32\svchost.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1936
- C:\Users\Admin\AppData\Local\Temp\NEAS.f8c431385b26359e8a88ae72b0812650_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.f8c431385b26359e8a88ae72b0812650_JC.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1296
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\MLYFO.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:844
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Key Name" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\FolderName\datafli.exe" /f
      4⤵
      Adds Run key to start application
      PID:840
- - C:\Users\Admin\AppData\Roaming\FolderName\datafli.exe
    "C:\Users\Admin\AppData\Roaming\FolderName\datafli.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1696
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\system32\svchost.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:816
  - - C:\Users\Admin\AppData\Roaming\FolderName\datafli.exe
      "C:\Users\Admin\AppData\Roaming\FolderName\datafli.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MLYFO.bat

Filesize
148B

MD5
cad4294c9f78a2359f70ea09f0f56325

SHA1
1d02ee76821a5b6fe45aa4f12bac8f86b0043691

SHA256
48eb38071c5a2a5c40b3110fcbcb52f6ad0849c3ec20b1cf1be5fa223ac0aaf4

SHA512
cd62dd9423a3224d2c4d27853554e0574212cf48a824d562ab3e17231bb839f1dadb12067a7ca39c0cf8ddd5b0e3e8c1dbf601f9822567957e7c29e51fe1693d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MLYFO.bat

Filesize
148B

MD5
cad4294c9f78a2359f70ea09f0f56325

SHA1
1d02ee76821a5b6fe45aa4f12bac8f86b0043691

SHA256
48eb38071c5a2a5c40b3110fcbcb52f6ad0849c3ec20b1cf1be5fa223ac0aaf4

SHA512
cd62dd9423a3224d2c4d27853554e0574212cf48a824d562ab3e17231bb839f1dadb12067a7ca39c0cf8ddd5b0e3e8c1dbf601f9822567957e7c29e51fe1693d

Download Submit
C:\Users\Admin\AppData\Local\Temp\NEAS.f8c431385b26359e8a88ae72b0812650_JC.exe

Filesize
257KB

MD5
f8c431385b26359e8a88ae72b0812650

SHA1
a6a2aae10c4c5dc8572b2657bfa167c158f927f0

SHA256
8ae56fd12244d0c8403a76405f898afc276e0e4ebcbc3bfce7e9994f2bbcc2ff

SHA512
eff6fda763f2adad93329cddd92ca01222f195f10f73d09f5fd3459655646372219580ee266b5d8b790ea25ab8a5dd9045ef619cff36d9b3c600b5942e6c61fe

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\datafli.exe

Filesize
257KB

MD5
8dcec24cbe58c74990bca5121fe4c6af

SHA1
78c36aadc13a922d9eae4737799f820953966b69

SHA256
e99b6551465a72e3335bc430c7eb9781bb2bfc27322a8ab988776da265b30bde

SHA512
c23ef7202ef1cf38a9191c34df122707db6a9eadb2cbc77e91a436d01b56cf04187d914c423fe7051cefb78a528d9fbcfbc287feceb2f67aa86d8f7c54f7a792

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\datafli.exe

Filesize
257KB

MD5
8dcec24cbe58c74990bca5121fe4c6af

SHA1
78c36aadc13a922d9eae4737799f820953966b69

SHA256
e99b6551465a72e3335bc430c7eb9781bb2bfc27322a8ab988776da265b30bde

SHA512
c23ef7202ef1cf38a9191c34df122707db6a9eadb2cbc77e91a436d01b56cf04187d914c423fe7051cefb78a528d9fbcfbc287feceb2f67aa86d8f7c54f7a792

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\datafli.exe

Filesize
257KB

MD5
8dcec24cbe58c74990bca5121fe4c6af

SHA1
78c36aadc13a922d9eae4737799f820953966b69

SHA256
e99b6551465a72e3335bc430c7eb9781bb2bfc27322a8ab988776da265b30bde

SHA512
c23ef7202ef1cf38a9191c34df122707db6a9eadb2cbc77e91a436d01b56cf04187d914c423fe7051cefb78a528d9fbcfbc287feceb2f67aa86d8f7c54f7a792

Download Submit
C:\Users\Admin\AppData\Roaming\FolderName\datafli.exe

Filesize
257KB

MD5
8dcec24cbe58c74990bca5121fe4c6af

SHA1
78c36aadc13a922d9eae4737799f820953966b69

SHA256
e99b6551465a72e3335bc430c7eb9781bb2bfc27322a8ab988776da265b30bde

SHA512
c23ef7202ef1cf38a9191c34df122707db6a9eadb2cbc77e91a436d01b56cf04187d914c423fe7051cefb78a528d9fbcfbc287feceb2f67aa86d8f7c54f7a792

Download Submit
\Users\Admin\AppData\Local\Temp\NEAS.f8c431385b26359e8a88ae72b0812650_JC.exe

Filesize
257KB

MD5
f8c431385b26359e8a88ae72b0812650

SHA1
a6a2aae10c4c5dc8572b2657bfa167c158f927f0

SHA256
8ae56fd12244d0c8403a76405f898afc276e0e4ebcbc3bfce7e9994f2bbcc2ff

SHA512
eff6fda763f2adad93329cddd92ca01222f195f10f73d09f5fd3459655646372219580ee266b5d8b790ea25ab8a5dd9045ef619cff36d9b3c600b5942e6c61fe

Download Submit
\Users\Admin\AppData\Roaming\FolderName\datafli.exe

Filesize
257KB

MD5
8dcec24cbe58c74990bca5121fe4c6af

SHA1
78c36aadc13a922d9eae4737799f820953966b69

SHA256
e99b6551465a72e3335bc430c7eb9781bb2bfc27322a8ab988776da265b30bde

SHA512
c23ef7202ef1cf38a9191c34df122707db6a9eadb2cbc77e91a436d01b56cf04187d914c423fe7051cefb78a528d9fbcfbc287feceb2f67aa86d8f7c54f7a792

Download Submit
\Users\Admin\AppData\Roaming\FolderName\datafli.exe

Filesize
257KB

MD5
8dcec24cbe58c74990bca5121fe4c6af

SHA1
78c36aadc13a922d9eae4737799f820953966b69

SHA256
e99b6551465a72e3335bc430c7eb9781bb2bfc27322a8ab988776da265b30bde

SHA512
c23ef7202ef1cf38a9191c34df122707db6a9eadb2cbc77e91a436d01b56cf04187d914c423fe7051cefb78a528d9fbcfbc287feceb2f67aa86d8f7c54f7a792

Download Submit
\Users\Admin\AppData\Roaming\FolderName\datafli.exe

Filesize
257KB

MD5
8dcec24cbe58c74990bca5121fe4c6af

SHA1
78c36aadc13a922d9eae4737799f820953966b69

SHA256
e99b6551465a72e3335bc430c7eb9781bb2bfc27322a8ab988776da265b30bde

SHA512
c23ef7202ef1cf38a9191c34df122707db6a9eadb2cbc77e91a436d01b56cf04187d914c423fe7051cefb78a528d9fbcfbc287feceb2f67aa86d8f7c54f7a792

Download Submit
\Users\Admin\AppData\Roaming\FolderName\datafli.exe

Filesize
257KB

MD5
8dcec24cbe58c74990bca5121fe4c6af

SHA1
78c36aadc13a922d9eae4737799f820953966b69

SHA256
e99b6551465a72e3335bc430c7eb9781bb2bfc27322a8ab988776da265b30bde

SHA512
c23ef7202ef1cf38a9191c34df122707db6a9eadb2cbc77e91a436d01b56cf04187d914c423fe7051cefb78a528d9fbcfbc287feceb2f67aa86d8f7c54f7a792

Download Submit
\Users\Admin\AppData\Roaming\FolderName\datafli.exe

Filesize
257KB

MD5
8dcec24cbe58c74990bca5121fe4c6af

SHA1
78c36aadc13a922d9eae4737799f820953966b69

SHA256
e99b6551465a72e3335bc430c7eb9781bb2bfc27322a8ab988776da265b30bde

SHA512
c23ef7202ef1cf38a9191c34df122707db6a9eadb2cbc77e91a436d01b56cf04187d914c423fe7051cefb78a528d9fbcfbc287feceb2f67aa86d8f7c54f7a792

Download Submit
memory/816-1594-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1296-703-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1296-710-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1296-1593-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1296-788-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1748-1595-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1936-787-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1936-675-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2256-14-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2256-2-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2256-57-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2256-20-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2256-8-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2256-4-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2256-28-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2256-32-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download