2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231130-en
resource tags

arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
submitted
11/12/2023, 20:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.exe
Size

7.5MB
MD5

1be7af9f67b28c1e31354bf0abc0d8f5
SHA1

7f3f959ddbebc904056e10a103874ed02f5daba6
SHA256

2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214
SHA512

4bd4a854785a49156642f79573654b9135df474cb5c4f1dd1c7e7aea5b1c2de1568748909093d70deba05a93cbbfbb8ec0603448cd90f8ddafd26ebfd28f2202
SSDEEP

196608:xpVDDR8SZqepbLqwjKpDf/NIpEpDqfBrT0/WViLFfzj:xpVBtvpbL/+vVYBrTTefzj

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4552	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
1952	gifplayer.exe
4656	gifplayer.exe

Loads dropped DLL 3 IoCs

pid	Process
4552	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
4552	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
4552	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	152.89.198.214
Destination IP	194.49.94.194
Destination IP	81.31.197.38

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 63 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-VHFHB.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-GUDNC.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-2R3DR.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-ED6UP.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-N157T.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-4H3B0.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\stuff\is-E3BHL.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-DFUB6.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-PK96K.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-RJHPH.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-GG7B4.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-3SHR8.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File opened for modification	C:\Program Files (x86)\PlayGIF\gifplayer.exe	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-K52TR.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-CIJJM.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-MF5RC.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-57NLF.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-2DNV2.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-3K4EG.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-H0FOS.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-9MPIB.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-D02JA.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-75T35.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-1L0EA.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\uninstall\unins000.dat	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-P1FJ4.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-0L8CK.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-O3VCO.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\uninstall\is-4E7I3.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-MH38R.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-BQVJS.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-OH02A.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-S442R.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\lessmsi\is-GD7V7.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\plugins\internal\is-5LFMK.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\plugins\internal\is-ALQ0K.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\stuff\is-CRDU6.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-2HUUQ.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-OFKSD.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-766J9.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-LGPOU.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-EHNPJ.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\stuff\is-FT2KM.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-7FBE7.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-ONL7S.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\is-K7QTN.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-EGCEM.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-ROU0M.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-K0O2V.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-PHLNA.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-38U4U.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\stuff\is-NA5GU.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-K6DMN.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-G4PRT.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-GGS5Q.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File opened for modification	C:\Program Files (x86)\PlayGIF\uninstall\unins000.dat	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-5NQT3.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-PDIOF.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-OSUSO.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-BU8IU.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-R1FI3.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-L1LRH.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
File created	C:\Program Files (x86)\PlayGIF\bin\x86\is-PS01H.tmp	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp

Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4552	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3276 wrote to memory of 4552	3276	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.exe	85
PID 3276 wrote to memory of 4552	3276	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.exe	85
PID 3276 wrote to memory of 4552	3276	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.exe	85
PID 4552 wrote to memory of 4652	4552	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp	89
PID 4552 wrote to memory of 4652	4552	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp	89
PID 4552 wrote to memory of 4652	4552	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp	89
PID 4552 wrote to memory of 1952	4552	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp	91
PID 4552 wrote to memory of 1952	4552	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp	91
PID 4552 wrote to memory of 1952	4552	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp	91
PID 4552 wrote to memory of 2320	4552	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp	92
PID 4552 wrote to memory of 2320	4552	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp	92
PID 4552 wrote to memory of 2320	4552	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp	92
PID 4552 wrote to memory of 4656	4552	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp	93
PID 4552 wrote to memory of 4656	4552	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp	93
PID 4552 wrote to memory of 4656	4552	2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp	93
PID 2320 wrote to memory of 4252	2320	net.exe	95
PID 2320 wrote to memory of 4252	2320	net.exe	95
PID 2320 wrote to memory of 4252	2320	net.exe	95

C:\Users\Admin\AppData\Local\Temp\2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.exe
"C:\Users\Admin\AppData\Local\Temp\2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3276
- C:\Users\Admin\AppData\Local\Temp\is-JV08L.tmp\2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-JV08L.tmp\2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp" /SL5="$70102,7565670,68096,C:\Users\Admin\AppData\Local\Temp\2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4552
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Query
    3⤵
    PID:4652
- - C:\Program Files (x86)\PlayGIF\gifplayer.exe
    "C:\Program Files (x86)\PlayGIF\gifplayer.exe" -i
    3⤵
    - Executes dropped EXE
    PID:1952
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 11
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 helpmsg 11
      4⤵
      PID:4252
- - C:\Program Files (x86)\PlayGIF\gifplayer.exe
    "C:\Program Files (x86)\PlayGIF\gifplayer.exe" -s
    3⤵
    - Executes dropped EXE
    PID:4656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PlayGIF\gifplayer.exe

Filesize
1.8MB

MD5
252781dc120541d9f889e237b2455516

SHA1
9e1db7243905c666db9fcae96a9afc9caaf27bda

SHA256
216ddf8b460d3c9dd57cab21ffe8888ca8e63ffe5ecd0d6909a419b5951bfc05

SHA512
9a551ebdf7a038c0f7c6736d7129251e564d3782bb9e27d0a106e70043a9794c49def8db3f2f7253f8b44f893196cc94316dd8f230576e67f4703ac168f70d40

Download Submit
C:\Program Files (x86)\PlayGIF\gifplayer.exe

Filesize
891KB

MD5
e2686e3ec6c601b927c86637bc56ae87

SHA1
bd6b48e7bda96add63378461665a2bf9cbb39eef

SHA256
823cb5c9af327c12a6c2e54573f21f0b161b9d511f20841253d485cc5512f2a6

SHA512
7030582706af7bb22bc4526fb90ac5ae5e3c396e8252130acd138039ca8baf5b068cb0e64c3ea8aa1c7b6f0315b61b772b8ba060854d613305b8a49f293e72a3

Download Submit
C:\Program Files (x86)\PlayGIF\gifplayer.exe

Filesize
744KB

MD5
1d0cb36675d8d65a67facd74f10a2365

SHA1
08045e79479a158945bb3fc3d11cd219af207be3

SHA256
c37cdf52ffb94d6835a7b189948e1ba01f78061a55e4a31f7931749d95dae06e

SHA512
2e6b4d95ac0b0bb28659bed74e5582f85eea5aee1f92102a216be823cf94590e32eada79488d732e144b4162c12ac3e10ea0b30ba1d91701e33e14fbd9d7e36f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GJOFR.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GJOFR.tmp\_isetup\_isdecmp.dll

Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JV08L.tmp\2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp

Filesize
294KB

MD5
71ba601dc4428c68b1831060adb7ef2e

SHA1
0efa0cd4696a29a341fab74992cb9e13fdcc0cd2

SHA256
662aa056d30f5ae0f8c8c5ab75533bc8835e169488e47cb857d2cf0dd3c2f0ca

SHA512
98d6fdb9055f494f0e12d85c9e7b8177e3836840cc38b0a4c993a441737d5e80c2b23efab048fa2c205b04381342963d2ee2ad2670d7ac5376853434c849a237

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JV08L.tmp\2041669c537560579e337c7417bfb057cd4584f5a00c8aa3572bcc33768a0214.tmp

Filesize
377KB

MD5
b090459d1b7272edeacc7a27c0d15d5c

SHA1
66ad7938dc0b12bfb2645227c84f9063ebc152b5

SHA256
43e0afd4ee78fbb6039714bacc4470642b7e6a6cb8305af7f36ae26417a7241a

SHA512
13c95cce1f5473959cd0d2dfeaa72220078e7b6b1b2b3580023dd27c6ad2ee1024edd21175930667c86cd6202e9647cee8fac1ec1f5a0c44c1642c3506adf32c

Download Submit
memory/1952-151-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1952-152-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1952-154-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/1952-155-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/3276-2-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3276-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3276-160-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4552-161-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4552-7-0x00000000021F0000-0x00000000021F1000-memory.dmp

Filesize
4KB

Download
memory/4552-163-0x00000000021F0000-0x00000000021F1000-memory.dmp

Filesize
4KB

Download
memory/4656-162-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/4656-180-0x00000000008D0000-0x000000000096E000-memory.dmp

Filesize
632KB

Download
memory/4656-157-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/4656-166-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/4656-167-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/4656-170-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/4656-173-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/4656-176-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/4656-179-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/4656-159-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/4656-181-0x00000000008D0000-0x000000000096E000-memory.dmp

Filesize
632KB

Download
memory/4656-186-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/4656-189-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/4656-190-0x00000000008D0000-0x000000000096E000-memory.dmp

Filesize
632KB

Download
memory/4656-193-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/4656-196-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/4656-199-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/4656-202-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/4656-205-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download
memory/4656-208-0x0000000000400000-0x0000000000666000-memory.dmp

Filesize
2.4MB

Download