d8450b72d767c68655bc4e8482f3b887f3e68b5643127a6836e84a11e4082161

Analysis

max time kernel
10s
max time network
83s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
10-01-2024 02:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f4cefde786d2d2fe0f061cfcceca68f.exe
Size

4.1MB
MD5

4f4cefde786d2d2fe0f061cfcceca68f
SHA1

1f1371328250d3857500b5c8a727aa676e1c95f5
SHA256

d8450b72d767c68655bc4e8482f3b887f3e68b5643127a6836e84a11e4082161
SHA512

313b48009362960ce9745021006ddbdaacd9b3699f0289bc7bf124d74b0a9cd7571d10d7dce5677dda494ea6f476a82f73f72d3c2657e22894797b00f3ea790d
SSDEEP

49152:ISlNHydXboE+2pKWTvP6p9kB/GS0fsXCFzSlNHydXboE+2pKWTvP6p9kB/GS0fsR:ISjydNCYn0+WSjydNCYn0+B

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	spoolsv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	4f4cefde786d2d2fe0f061cfcceca68f.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	spoolsv.exe

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4f4cefde786d2d2fe0f061cfcceca68f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4f4cefde786d2d2fe0f061cfcceca68f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
4296	explorer.exe
4740	spoolsv.exe
1704	svchost.exe
4752	spoolsv.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Wine	4f4cefde786d2d2fe0f061cfcceca68f.exe
Key opened	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Wine	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Wine	spoolsv.exe
Key opened	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Wine	svchost.exe
Key opened	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Wine	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
2764	4f4cefde786d2d2fe0f061cfcceca68f.exe
4296	explorer.exe
4740	spoolsv.exe
1704	svchost.exe
4752	spoolsv.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	4f4cefde786d2d2fe0f061cfcceca68f.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2764	4f4cefde786d2d2fe0f061cfcceca68f.exe
2764	4f4cefde786d2d2fe0f061cfcceca68f.exe
2764	4f4cefde786d2d2fe0f061cfcceca68f.exe
2764	4f4cefde786d2d2fe0f061cfcceca68f.exe
2764	4f4cefde786d2d2fe0f061cfcceca68f.exe
2764	4f4cefde786d2d2fe0f061cfcceca68f.exe
2764	4f4cefde786d2d2fe0f061cfcceca68f.exe
2764	4f4cefde786d2d2fe0f061cfcceca68f.exe
2764	4f4cefde786d2d2fe0f061cfcceca68f.exe
2764	4f4cefde786d2d2fe0f061cfcceca68f.exe
2764	4f4cefde786d2d2fe0f061cfcceca68f.exe
2764	4f4cefde786d2d2fe0f061cfcceca68f.exe
2764	4f4cefde786d2d2fe0f061cfcceca68f.exe
2764	4f4cefde786d2d2fe0f061cfcceca68f.exe
2764	4f4cefde786d2d2fe0f061cfcceca68f.exe
2764	4f4cefde786d2d2fe0f061cfcceca68f.exe
2764	4f4cefde786d2d2fe0f061cfcceca68f.exe
2764	4f4cefde786d2d2fe0f061cfcceca68f.exe
2764	4f4cefde786d2d2fe0f061cfcceca68f.exe
2764	4f4cefde786d2d2fe0f061cfcceca68f.exe
2764	4f4cefde786d2d2fe0f061cfcceca68f.exe
2764	4f4cefde786d2d2fe0f061cfcceca68f.exe
2764	4f4cefde786d2d2fe0f061cfcceca68f.exe
2764	4f4cefde786d2d2fe0f061cfcceca68f.exe
2764	4f4cefde786d2d2fe0f061cfcceca68f.exe
2764	4f4cefde786d2d2fe0f061cfcceca68f.exe
2764	4f4cefde786d2d2fe0f061cfcceca68f.exe
2764	4f4cefde786d2d2fe0f061cfcceca68f.exe
2764	4f4cefde786d2d2fe0f061cfcceca68f.exe
2764	4f4cefde786d2d2fe0f061cfcceca68f.exe
2764	4f4cefde786d2d2fe0f061cfcceca68f.exe
2764	4f4cefde786d2d2fe0f061cfcceca68f.exe
2764	4f4cefde786d2d2fe0f061cfcceca68f.exe
2764	4f4cefde786d2d2fe0f061cfcceca68f.exe
2764	4f4cefde786d2d2fe0f061cfcceca68f.exe
2764	4f4cefde786d2d2fe0f061cfcceca68f.exe
4296	explorer.exe
4296	explorer.exe
4296	explorer.exe
4296	explorer.exe
4296	explorer.exe
4296	explorer.exe
4296	explorer.exe
4296	explorer.exe
4296	explorer.exe
4296	explorer.exe
4296	explorer.exe
4296	explorer.exe
4296	explorer.exe
4296	explorer.exe
4296	explorer.exe
4296	explorer.exe
4296	explorer.exe
4296	explorer.exe
4296	explorer.exe
4296	explorer.exe
4296	explorer.exe
4296	explorer.exe
4296	explorer.exe
4296	explorer.exe
4296	explorer.exe
4296	explorer.exe
4296	explorer.exe
4296	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4296	explorer.exe
1704	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2764	4f4cefde786d2d2fe0f061cfcceca68f.exe
2764	4f4cefde786d2d2fe0f061cfcceca68f.exe
4296	explorer.exe
4296	explorer.exe
4740	spoolsv.exe
4740	spoolsv.exe
1704	svchost.exe
1704	svchost.exe
4752	spoolsv.exe
4752	spoolsv.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 4296	2764	4f4cefde786d2d2fe0f061cfcceca68f.exe	27
PID 2764 wrote to memory of 4296	2764	4f4cefde786d2d2fe0f061cfcceca68f.exe	27
PID 2764 wrote to memory of 4296	2764	4f4cefde786d2d2fe0f061cfcceca68f.exe	27
PID 4296 wrote to memory of 4740	4296	explorer.exe	28
PID 4296 wrote to memory of 4740	4296	explorer.exe	28
PID 4296 wrote to memory of 4740	4296	explorer.exe	28
PID 4740 wrote to memory of 1704	4740	spoolsv.exe	29
PID 4740 wrote to memory of 1704	4740	spoolsv.exe	29
PID 4740 wrote to memory of 1704	4740	spoolsv.exe	29
PID 1704 wrote to memory of 4752	1704	svchost.exe	30
PID 1704 wrote to memory of 4752	1704	svchost.exe	30
PID 1704 wrote to memory of 4752	1704	svchost.exe	30

C:\Users\Admin\AppData\Local\Temp\4f4cefde786d2d2fe0f061cfcceca68f.exe
"C:\Users\Admin\AppData\Local\Temp\4f4cefde786d2d2fe0f061cfcceca68f.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2764
- \??\c:\windows\resources\themes\explorer.exe
  c:\windows\resources\themes\explorer.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4296
- - \??\c:\windows\resources\spoolsv.exe
    c:\windows\resources\spoolsv.exe SE
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4740
  - - \??\c:\windows\resources\svchost.exe
      c:\windows\resources\svchost.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1704
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:4752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
30KB

MD5
b3dfe20074ec51c442f2d135a20db156

SHA1
73014f4fb18a27052c19f0c2427bc647c079a233

SHA256
d12b3cf03a0800862fe975c1d20f0957a41d684da7c2a187bb981a5e61b7f4a8

SHA512
c76d5abceb0268809abf6f208d254a412be516d8a5cc744fb9372c158e7c06fd23ade8720a8d200b13de69e08e8b98ac47137b0c52a5cf640d906972c886ecd7

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
73KB

MD5
8a1ca71c03cbaada7786a248a5dc5b25

SHA1
80daaf87d316a86ddbd0eeaef4b122e8e060f88a

SHA256
0364f4867c2d6e15f60c223339b4943a6a6e7f700badd44f87090f8763542406

SHA512
01c7503cfbd607dde6e4a7e9ddef87c515e01bc98dbedd2b60b88eadceddddb9c4319d19c7211ee4ca9a286054e3ef9505a3e99490d4741e4e5e0c60a75d76d2

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
14KB

MD5
9486e4f42e4537979fb842fc8a72f40f

SHA1
bf75df2762aa32bdc47aa9c58ba53a6dc9b9d80c

SHA256
b358460314cc5dd6c4a6611194d98ccadf3be4b66b6bbd58319d5b3858ce7e34

SHA512
9e787d82798c27ada3b3bc1c1d81937683d49bc3ac8696796499ef858ca653ded6a1c0021abfb697d6375f53e224244cb1b2d64b58f05f9be1066fa7ce22142e

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
21KB

MD5
6b07ed81a8b4d0733d914bb1c928cc74

SHA1
80af68074c83cbc1cb6ea5d6a9fafddfdf93133c

SHA256
6e4528af9face1381594806f256f8a667e11317c6d2c5cd5492d695bbbc9d8df

SHA512
9e00a0cb34aa410582182365ed067b9207b6c5dd188cb8c546aca21bef22149cfad7b2e047d785defe4d64b1701cef153be0b56a0ae9b4787d576ffdb0482188

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
15KB

MD5
2944197f8597ed254662a0c509ab39c8

SHA1
020b1a855afaf82c4abcade9bd9a1b442f77fa0a

SHA256
cf932ed70927903f779e2a0303d3a408eaac0884f8cc15942f8c0429443646b2

SHA512
43a6640b9c519fbdc105a8e3b1392a3919ab2b0018b66866f74e5864f95924644a47663539073319c36311b530968db255ee7fcf39192011a71726db9430d80c

Download Submit
\??\c:\windows\resources\spoolsv.exe

Filesize
41KB

MD5
690937c8d248a29d93bd0f64066a08cb

SHA1
5778a59bcef0f5882711020f6a5d44edf77357f6

SHA256
22ef26da660006b487a76562ec435ac569522371cf87e930005399eca2f77365

SHA512
e285d17190d6d512d3dae0292f1968ca9aad99547fe6f511514aceec2c3a9f25cd084d7613e26cb4ca43d5f2720fd2808c8c9d99496b13a37cd710e21d8f0784

Download Submit
\??\c:\windows\resources\svchost.exe

Filesize
21KB

MD5
5ee7150a9e41744f1b559ba44bfd07e3

SHA1
cf7ed8c9498e7dbb692bf821de48447ec76196c7

SHA256
5db1d42cb85edc7244cbab9ec93787cd132283aa30912b5322f236363ee6fe35

SHA512
ebce047614f8589cc03474c19278854d8b49fc06244b15fc83625289f5f9f240f7fba1e9728cf892eb9e4ff9eb4bd00e2a9ab9bb57ec409c61a325d3f820f445

Download Submit
\??\c:\windows\resources\themes\explorer.exe

Filesize
91KB

MD5
7b6ccd5da8d135ca0a21e92a0c90ea69

SHA1
823a8c4aa9665fbc29993b2a8e77f0daabe219fd

SHA256
b015adc61767c6adf5cab6430eef3400711bad214a1ea2dcc1ea94a8f895a820

SHA512
dd7b1b8829a84bc8984f5080a14e479822deb693a269e6bf2d15c565289da380e56b09ebc3a0021d04d70b7994f7c72952aff6fe885b569c3dc713a0ce2b1d02

Download Submit
memory/1704-106-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/1704-114-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/1704-83-0x0000000005210000-0x0000000005211000-memory.dmp

Filesize
4KB

Download
memory/1704-84-0x00000000051F0000-0x00000000051F1000-memory.dmp

Filesize
4KB

Download
memory/1704-82-0x0000000005300000-0x0000000005302000-memory.dmp

Filesize
8KB

Download
memory/1704-80-0x0000000005220000-0x0000000005221000-memory.dmp

Filesize
4KB

Download
memory/1704-77-0x00000000051B0000-0x00000000051B1000-memory.dmp

Filesize
4KB

Download
memory/1704-75-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/1704-130-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/1704-128-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/1704-78-0x0000000005230000-0x0000000005231000-memory.dmp

Filesize
4KB

Download
memory/1704-124-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/1704-79-0x00000000051D0000-0x00000000051D1000-memory.dmp

Filesize
4KB

Download
memory/1704-122-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/1704-126-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/1704-68-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/1704-69-0x00000000752B0000-0x000000007540D000-memory.dmp

Filesize
1.4MB

Download
memory/1704-120-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/1704-118-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/1704-76-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/1704-116-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/1704-81-0x0000000005260000-0x0000000005262000-memory.dmp

Filesize
8KB

Download
memory/1704-112-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/1704-110-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/1704-108-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/1704-102-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/2764-0-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/2764-17-0x0000000004E00000-0x0000000004E01000-memory.dmp

Filesize
4KB

Download
memory/2764-4-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/2764-2-0x00000000752B0000-0x000000007540D000-memory.dmp

Filesize
1.4MB

Download
memory/2764-8-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/2764-40-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/2764-1-0x0000000077D64000-0x0000000077D66000-memory.dmp

Filesize
8KB

Download
memory/2764-95-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/2764-7-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download
memory/2764-18-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/2764-44-0x00000000752B0000-0x000000007540D000-memory.dmp

Filesize
1.4MB

Download
memory/2764-9-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/2764-10-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/2764-11-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/2764-12-0x0000000004E70000-0x0000000004E72000-memory.dmp

Filesize
8KB

Download
memory/2764-13-0x0000000004F10000-0x0000000004F12000-memory.dmp

Filesize
8KB

Download
memory/2764-14-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download
memory/4296-105-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/4296-119-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/4296-25-0x00000000752B0000-0x000000007540D000-memory.dmp

Filesize
1.4MB

Download
memory/4296-129-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/4296-37-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download
memory/4296-27-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/4296-127-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/4296-28-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download
memory/4296-125-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/4296-41-0x00000000048C0000-0x00000000048C1000-memory.dmp

Filesize
4KB

Download
memory/4296-123-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/4296-22-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/4296-121-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/4296-39-0x0000000004EA0000-0x0000000004EA2000-memory.dmp

Filesize
8KB

Download
memory/4296-73-0x00000000752B0000-0x000000007540D000-memory.dmp

Filesize
1.4MB

Download
memory/4296-111-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/4296-38-0x0000000004E00000-0x0000000004E01000-memory.dmp

Filesize
4KB

Download
memory/4296-35-0x0000000004E60000-0x0000000004E62000-memory.dmp

Filesize
8KB

Download
memory/4296-34-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/4296-33-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/4296-30-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/4296-29-0x00000000048B0000-0x00000000048B1000-memory.dmp

Filesize
4KB

Download
memory/4296-117-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/4296-101-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/4296-36-0x0000000004F00000-0x0000000004F02000-memory.dmp

Filesize
8KB

Download
memory/4296-67-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/4296-115-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/4296-107-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/4296-113-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/4296-109-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/4740-58-0x0000000004E70000-0x0000000004E72000-memory.dmp

Filesize
8KB

Download
memory/4740-57-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/4740-49-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/4740-47-0x00000000752B0000-0x000000007540D000-memory.dmp

Filesize
1.4MB

Download
memory/4740-62-0x0000000004EB0000-0x0000000004EB2000-memory.dmp

Filesize
8KB

Download
memory/4740-61-0x0000000004E00000-0x0000000004E01000-memory.dmp

Filesize
4KB

Download
memory/4740-90-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/4740-60-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download
memory/4740-51-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download
memory/4740-59-0x0000000004F00000-0x0000000004F02000-memory.dmp

Filesize
8KB

Download
memory/4740-54-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/4740-55-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/4740-56-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/4740-96-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/4740-63-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/4740-97-0x00000000752B0000-0x000000007540D000-memory.dmp

Filesize
1.4MB

Download
memory/4752-94-0x00000000752B0000-0x000000007540D000-memory.dmp

Filesize
1.4MB

Download
memory/4752-93-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/4752-92-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download
memory/4752-86-0x00000000752B0000-0x000000007540D000-memory.dmp

Filesize
1.4MB

Download
memory/4752-85-0x0000000000400000-0x0000000000873000-memory.dmp

Filesize
4.4MB

Download