c9b3414ddd02dbd1ba0efa264b21133b45eac505e9abd551cb235647c4bf519d

Analysis

max time kernel
299s
max time network
278s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-04-2024 11:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
Size

16.8MB
MD5

7d275755c8016baf66a2de364b5b9b3b
SHA1

f72d3c3578022614c6d5c8c9b5fede688e4a0b5b
SHA256

f593ab3d9d28ed29c7e65afe5d5c3d234e13a7d2552723565e80d954d5e15da1
SHA512

55f3a335bb6641c8ca1f480ed38cc85953ef85ba42b6f6cc91c01a5a5357fcf1336719fd04937d49f2bc93cfadc861fd935967ec0535e87543b0cdadb859b249
SSDEEP

393216:TJntyWPo+h06gwTU0eByBBpfJsB7Ja2gn9uG6DEWbSAY02znM0/JkGp5Ai:3yWPrnrXsBcvuG6AWvUndJpqi

Score

9^/10

bootkit evasion persistence trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 32 IoCs

pid	Process
1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 23 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\CertificateAuthority.Request	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\CertificateAuthority.Request\CLSID\Certificate Number (456002392) = 1e312f0587bda7507d85bb28	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\.tey06g	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\CompressedFolder\CLSID\{a3e64b62-5871-1e2b-c158-bc065d7a} = 2efeea8bb5bc170aabae9965	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\CompressedFolder\CLSID	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\CompressedFolder	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\CompressedFolder\CLSID\Compression Type (ikle6805y) = 5df886484d1baab82fa0175e	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\.tey06g\Extension (rd506) = 96a711eb845b432c	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\CertificateAuthority.Request\CLSID\Request ID (138vd2tvt87) = cbc19348036181f6c20aba66	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\CompressedFolder\CLSID\{a3e64b62-5871-1e2b-c158-bc065d7a} = 2ec632efb5bc170aabae9965	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\CertificateAuthority.Request\CLSID\Request ID (138vd2tvt87) = dbc2db74036181f6c20aba66	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{032e991d-529e-70a3-62c2-4963a0b1}	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\CompressedFolder\CLSID\{a3e64b62-5871-1e2b-c158-bc065d7a} = be175f7ebabc170ab0ae9965	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\CompressedFolder\CLSID\{a3e64b62-5871-1e2b-c158-bc065d7a} = 4e0e6753b5bc170aabae9965	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{9824cd1e-70e2-0184-dd31-a59e6880}\LocalizedString = 7fd100e64c2912124debfaca	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\CertificateAuthority.Request\CLSID\Request ID (138vd2tvt87) = 5b2826bd0c6181f6cb0aba66	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\CertificateAuthority.Request\CLSID\Request ID (138vd2tvt87) = 5b9f21bd0c6181f6cb0aba66	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\CertificateAuthority.Request\CLSID\Request ID (138vd2tvt87) = ab311e90036181f6c20aba66	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\CompressedFolder\CLSID\{a3e64b62-5871-1e2b-c158-bc065d7a} = 3efda2b7b5bc170aabae9965	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\CertificateAuthority.Request\CLSID	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{032e991d-529e-70a3-62c2-4963a0b1}\oihlslom = 7fb8e6394a29d25c4b261e88	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{9824cd1e-70e2-0184-dd31-a59e6880}	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\CertificateAuthority.Request\CLSID\Request ID (138vd2tvt87) = cbf94b2c036181f6c20aba66	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
Token: SeCreatePagefilePrivilege	1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
Token: SeShutdownPrivilege	1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
Token: SeCreatePagefilePrivilege	1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
Token: SeShutdownPrivilege	1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
Token: SeCreatePagefilePrivilege	1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
Token: SeShutdownPrivilege	1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
Token: SeCreatePagefilePrivilege	1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
Token: SeShutdownPrivilege	1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
Token: SeCreatePagefilePrivilege	1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
Token: SeShutdownPrivilege	1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
Token: SeCreatePagefilePrivilege	1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
Token: SeShutdownPrivilege	1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
Token: SeCreatePagefilePrivilege	1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
Token: SeShutdownPrivilege	1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
Token: SeCreatePagefilePrivilege	1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
Token: SeShutdownPrivilege	1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
Token: SeCreatePagefilePrivilege	1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1420	F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe

C:\Users\Admin\AppData\Local\Temp\F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe
"C:\Users\Admin\AppData\Local\Temp\F593AB3D9D28ED29C7E65AFE5D5C3D234E13A7D2552723565E80D954D5E15DA1.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\rupsvhrr.teq

Filesize
12B

MD5
dc8ab9c2bff307e4a9545b87ffdb4899

SHA1
3fa9d2adfd5f8244d93e69507739b5d51bbc5677

SHA256
b841da0ac26fc81e103a374fe3c1aab945a14ea9ae0437335d37e28b1f171e66

SHA512
d0110d9c9077c1e8da1782afa596df39dbca237102beb0b70ea7b913d681e3cab406d238ae63e92c0ae9b5797bbdf1d82c92f561c3be675fc1bee12e1348a809

Download Submit
C:\ProgramData\udmjoyld.fho

Filesize
12B

MD5
d1c51696009b459ebfd677742b0fe0fb

SHA1
8896f8773e2ac35011fd3b4cff015d6ff91c4ff4

SHA256
c990accbc1247d1a873a39783f5a6082e51d666f62c4e9d549dbfd36bfa255e9

SHA512
8aabb0a4d571364eefa0bfc12a4297ef074d0f44c07403be928e1e49bd5f285ed24447b592f85c7f205d3e5ed57cbc9d65f46fee6fef9bb6a1630717bbbf4a95

Download Submit
memory/1420-0-0x0000000000400000-0x00000000033D3000-memory.dmp

Filesize
47.8MB

Download
memory/1420-1-0x0000000005500000-0x0000000005501000-memory.dmp

Filesize
4KB

Download
memory/1420-2-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/1420-3-0x0000000077392000-0x0000000077393000-memory.dmp

Filesize
4KB

Download
memory/1420-4-0x0000000075E90000-0x0000000075F80000-memory.dmp

Filesize
960KB

Download
memory/1420-5-0x0000000075E90000-0x0000000075F80000-memory.dmp

Filesize
960KB

Download
memory/1420-6-0x0000000075E90000-0x0000000075F80000-memory.dmp

Filesize
960KB

Download
memory/1420-7-0x0000000075E90000-0x0000000075F80000-memory.dmp

Filesize
960KB

Download
memory/1420-8-0x0000000075E90000-0x0000000075F80000-memory.dmp

Filesize
960KB

Download
memory/1420-9-0x0000000076D00000-0x0000000076F15000-memory.dmp

Filesize
2.1MB

Download
memory/1420-21-0x0000000075E90000-0x0000000075F80000-memory.dmp

Filesize
960KB

Download
memory/1420-26-0x0000000075E90000-0x0000000075F80000-memory.dmp

Filesize
960KB

Download
memory/1420-27-0x0000000077394000-0x0000000077396000-memory.dmp

Filesize
8KB

Download
memory/1420-28-0x0000000000400000-0x00000000033D3000-memory.dmp

Filesize
47.8MB

Download
memory/1420-29-0x0000000000400000-0x00000000033D3000-memory.dmp

Filesize
47.8MB

Download
memory/1420-30-0x0000000000400000-0x00000000033D3000-memory.dmp

Filesize
47.8MB

Download
memory/1420-31-0x0000000000400000-0x00000000033D3000-memory.dmp

Filesize
47.8MB

Download
memory/1420-32-0x0000000000400000-0x00000000033D3000-memory.dmp

Filesize
47.8MB

Download
memory/1420-33-0x0000000000400000-0x00000000033D3000-memory.dmp

Filesize
47.8MB

Download
memory/1420-34-0x000000007FA70000-0x000000007FE41000-memory.dmp

Filesize
3.8MB

Download
memory/1420-35-0x0000000075E90000-0x0000000075F80000-memory.dmp

Filesize
960KB

Download
memory/1420-36-0x0000000075E90000-0x0000000075F80000-memory.dmp

Filesize
960KB

Download
memory/1420-37-0x0000000075E90000-0x0000000075F80000-memory.dmp

Filesize
960KB

Download
memory/1420-38-0x0000000075E90000-0x0000000075F80000-memory.dmp

Filesize
960KB

Download
memory/1420-39-0x0000000075E90000-0x0000000075F80000-memory.dmp

Filesize
960KB

Download
memory/1420-40-0x0000000076D00000-0x0000000076F15000-memory.dmp

Filesize
2.1MB

Download
memory/1420-41-0x0000000075E90000-0x0000000075F80000-memory.dmp

Filesize
960KB

Download
memory/1420-42-0x0000000075E90000-0x0000000075F80000-memory.dmp

Filesize
960KB

Download
memory/1420-43-0x0000000075E90000-0x0000000075F80000-memory.dmp

Filesize
960KB

Download
memory/1420-44-0x0000000000400000-0x00000000033D3000-memory.dmp

Filesize
47.8MB

Download
memory/1420-45-0x0000000000400000-0x00000000033D3000-memory.dmp

Filesize
47.8MB

Download
memory/1420-46-0x0000000000400000-0x00000000033D3000-memory.dmp

Filesize
47.8MB

Download
memory/1420-47-0x0000000000400000-0x00000000033D3000-memory.dmp

Filesize
47.8MB

Download
memory/1420-52-0x0000000000400000-0x00000000033D3000-memory.dmp

Filesize
47.8MB

Download
memory/1420-53-0x0000000000400000-0x00000000033D3000-memory.dmp

Filesize
47.8MB

Download
memory/1420-54-0x0000000000400000-0x00000000033D3000-memory.dmp

Filesize
47.8MB

Download
memory/1420-55-0x0000000000400000-0x00000000033D3000-memory.dmp

Filesize
47.8MB

Download
memory/1420-56-0x0000000000400000-0x00000000033D3000-memory.dmp

Filesize
47.8MB

Download
memory/1420-61-0x0000000000400000-0x00000000033D3000-memory.dmp

Filesize
47.8MB

Download
memory/1420-62-0x0000000000400000-0x00000000033D3000-memory.dmp

Filesize
47.8MB

Download
memory/1420-63-0x0000000000400000-0x00000000033D3000-memory.dmp

Filesize
47.8MB

Download
memory/1420-64-0x0000000000400000-0x00000000033D3000-memory.dmp

Filesize
47.8MB

Download
memory/1420-65-0x0000000000400000-0x00000000033D3000-memory.dmp

Filesize
47.8MB

Download
memory/1420-66-0x0000000000400000-0x00000000033D3000-memory.dmp

Filesize
47.8MB

Download
memory/1420-67-0x0000000000400000-0x00000000033D3000-memory.dmp

Filesize
47.8MB

Download
memory/1420-72-0x0000000000400000-0x00000000033D3000-memory.dmp

Filesize
47.8MB

Download
memory/1420-73-0x0000000000400000-0x00000000033D3000-memory.dmp

Filesize
47.8MB

Download
memory/1420-74-0x0000000000400000-0x00000000033D3000-memory.dmp

Filesize
47.8MB

Download
memory/1420-75-0x0000000000400000-0x00000000033D3000-memory.dmp

Filesize
47.8MB

Download
memory/1420-76-0x0000000000400000-0x00000000033D3000-memory.dmp

Filesize
47.8MB

Download
memory/1420-77-0x0000000000400000-0x00000000033D3000-memory.dmp

Filesize
47.8MB

Download
memory/1420-82-0x0000000000400000-0x00000000033D3000-memory.dmp

Filesize
47.8MB

Download
memory/1420-83-0x0000000000400000-0x00000000033D3000-memory.dmp

Filesize
47.8MB

Download
memory/1420-84-0x0000000000400000-0x00000000033D3000-memory.dmp

Filesize
47.8MB

Download
memory/1420-85-0x0000000000400000-0x00000000033D3000-memory.dmp

Filesize
47.8MB

Download
memory/1420-86-0x0000000000400000-0x00000000033D3000-memory.dmp

Filesize
47.8MB

Download