Overview

overview

10

Static

static

3

870b37e024...cf.exe

windows7-x64

10

870b37e024...cf.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    22s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    18-05-2024 23:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe

  • Size

    4.4MB

  • MD5

    93bf1a918b8ea7bfd4d53f7f54de6282

  • SHA1

    b8aea380163f1a82bee3b41d1042261c06f70e04

  • SHA256

    870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf

  • SHA512

    ecfae311b2782766deabba0828e962e3211b2b355797a23568f51b500af0365f488afd2a69a0b915dd03129551bc527c047d183286cb337fdcffa9d0d8996066

  • SSDEEP

    1536:MNyqVAb8dnlAUTFTgKDzRDVE4jt5HMCceGzcfdRTgYtSp1C7Sqbz67:sZVAIBlAUJTznR7qCVGzcf7g2Sq67

Score
10/10
salitybackdoorevasionpersistencetrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

  • Modifies firewall policy service 2 TTPs 6 IoCs
    evasion
  • Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 12 IoCs
    evasiontrojan
  • Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 17 IoCs
  • UPX dump on OEP (original entry point) 18 IoCs
  • Disables RegEdit via registry modification 4 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies system executable filetype association 2 TTPs 4 IoCs
    persistence
  • UPX packed file 16 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 14 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 6 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 1 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 3 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 26 IoCs
  • Runs .reg file with regedit 44 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 41 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1040
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1148
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1192
          • C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe
            "C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf.exe"
            2⤵
            • Modifies firewall policy service
            • UAC bypass
            • Windows security bypass
            • Loads dropped DLL
            • Windows security modification
            • Checks whether UAC is enabled
            • Drops file in System32 directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:1904
            • C:\Windows\SysWOW64\explorer.exe
              explorer C:\Users\Admin\AppData\Local\Temp\870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf
              3⤵
                PID:2748
              • C:\Windows\SysWOW64\regedit.exe
                regedit /s C:\Users\Admin\AppData\Local\Temp\Funny!.reg
                3⤵
                • Modifies visibility of file extensions in Explorer
                • Disables RegEdit via registry modification
                • Modifies system executable filetype association
                • Adds Run key to start application
                • Modifies registry class
                • Runs .reg file with regedit
                PID:2620
              • C:\Windows\SysWOW64\scvhost.exe
                C:\Windows\System32\scvhost.exe
                3⤵
                • Modifies firewall policy service
                • UAC bypass
                • Windows security bypass
                • Deletes itself
                • Executes dropped EXE
                • Windows security modification
                • Checks whether UAC is enabled
                • Enumerates connected drives
                • Drops autorun.inf file
                • Drops file in System32 directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                • System policy modification
                PID:2916
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s C:\Windows\SysWOW64\Funny!.reg
                  4⤵
                  • Modifies visibility of file extensions in Explorer
                  • Disables RegEdit via registry modification
                  • Modifies system executable filetype association
                  • Adds Run key to start application
                  • Modifies registry class
                  • Runs .reg file with regedit
                  PID:1328
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s C:\Windows\SysWOW64\Funny!.reg
                  4⤵
                  • Modifies visibility of file extensions in Explorer
                  • Disables RegEdit via registry modification
                  • Modifies system executable filetype association
                  • Adds Run key to start application
                  • Modifies registry class
                  • Runs .reg file with regedit
                  PID:2552
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s C:\Windows\SysWOW64\Funny!.reg
                  4⤵
                  • Modifies visibility of file extensions in Explorer
                  • Disables RegEdit via registry modification
                  • Modifies system executable filetype association
                  • Adds Run key to start application
                  • Modifies registry class
                  • Runs .reg file with regedit
                  PID:1068
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s C:\Windows\SysWOW64\Funny!.reg
                  4⤵
                  • Runs .reg file with regedit
                  PID:2732
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s C:\Windows\SysWOW64\Funny!.reg
                  4⤵
                  • Runs .reg file with regedit
                  PID:2308
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s C:\Windows\SysWOW64\Funny!.reg
                  4⤵
                  • Runs .reg file with regedit
                  PID:3044
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s C:\Windows\SysWOW64\Funny!.reg
                  4⤵
                  • Runs .reg file with regedit
                  PID:1496
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s C:\Windows\SysWOW64\Funny!.reg
                  4⤵
                  • Runs .reg file with regedit
                  PID:864
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s C:\Windows\SysWOW64\Funny!.reg
                  4⤵
                  • Runs .reg file with regedit
                  PID:2296
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s C:\Windows\SysWOW64\Funny!.reg
                  4⤵
                  • Runs .reg file with regedit
                  PID:2316
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s C:\Windows\SysWOW64\Funny!.reg
                  4⤵
                  • Runs .reg file with regedit
                  PID:1660
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s C:\Windows\SysWOW64\Funny!.reg
                  4⤵
                  • Runs .reg file with regedit
                  PID:2140
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s C:\Windows\SysWOW64\Funny!.reg
                  4⤵
                  • Runs .reg file with regedit
                  PID:2236
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s C:\Windows\SysWOW64\Funny!.reg
                  4⤵
                  • Runs .reg file with regedit
                  PID:2716
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s C:\Windows\SysWOW64\Funny!.reg
                  4⤵
                  • Runs .reg file with regedit
                  PID:2820
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s C:\Windows\SysWOW64\Funny!.reg
                  4⤵
                  • Runs .reg file with regedit
                  PID:2676
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s C:\Windows\SysWOW64\Funny!.reg
                  4⤵
                  • Runs .reg file with regedit
                  PID:2192
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s C:\Windows\SysWOW64\Funny!.reg
                  4⤵
                  • Runs .reg file with regedit
                  PID:2636
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s C:\Windows\SysWOW64\Funny!.reg
                  4⤵
                  • Runs .reg file with regedit
                  PID:1360
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s C:\Windows\SysWOW64\Funny!.reg
                  4⤵
                  • Runs .reg file with regedit
                  PID:2524
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s C:\Windows\SysWOW64\Funny!.reg
                  4⤵
                  • Runs .reg file with regedit
                  PID:1720
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s C:\Windows\SysWOW64\Funny!.reg
                  4⤵
                  • Runs .reg file with regedit
                  PID:2144
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s C:\Windows\SysWOW64\Funny!.reg
                  4⤵
                  • Runs .reg file with regedit
                  PID:2344
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s C:\Windows\SysWOW64\Funny!.reg
                  4⤵
                  • Runs .reg file with regedit
                  PID:1232
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s C:\Windows\SysWOW64\Funny!.reg
                  4⤵
                  • Runs .reg file with regedit
                  PID:2188
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s C:\Windows\SysWOW64\Funny!.reg
                  4⤵
                  • Runs .reg file with regedit
                  PID:1880
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s C:\Windows\SysWOW64\Funny!.reg
                  4⤵
                  • Runs .reg file with regedit
                  PID:1220
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s C:\Windows\SysWOW64\Funny!.reg
                  4⤵
                  • Runs .reg file with regedit
                  PID:3028
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s C:\Windows\SysWOW64\Funny!.reg
                  4⤵
                  • Runs .reg file with regedit
                  PID:2808
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s C:\Windows\SysWOW64\Funny!.reg
                  4⤵
                  • Runs .reg file with regedit
                  PID:1624
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s C:\Windows\SysWOW64\Funny!.reg
                  4⤵
                  • Runs .reg file with regedit
                  PID:528
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s C:\Windows\SysWOW64\Funny!.reg
                  4⤵
                  • Runs .reg file with regedit
                  PID:1312
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s C:\Windows\SysWOW64\Funny!.reg
                  4⤵
                  • Runs .reg file with regedit
                  PID:840
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s C:\Windows\SysWOW64\Funny!.reg
                  4⤵
                  • Runs .reg file with regedit
                  PID:1744
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s C:\Windows\SysWOW64\Funny!.reg
                  4⤵
                  • Runs .reg file with regedit
                  PID:408
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s C:\Windows\SysWOW64\Funny!.reg
                  4⤵
                  • Runs .reg file with regedit
                  PID:2328
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s C:\Windows\SysWOW64\Funny!.reg
                  4⤵
                  • Runs .reg file with regedit
                  PID:1888
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s C:\Windows\SysWOW64\Funny!.reg
                  4⤵
                  • Runs .reg file with regedit
                  PID:1628
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s C:\Windows\SysWOW64\Funny!.reg
                  4⤵
                  • Runs .reg file with regedit
                  PID:1688
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s C:\Windows\SysWOW64\Funny!.reg
                  4⤵
                  • Runs .reg file with regedit
                  PID:696
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s C:\Windows\SysWOW64\Funny!.reg
                  4⤵
                  • Runs .reg file with regedit
                  PID:1644
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s C:\Windows\SysWOW64\Funny!.reg
                  4⤵
                  • Runs .reg file with regedit
                  PID:3008
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s C:\Windows\SysWOW64\Funny!.reg
                  4⤵
                  • Runs .reg file with regedit
                  PID:1792
          • C:\Windows\system32\DllHost.exe
            C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
            1⤵
              PID:2376
            • C:\Windows\explorer.exe
              C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
              1⤵
              • Drops file in Windows directory
              • Modifies Internet Explorer settings
              • Modifies registry class
              PID:2128

            Network

            MITRE ATT&CK Enterprise v15

            Reconnaissance

            Resource Development

            Initial Access

            Replication Through Removable Media

            1
            T1091

            Execution

            Persistence

            Boot or Logon Autostart Execution

            1
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Create or Modify System Process

            1
            T1543

            Windows Service

            1
            T1543.003

            Event Triggered Execution

            1
            T1546

            Change Default File Association

            1
            T1546.001

            Privilege Escalation

            Abuse Elevation Control Mechanism

            1
            T1548

            Bypass User Account Control

            1
            T1548.002

            Boot or Logon Autostart Execution

            1
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Create or Modify System Process

            1
            T1543

            Windows Service

            1
            T1543.003

            Event Triggered Execution

            1
            T1546

            Change Default File Association

            1
            T1546.001

            Defense Evasion

            Abuse Elevation Control Mechanism

            1
            T1548

            Bypass User Account Control

            1
            T1548.002

            Hide Artifacts

            1
            T1564

            Hidden Files and Directories

            1
            T1564.001

            Impair Defenses

            3
            T1562

            Disable or Modify Tools

            3
            T1562.001

            Modify Registry

            9
            T1112

            Credential Access

            Discovery

            Peripheral Device Discovery

            1
            T1120

            Query Registry

            1
            T1012

            System Information Discovery

            2
            T1082

            Lateral Movement

            Replication Through Removable Media

            1
            T1091

            Collection

            Command and Control

            Exfiltration

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\Funny!.reg
              Filesize

              649B

              MD5

              ca7cc4fbc1b64aca44aa87e06bdfb37c

              SHA1

              bf7b81080a8268a0370cada6f9123de4583be83a

              SHA256

              cd1763b9cf7b6064f2627f6f44fe057b339de6388475e97ecfa3e3423386b840

              SHA512

              6c20ea4830c6732a1a2c84dd070f9ac90ae394c1dc891310fe615bc1991b99ff47c95d142d6e88fbc0ea84eea1842624cfbf9fc20144785cbe445c15826f0437

              Download Submit

            • C:\Windows\SYSTEM.INI
              Filesize

              257B

              MD5

              2541422c2df73d3294e1887654b3d5c6

              SHA1

              3fb207821b55c3e60c9b367af848ceddc5eb5dfe

              SHA256

              e7a365827332c4a8845e7215924e6dc03c83407bb178d397ac72962b059ad033

              SHA512

              384d9cd07ffe3e09a222240818dc87b31a637c601f552d8c45943fdcedda0f308de1d3000d6d3ef4e89503344f0dde6af07de35f5c001188e3c9dacf0a931eba

              Download Submit

            • C:\Windows\SysWOW64\Funny!.reg
              Filesize

              575B

              MD5

              3d12304930d03f2cbbc4b7fc6fbe4994

              SHA1

              3270ce4fc3f7be8f318d5d88abbe04f412efb259

              SHA256

              c9c584407078a606b868fcbf5ccdf2648724969f6c79b882f15ec0a8773ec826

              SHA512

              d1014cafffe5f509986b9c0769563648d13db32b2a6247dda5beb5cadc8a11589c643c96da2ff6f8801a8581e0c5e8ee3550ad810af4d3658fe95a42efd6dabb

              Download Submit

            • C:\Windows\SysWOW64\scvhost.exe
              Filesize

              4.4MB

              MD5

              93bf1a918b8ea7bfd4d53f7f54de6282

              SHA1

              b8aea380163f1a82bee3b41d1042261c06f70e04

              SHA256

              870b37e02431b79bfe5debcb2a6f27f67a255a96b5ce0b7cf270720cb0f7a3cf

              SHA512

              ecfae311b2782766deabba0828e962e3211b2b355797a23568f51b500af0365f488afd2a69a0b915dd03129551bc527c047d183286cb337fdcffa9d0d8996066

              Download Submit

            • C:\autorun.inf
              Filesize

              272B

              MD5

              45ba818e996f339032a55885dcc84e33

              SHA1

              4af8a3e2594637f916e2967378b8d618fd7cd90a

              SHA256

              71a17ebeb1257b5f9d9e4d7b9dfd2a9385873b6d70795ecd30f1d60cb01401ea

              SHA512

              958f3368481e75866beba49ae4efb403daa8fe5aa77c2e30122807b1db676f2c7c8624f2bb74316e6c36d4185edd994fadb99072a4c2c041845f5b88561fb8e0

              Download Submit

            • C:\yyvue.pif
              Filesize

              100KB

              MD5

              818c3dd912f5417e6fcd61372c83013f

              SHA1

              2ef4c94a3f7404ba7a5d80b337af8952ac782003

              SHA256

              440a873cb9aa5d0080e3b5be89b546b0ceab270e314743235efae52ad5a5d0c7

              SHA512

              0af897468bbef87eaa5f89fa0b527d4b654abc98104d758d3ccd8edb90ae5dec2f124253122c0dee93efedf45c3b7703d0cc346cdab7932dc870cbd118afb90f

              Download Submit

            • memory/1040-10-0x00000000021B0000-0x00000000021B2000-memory.dmp

              Filesize

              8KB

              Download

            • memory/1904-55-0x0000000002620000-0x00000000036AE000-memory.dmp

              Filesize

              16.6MB

              Download

            • memory/1904-51-0x00000000058B0000-0x00000000058CE000-memory.dmp

              Filesize

              120KB

              Download

            • memory/1904-4-0x0000000002620000-0x00000000036AE000-memory.dmp

              Filesize

              16.6MB

              Download

            • memory/1904-32-0x00000000004B0000-0x00000000004B2000-memory.dmp

              Filesize

              8KB

              Download

            • memory/1904-6-0x0000000002620000-0x00000000036AE000-memory.dmp

              Filesize

              16.6MB

              Download

            • memory/1904-29-0x00000000004B0000-0x00000000004B2000-memory.dmp

              Filesize

              8KB

              Download

            • memory/1904-8-0x0000000002620000-0x00000000036AE000-memory.dmp

              Filesize

              16.6MB

              Download

            • memory/1904-27-0x00000000025B0000-0x00000000025B1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1904-18-0x00000000025B0000-0x00000000025B1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1904-17-0x00000000004B0000-0x00000000004B2000-memory.dmp

              Filesize

              8KB

              Download

            • memory/1904-35-0x0000000002620000-0x00000000036AE000-memory.dmp

              Filesize

              16.6MB

              Download

            • memory/1904-7-0x0000000002620000-0x00000000036AE000-memory.dmp

              Filesize

              16.6MB

              Download

            • memory/1904-34-0x0000000002620000-0x00000000036AE000-memory.dmp

              Filesize

              16.6MB

              Download

            • memory/1904-31-0x0000000002620000-0x00000000036AE000-memory.dmp

              Filesize

              16.6MB

              Download

            • memory/1904-74-0x0000000002620000-0x00000000036AE000-memory.dmp

              Filesize

              16.6MB

              Download

            • memory/1904-26-0x0000000002620000-0x00000000036AE000-memory.dmp

              Filesize

              16.6MB

              Download

            • memory/1904-50-0x00000000058B0000-0x00000000058CE000-memory.dmp

              Filesize

              120KB

              Download

            • memory/1904-9-0x0000000002620000-0x00000000036AE000-memory.dmp

              Filesize

              16.6MB

              Download

            • memory/1904-73-0x0000000000400000-0x000000000041E000-memory.dmp

              Filesize

              120KB

              Download

            • memory/1904-56-0x0000000002620000-0x00000000036AE000-memory.dmp

              Filesize

              16.6MB

              Download

            • memory/1904-0-0x0000000000400000-0x000000000041E000-memory.dmp

              Filesize

              120KB

              Download

            • memory/2128-58-0x0000000003AE0000-0x0000000003AF0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2748-41-0x00000000002F0000-0x00000000002F2000-memory.dmp

              Filesize

              8KB

              Download

            • memory/2748-28-0x0000000000340000-0x0000000000341000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2748-30-0x00000000002F0000-0x00000000002F2000-memory.dmp

              Filesize

              8KB

              Download

            • memory/2748-33-0x00000000002F0000-0x00000000002F2000-memory.dmp

              Filesize

              8KB

              Download

            • memory/2916-52-0x0000000000400000-0x000000000041E000-memory.dmp

              Filesize

              120KB

              Download

            • memory/2916-94-0x0000000003A10000-0x0000000004A9E000-memory.dmp

              Filesize

              16.6MB

              Download

            • memory/2916-91-0x0000000003A10000-0x0000000004A9E000-memory.dmp

              Filesize

              16.6MB

              Download

            • memory/2916-93-0x0000000003A10000-0x0000000004A9E000-memory.dmp

              Filesize

              16.6MB

              Download

            • memory/2916-110-0x00000000004C0000-0x00000000004C1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2916-96-0x0000000003A10000-0x0000000004A9E000-memory.dmp

              Filesize

              16.6MB

              Download