2ef38ea449b172cef5e1015bc4b5e37de8ece7d4be087b6bdded5a992493e7aa

Analysis

max time kernel
142s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 08:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

kopiya_skrinchot_1C.pdf.scr
Size

89KB
MD5

41d7820cf6e3b3ce7596d3be4288342f
SHA1

a2e55e3699e86ecaa4114aca86e91031f7ad68dc
SHA256

7a79bb8b4c55f11b463efee0c8cbfaf24c85daac04b67f4f4c25f6851dda57df
SHA512

f45ade0d30134680100664987dcc887b0062c9f9f31fb22606050b23d4df542e3050309ba9a4b2a2dc84141f35f3349d4a2e0fc5a9770a3278f29159461e9e61
SSDEEP

1536:ur/2Yr5qt36/v1jq8zE8z2dyqlVWIsPW3oqjHNgCx:uz2u8k1G8zE8F7qRrx

Score

8^/10

discovery persistence spyware stealer

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

wuapihost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\USBSafeManager\Parameters\ServiceDLL = "C:\\ProgramData\\TektonIT\\Image\\msimg32.dll"	wuapihost.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

kopiya_skrinchot_1C.pdf.scrrmsvnc.exewuapihost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	kopiya_skrinchot_1C.pdf.scr
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	rmsvnc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	wuapihost.exe

Executes dropped EXE 6 IoCs

Processes:

rmsvnc.exeBUILD14052024.exermsvnc.exeBUILD14052024.tmpSilverlight.Configuration.exewuapihost.exe

pid process

4900 rmsvnc.exe
4680 BUILD14052024.exe
4008 rmsvnc.exe
2000 BUILD14052024.tmp
2256 Silverlight.Configuration.exe
440 wuapihost.exe
Loads dropped DLL 5 IoCs

Processes:

Silverlight.Configuration.exewuapihost.exesvchost.exe

pid process

2256 Silverlight.Configuration.exe
440 wuapihost.exe
440 wuapihost.exe
440 wuapihost.exe
4168 svchost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4900	rmsvnc.exe
4680	BUILD14052024.exe
4008	rmsvnc.exe
2000	BUILD14052024.tmp
2256	Silverlight.Configuration.exe
440	wuapihost.exe

pid	process
2256	Silverlight.Configuration.exe
440	wuapihost.exe
440	wuapihost.exe
440	wuapihost.exe
4168	svchost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

kopiya_skrinchot_1C.pdf.scrrmsvnc.exewuapihost.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Akyidu = "C:\\Users\\Admin\\AppData\\Roaming\\Akyidu.exe"	kopiya_skrinchot_1C.pdf.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wctobptok = "C:\\Users\\Admin\\AppData\\Roaming\\Wctobptok.exe"	rmsvnc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Silverlight.Configuration.exe = "\"C:\\ProgramData\\TektonIT\\Image\\Silverlight.Configuration.exe\""	wuapihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rmsvnc = "C:\\Users\\Admin\\AppData\\Roaming\\rmsvnc.exe"	powershell.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

Processes:

kopiya_skrinchot_1C.pdf.scrrmsvnc.exe

description	pid	process	target process
PID 1404 set thread context of 4528	1404	kopiya_skrinchot_1C.pdf.scr	kopiya_skrinchot_1C.pdf.scr
PID 4900 set thread context of 4008	4900	rmsvnc.exe	rmsvnc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

kopiya_skrinchot_1C.pdf.scrpowershell.exewuapihost.exe

pid	process
4528	kopiya_skrinchot_1C.pdf.scr
3480	powershell.exe
3480	powershell.exe
440	wuapihost.exe
440	wuapihost.exe
440	wuapihost.exe
440	wuapihost.exe
440	wuapihost.exe
440	wuapihost.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

kopiya_skrinchot_1C.pdf.scrrmsvnc.exekopiya_skrinchot_1C.pdf.scrrmsvnc.exepowershell.exewuapihost.exe

description	pid	process
Token: SeDebugPrivilege	1404	kopiya_skrinchot_1C.pdf.scr
Token: SeDebugPrivilege	1404	kopiya_skrinchot_1C.pdf.scr
Token: SeDebugPrivilege	4900	rmsvnc.exe
Token: SeDebugPrivilege	4528	kopiya_skrinchot_1C.pdf.scr
Token: SeBackupPrivilege	4528	kopiya_skrinchot_1C.pdf.scr
Token: SeSecurityPrivilege	4528	kopiya_skrinchot_1C.pdf.scr
Token: SeSecurityPrivilege	4528	kopiya_skrinchot_1C.pdf.scr
Token: SeSecurityPrivilege	4528	kopiya_skrinchot_1C.pdf.scr
Token: SeSecurityPrivilege	4528	kopiya_skrinchot_1C.pdf.scr
Token: SeDebugPrivilege	4900	rmsvnc.exe
Token: SeDebugPrivilege	4008	rmsvnc.exe
Token: SeDebugPrivilege	3480	powershell.exe
Token: SeTakeOwnershipPrivilege	440	wuapihost.exe
Token: SeTcbPrivilege	440	wuapihost.exe
Token: SeTcbPrivilege	440	wuapihost.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

wuapihost.exe

pid process

440 wuapihost.exe
440 wuapihost.exe
440 wuapihost.exe
440 wuapihost.exe
440 wuapihost.exe

pid	process
440	wuapihost.exe
440	wuapihost.exe
440	wuapihost.exe
440	wuapihost.exe
440	wuapihost.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

kopiya_skrinchot_1C.pdf.scrrmsvnc.exeBUILD14052024.exermsvnc.exeSilverlight.Configuration.exe

description	pid	process	target process
PID 1404 wrote to memory of 4900	1404	kopiya_skrinchot_1C.pdf.scr	rmsvnc.exe
PID 1404 wrote to memory of 4900	1404	kopiya_skrinchot_1C.pdf.scr	rmsvnc.exe
PID 1404 wrote to memory of 4900	1404	kopiya_skrinchot_1C.pdf.scr	rmsvnc.exe
PID 1404 wrote to memory of 4528	1404	kopiya_skrinchot_1C.pdf.scr	kopiya_skrinchot_1C.pdf.scr
PID 1404 wrote to memory of 4528	1404	kopiya_skrinchot_1C.pdf.scr	kopiya_skrinchot_1C.pdf.scr
PID 1404 wrote to memory of 4528	1404	kopiya_skrinchot_1C.pdf.scr	kopiya_skrinchot_1C.pdf.scr
PID 1404 wrote to memory of 4528	1404	kopiya_skrinchot_1C.pdf.scr	kopiya_skrinchot_1C.pdf.scr
PID 1404 wrote to memory of 4528	1404	kopiya_skrinchot_1C.pdf.scr	kopiya_skrinchot_1C.pdf.scr
PID 1404 wrote to memory of 4528	1404	kopiya_skrinchot_1C.pdf.scr	kopiya_skrinchot_1C.pdf.scr
PID 1404 wrote to memory of 4528	1404	kopiya_skrinchot_1C.pdf.scr	kopiya_skrinchot_1C.pdf.scr
PID 1404 wrote to memory of 4528	1404	kopiya_skrinchot_1C.pdf.scr	kopiya_skrinchot_1C.pdf.scr
PID 4900 wrote to memory of 4680	4900	rmsvnc.exe	BUILD14052024.exe
PID 4900 wrote to memory of 4680	4900	rmsvnc.exe	BUILD14052024.exe
PID 4900 wrote to memory of 4680	4900	rmsvnc.exe	BUILD14052024.exe
PID 4900 wrote to memory of 4008	4900	rmsvnc.exe	rmsvnc.exe
PID 4900 wrote to memory of 4008	4900	rmsvnc.exe	rmsvnc.exe
PID 4900 wrote to memory of 4008	4900	rmsvnc.exe	rmsvnc.exe
PID 4900 wrote to memory of 4008	4900	rmsvnc.exe	rmsvnc.exe
PID 4900 wrote to memory of 4008	4900	rmsvnc.exe	rmsvnc.exe
PID 4900 wrote to memory of 4008	4900	rmsvnc.exe	rmsvnc.exe
PID 4900 wrote to memory of 4008	4900	rmsvnc.exe	rmsvnc.exe
PID 4900 wrote to memory of 4008	4900	rmsvnc.exe	rmsvnc.exe
PID 4680 wrote to memory of 2000	4680	BUILD14052024.exe	BUILD14052024.tmp
PID 4680 wrote to memory of 2000	4680	BUILD14052024.exe	BUILD14052024.tmp
PID 4680 wrote to memory of 2000	4680	BUILD14052024.exe	BUILD14052024.tmp
PID 4008 wrote to memory of 3480	4008	rmsvnc.exe	powershell.exe
PID 4008 wrote to memory of 3480	4008	rmsvnc.exe	powershell.exe
PID 4008 wrote to memory of 3480	4008	rmsvnc.exe	powershell.exe
PID 2256 wrote to memory of 440	2256	Silverlight.Configuration.exe	wuapihost.exe
PID 2256 wrote to memory of 440	2256	Silverlight.Configuration.exe	wuapihost.exe
PID 2256 wrote to memory of 440	2256	Silverlight.Configuration.exe	wuapihost.exe

C:\Users\Admin\AppData\Local\Temp\kopiya_skrinchot_1C.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\kopiya_skrinchot_1C.pdf.scr" /S
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1404

C:\Users\Admin\AppData\Local\Temp\rmsvnc.exe
"C:\Users\Admin\AppData\Local\Temp\rmsvnc.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4900

C:\Users\Admin\AppData\Local\Temp\BUILD14052024.exe
"C:\Users\Admin\AppData\Local\Temp\BUILD14052024.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4680

C:\Users\Admin\AppData\Local\Temp\is-N3II6.tmp\BUILD14052024.tmp
"C:\Users\Admin\AppData\Local\Temp\is-N3II6.tmp\BUILD14052024.tmp" /SL5="$5024E,6664945,57856,C:\Users\Admin\AppData\Local\Temp\BUILD14052024.exe"
4⤵
- Executes dropped EXE
PID:2000

C:\Users\Admin\AppData\Local\Temp\rmsvnc.exe
"C:\Users\Admin\AppData\Local\Temp\rmsvnc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4008

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'rmsvnc';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'rmsvnc' -Value '"C:\Users\Admin\AppData\Roaming\rmsvnc.exe"' -PropertyType 'String'
4⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3480

C:\Users\Admin\AppData\Local\Temp\kopiya_skrinchot_1C.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\kopiya_skrinchot_1C.pdf.scr"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4528

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4204

C:\ProgramData\TektonIT\Image\Silverlight.Configuration.exe
C:\ProgramData\TektonIT\Image\Silverlight.Configuration.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2256

C:\ProgramData\TektonIT\Image\wuapihost.exe
"C:\ProgramData\TektonIT\Image\wuapihost.exe"
2⤵
- Sets DLL path for service in the registry
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:440

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "USBSafeManagerGrp" -svcr "wuapihost.exe" -s USBSafeManager
1⤵
- Loads dropped DLL
PID:4168

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TektonIT\Image\Silverlight.Configuration.exe
Filesize
231KB

MD5
17e40315660830aa625483bbf608730c

SHA1
c8f5825499315eaf4b5046ff79ac9553e71ad1c0

SHA256
f11009988b813821857c8d2db0f88e1d45b20762f62a3cf432339f352b12cefe

SHA512
0a3468dcff23ccb2458a8241388b7092d0711a4ebb491d5d8141cc352db8008fc6afc9af1e668104ac657fb4b3651ebcfdf1575557ff918d0f0905cd88c59e85

Download Submit
C:\ProgramData\TektonIT\Image\libeay32.dll
Filesize
1.3MB

MD5
d9871a6ba02aacf3d51e6c168d9c6066

SHA1
42012a0116a9e8aed16c7298bd43cb1206a0f0cd

SHA256
7975ac81130ae8fe09caf6bef313c44fe064b67ed9205f0bd11ac165386e2f95

SHA512
ae9118dac893097cd0e388ce45ff76c26b99b1cc9aea59547cc1dedf00bfbaf575f3d05317fac2f3f8b5c97896f6080bea9a90425333dbf02013eb01a002e43f

Download Submit
C:\ProgramData\TektonIT\Image\msimg32.dll
Filesize
190KB

MD5
2c49f46aceb1c8b62f8c47711b381f5c

SHA1
b8a9479f9031b7106915d40a0a1ec733e192be0a

SHA256
702db5ce9f9ce7af433146796263c795dfdf065b10e914bc54fd23af5d33e793

SHA512
ee6746ce4ff210747dea520d4e9a0525a139bfd331dcb885a8a4bb7f758a526ffe6ae1403df8dbc2846016eddab2e79be4f27aaa71b48284377d0f6f1dce6205

Download Submit
C:\ProgramData\TektonIT\Image\settings.dat
Filesize
5KB

MD5
0e7ba2cb293b0068f7016063f1724d50

SHA1
0a1fbad5c284cde95559e2ceb1a59579336337ff

SHA256
d36aa23d6d4d64937fb02f67da38a03f51221ed68917e7148ff005ba8bc4454d

SHA512
eb1a7309846c0cd614bb0de519248a2c17a3cbc6f06f8f45df4b1d04786687e1923c0ff2cdf08e7cf74a1071687160445ee6e76be8364b4a27befccab7e4fe5e

Download Submit
C:\ProgramData\TektonIT\Image\ssleay32.dll
Filesize
337KB

MD5
fe6d8feaeae983513e0a9a223604041b

SHA1
efa54892735d331a24b707068040e5a697455cee

SHA256
af029ac96a935594de92f771ef86c3e92fe22d08cb78ebf815cbfd4ef0cb94b0

SHA512
a78b1643c9ea02004aabefc9c72d418ee3292edb63a90002608ac02ad4e1a92d86b0fc95e66d6d4b49404c1fc75845d0e6262821b6052ab037b4542fcaf2047d

Download Submit
C:\ProgramData\TektonIT\Image\wuapihost.exe
Filesize
19.8MB

MD5
31c0bafc3f6e6c7322a7a32ac1bd87da

SHA1
42fd1a41e1eef5998de674ec068c702f1ee3b4f3

SHA256
f2a5023cd559597a1b70a7e02345fb9c80b740377fcf7341d5df2d462efafda5

SHA512
ab8dcda75a2e9c4d7dfcc23e76b3ca76b4ec5f1fbf24007bf0e9707de17461c5016ec9005dae3f62e34f586452aa145871d371536572365b35bf33b43a8d24ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\kopiya_skrinchot_1C.pdf.scr.log
Filesize
1KB

MD5
489c7565f9b029ba9fadff774073cc98

SHA1
56c05089b33ee7e7dfa9e6a2d098164efd8e1150

SHA256
10bf6242da02dad8b2e1208b9dab9a7303cf986320e05e5ef20b99c9b71326d4

SHA512
ddea09c011a8d4f85905842c2f34c98add0110a0b6b3b2709718c3614a2c42dec5f4f5d5b9442cfd3c6c23e9a90c8c0b25c14c3dbd42faea9cc8dd232cace1ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\BUILD14052024.exe
Filesize
6.6MB

MD5
396457dacbfd2a64e92e331fc0fdf668

SHA1
bed38e377263954e5948193ccd55e8ba59e5372a

SHA256
92d65e200d729beac212563a7559fbdc657a4832d462e02dab4d937b5571983c

SHA512
55a081bf9346a04c80d3e6490ee3889823fba4e08067fd1fc8e0820ee0074ee2dda768cb455069aba0eebf55cf13141b8e47058c241b83849e0d037edd157526

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_exe22cnt.vl4.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N3II6.tmp\BUILD14052024.tmp
Filesize
697KB

MD5
832dab307e54aa08f4b6cdd9b9720361

SHA1
ebd007fb7482040ecf34339e4bf917209c1018df

SHA256
cc783a04ccbca4edd06564f8ec88fe5a15f1e3bb26cec7de5e090313520d98f3

SHA512
358d43522fd460eb1511708e4df22ea454a95e5bc3c4841931027b5fa3fb1dda05d496d8ad0a8b9279b99e6be74220fe243db8f08ef49845e9fb35c350ef4b49

Download Submit
C:\Users\Admin\AppData\Local\Temp\rmsvnc.exe
Filesize
89KB

MD5
cb66d957827558cf1da14a7b1540be18

SHA1
1244a28c79de7b7c7397f5528ca61bb70063616c

SHA256
20a77d76f250b75309e8ccaf1470d9729dc99b95168085ff30b1e46be6ce2138

SHA512
a4c8518b9f1202e160b3ca407a840b180afa4c3479c25568453ecd0f9aac88507de7a0a40c7114b47ec2ddec8f2168e5b0d7b7b0171c90b683abde1c0c949619

Download Submit
memory/1404-45-0x0000000006430000-0x0000000006683000-memory.dmp

Filesize
2.3MB

Download
memory/1404-4891-0x0000000005BB0000-0x0000000005C44000-memory.dmp

Filesize
592KB

Download
memory/1404-51-0x0000000006430000-0x0000000006683000-memory.dmp

Filesize
2.3MB

Download
memory/1404-49-0x0000000006430000-0x0000000006683000-memory.dmp

Filesize
2.3MB

Download
memory/1404-47-0x0000000006430000-0x0000000006683000-memory.dmp

Filesize
2.3MB

Download
memory/1404-55-0x0000000006430000-0x0000000006683000-memory.dmp

Filesize
2.3MB

Download
memory/1404-43-0x0000000006430000-0x0000000006683000-memory.dmp

Filesize
2.3MB

Download
memory/1404-42-0x0000000006430000-0x0000000006683000-memory.dmp

Filesize
2.3MB

Download
memory/1404-37-0x0000000006430000-0x0000000006683000-memory.dmp

Filesize
2.3MB

Download
memory/1404-35-0x0000000006430000-0x0000000006683000-memory.dmp

Filesize
2.3MB

Download
memory/1404-31-0x0000000006430000-0x0000000006683000-memory.dmp

Filesize
2.3MB

Download
memory/1404-27-0x0000000006430000-0x0000000006683000-memory.dmp

Filesize
2.3MB

Download
memory/1404-25-0x0000000006430000-0x0000000006683000-memory.dmp

Filesize
2.3MB

Download
memory/1404-21-0x0000000006430000-0x0000000006683000-memory.dmp

Filesize
2.3MB

Download
memory/1404-19-0x0000000006430000-0x0000000006683000-memory.dmp

Filesize
2.3MB

Download
memory/1404-30-0x0000000006430000-0x0000000006683000-memory.dmp

Filesize
2.3MB

Download
memory/1404-15-0x0000000006430000-0x0000000006683000-memory.dmp

Filesize
2.3MB

Download
memory/1404-13-0x0000000006430000-0x0000000006683000-memory.dmp

Filesize
2.3MB

Download
memory/1404-11-0x0000000006430000-0x0000000006683000-memory.dmp

Filesize
2.3MB

Download
memory/1404-9-0x0000000006430000-0x0000000006683000-memory.dmp

Filesize
2.3MB

Download
memory/1404-5-0x0000000006430000-0x0000000006683000-memory.dmp

Filesize
2.3MB

Download
memory/1404-65-0x0000000006430000-0x0000000006683000-memory.dmp

Filesize
2.3MB

Download
memory/1404-63-0x0000000006430000-0x0000000006683000-memory.dmp

Filesize
2.3MB

Download
memory/1404-61-0x0000000006430000-0x0000000006683000-memory.dmp

Filesize
2.3MB

Download
memory/1404-67-0x0000000006430000-0x0000000006683000-memory.dmp

Filesize
2.3MB

Download
memory/1404-59-0x0000000006430000-0x0000000006683000-memory.dmp

Filesize
2.3MB

Download
memory/1404-4890-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/1404-53-0x0000000006430000-0x0000000006683000-memory.dmp

Filesize
2.3MB

Download
memory/1404-4892-0x0000000005AE0000-0x0000000005B2C000-memory.dmp

Filesize
304KB

Download
memory/1404-57-0x0000000006430000-0x0000000006683000-memory.dmp

Filesize
2.3MB

Download
memory/1404-4905-0x0000000008020000-0x00000000085C4000-memory.dmp

Filesize
5.6MB

Download
memory/1404-4906-0x00000000060F0000-0x0000000006144000-memory.dmp

Filesize
336KB

Download
memory/1404-0-0x0000000074BAE000-0x0000000074BAF000-memory.dmp

Filesize
4KB

Download
memory/1404-1-0x0000000000850000-0x000000000086C000-memory.dmp

Filesize
112KB

Download
memory/1404-2-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/1404-39-0x0000000006430000-0x0000000006683000-memory.dmp

Filesize
2.3MB

Download
memory/1404-33-0x0000000006430000-0x0000000006683000-memory.dmp

Filesize
2.3MB

Download
memory/1404-23-0x0000000006430000-0x0000000006683000-memory.dmp

Filesize
2.3MB

Download
memory/1404-4914-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/1404-3-0x0000000006430000-0x000000000668A000-memory.dmp

Filesize
2.4MB

Download
memory/1404-7-0x0000000006430000-0x0000000006683000-memory.dmp

Filesize
2.3MB

Download
memory/1404-17-0x0000000006430000-0x0000000006683000-memory.dmp

Filesize
2.3MB

Download
memory/1404-4-0x0000000006430000-0x0000000006683000-memory.dmp

Filesize
2.3MB

Download
memory/3480-16106-0x0000000006730000-0x000000000674E000-memory.dmp

Filesize
120KB

Download
memory/3480-16090-0x0000000006100000-0x0000000006454000-memory.dmp

Filesize
3.3MB

Download
memory/3480-16107-0x0000000006760000-0x00000000067AC000-memory.dmp

Filesize
304KB

Download
memory/3480-16076-0x0000000005F30000-0x0000000005F96000-memory.dmp

Filesize
408KB

Download
memory/3480-16074-0x0000000005E90000-0x0000000005EB2000-memory.dmp

Filesize
136KB

Download
memory/3480-16073-0x0000000005830000-0x0000000005E58000-memory.dmp

Filesize
6.2MB

Download
memory/3480-16069-0x0000000002E40000-0x0000000002E76000-memory.dmp

Filesize
216KB

Download
memory/3480-16116-0x0000000006C10000-0x0000000006C2A000-memory.dmp

Filesize
104KB

Download
memory/3480-16115-0x0000000007960000-0x00000000079F6000-memory.dmp

Filesize
600KB

Download
memory/3480-16117-0x0000000006C60000-0x0000000006C82000-memory.dmp

Filesize
136KB

Download
memory/4008-9838-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4008-9839-0x00000000051E0000-0x00000000052BC000-memory.dmp

Filesize
880KB

Download
memory/4528-4923-0x0000000007AA0000-0x0000000007AEC000-memory.dmp

Filesize
304KB

Download
memory/4528-4927-0x0000000009610000-0x00000000097D2000-memory.dmp

Filesize
1.8MB

Download
memory/4528-4921-0x0000000006770000-0x0000000006782000-memory.dmp

Filesize
72KB

Download
memory/4528-4922-0x0000000007A60000-0x0000000007A9C000-memory.dmp

Filesize
240KB

Download
memory/4528-5305-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/4528-4928-0x0000000009D10000-0x000000000A23C000-memory.dmp

Filesize
5.2MB

Download
memory/4528-4926-0x0000000008000000-0x000000000801E000-memory.dmp

Filesize
120KB

Download
memory/4528-4925-0x00000000086E0000-0x0000000008756000-memory.dmp

Filesize
472KB

Download
memory/4528-4920-0x0000000007B30000-0x0000000007C3A000-memory.dmp

Filesize
1.0MB

Download
memory/4528-4916-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/4528-4915-0x0000000004BB0000-0x0000000004C42000-memory.dmp

Filesize
584KB

Download
memory/4528-4913-0x0000000000370000-0x00000000003F0000-memory.dmp

Filesize
512KB

Download
memory/4528-4924-0x0000000007D20000-0x0000000007D86000-memory.dmp

Filesize
408KB

Download
memory/4528-4919-0x0000000008040000-0x0000000008658000-memory.dmp

Filesize
6.1MB

Download
memory/4528-4918-0x0000000004C70000-0x0000000004C7A000-memory.dmp

Filesize
40KB

Download
memory/4528-4917-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/4900-4929-0x000000000AD10000-0x000000000B62A000-memory.dmp

Filesize
9.1MB

Download
memory/4900-4907-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/4900-9817-0x0000000009D10000-0x000000000A466000-memory.dmp

Filesize
7.3MB

Download
memory/4900-4904-0x0000000000E60000-0x0000000000E7C000-memory.dmp

Filesize
112KB

Download
memory/4900-4908-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/4900-9856-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download