8736514ffd25ec6121a53f017e6bd524bdc840f54f246d10953ed129905a828a

Resubmissions

24/07/2024, 09:18

240724-k9p5ws1fmf 7

24/07/2024, 09:00

240724-kybs5a1bka 7

Analysis

max time kernel
55s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
24/07/2024, 09:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

runme.exe
Size

6.2MB
MD5

89f99b96ddd54a813fb0719f972ce962
SHA1

a37b8e8579a21deb4fece12f6d9a8538d7293f14
SHA256

8736514ffd25ec6121a53f017e6bd524bdc840f54f246d10953ed129905a828a
SHA512

57d4c3eabd9baba5b89c6a22e66cb5fb472e98cd0ceb6b3f300d85d00c5f0070d0c449243ef7bfee1c932231068758fc4f427465d8259706ba5b82132901f5f4
SSDEEP

98304:hTcD5a29JQu1lfjFzjtQZzN+aKHtv+5iUyB2:+M2X/VHQHb5iUyB2

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5688	Bt.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2280 set thread context of 5048	2280	tcpsvcs.exe	86

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SearchIndexer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	runme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tcpsvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ = "cBluetoothDaemon"	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\ = "BtDaemon"	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Roaming\\GcDownload\\PFBVTLVOCYH"	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}"	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\ = "BtDaemon.cBluetoothDaemon"	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\VERSION\ = "2.1"	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid32	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\0\win32	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\Version = "2.1"	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\Forward	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\LocalServer32	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}"	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\Programmable	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\GcDownload\\PFBVTLVOCYH\\Bt.exe"	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ = "cBluetoothDaemon"	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\0\win32\ = "C:\\Users\\Admin\\AppData\\Roaming\\GcDownload\\PFBVTLVOCYH\\Bt.exe"	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ = "_cBluetoothDaemon"	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}"	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}"	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\Forward\ = "{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}"	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ = "__cBluetoothDaemon"	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}"	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\Version = "2.1"	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ = "__cBluetoothDaemon"	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon\ = "BtDaemon.cBluetoothDaemon"	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\FLAGS\ = "0"	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\0	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\ProgID\ = "BtDaemon.cBluetoothDaemon"	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\Forward	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ = "cBluetoothDaemon"	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\FLAGS	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ = "_cBluetoothDaemon"	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\Version = "2.1"	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}"	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\Forward\ = "{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}"	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\Version = "2.1"	Bt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\TypeLib	Bt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}"	Bt.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2280	tcpsvcs.exe
2280	tcpsvcs.exe
5048	more.com
5048	more.com

Suspicious behavior: MapViewOfSection 16 IoCs

pid	Process
2280	tcpsvcs.exe
2280	tcpsvcs.exe
2280	tcpsvcs.exe
5688	Bt.exe
5688	Bt.exe
5688	Bt.exe
5688	Bt.exe
5688	Bt.exe
5688	Bt.exe
5048	more.com
5048	more.com
2280	tcpsvcs.exe
5672	SearchIndexer.exe
5672	SearchIndexer.exe
5672	SearchIndexer.exe
5048	more.com

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5688	Bt.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 2280	4936	runme.exe	81
PID 4936 wrote to memory of 2280	4936	runme.exe	81
PID 4936 wrote to memory of 2280	4936	runme.exe	81
PID 4936 wrote to memory of 2280	4936	runme.exe	81
PID 4936 wrote to memory of 2280	4936	runme.exe	81
PID 4936 wrote to memory of 2280	4936	runme.exe	81
PID 4936 wrote to memory of 2280	4936	runme.exe	81
PID 4936 wrote to memory of 2280	4936	runme.exe	81
PID 4936 wrote to memory of 2280	4936	runme.exe	81
PID 4936 wrote to memory of 2280	4936	runme.exe	81
PID 4936 wrote to memory of 2280	4936	runme.exe	81
PID 4936 wrote to memory of 2280	4936	runme.exe	81
PID 4936 wrote to memory of 2280	4936	runme.exe	81
PID 4936 wrote to memory of 2280	4936	runme.exe	81
PID 2280 wrote to memory of 5688	2280	tcpsvcs.exe	83
PID 2280 wrote to memory of 5688	2280	tcpsvcs.exe	83
PID 2280 wrote to memory of 5688	2280	tcpsvcs.exe	83
PID 2280 wrote to memory of 5688	2280	tcpsvcs.exe	83
PID 2280 wrote to memory of 5688	2280	tcpsvcs.exe	83
PID 2280 wrote to memory of 5688	2280	tcpsvcs.exe	83
PID 2280 wrote to memory of 5688	2280	tcpsvcs.exe	83
PID 2280 wrote to memory of 5048	2280	tcpsvcs.exe	86
PID 2280 wrote to memory of 5048	2280	tcpsvcs.exe	86
PID 2280 wrote to memory of 5048	2280	tcpsvcs.exe	86
PID 2280 wrote to memory of 5048	2280	tcpsvcs.exe	86
PID 2280 wrote to memory of 5048	2280	tcpsvcs.exe	86
PID 2280 wrote to memory of 5048	2280	tcpsvcs.exe	86
PID 2280 wrote to memory of 5048	2280	tcpsvcs.exe	86
PID 2280 wrote to memory of 5048	2280	tcpsvcs.exe	86
PID 5048 wrote to memory of 5672	5048	more.com	88
PID 5048 wrote to memory of 5672	5048	more.com	88
PID 5048 wrote to memory of 5672	5048	more.com	88
PID 5048 wrote to memory of 5672	5048	more.com	88
PID 5048 wrote to memory of 5672	5048	more.com	88
PID 5048 wrote to memory of 5672	5048	more.com	88
PID 5048 wrote to memory of 5672	5048	more.com	88

C:\Users\Admin\AppData\Local\Temp\runme.exe
"C:\Users\Admin\AppData\Local\Temp\runme.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Windows\SysWOW64\tcpsvcs.exe
  "C:\Users\Admin\AppData\Local\Temp\runme.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Users\Admin\AppData\Roaming\GcDownload\PFBVTLVOCYH\Bt.exe
    C:\Users\Admin\AppData\Roaming\GcDownload\PFBVTLVOCYH\Bt.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    PID:5688
- - C:\Windows\SysWOW64\more.com
    C:\Windows\SysWOW64\more.com
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:5048
  - - C:\Windows\SysWOW64\SearchIndexer.exe
      C:\Windows\SysWOW64\SearchIndexer.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      PID:5672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4ff58f52

Filesize
1.1MB

MD5
ac4a10b816c297d3a174eb4b79b8cb42

SHA1
361eb91e1ea336618e7ba8a8c1fb9ea00ec73d0f

SHA256
10744cf17f16df02bbd89923ac5d7172c6d77249263897d78827686d57330f38

SHA512
1b1c7b3f5b47fd2f52d56fc643343f82b210495db5c74b555b300951b6cf92742677fc81f465dae0e997d1a758e1e26103da117831ffdb244d94f584d9132983

Download Submit
C:\Users\Admin\AppData\Roaming\GcDownload\PFBVTLVOCYH\Bt.exe

Filesize
47KB

MD5
916d7425a559aaa77f640710a65f9182

SHA1
23d25052aef9ba71ddeef7cfa86ee43d5ba1ea13

SHA256
118de01fb498e81eab4ade980a621af43b52265a9fcbae5dedc492cdf8889f35

SHA512
d0c260a0347441b4e263da52feb43412df217c207eba594d59c10ee36e47e1a098b82ce633851c16096b22f4a4a6f8282bdd23d149e337439fe63a77ec7343bc

Download Submit
memory/2280-942-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

Filesize
4KB

Download
memory/2280-952-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/2280-933-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/2280-934-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download
memory/2280-935-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/2280-936-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download
memory/2280-937-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/2280-931-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/2280-938-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download
memory/2280-939-0x00000000049E0000-0x00000000049E1000-memory.dmp

Filesize
4KB

Download
memory/2280-940-0x0000000004A10000-0x0000000004A11000-memory.dmp

Filesize
4KB

Download
memory/2280-941-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/2280-932-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/2280-930-0x0000000010000000-0x0000000010116000-memory.dmp

Filesize
1.1MB

Download
memory/2280-948-0x0000000004B70000-0x0000000004B71000-memory.dmp

Filesize
4KB

Download
memory/2280-945-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/2280-946-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download
memory/2280-947-0x0000000004A20000-0x0000000004A21000-memory.dmp

Filesize
4KB

Download
memory/2280-944-0x0000000004B80000-0x0000000004B81000-memory.dmp

Filesize
4KB

Download
memory/2280-949-0x0000000004B10000-0x0000000004B11000-memory.dmp

Filesize
4KB

Download
memory/2280-950-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

Filesize
4KB

Download
memory/2280-951-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

Filesize
4KB

Download
memory/2280-943-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download
memory/2280-953-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/2280-954-0x0000000004A40000-0x0000000004A41000-memory.dmp

Filesize
4KB

Download
memory/2280-955-0x0000000004A50000-0x0000000004A51000-memory.dmp

Filesize
4KB

Download
memory/4936-929-0x0000000000400000-0x0000000000A3B000-memory.dmp

Filesize
6.2MB

Download
memory/4936-2-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-38-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-37-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-36-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-35-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-34-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-33-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-32-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-31-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-30-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-29-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-28-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-27-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-26-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-25-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-23-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-22-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-21-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-20-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-19-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-18-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-17-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-16-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-14-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-13-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-12-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-11-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-10-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-8-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-56-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-44-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-3-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-39-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-1-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-24-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-4-0x0000000000400000-0x0000000000A3B000-memory.dmp

Filesize
6.2MB

Download
memory/4936-0-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-40-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-41-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-956-0x0000000005120000-0x0000000005121000-memory.dmp

Filesize
4KB

Download
memory/4936-42-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-43-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-45-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-9-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-46-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-47-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-48-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-49-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-50-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-51-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-52-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-53-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-54-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-55-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-7-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-57-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-59-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-60-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-61-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-62-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-63-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-64-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-65-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download
memory/4936-58-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/4936-15-0x0000000002760000-0x0000000002876000-memory.dmp

Filesize
1.1MB

Download