Overview

overview

10

Static

static

3

spf.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-11-2024 06:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    spf.exe

  • Size

    92.8MB

  • MD5

    90b6f7548041c7bc7544cb8639beecb5

  • SHA1

    a31fff67409ee1babe4876f77a17c866762a7fbc

  • SHA256

    ed9a7ff6e6bc2cc42bd856a288c04b2e353e5f0542f6d6389097afb4fcaca9e6

  • SHA512

    56e8d9ad782733277a0c2564cab40f830245cce69dc751e8f53399fc41ecfe5423a1f054aef223758da967b126241e634ea8af6fbe2cb160ca27c51d6a924f47

  • SSDEEP

    1572864:n5fI9tOXCWdgpb17D+SUCnpZIRxupEfi/+AbjCrzvJwQipn4avCiXk:5fIDCq7SSUCnpZISplvbjUipXk

Score
10/10
adwarediscoveryevasionexecutionpersistenceprivilege_escalationstealer

Malware Config

Signatures

  • Disables service(s) 3 TTPs
    evasionexecution
  • Blocklisted process makes network request 3 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Drops desktop.ini file(s) 1 IoCs
  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Power Settings 1 TTPs 14 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Kills process with taskkill 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 5 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 1 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 61 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\spf.exe
    "C:\Users\Admin\AppData\Local\Temp\spf.exe"
    1⤵
    • Maps connected drives based on registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies Internet Explorer settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4008
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /C sc stop bam
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3912
      • C:\Windows\system32\sc.exe
        sc stop bam
        3⤵
        • Launches sc.exe
        PID:4508
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /C SC CONFIG "bam" START= DISABLED
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2892
      • C:\Windows\system32\sc.exe
        SC CONFIG "bam" START= DISABLED
        3⤵
        • Launches sc.exe
        PID:1792
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /C fsutil behavior set DisableLastAccess 3
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3676
      • C:\Windows\system32\fsutil.exe
        fsutil behavior set DisableLastAccess 3
        3⤵
          PID:2236
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /C powercfg /hibernate off
        2⤵
        • Power Settings
        • Suspicious use of WriteProcessMemory
        PID:4168
        • C:\Windows\system32\powercfg.exe
          powercfg /hibernate off
          3⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:4048
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /C powercfg /x -hibernate-timeout-ac 0
        2⤵
        • Power Settings
        • Suspicious use of WriteProcessMemory
        PID:936
        • C:\Windows\system32\powercfg.exe
          powercfg /x -hibernate-timeout-ac 0
          3⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:2224
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /C powercfg /x -hibernate-timeout-dc 0
        2⤵
        • Power Settings
        • Suspicious use of WriteProcessMemory
        PID:3736
        • C:\Windows\system32\powercfg.exe
          powercfg /x -hibernate-timeout-dc 0
          3⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:3288
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /C powercfg /x -disk-timeout-ac 0
        2⤵
        • Power Settings
        • Suspicious use of WriteProcessMemory
        PID:3292
        • C:\Windows\system32\powercfg.exe
          powercfg /x -disk-timeout-ac 0
          3⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:1100
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /C powercfg /x -disk-timeout-dc 0
        2⤵
        • Power Settings
        • Suspicious use of WriteProcessMemory
        PID:2432
        • C:\Windows\system32\powercfg.exe
          powercfg /x -disk-timeout-dc 0
          3⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:3584
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /C powercfg /x -standby-timeout-ac 0
        2⤵
        • Power Settings
        • Suspicious use of WriteProcessMemory
        PID:3560
        • C:\Windows\system32\powercfg.exe
          powercfg /x -standby-timeout-ac 0
          3⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:2548
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /C powercfg /x -standby-timeout-dc 0
        2⤵
        • Power Settings
        • Suspicious use of WriteProcessMemory
        PID:320
        • C:\Windows\system32\powercfg.exe
          powercfg /x -standby-timeout-dc 0
          3⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:2556
      • C:\Windows\SYSTEM32\w32tm.exe
        w32tm /resync
        2⤵
          PID:336
        • C:\Windows\SYSTEM32\taskkill.exe
          taskkill /F /IM agent.exe
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4580
        • C:\Windows\SYSTEM32\taskkill.exe
          taskkill /F /IM battle.net.exe
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1400
          • C:\Windows\System32\Conhost.exe
            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            3⤵
              PID:3912
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
          1⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4164
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
          1⤵
          • Blocklisted process makes network request
          • System Location Discovery: System Language Discovery
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:372
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xlq3pcyq\xlq3pcyq.cmdline"
            2⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1376
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD1A3.tmp" "c:\Users\Admin\AppData\Local\Temp\xlq3pcyq\CSCCB03D5A7B45C4FB1AB9E5A346C2A5156.TMP"
              3⤵
              • System Location Discovery: System Language Discovery
              PID:4908
          • C:\Windows\SysWOW64\netsh.exe
            "C:\Windows\system32\netsh.exe" interface teredo set state disabled
            2⤵
            • Event Triggered Execution: Netsh Helper DLL
            • System Location Discovery: System Language Discovery
            PID:2640
          • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --uninstall --msedge --system-level --verbose-logging --force-uninstall --delete-profile
            2⤵
            • Boot or Logon Autostart Execution: Active Setup
            • Drops desktop.ini file(s)
            • Installs/modifies Browser Helper Object
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of WriteProcessMemory
            PID:3156
            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff6b1455460,0x7ff6b1455470,0x7ff6b1455480
              3⤵
                PID:1560
              • C:\Windows\system32\wermgr.exe
                "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3156" "2108" "2072" "2112" "0" "0" "0" "0" "0" "0" "0" "0"
                3⤵
                • Checks processor information in registry
                • Enumerates system info in registry
                PID:1180
          • C:\Windows\system32\rundll32.exe
            "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe
            1⤵
              PID:3068
            • C:\Windows\System32\svchost.exe
              C:\Windows\System32\svchost.exe -k UnistackSvcGroup
              1⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:4408

            Network

            MITRE ATT&CK Enterprise v15

            Reconnaissance

            Resource Development

            Initial Access

            Execution

            System Services

            2
            T1569

            Service Execution

            2
            T1569.002

            Persistence

            Boot or Logon Autostart Execution

            1
            T1547

            Active Setup

            1
            T1547.014

            Browser Extensions

            1
            T1176

            Create or Modify System Process

            2
            T1543

            Windows Service

            2
            T1543.003

            Event Triggered Execution

            2
            T1546

            Component Object Model Hijacking

            1
            T1546.015

            Netsh Helper DLL

            1
            T1546.007

            Power Settings

            1
            T1653

            Privilege Escalation

            Boot or Logon Autostart Execution

            1
            T1547

            Active Setup

            1
            T1547.014

            Create or Modify System Process

            2
            T1543

            Windows Service

            2
            T1543.003

            Event Triggered Execution

            2
            T1546

            Component Object Model Hijacking

            1
            T1546.015

            Netsh Helper DLL

            1
            T1546.007

            Defense Evasion

            Impair Defenses

            1
            T1562

            Modify Registry

            3
            T1112

            Credential Access

            Discovery

            Browser Information Discovery

            1
            T1217

            Peripheral Device Discovery

            1
            T1120

            Query Registry

            3
            T1012

            System Information Discovery

            3
            T1082

            System Location Discovery

            1
            T1614

            System Language Discovery

            1
            T1614.001

            Lateral Movement

            Collection

            Command and Control

            Exfiltration

            Impact

            Service Stop

            2
            T1489

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
              Filesize

              2KB

              MD5

              6e6d88960a2258f4590e97c382884634

              SHA1

              244736513d2d071227c3df04532e67c818e7c9cd

              SHA256

              84cc5d85e71eed874541bd9724ebec8827a12b730b72bd8040fec29ab8a37a50

              SHA512

              d2d5d9aa3fb3b9ac0984f2d06da26c857f6d5479a41caa6b54e04e59b9682283219223a7b217cb9e719bad57381030aa87a9b92a6ed15d865f6d6b1eb96bce2b

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\RESD1A3.tmp
              Filesize

              1KB

              MD5

              f7073016e504791eff2ee3c97cda0896

              SHA1

              ab3796054349ddb102b7721ed9e351c5e53a2d0b

              SHA256

              7800379dc141eb588f35253af98a15fd8291281ec63308409fdb0d78ac30711f

              SHA512

              6232fd1791dc4c6f153a913a3050335f626da189b08a7914a2fb346b7fac5122db56fd2b7db76496dca5cedb9808adf19e91c307bdbfddeabfb072f0e45931c9

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_djjyo5el.ipx.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\xlq3pcyq\xlq3pcyq.dll
              Filesize

              3KB

              MD5

              b7a87f97f45d9494a16dda564d237268

              SHA1

              006d65dc14a08952e8327d53195cea33b01005dc

              SHA256

              84fe25df07c2be58c0662c122741415f958e7b8b8b7532af66ec3dc35e90fae2

              SHA512

              fec5c701d7fd0c043c5686a77035ac32e2f1eb38f8ac6106360762e187c1fc637e9c0b8c1cf017fb8fe08894dba70578dfb3499099be7591affa4a08a1288c42

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk
              Filesize

              2KB

              MD5

              2e9bee5374c507c82bb75d05b1554d03

              SHA1

              151d1a89e516906f391929f1aea63bb2311f7622

              SHA256

              ec27dc8ed77f4c04f2f075923d93730e5e9b55a53a3288f4447a3fcf4be73c97

              SHA512

              076246035261ab4353899f51110349cda7fd9269252a6bb29d7585fb599712bd1a3a2b1ae1d7a98c9566cd8aa36ea0784072d6647c584d429e006fa606e1b8ce

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\xlq3pcyq\CSCCB03D5A7B45C4FB1AB9E5A346C2A5156.TMP
              Filesize

              652B

              MD5

              aa305497bef607703d7d74a81bff45fd

              SHA1

              cf349a7dba4f3621d80f2f047a41393065407552

              SHA256

              fda43982670fc6f238d880c135ae8ae5d6cd5c3067237e920e1c7907354de0a2

              SHA512

              96db679718a0999f6656ac6632ad1c85edb0c900c39dcb7418a6fdfe7d4ed62a66ffff6e34a310f6a6d4143aa62b5d33e61f53c0e6fcaef7b8c301001ce0867b

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\xlq3pcyq\xlq3pcyq.0.cs
              Filesize

              1KB

              MD5

              66ca8de746bd5bc09574b9b5d72a91bb

              SHA1

              ae5b33f83239264d6202d1b9fdff566e851b85e4

              SHA256

              8221e96e5aef72f45e31a858a97638c7f2fc0bad68f6a21d92edb26cfba20f2b

              SHA512

              80d6b675b08acc1bdd65da19938c2a30a0bdb4ba75459d2677e56345720a5ce5590ace5aae48f2ca1bb14315cd73c40adb841af0ff917799a6a8e5963871e74a

              Download Submit

            • \??\c:\Users\Admin\AppData\Local\Temp\xlq3pcyq\xlq3pcyq.cmdline
              Filesize

              369B

              MD5

              6dc84511e2025c90e8ece9f77e4a63a3

              SHA1

              4eee4a057da3afcc0a4448b77fa207be474205e5

              SHA256

              1052b665069a4dbceb773cf40732648f97a39d92b07c74b1872966671ced721f

              SHA512

              8b3f464fb7ae8eb87d1961861991566061c877feffa298a2f9a49482a7f7a1e2dcccff16052b2bf7c3d94cc23795f3b3f05e4549c49c342ed16d89c5e1606084

              Download Submit

            • memory/372-75-0x00000000097C0000-0x00000000097F8000-memory.dmp

              Filesize

              224KB

              Download

            • memory/372-89-0x000000000D1C0000-0x000000000D1C8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/372-31-0x0000000005B90000-0x0000000005BF6000-memory.dmp

              Filesize

              408KB

              Download

            • memory/372-41-0x00000000062A0000-0x00000000065F4000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/372-29-0x0000000005980000-0x00000000059A2000-memory.dmp

              Filesize

              136KB

              Download

            • memory/372-43-0x0000000006810000-0x000000000682E000-memory.dmp

              Filesize

              120KB

              Download

            • memory/372-44-0x0000000006850000-0x000000000689C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/372-45-0x0000000007970000-0x00000000079B4000-memory.dmp

              Filesize

              272KB

              Download

            • memory/372-46-0x0000000007B20000-0x0000000007B96000-memory.dmp

              Filesize

              472KB

              Download

            • memory/372-47-0x0000000008220000-0x000000000889A000-memory.dmp

              Filesize

              6.5MB

              Download

            • memory/372-48-0x0000000007BC0000-0x0000000007BDA000-memory.dmp

              Filesize

              104KB

              Download

            • memory/372-51-0x0000000008E50000-0x00000000093F4000-memory.dmp

              Filesize

              5.6MB

              Download

            • memory/372-52-0x0000000008180000-0x00000000081B2000-memory.dmp

              Filesize

              200KB

              Download

            • memory/372-53-0x0000000070E60000-0x0000000070EAC000-memory.dmp

              Filesize

              304KB

              Download

            • memory/372-54-0x0000000070FD0000-0x0000000071324000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/372-64-0x00000000081C0000-0x00000000081DE000-memory.dmp

              Filesize

              120KB

              Download

            • memory/372-65-0x00000000088A0000-0x0000000008943000-memory.dmp

              Filesize

              652KB

              Download

            • memory/372-66-0x0000000008960000-0x000000000896A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/372-67-0x0000000008A40000-0x0000000008AD6000-memory.dmp

              Filesize

              600KB

              Download

            • memory/372-68-0x00000000089A0000-0x00000000089B1000-memory.dmp

              Filesize

              68KB

              Download

            • memory/372-69-0x0000000009400000-0x00000000095C2000-memory.dmp

              Filesize

              1.8MB

              Download

            • memory/372-70-0x0000000009B00000-0x000000000A02C000-memory.dmp

              Filesize

              5.2MB

              Download

            • memory/372-71-0x0000000008B10000-0x0000000008B32000-memory.dmp

              Filesize

              136KB

              Download

            • memory/372-72-0x0000000008B90000-0x0000000008BDA000-memory.dmp

              Filesize

              296KB

              Download

            • memory/372-73-0x0000000008D40000-0x0000000008DD2000-memory.dmp

              Filesize

              584KB

              Download

            • memory/372-74-0x0000000009710000-0x0000000009718000-memory.dmp

              Filesize

              32KB

              Download

            • memory/372-28-0x0000000005C70000-0x0000000006298000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/372-76-0x0000000009730000-0x000000000973E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/372-27-0x0000000005490000-0x00000000054C6000-memory.dmp

              Filesize

              216KB

              Download

            • memory/372-30-0x0000000005B20000-0x0000000005B86000-memory.dmp

              Filesize

              408KB

              Download

            • memory/4008-20-0x00007FFDD5460000-0x00007FFDD5470000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4008-2-0x00007FF68EC70000-0x00007FF68FC70000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/4008-17-0x00007FFDD5460000-0x00007FFDD5470000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4008-0-0x00007FFE155B0000-0x00007FFE155B2000-memory.dmp

              Filesize

              8KB

              Download

            • memory/4008-21-0x00007FFDD5460000-0x00007FFDD5470000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4164-12-0x0000027C6B880000-0x0000027C6B8A2000-memory.dmp

              Filesize

              136KB

              Download

            • memory/4164-18-0x0000027C6AD20000-0x0000027C6AD64000-memory.dmp

              Filesize

              272KB

              Download

            • memory/4164-19-0x0000027C6ADF0000-0x0000027C6AE66000-memory.dmp

              Filesize

              472KB

              Download

            • memory/4408-143-0x000001C89CEC0000-0x000001C89CEC1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4408-147-0x000001C89CEC0000-0x000001C89CEC1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4408-138-0x000001C89CE90000-0x000001C89CE91000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4408-139-0x000001C89CEC0000-0x000001C89CEC1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4408-140-0x000001C89CEC0000-0x000001C89CEC1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4408-141-0x000001C89CEC0000-0x000001C89CEC1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4408-142-0x000001C89CEC0000-0x000001C89CEC1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4408-122-0x000001C8948A0000-0x000001C8948B0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4408-144-0x000001C89CEC0000-0x000001C89CEC1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4408-146-0x000001C89CEC0000-0x000001C89CEC1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4408-145-0x000001C89CEC0000-0x000001C89CEC1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4408-106-0x000001C8947A0000-0x000001C8947B0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4408-148-0x000001C89CEC0000-0x000001C89CEC1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4408-149-0x000001C89CAE0000-0x000001C89CAE1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4408-150-0x000001C89CAD0000-0x000001C89CAD1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4408-155-0x000001C89CAD0000-0x000001C89CAD1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4408-158-0x000001C89CA10000-0x000001C89CA11000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4408-170-0x000001C89CC10000-0x000001C89CC11000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4408-152-0x000001C89CAE0000-0x000001C89CAE1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4408-172-0x000001C89CC20000-0x000001C89CC21000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4408-173-0x000001C89CC20000-0x000001C89CC21000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4408-174-0x000001C89CD30000-0x000001C89CD31000-memory.dmp

              Filesize

              4KB

              Download