Overview

overview

10

Static

static

3

c497fb31de...9e.exe

windows7-x64

10

c497fb31de...9e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    61s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    15-11-2024 02:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c497fb31def2da64cc0d027cf9355cbcbf22fd7c255e7cbcde9d80efb9937a9e.exe

  • Size

    1013KB

  • MD5

    84138dffdbd652ba89baed49cc815b6a

  • SHA1

    841af40691b900f06217dc0b0af28d4fef0245a4

  • SHA256

    c497fb31def2da64cc0d027cf9355cbcbf22fd7c255e7cbcde9d80efb9937a9e

  • SHA512

    9aff34103afc917c1e1fbef62a4639a2a6249a295bc05e0fb812d1f64821e3929142a5b51c626aca66668bda9a05a08c8ea037c5b56c298eaf3e424916c20b1b

  • SSDEEP

    24576:BgVo+DZba0sLgKNCAZlcLMP8VoapQrUDz/JOop+mHDTOe51K:So+DKtCAZlzPYeUxO2hKez

Score
10/10
bdaejecaspackv2backdoordiscoveryevasionexecutiontrojanupx

Malware Config

Extracted

Family

bdaejec

C2

ddos.dnsnb8.net

Signatures

  • Bdaejec

    Bdaejec is a backdoor written in C++.

    backdoorbdaejec
  • Bdaejec family
    bdaejec
  • Detects Bdaejec Backdoor. 2 IoCs

    Bdaejec is backdoor written in C++.

  • Modifies security service 2 TTPs 6 IoCs
    evasion
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 2 IoCs
  • Windows security modification 2 TTPs 4 IoCs
    evasiontrojan
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 5 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 28 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:424
      • C:\Windows\System32\dllhost.exe
        C:\Windows\System32\dllhost.exe /Processid:{31642bbe-7e67-41b8-9014-c7577a550918}
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2528
    • C:\Windows\system32\services.exe
      C:\Windows\system32\services.exe
      1⤵
      • Modifies security service
      PID:468
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k DcomLaunch
        2⤵
          PID:608
          • C:\Windows\system32\DllHost.exe
            C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
            3⤵
              PID:1696
            • C:\Windows\system32\wbem\wmiprvse.exe
              C:\Windows\system32\wbem\wmiprvse.exe
              3⤵
                PID:1924
              • C:\Windows\explorer.exe
                C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:2556
                • C:\Program Files\Windows Defender\MSASCui.exe
                  "C:\Program Files\Windows Defender\MSASCui.exe"
                  4⤵
                    PID:1668
                • C:\Windows\system32\wbem\wmiprvse.exe
                  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                  3⤵
                    PID:2884
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k RPCSS
                  2⤵
                    PID:688
                  • C:\Windows\System32\svchost.exe
                    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
                    2⤵
                    • Modifies security service
                    PID:764
                  • C:\Windows\System32\svchost.exe
                    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
                    2⤵
                      PID:828
                      • C:\Windows\system32\Dwm.exe
                        "C:\Windows\system32\Dwm.exe"
                        3⤵
                          PID:1220
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k netsvcs
                        2⤵
                          PID:864
                          • C:\Windows\system32\taskeng.exe
                            taskeng.exe {201B4AD9-F82B-46DE-A186-5C4ADBE2EB3B} S-1-5-18:NT AUTHORITY\System:Service:
                            3⤵
                            • Suspicious use of WriteProcessMemory
                            PID:3000
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                              C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+'F'+[Char](84)+''+[Char](87)+''+[Char](65)+''+'R'+''+[Char](69)+'').GetValue(''+[Char](119)+''+[Char](119)+''+[Char](119)+''+[Char](115)+''+[Char](116)+''+[Char](97)+'g'+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
                              4⤵
                              • Suspicious use of NtCreateUserProcessOtherParentProcess
                              • Command and Scripting Interpreter: PowerShell
                              • Drops file in System32 directory
                              • Suspicious use of SetThreadContext
                              • Modifies data under HKEY_USERS
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:1972
                          • C:\Windows\system32\gpscript.exe
                            gpscript.exe /RefreshSystemParam
                            3⤵
                              PID:2240
                            • C:\Windows\system32\gpscript.exe
                              gpscript.exe /RefreshSystemParam
                              3⤵
                                PID:2808
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k LocalService
                              2⤵
                                PID:1004
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k NetworkService
                                2⤵
                                  PID:332
                                • C:\Windows\System32\spoolsv.exe
                                  C:\Windows\System32\spoolsv.exe
                                  2⤵
                                    PID:392
                                  • C:\Windows\system32\svchost.exe
                                    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
                                    2⤵
                                      PID:1052
                                    • C:\Windows\system32\taskhost.exe
                                      "taskhost.exe"
                                      2⤵
                                        PID:1128
                                      • C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
                                        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
                                        2⤵
                                          PID:1108
                                        • C:\Windows\system32\svchost.exe
                                          C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
                                          2⤵
                                            PID:1196
                                          • C:\Windows\system32\sppsvc.exe
                                            C:\Windows\system32\sppsvc.exe
                                            2⤵
                                              PID:528
                                            • C:\Windows\servicing\TrustedInstaller.exe
                                              C:\Windows\servicing\TrustedInstaller.exe
                                              2⤵
                                                PID:1156
                                                • C:\Windows\system32\makecab.exe
                                                  "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20241115020355.log C:\Windows\Logs\CBS\CbsPersist_20241115020355.cab
                                                  3⤵
                                                  • Drops file in Windows directory
                                                  PID:2912
                                              • C:\Windows\System32\svchost.exe
                                                C:\Windows\System32\svchost.exe -k secsvcs
                                                2⤵
                                                • Modifies data under HKEY_USERS
                                                PID:2552
                                            • C:\Windows\system32\lsass.exe
                                              C:\Windows\system32\lsass.exe
                                              1⤵
                                                PID:484
                                              • C:\Windows\system32\lsm.exe
                                                C:\Windows\system32\lsm.exe
                                                1⤵
                                                  PID:492
                                                • C:\Windows\Explorer.EXE
                                                  C:\Windows\Explorer.EXE
                                                  1⤵
                                                    PID:1268
                                                    • C:\Users\Admin\AppData\Local\Temp\c497fb31def2da64cc0d027cf9355cbcbf22fd7c255e7cbcde9d80efb9937a9e.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\c497fb31def2da64cc0d027cf9355cbcbf22fd7c255e7cbcde9d80efb9937a9e.exe"
                                                      2⤵
                                                      • Suspicious use of WriteProcessMemory
                                                      PID:2376
                                                      • C:\Users\Public\dControl.exe
                                                        "C:\Users\Public\dControl.exe"
                                                        3⤵
                                                        • Executes dropped EXE
                                                        • System Location Discovery: System Language Discovery
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:2168
                                                        • C:\Users\Public\dControl.exe
                                                          C:\Users\Public\dControl.exe
                                                          4⤵
                                                          • Executes dropped EXE
                                                          • System Location Discovery: System Language Discovery
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:268
                                                          • C:\Users\Public\dControl.exe
                                                            "C:\Users\Public\dControl.exe" /TI
                                                            5⤵
                                                            • Modifies security service
                                                            • Executes dropped EXE
                                                            • Windows security modification
                                                            • Drops file in System32 directory
                                                            • System Location Discovery: System Language Discovery
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious behavior: GetForegroundWindowSpam
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            • Suspicious use of FindShellTrayWindow
                                                            • Suspicious use of SendNotifyMessage
                                                            • Suspicious use of WriteProcessMemory
                                                            PID:1176
                                                            • C:\Windows\Explorer.exe
                                                              "C:\Windows\Explorer.exe" C:\Program Files\Windows Defender\MSASCui.exe
                                                              6⤵
                                                                PID:2216
                                                              • C:\Users\Public\dControl.exe
                                                                "C:\Users\Public\dControl.exe" /EXP |1268|
                                                                6⤵
                                                                • Executes dropped EXE
                                                                • System Location Discovery: System Language Discovery
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                PID:972
                                                        • C:\Users\Public\www.rotkit.exe
                                                          "C:\Users\Public\www.rotkit.exe"
                                                          3⤵
                                                          • Executes dropped EXE
                                                          • Loads dropped DLL
                                                          • System Location Discovery: System Language Discovery
                                                          • Suspicious use of WriteProcessMemory
                                                          PID:1644
                                                          • C:\Users\Admin\AppData\Local\Temp\KktXMQ.exe
                                                            C:\Users\Admin\AppData\Local\Temp\KktXMQ.exe
                                                            4⤵
                                                            • Executes dropped EXE
                                                            • Drops file in Program Files directory
                                                            • System Location Discovery: System Language Discovery
                                                            PID:2288
                                                        • C:\Users\Public\www.XClient.exe
                                                          "C:\Users\Public\www.XClient.exe"
                                                          3⤵
                                                          • Executes dropped EXE
                                                          • System Location Discovery: System Language Discovery
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          • Suspicious use of WriteProcessMemory
                                                          PID:2864
                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\www.XClient.exe'
                                                            4⤵
                                                            • Command and Scripting Interpreter: PowerShell
                                                            • System Location Discovery: System Language Discovery
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:2508
                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'www.XClient.exe'
                                                            4⤵
                                                            • Command and Scripting Interpreter: PowerShell
                                                            • System Location Discovery: System Language Discovery
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:2540
                                                    • C:\Windows\system32\conhost.exe
                                                      \??\C:\Windows\system32\conhost.exe "1230768309123318015911933547982072644801-1281397342-626997755-5050359891397374683"
                                                      1⤵
                                                        PID:3008
                                                      • C:\Windows\system32\conhost.exe
                                                        \??\C:\Windows\system32\conhost.exe "-920755507-2376786541660806136-1743545549-19072453492069433951-614233662-1643902594"
                                                        1⤵
                                                          PID:236
                                                        • C:\Windows\system32\conhost.exe
                                                          \??\C:\Windows\system32\conhost.exe "-2130167108-573407129-5003652641010545763967081448802486604261491378-202197800"
                                                          1⤵
                                                            PID:2900

                                                          Network

                                                          MITRE ATT&CK Enterprise v15

                                                          Replay Monitor

                                                          Loading Replay Monitor...

                                                          Downloads

                                                          • C:\Users\Admin\AppData\Local\Temp\57E9422F.exe
                                                            Filesize

                                                            4B

                                                            MD5

                                                            d3b07384d113edec49eaa6238ad5ff00

                                                            SHA1

                                                            f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

                                                            SHA256

                                                            b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

                                                            SHA512

                                                            0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\KktXMQ.exe
                                                            Filesize

                                                            15KB

                                                            MD5

                                                            56b2c3810dba2e939a8bb9fa36d3cf96

                                                            SHA1

                                                            99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

                                                            SHA256

                                                            4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

                                                            SHA512

                                                            27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
                                                            Filesize

                                                            7KB

                                                            MD5

                                                            14275b16f595d4be6ec8c446f2d251a3

                                                            SHA1

                                                            939a7b36028ff8d5d2553b461764340103b4575a

                                                            SHA256

                                                            b524d9c3b4df769b9ffab8f1744a074393c8a7d3c9bb5770d3e617b6b262903f

                                                            SHA512

                                                            46b6ec84d29aba325333607bff13c4d826f9c5b6613d9b552bc77515f572a8abae489a0d53639ca14012f992abf0fe2cf7385b9fc14d4ae98a098da1b87c3a55

                                                            Download Submit

                                                          • C:\Users\Public\dControl.exe
                                                            Filesize

                                                            447KB

                                                            MD5

                                                            58008524a6473bdf86c1040a9a9e39c3

                                                            SHA1

                                                            cb704d2e8df80fd3500a5b817966dc262d80ddb8

                                                            SHA256

                                                            1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326

                                                            SHA512

                                                            8cf492584303523bf6cdfeb6b1b779ee44471c91e759ce32fd4849547b6245d4ed86af5b38d1c6979729a77f312ba91c48207a332ae1589a6e25de67ffb96c31

                                                            Download Submit

                                                          • C:\Users\Public\dControl.ini
                                                            Filesize

                                                            2KB

                                                            MD5

                                                            da36d056daced94e517e9b7146ce1169

                                                            SHA1

                                                            45da9e124d2b56c0b4d0e87ebb23594ff82eadc3

                                                            SHA256

                                                            ddd2da00f126960a588809e89bfbf62680442603cf259b8af3ff054a5d628e67

                                                            SHA512

                                                            b9e0362e91a00d1107c73f88cb53b911d833136bc3b36e45ec0608d3e71180eb2f61b6cacfc6504bcf4d0e259134c077a570e289746ed3d1fded0aba37b74237

                                                            Download Submit

                                                          • C:\Users\Public\www.XClient.exe
                                                            Filesize

                                                            270KB

                                                            MD5

                                                            e517c44a1d94b26482966357955ae862

                                                            SHA1

                                                            61427663e8ad9dcc2e1338511fa934f22a2dfa6f

                                                            SHA256

                                                            e07015ea88987078352d3c581f636fdafd14dd620d85f55a1abf83b45bd29c9c

                                                            SHA512

                                                            985d4137ed1849261aa588082b8afd5e7ce49ab1458283e5bf06850ab5c15b4d4342156fafaef35e969199c5007009220e089fd9d9544c55ef5212b0b2195c8e

                                                            Download Submit

                                                          • C:\Users\Public\www.rotkit.exe
                                                            Filesize

                                                            181KB

                                                            MD5

                                                            8d4a383b2c666be4f33695921263bb73

                                                            SHA1

                                                            9f565101a95a28a9b11f861306d3092417eb006d

                                                            SHA256

                                                            30bbd62a849b00c878ec5a30d66923d9c247623f385e9891874966761f284535

                                                            SHA512

                                                            ac8abd9461577cb9dec411d4e47dab666635c99e3ba2ca42834c9ce502a8892bec6254bf9564dd530aa3cf53de72773a258778d7eef22882c6ee3e57d6602edc

                                                            Download Submit

                                                          • C:\Windows\System32\GroupPolicy\Machine\Registry.pol
                                                            Filesize

                                                            160B

                                                            MD5

                                                            58f8eb09a822c09fc11f5a42baae36f1

                                                            SHA1

                                                            9e7063eeee62c8588e0020bef3a116e9379966aa

                                                            SHA256

                                                            6509c7fc4fa70391399831bbc3d66206d3f6f8f2bb20ffcac4e04844861d733a

                                                            SHA512

                                                            53806780934bd86bb032ee4a515dfc0e8464a5ecc5f4c8c593304fcd969c1058d443bdec54e7ae21469adb942b16693cc9eaf997217adc69d3618ab0ec99dc1e

                                                            Download Submit

                                                          • C:\Windows\System32\GroupPolicy\gpt.ini
                                                            Filesize

                                                            233B

                                                            MD5

                                                            cd4326a6fd01cd3ca77cfd8d0f53821b

                                                            SHA1

                                                            a1030414d1f8e5d5a6e89d5a309921b8920856f9

                                                            SHA256

                                                            1c59482111e657ef5190e22de6c047609a67e46e28d67fd70829882fd8087a9c

                                                            SHA512

                                                            29ce5532fb3adf55caa011e53736507fbf241afee9d3ca516a1d9bffec6e5cb2f87c4cd73e4da8c33b8706f96ba3b31f13ce229746110d5bd248839f67ec6d67

                                                            Download Submit

                                                          • C:\Windows\Temp\8jot2p6f.tmp
                                                            Filesize

                                                            37KB

                                                            MD5

                                                            3bc9acd9c4b8384fb7ce6c08db87df6d

                                                            SHA1

                                                            936c93e3a01d5ae30d05711a97bbf3dfa5e0921f

                                                            SHA256

                                                            a3d7de3d70c7673e8af7275eede44c1596156b6503a9614c47bad2c8e5fa3f79

                                                            SHA512

                                                            f8508376d9fb001bce10a8cc56da5c67b31ff220afd01fb57e736e961f3a563731e84d6a6c046123e1a5c16d31f39d9b07528b64a8f432eac7baa433e1d23375

                                                            Download Submit

                                                          • C:\Windows\Temp\aut83DF.tmp
                                                            Filesize

                                                            14KB

                                                            MD5

                                                            9d5a0ef18cc4bb492930582064c5330f

                                                            SHA1

                                                            2ec4168fd3c5ea9f2b0ab6acd676a5b4a95848c8

                                                            SHA256

                                                            8f5bbcc572bc62feb13a669f856d21886a61888fd6288afd066272a27ea79bb3

                                                            SHA512

                                                            1dc3387790b051c3291692607312819f0967848961bc075799b5a2353efadd65f54db54ddf47c296bb6a9f48e94ec83086a4f8bf7200c64329a73fc7ec4340a4

                                                            Download Submit

                                                          • C:\Windows\Temp\aut83E0.tmp
                                                            Filesize

                                                            12KB

                                                            MD5

                                                            efe44d9f6e4426a05e39f99ad407d3e7

                                                            SHA1

                                                            637c531222ee6a56780a7fdcd2b5078467b6e036

                                                            SHA256

                                                            5ea3b26c6b1b71edaef17ce365d50be963ae9f4cb79b39ec723fe6e9e4054366

                                                            SHA512

                                                            8014b60cef62ff5c94bf6338ee3385962cfc62aaa6c101a607c592ba00aea2d860f52e5f52be2a2a3b35310f135548e8d0b00211bfcf32d6b71198f5d3046b63

                                                            Download Submit

                                                          • C:\Windows\Temp\aut83F1.tmp
                                                            Filesize

                                                            7KB

                                                            MD5

                                                            ecffd3e81c5f2e3c62bcdc122442b5f2

                                                            SHA1

                                                            d41567acbbb0107361c6ee1715fe41b416663f40

                                                            SHA256

                                                            9874ab363b07dcc7e9cd6022a380a64102c1814343642295239a9f120cb941c5

                                                            SHA512

                                                            7f84899b77e3e2c0a35fb4973f4cd57f170f7a22f862b08f01938cf7537c8af7c442ef2ae6e561739023f6c9928f93a59b50d463af6373ed344f68260bc47c76

                                                            Download Submit

                                                          • memory/268-85-0x0000000000400000-0x00000000004CD000-memory.dmp

                                                            Filesize

                                                            820KB

                                                            Download

                                                          • memory/268-54-0x0000000000400000-0x00000000004CD000-memory.dmp

                                                            Filesize

                                                            820KB

                                                            Download

                                                          • memory/972-461-0x0000000000400000-0x00000000004CD000-memory.dmp

                                                            Filesize

                                                            820KB

                                                            Download

                                                          • memory/972-438-0x0000000000400000-0x00000000004CD000-memory.dmp

                                                            Filesize

                                                            820KB

                                                            Download

                                                          • memory/1176-467-0x0000000000400000-0x00000000004CD000-memory.dmp

                                                            Filesize

                                                            820KB

                                                            Download

                                                          • memory/1176-86-0x0000000000400000-0x00000000004CD000-memory.dmp

                                                            Filesize

                                                            820KB

                                                            Download

                                                          • memory/1644-17-0x0000000001240000-0x0000000001271000-memory.dmp

                                                            Filesize

                                                            196KB

                                                            Download

                                                          • memory/1644-29-0x00000000009E0000-0x00000000009E9000-memory.dmp

                                                            Filesize

                                                            36KB

                                                            Download

                                                          • memory/1644-136-0x00000000009E0000-0x00000000009E9000-memory.dmp

                                                            Filesize

                                                            36KB

                                                            Download

                                                          • memory/1644-30-0x00000000009E0000-0x00000000009E9000-memory.dmp

                                                            Filesize

                                                            36KB

                                                            Download

                                                          • memory/1972-459-0x000000001A050000-0x000000001A07A000-memory.dmp

                                                            Filesize

                                                            168KB

                                                            Download

                                                          • memory/1972-423-0x0000000000E10000-0x0000000000E18000-memory.dmp

                                                            Filesize

                                                            32KB

                                                            Download

                                                          • memory/1972-422-0x0000000019B60000-0x0000000019E42000-memory.dmp

                                                            Filesize

                                                            2.9MB

                                                            Download

                                                          • memory/2168-9-0x0000000000400000-0x00000000004CD000-memory.dmp

                                                            Filesize

                                                            820KB

                                                            Download

                                                          • memory/2168-56-0x0000000000400000-0x00000000004CD000-memory.dmp

                                                            Filesize

                                                            820KB

                                                            Download

                                                          • memory/2288-741-0x00000000009E0000-0x00000000009E9000-memory.dmp

                                                            Filesize

                                                            36KB

                                                            Download

                                                          • memory/2288-31-0x00000000009E0000-0x00000000009E9000-memory.dmp

                                                            Filesize

                                                            36KB

                                                            Download

                                                          • memory/2376-0-0x000007FEF5A93000-0x000007FEF5A94000-memory.dmp

                                                            Filesize

                                                            4KB

                                                            Download

                                                          • memory/2376-1-0x0000000001210000-0x0000000001314000-memory.dmp

                                                            Filesize

                                                            1.0MB

                                                            Download

                                                          • memory/2864-198-0x00000000021D0000-0x0000000002201000-memory.dmp

                                                            Filesize

                                                            196KB

                                                            Download

                                                          • memory/2864-156-0x00000000021D0000-0x0000000002201000-memory.dmp

                                                            Filesize

                                                            196KB

                                                            Download

                                                          • memory/2864-192-0x00000000021D0000-0x0000000002201000-memory.dmp

                                                            Filesize

                                                            196KB

                                                            Download

                                                          • memory/2864-190-0x00000000021D0000-0x0000000002201000-memory.dmp

                                                            Filesize

                                                            196KB

                                                            Download

                                                          • memory/2864-188-0x00000000021D0000-0x0000000002201000-memory.dmp

                                                            Filesize

                                                            196KB

                                                            Download

                                                          • memory/2864-186-0x00000000021D0000-0x0000000002201000-memory.dmp

                                                            Filesize

                                                            196KB

                                                            Download

                                                          • memory/2864-184-0x00000000021D0000-0x0000000002201000-memory.dmp

                                                            Filesize

                                                            196KB

                                                            Download

                                                          • memory/2864-182-0x00000000021D0000-0x0000000002201000-memory.dmp

                                                            Filesize

                                                            196KB

                                                            Download

                                                          • memory/2864-178-0x00000000021D0000-0x0000000002201000-memory.dmp

                                                            Filesize

                                                            196KB

                                                            Download

                                                          • memory/2864-174-0x00000000021D0000-0x0000000002201000-memory.dmp

                                                            Filesize

                                                            196KB

                                                            Download

                                                          • memory/2864-172-0x00000000021D0000-0x0000000002201000-memory.dmp

                                                            Filesize

                                                            196KB

                                                            Download

                                                          • memory/2864-170-0x00000000021D0000-0x0000000002201000-memory.dmp

                                                            Filesize

                                                            196KB

                                                            Download

                                                          • memory/2864-168-0x00000000021D0000-0x0000000002201000-memory.dmp

                                                            Filesize

                                                            196KB

                                                            Download

                                                          • memory/2864-166-0x00000000021D0000-0x0000000002201000-memory.dmp

                                                            Filesize

                                                            196KB

                                                            Download

                                                          • memory/2864-164-0x00000000021D0000-0x0000000002201000-memory.dmp

                                                            Filesize

                                                            196KB

                                                            Download

                                                          • memory/2864-160-0x00000000021D0000-0x0000000002201000-memory.dmp

                                                            Filesize

                                                            196KB

                                                            Download

                                                          • memory/2864-158-0x00000000021D0000-0x0000000002201000-memory.dmp

                                                            Filesize

                                                            196KB

                                                            Download

                                                          • memory/2864-196-0x00000000021D0000-0x0000000002201000-memory.dmp

                                                            Filesize

                                                            196KB

                                                            Download

                                                          • memory/2864-154-0x00000000021D0000-0x0000000002201000-memory.dmp

                                                            Filesize

                                                            196KB

                                                            Download

                                                          • memory/2864-150-0x00000000021D0000-0x0000000002201000-memory.dmp

                                                            Filesize

                                                            196KB

                                                            Download

                                                          • memory/2864-148-0x00000000021D0000-0x0000000002201000-memory.dmp

                                                            Filesize

                                                            196KB

                                                            Download

                                                          • memory/2864-146-0x00000000021D0000-0x0000000002201000-memory.dmp

                                                            Filesize

                                                            196KB

                                                            Download

                                                          • memory/2864-144-0x00000000021D0000-0x0000000002201000-memory.dmp

                                                            Filesize

                                                            196KB

                                                            Download

                                                          • memory/2864-200-0x00000000021D0000-0x0000000002201000-memory.dmp

                                                            Filesize

                                                            196KB

                                                            Download

                                                          • memory/2864-202-0x00000000021D0000-0x0000000002201000-memory.dmp

                                                            Filesize

                                                            196KB

                                                            Download

                                                          • memory/2864-141-0x00000000021D0000-0x0000000002201000-memory.dmp

                                                            Filesize

                                                            196KB

                                                            Download

                                                          • memory/2864-142-0x00000000021D0000-0x0000000002201000-memory.dmp

                                                            Filesize

                                                            196KB

                                                            Download

                                                          • memory/2864-153-0x00000000021D0000-0x0000000002201000-memory.dmp

                                                            Filesize

                                                            196KB

                                                            Download

                                                          • memory/2864-162-0x00000000021D0000-0x0000000002201000-memory.dmp

                                                            Filesize

                                                            196KB

                                                            Download

                                                          • memory/2864-177-0x00000000021D0000-0x0000000002201000-memory.dmp

                                                            Filesize

                                                            196KB

                                                            Download

                                                          • memory/2864-180-0x00000000021D0000-0x0000000002201000-memory.dmp

                                                            Filesize

                                                            196KB

                                                            Download

                                                          • memory/2864-195-0x00000000021D0000-0x0000000002201000-memory.dmp

                                                            Filesize

                                                            196KB

                                                            Download

                                                          • memory/2864-137-0x00000000021D0000-0x0000000002208000-memory.dmp

                                                            Filesize

                                                            224KB

                                                            Download

                                                          • memory/2864-82-0x00000000020B0000-0x00000000020E8000-memory.dmp

                                                            Filesize

                                                            224KB

                                                            Download