strrat | fe02be2dc318367898f962aa9c3415ff96d95526aa6f6efd72764a732f3b745c

Resubmissions

10-02-2025 06:12

250210-gyapaasnam 10

10-02-2025 02:31

250210-czrxqsyncp 10

Analysis

max time kernel
446s
max time network
444s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250207-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250207-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
10-02-2025 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TT Payment.jar
Size

267KB
MD5

b4bc577b9b011c29d04f7e3797f5b4c0
SHA1

dd5f810d906cd61a8ec78c28841a121fbaa88d6f
SHA256

fe02be2dc318367898f962aa9c3415ff96d95526aa6f6efd72764a732f3b745c
SHA512

12eba3aacb580eaf11dc9a9aec39ad5e926d053fc8e6fb6871153e22bfb2627628a64f3e931855ff772e63bb152862b7c59292345489085068e8e5c3263ecfa4
SSDEEP

3072:fIMXATbZOaBKsPUVx4lboHQMg5CBklnIVSPxk/ISc6iTpoP6vBum4ggH9AoGa+:gAATbZiDPPqlISPW/IlFg6ZuZ+a+

Score

10^/10

strrat discovery persistence stealer trojan

Malware Config

Extracted

Family

strrat

195.211.190.213:1663

Attributes

license_id
WYAA-QBJT-QQ16-FF21-N4O2
plugins_url
http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5
scheduled_task
true
secondary_startup
true
startup
true

Signatures

STRRAT
STRRAT is a remote access tool than can steal credentials and log keystrokes.
trojan stealer strrat
Strrat family
strrat

Downloads MZ/PE file 1 IoCs

flow	pid	Process
34	2748	Process not Found

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TT Payment.jar	java.exe

Loads dropped DLL 1 IoCs

pid	Process
2504	java.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3793211311-3630375320-1682890903-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TT Payment = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\TT Payment.jar\""	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TT Payment = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\TT Payment.jar\""	java.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
53	ip-api.com

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4100	MicrosoftEdgeUpdate.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1644	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1356	WMIC.exe
1356	WMIC.exe
1356	WMIC.exe
1356	WMIC.exe
888	WMIC.exe
888	WMIC.exe
888	WMIC.exe
888	WMIC.exe
2640	WMIC.exe
2640	WMIC.exe
2640	WMIC.exe
2640	WMIC.exe
2332	WMIC.exe
2332	WMIC.exe
2332	WMIC.exe
2332	WMIC.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1356	WMIC.exe
Token: SeSecurityPrivilege	1356	WMIC.exe
Token: SeTakeOwnershipPrivilege	1356	WMIC.exe
Token: SeLoadDriverPrivilege	1356	WMIC.exe
Token: SeSystemProfilePrivilege	1356	WMIC.exe
Token: SeSystemtimePrivilege	1356	WMIC.exe
Token: SeProfSingleProcessPrivilege	1356	WMIC.exe
Token: SeIncBasePriorityPrivilege	1356	WMIC.exe
Token: SeCreatePagefilePrivilege	1356	WMIC.exe
Token: SeBackupPrivilege	1356	WMIC.exe
Token: SeRestorePrivilege	1356	WMIC.exe
Token: SeShutdownPrivilege	1356	WMIC.exe
Token: SeDebugPrivilege	1356	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1356	WMIC.exe
Token: SeRemoteShutdownPrivilege	1356	WMIC.exe
Token: SeUndockPrivilege	1356	WMIC.exe
Token: SeManageVolumePrivilege	1356	WMIC.exe
Token: 33	1356	WMIC.exe
Token: 34	1356	WMIC.exe
Token: 35	1356	WMIC.exe
Token: 36	1356	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1356	WMIC.exe
Token: SeSecurityPrivilege	1356	WMIC.exe
Token: SeTakeOwnershipPrivilege	1356	WMIC.exe
Token: SeLoadDriverPrivilege	1356	WMIC.exe
Token: SeSystemProfilePrivilege	1356	WMIC.exe
Token: SeSystemtimePrivilege	1356	WMIC.exe
Token: SeProfSingleProcessPrivilege	1356	WMIC.exe
Token: SeIncBasePriorityPrivilege	1356	WMIC.exe
Token: SeCreatePagefilePrivilege	1356	WMIC.exe
Token: SeBackupPrivilege	1356	WMIC.exe
Token: SeRestorePrivilege	1356	WMIC.exe
Token: SeShutdownPrivilege	1356	WMIC.exe
Token: SeDebugPrivilege	1356	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1356	WMIC.exe
Token: SeRemoteShutdownPrivilege	1356	WMIC.exe
Token: SeUndockPrivilege	1356	WMIC.exe
Token: SeManageVolumePrivilege	1356	WMIC.exe
Token: 33	1356	WMIC.exe
Token: 34	1356	WMIC.exe
Token: 35	1356	WMIC.exe
Token: 36	1356	WMIC.exe
Token: SeIncreaseQuotaPrivilege	888	WMIC.exe
Token: SeSecurityPrivilege	888	WMIC.exe
Token: SeTakeOwnershipPrivilege	888	WMIC.exe
Token: SeLoadDriverPrivilege	888	WMIC.exe
Token: SeSystemProfilePrivilege	888	WMIC.exe
Token: SeSystemtimePrivilege	888	WMIC.exe
Token: SeProfSingleProcessPrivilege	888	WMIC.exe
Token: SeIncBasePriorityPrivilege	888	WMIC.exe
Token: SeCreatePagefilePrivilege	888	WMIC.exe
Token: SeBackupPrivilege	888	WMIC.exe
Token: SeRestorePrivilege	888	WMIC.exe
Token: SeShutdownPrivilege	888	WMIC.exe
Token: SeDebugPrivilege	888	WMIC.exe
Token: SeSystemEnvironmentPrivilege	888	WMIC.exe
Token: SeRemoteShutdownPrivilege	888	WMIC.exe
Token: SeUndockPrivilege	888	WMIC.exe
Token: SeManageVolumePrivilege	888	WMIC.exe
Token: 33	888	WMIC.exe
Token: 34	888	WMIC.exe
Token: 35	888	WMIC.exe
Token: 36	888	WMIC.exe
Token: SeIncreaseQuotaPrivilege	888	WMIC.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 384	2804	java.exe	92
PID 2804 wrote to memory of 384	2804	java.exe	92
PID 384 wrote to memory of 1064	384	java.exe	94
PID 384 wrote to memory of 1064	384	java.exe	94
PID 384 wrote to memory of 2504	384	java.exe	95
PID 384 wrote to memory of 2504	384	java.exe	95
PID 1064 wrote to memory of 1644	1064	cmd.exe	98
PID 1064 wrote to memory of 1644	1064	cmd.exe	98
PID 2504 wrote to memory of 216	2504	java.exe	99
PID 2504 wrote to memory of 216	2504	java.exe	99
PID 216 wrote to memory of 1356	216	cmd.exe	101
PID 216 wrote to memory of 1356	216	cmd.exe	101
PID 2504 wrote to memory of 4060	2504	java.exe	103
PID 2504 wrote to memory of 4060	2504	java.exe	103
PID 4060 wrote to memory of 888	4060	cmd.exe	105
PID 4060 wrote to memory of 888	4060	cmd.exe	105
PID 2504 wrote to memory of 3180	2504	java.exe	106
PID 2504 wrote to memory of 3180	2504	java.exe	106
PID 3180 wrote to memory of 2640	3180	cmd.exe	108
PID 3180 wrote to memory of 2640	3180	cmd.exe	108
PID 2504 wrote to memory of 2636	2504	java.exe	109
PID 2504 wrote to memory of 2636	2504	java.exe	109
PID 2636 wrote to memory of 2332	2636	cmd.exe	111
PID 2636 wrote to memory of 2332	2636	cmd.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\TT Payment.jar"
1⤵
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Program Files\Java\jre-1.8\bin\java.exe
  "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar "C:\Users\Admin\TT Payment.jar"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:384
- - C:\Windows\SYSTEM32\cmd.exe
    cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\TT Payment.jar"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1064
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\TT Payment.jar"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1644
- - C:\Program Files\Java\jre-1.8\bin\java.exe
    "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\TT Payment.jar"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2504
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:216
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1356
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4060
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:888
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3180
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2640
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2332

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7OTBBREVCQTctMjBENi00NkRELUI4NEItMUIyODQxMzlBOTU1fSIgdXNlcmlkPSJ7MEE3RDI0NUYtODAwOC00RjEwLTlEQTQtNUFBRTBFMEY0MzU5fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MTBBOUI4RjEtQTUyRS00RDJGLTg2OTQtQkU1MTJBQzVFREFEfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0NC40NTI5IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iMTI1IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins4QTY5RDM0NS1ENTY0LTQ2M2MtQUZGMS1BNjlEOUU1MzBGOTZ9IiB2ZXJzaW9uPSIxMjMuMC42MzEyLjEyMyIgbmV4dHZlcnNpb249IiIgbGFuZz0iZW4iIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMiIgaW5zdGFsbGRhdGV0aW1lPSIxNzM4OTM1NzE3IiBvb2JlX2luc3RhbGxfdGltZT0iMTMzODM0MDgwMTg1NTAwMDAwIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMjE3OTg2MiIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTI4ODI4NjAwMyIvPjwvYXBwPjwvcmVxdWVzdD4
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
1cc03cbdea6e27ba93ad7d148f7fe42f

SHA1
f64672045166f3b369d72f90faf8a2df48c73ccd

SHA256
42cf13d31fc3467e08916278982530a2fbf385cac04aa250f77279e9cc089a07

SHA512
6450338e45615f8c2eb75e33b6a6b8aca24c6912f77b14c608666bbb4df1b358e7f1385a5f8f30d4b25e9e5d7079f1bbb1b619c5632f7d0296b2291ff0fdef34

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
0a07420f586c2546a105aae6ba1da80d

SHA1
ca96885f78c4012216243ff4d657c145378aec83

SHA256
d6a7a4f4fa518e18e9c96f2fbecb7fa759e15cd5ddae2dd7bd464ea52db722b1

SHA512
45d55151a328a55d1f14bfb70c2c46a35675f35088ee4891d216b6bd8e34bf42875ed7b4228622a4db00f0ef55bc1f7c50a7c9f1ff2a9033e6be512dcddbd24d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jna-63116079\jna4162936539463571288.dll

Filesize
241KB

MD5
e02979ecd43bcc9061eb2b494ab5af50

SHA1
3122ac0e751660f646c73b10c4f79685aa65c545

SHA256
a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a

SHA512
1e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3793211311-3630375320-1682890903-1000\83aa4cc77f591dfc2374580bbd95f6ba_77f2a27f-62b9-4b24-8224-1ea5267b8f47

Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\TT Payment.jar

Filesize
267KB

MD5
b4bc577b9b011c29d04f7e3797f5b4c0

SHA1
dd5f810d906cd61a8ec78c28841a121fbaa88d6f

SHA256
fe02be2dc318367898f962aa9c3415ff96d95526aa6f6efd72764a732f3b745c

SHA512
12eba3aacb580eaf11dc9a9aec39ad5e926d053fc8e6fb6871153e22bfb2627628a64f3e931855ff772e63bb152862b7c59292345489085068e8e5c3263ecfa4

Download Submit
C:\Users\Admin\lib\jna-5.5.0.jar

Filesize
1.4MB

MD5
acfb5b5fd9ee10bf69497792fd469f85

SHA1
0e0845217c4907822403912ad6828d8e0b256208

SHA256
b308faebfe4ed409de8410e0a632d164b2126b035f6eacff968d3908cafb4d9e

SHA512
e52575f58a195ceb3bd16b9740eadf5bc5b1d4d63c0734e8e5fd1d1776aa2d068d2e4c7173b83803f95f72c0a6759ae1c9b65773c734250d4cfcdf47a19f82aa

Download Submit
C:\Users\Admin\lib\jna-platform-5.5.0.jar

Filesize
2.6MB

MD5
2f4a99c2758e72ee2b59a73586a2322f

SHA1
af38e7c4d0fc73c23ecd785443705bfdee5b90bf

SHA256
24d81621f82ac29fcdd9a74116031f5907a2343158e616f4573bbfa2434ae0d5

SHA512
b860459a0d3bf7ccb600a03aa1d2ac0358619ee89b2b96ed723541e182b6fdab53aefef7992acb4e03fca67aa47cbe3907b1e6060a60b57ed96c4e00c35c7494

Download Submit
C:\Users\Admin\lib\sqlite-jdbc-3.14.2.1.jar

Filesize
4.1MB

MD5
b33387e15ab150a7bf560abdc73c3bec

SHA1
66b8075784131f578ef893fd7674273f709b9a4c

SHA256
2eae3dea1c3dde6104c49f9601074b6038ff6abcf3be23f4b56f6720a4f6a491

SHA512
25cfb0d6ce35d0bcb18527d3aa12c63ecb2d9c1b8b78805d1306e516c13480b79bb0d74730aa93bd1752f9ac2da9fdd51781c48844cea2fd52a06c62852c8279

Download Submit
C:\Users\Admin\lib\system-hook-3.5.jar

Filesize
772KB

MD5
e1aa38a1e78a76a6de73efae136cdb3a

SHA1
c463da71871f780b2e2e5dba115d43953b537daf

SHA256
2ddda8af6faef8bde46acf43ec546603180bcf8dcb2e5591fff8ac9cd30b5609

SHA512
fee16fe9364926ec337e52f551fd62ed81984808a847de2fd68ff29b6c5da0dcc04ef6d8977f0fe675662a7d2ea1065cdcdd2a5259446226a7c7c5516bd7d60d

Download Submit
memory/384-232-0x0000013A470D0000-0x0000013A470D1000-memory.dmp

Filesize
4KB

Download
memory/2504-300-0x00000282C2530000-0x00000282C2531000-memory.dmp

Filesize
4KB

Download
memory/2504-277-0x00000282C2530000-0x00000282C2531000-memory.dmp

Filesize
4KB

Download
memory/2804-109-0x0000025A814E0000-0x0000025A814E1000-memory.dmp

Filesize
4KB

Download
memory/2804-20-0x0000025A82FF0000-0x0000025A83000000-memory.dmp

Filesize
64KB

Download
memory/2804-32-0x0000025A83020000-0x0000025A83030000-memory.dmp

Filesize
64KB

Download
memory/2804-43-0x0000025A83050000-0x0000025A83060000-memory.dmp

Filesize
64KB

Download
memory/2804-41-0x0000025A83040000-0x0000025A83050000-memory.dmp

Filesize
64KB

Download
memory/2804-45-0x0000025A83080000-0x0000025A83090000-memory.dmp

Filesize
64KB

Download
memory/2804-44-0x0000025A82FB0000-0x0000025A82FC0000-memory.dmp

Filesize
64KB

Download
memory/2804-40-0x0000025A83070000-0x0000025A83080000-memory.dmp

Filesize
64KB

Download
memory/2804-39-0x0000025A83060000-0x0000025A83070000-memory.dmp

Filesize
64KB

Download
memory/2804-38-0x0000025A82D40000-0x0000025A82FB0000-memory.dmp

Filesize
2.4MB

Download
memory/2804-35-0x0000025A83030000-0x0000025A83040000-memory.dmp

Filesize
64KB

Download
memory/2804-47-0x0000025A82FC0000-0x0000025A82FD0000-memory.dmp

Filesize
64KB

Download
memory/2804-54-0x0000025A82FE0000-0x0000025A82FF0000-memory.dmp

Filesize
64KB

Download
memory/2804-53-0x0000025A830B0000-0x0000025A830C0000-memory.dmp

Filesize
64KB

Download
memory/2804-52-0x0000025A82FD0000-0x0000025A82FE0000-memory.dmp

Filesize
64KB

Download
memory/2804-51-0x0000025A830A0000-0x0000025A830B0000-memory.dmp

Filesize
64KB

Download
memory/2804-50-0x0000025A83090000-0x0000025A830A0000-memory.dmp

Filesize
64KB

Download
memory/2804-57-0x0000025A82FF0000-0x0000025A83000000-memory.dmp

Filesize
64KB

Download
memory/2804-58-0x0000025A830C0000-0x0000025A830D0000-memory.dmp

Filesize
64KB

Download
memory/2804-60-0x0000025A814E0000-0x0000025A814E1000-memory.dmp

Filesize
4KB

Download
memory/2804-116-0x0000025A814E0000-0x0000025A814E1000-memory.dmp

Filesize
4KB

Download
memory/2804-63-0x0000025A814E0000-0x0000025A814E1000-memory.dmp

Filesize
4KB

Download
memory/2804-65-0x0000025A830D0000-0x0000025A830E0000-memory.dmp

Filesize
64KB

Download
memory/2804-64-0x0000025A83010000-0x0000025A83020000-memory.dmp

Filesize
64KB

Download
memory/2804-70-0x0000025A830E0000-0x0000025A830F0000-memory.dmp

Filesize
64KB

Download
memory/2804-69-0x0000025A83020000-0x0000025A83030000-memory.dmp

Filesize
64KB

Download
memory/2804-73-0x0000025A83030000-0x0000025A83040000-memory.dmp

Filesize
64KB

Download
memory/2804-79-0x0000025A83050000-0x0000025A83060000-memory.dmp

Filesize
64KB

Download
memory/2804-78-0x0000025A83100000-0x0000025A83110000-memory.dmp

Filesize
64KB

Download
memory/2804-77-0x0000025A83040000-0x0000025A83050000-memory.dmp

Filesize
64KB

Download
memory/2804-76-0x0000025A830F0000-0x0000025A83100000-memory.dmp

Filesize
64KB

Download
memory/2804-75-0x0000025A83070000-0x0000025A83080000-memory.dmp

Filesize
64KB

Download
memory/2804-74-0x0000025A83060000-0x0000025A83070000-memory.dmp

Filesize
64KB

Download
memory/2804-90-0x0000025A830A0000-0x0000025A830B0000-memory.dmp

Filesize
64KB

Download
memory/2804-89-0x0000025A83090000-0x0000025A830A0000-memory.dmp

Filesize
64KB

Download
memory/2804-88-0x0000025A83140000-0x0000025A83150000-memory.dmp

Filesize
64KB

Download
memory/2804-87-0x0000025A83130000-0x0000025A83140000-memory.dmp

Filesize
64KB

Download
memory/2804-86-0x0000025A83120000-0x0000025A83130000-memory.dmp

Filesize
64KB

Download
memory/2804-85-0x0000025A83110000-0x0000025A83120000-memory.dmp

Filesize
64KB

Download
memory/2804-84-0x0000025A83080000-0x0000025A83090000-memory.dmp

Filesize
64KB

Download
memory/2804-95-0x0000025A83150000-0x0000025A83160000-memory.dmp

Filesize
64KB

Download
memory/2804-97-0x0000025A814E0000-0x0000025A814E1000-memory.dmp

Filesize
4KB

Download
memory/2804-99-0x0000025A830B0000-0x0000025A830C0000-memory.dmp

Filesize
64KB

Download
memory/2804-100-0x0000025A83160000-0x0000025A83170000-memory.dmp

Filesize
64KB

Download
memory/2804-103-0x0000025A83170000-0x0000025A83180000-memory.dmp

Filesize
64KB

Download
memory/2804-102-0x0000025A830C0000-0x0000025A830D0000-memory.dmp

Filesize
64KB

Download
memory/2804-105-0x0000025A83180000-0x0000025A83190000-memory.dmp

Filesize
64KB

Download
memory/2804-107-0x0000025A814E0000-0x0000025A814E1000-memory.dmp

Filesize
4KB

Download
memory/2804-23-0x0000025A83000000-0x0000025A83010000-memory.dmp

Filesize
64KB

Download
memory/2804-110-0x0000025A830D0000-0x0000025A830E0000-memory.dmp

Filesize
64KB

Download
memory/2804-111-0x0000025A830E0000-0x0000025A830F0000-memory.dmp

Filesize
64KB

Download
memory/2804-112-0x0000025A83190000-0x0000025A831A0000-memory.dmp

Filesize
64KB

Download
memory/2804-155-0x0000025A831F0000-0x0000025A83200000-memory.dmp

Filesize
64KB

Download
memory/2804-29-0x0000025A83010000-0x0000025A83020000-memory.dmp

Filesize
64KB

Download
memory/2804-61-0x0000025A83000000-0x0000025A83010000-memory.dmp

Filesize
64KB

Download
memory/2804-117-0x0000025A83100000-0x0000025A83110000-memory.dmp

Filesize
64KB

Download
memory/2804-120-0x0000025A83120000-0x0000025A83130000-memory.dmp

Filesize
64KB

Download
memory/2804-119-0x0000025A83110000-0x0000025A83120000-memory.dmp

Filesize
64KB

Download
memory/2804-121-0x0000025A83130000-0x0000025A83140000-memory.dmp

Filesize
64KB

Download
memory/2804-122-0x0000025A83140000-0x0000025A83150000-memory.dmp

Filesize
64KB

Download
memory/2804-123-0x0000025A831B0000-0x0000025A831C0000-memory.dmp

Filesize
64KB

Download
memory/2804-125-0x0000025A83150000-0x0000025A83160000-memory.dmp

Filesize
64KB

Download
memory/2804-127-0x0000025A83160000-0x0000025A83170000-memory.dmp

Filesize
64KB

Download
memory/2804-128-0x0000025A83170000-0x0000025A83180000-memory.dmp

Filesize
64KB

Download
memory/2804-130-0x0000025A83180000-0x0000025A83190000-memory.dmp

Filesize
64KB

Download
memory/2804-131-0x0000025A83190000-0x0000025A831A0000-memory.dmp

Filesize
64KB

Download
memory/2804-132-0x0000025A831A0000-0x0000025A831B0000-memory.dmp

Filesize
64KB

Download
memory/2804-133-0x0000025A831B0000-0x0000025A831C0000-memory.dmp

Filesize
64KB

Download
memory/2804-134-0x0000025A831C0000-0x0000025A831D0000-memory.dmp

Filesize
64KB

Download
memory/2804-137-0x0000025A814E0000-0x0000025A814E1000-memory.dmp

Filesize
4KB

Download
memory/2804-140-0x0000025A814E0000-0x0000025A814E1000-memory.dmp

Filesize
4KB

Download
memory/2804-142-0x0000025A831C0000-0x0000025A831D0000-memory.dmp

Filesize
64KB

Download
memory/2804-143-0x0000025A814E0000-0x0000025A814E1000-memory.dmp

Filesize
4KB

Download
memory/2804-144-0x0000025A814E0000-0x0000025A814E1000-memory.dmp

Filesize
4KB

Download
memory/2804-147-0x0000025A831D0000-0x0000025A831E0000-memory.dmp

Filesize
64KB

Download
memory/2804-150-0x0000025A831E0000-0x0000025A831F0000-memory.dmp

Filesize
64KB

Download
memory/2804-152-0x0000025A831D0000-0x0000025A831E0000-memory.dmp

Filesize
64KB

Download
memory/2804-153-0x0000025A831E0000-0x0000025A831F0000-memory.dmp

Filesize
64KB

Download
memory/2804-114-0x0000025A830F0000-0x0000025A83100000-memory.dmp

Filesize
64KB

Download
memory/2804-176-0x0000025A814E0000-0x0000025A814E1000-memory.dmp

Filesize
4KB

Download
memory/2804-181-0x0000025A82FE0000-0x0000025A82FF0000-memory.dmp

Filesize
64KB

Download
memory/2804-180-0x0000025A82FD0000-0x0000025A82FE0000-memory.dmp

Filesize
64KB

Download
memory/2804-183-0x0000025A83000000-0x0000025A83010000-memory.dmp

Filesize
64KB

Download
memory/2804-185-0x0000025A83020000-0x0000025A83030000-memory.dmp

Filesize
64KB

Download
memory/2804-197-0x0000025A830E0000-0x0000025A830F0000-memory.dmp

Filesize
64KB

Download
memory/2804-196-0x0000025A830D0000-0x0000025A830E0000-memory.dmp

Filesize
64KB

Download
memory/2804-195-0x0000025A830C0000-0x0000025A830D0000-memory.dmp

Filesize
64KB

Download
memory/2804-194-0x0000025A830A0000-0x0000025A830B0000-memory.dmp

Filesize
64KB

Download
memory/2804-193-0x0000025A82FC0000-0x0000025A82FD0000-memory.dmp

Filesize
64KB

Download
memory/2804-192-0x0000025A83090000-0x0000025A830A0000-memory.dmp

Filesize
64KB

Download
memory/2804-191-0x0000025A83080000-0x0000025A83090000-memory.dmp

Filesize
64KB

Download
memory/2804-190-0x0000025A82D40000-0x0000025A82FB0000-memory.dmp

Filesize
2.4MB

Download
memory/2804-189-0x0000025A83070000-0x0000025A83080000-memory.dmp

Filesize
64KB

Download
memory/2804-188-0x0000025A83060000-0x0000025A83070000-memory.dmp

Filesize
64KB

Download
memory/2804-187-0x0000025A83050000-0x0000025A83060000-memory.dmp

Filesize
64KB

Download
memory/2804-186-0x0000025A83100000-0x0000025A83110000-memory.dmp

Filesize
64KB

Download
memory/2804-184-0x0000025A83010000-0x0000025A83020000-memory.dmp

Filesize
64KB

Download
memory/2804-24-0x0000025A814E0000-0x0000025A814E1000-memory.dmp

Filesize
4KB

Download
memory/2804-115-0x0000025A831A0000-0x0000025A831B0000-memory.dmp

Filesize
64KB

Download
memory/2804-18-0x0000025A82FE0000-0x0000025A82FF0000-memory.dmp

Filesize
64KB

Download
memory/2804-16-0x0000025A82FD0000-0x0000025A82FE0000-memory.dmp

Filesize
64KB

Download
memory/2804-14-0x0000025A82FC0000-0x0000025A82FD0000-memory.dmp

Filesize
64KB

Download
memory/2804-12-0x0000025A82FB0000-0x0000025A82FC0000-memory.dmp

Filesize
64KB

Download
memory/2804-2-0x0000025A82D40000-0x0000025A82FB0000-memory.dmp

Filesize
2.4MB

Download
memory/2804-182-0x0000025A82FF0000-0x0000025A83000000-memory.dmp

Filesize
64KB

Download
memory/2804-179-0x0000025A830B0000-0x0000025A830C0000-memory.dmp

Filesize
64KB

Download
memory/2804-178-0x0000025A82FB0000-0x0000025A82FC0000-memory.dmp

Filesize
64KB

Download
memory/2804-177-0x0000025A83040000-0x0000025A83050000-memory.dmp

Filesize
64KB

Download