cryptbot | b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91

Analysis

max time kernel
144s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27-05-2024 17:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79d775433be505a57ae175f5e6f427af_JaffaCakes118.exe
Size

4.5MB
MD5

79d775433be505a57ae175f5e6f427af
SHA1

32b9ac8255c3076841e658eabe581586ecdd8c8b
SHA256

b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91
SHA512

2c74529531c163ba9f768bf9aae97464aa5ddf2935c4085eb80d372a4e15d853bdfa46fc616b7b9b2e30730f4a484dfe3ba8b64188a3921faca589ffd379e7f7
SSDEEP

98304:GAUlwbKKobLmzt3iOah1NBR595arTOLQZsxpzYazTd9e:GjCzViOSNL590r6Lys/zYuO

Score

10^/10

cryptbot discovery evasion spyware stealer

Malware Config

Extracted

Family

cryptbot

biss01.info

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Setup.exeSetupres.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Setup.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Setupres.exe
Blocklisted process makes network request 3 IoCs

Processes:

CScript.exe

flow pid process

8 4216 CScript.exe
10 4216 CScript.exe
12 4216 CScript.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Setupres.exe

flow	pid	process
8	4216	CScript.exe
10	4216	CScript.exe
12	4216	CScript.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Setup.exeSetupres.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Setupres.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Setupres.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Setupres.exeSetup.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Setupres.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Setup.exe

Executes dropped EXE 2 IoCs

Processes:

Setup.exeSetupres.exe

pid process

4832 Setup.exe
2320 Setupres.exe

pid	process
4832	Setup.exe
2320	Setupres.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

Setup.exeSetupres.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Wine	Setup.exe
Key opened	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Wine	Setupres.exe

Loads dropped DLL 2 IoCs

Processes:

79d775433be505a57ae175f5e6f427af_JaffaCakes118.exe

pid process

1120 79d775433be505a57ae175f5e6f427af_JaffaCakes118.exe
1120 79d775433be505a57ae175f5e6f427af_JaffaCakes118.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

49 bitbucket.org
101 bitbucket.org
7 iplogger.org
8 iplogger.org
48 bitbucket.org
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

21 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Setup.exeSetupres.exe

pid process

4832 Setup.exe
2320 Setupres.exe

pid	process
1120	79d775433be505a57ae175f5e6f427af_JaffaCakes118.exe
1120	79d775433be505a57ae175f5e6f427af_JaffaCakes118.exe

flow	ioc
49	bitbucket.org
101	bitbucket.org
7	iplogger.org
8	iplogger.org
48	bitbucket.org

flow	ioc
21	ip-api.com

pid	process
4832	Setup.exe
2320	Setupres.exe

Drops file in Program Files directory 18 IoCs

Processes:

79d775433be505a57ae175f5e6f427af_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setup.exe	79d775433be505a57ae175f5e6f427af_JaffaCakes118.exe
File created	C:\Program Files (x86)\Ferr\SEDA\SX\bin\superb.ovpn	79d775433be505a57ae175f5e6f427af_JaffaCakes118.exe
File created	C:\Program Files (x86)\Ferr\SEDA\SX\bin\test.ovpn	79d775433be505a57ae175f5e6f427af_JaffaCakes118.exe
File created	C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setupres.exe	79d775433be505a57ae175f5e6f427af_JaffaCakes118.exe
File created	C:\Program Files (x86)\Ferr\SEDA\TAP-Windows\bin\addtap.bat	79d775433be505a57ae175f5e6f427af_JaffaCakes118.exe
File created	C:\Program Files (x86)\Ferr\SEDA\countries.tsv	79d775433be505a57ae175f5e6f427af_JaffaCakes118.exe
File created	C:\Program Files (x86)\Ferr\SEDA\SX\bin\ssleay32.dll	79d775433be505a57ae175f5e6f427af_JaffaCakes118.exe
File created	C:\Program Files (x86)\Ferr\SEDA\TAP-Windows\driver\OemWin2k.inf	79d775433be505a57ae175f5e6f427af_JaffaCakes118.exe
File created	C:\Program Files (x86)\Ferr\SEDA\TAP-Windows\driver\tap0901.cat	79d775433be505a57ae175f5e6f427af_JaffaCakes118.exe
File created	C:\Program Files (x86)\Ferr\SEDA\TAP-Windows\driver\tap0901.sys	79d775433be505a57ae175f5e6f427af_JaffaCakes118.exe
File created	C:\Program Files (x86)\Ferr\SEDA\SX\bin\vpn850936802.ovpn	79d775433be505a57ae175f5e6f427af_JaffaCakes118.exe
File created	C:\Program Files (x86)\Ferr\SEDA\SX\bin\ipras.vbs	79d775433be505a57ae175f5e6f427af_JaffaCakes118.exe
File created	C:\Program Files (x86)\Ferr\SEDA\TAP-Windows\bin\deltapall.bat	79d775433be505a57ae175f5e6f427af_JaffaCakes118.exe
File created	C:\Program Files (x86)\Ferr\SEDA\TAP-Windows\bin\devcon.exe	79d775433be505a57ae175f5e6f427af_JaffaCakes118.exe
File created	C:\Program Files (x86)\Ferr\SEDA\TAP-Windows\bin\tapinstall.exe	79d775433be505a57ae175f5e6f427af_JaffaCakes118.exe
File created	C:\Program Files (x86)\Ferr\SEDA\TAP-Windows\driver\OemVista.inf	79d775433be505a57ae175f5e6f427af_JaffaCakes118.exe
File created	C:\Program Files (x86)\Ferr\SEDA\vpnpro.PTB.lng	79d775433be505a57ae175f5e6f427af_JaffaCakes118.exe
File created	C:\Program Files (x86)\Ferr\SEDA\vpnpro.RUS.lng	79d775433be505a57ae175f5e6f427af_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Setup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Setup.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2436 timeout.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Setup.exeSetupres.exe

pid process

4832 Setup.exe
4832 Setup.exe
2320 Setupres.exe
2320 Setupres.exe
Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

Setup.exe

pid process

4832 Setup.exe
4832 Setup.exe
4832 Setup.exe
4832 Setup.exe
4832 Setup.exe
4832 Setup.exe
4832 Setup.exe
4832 Setup.exe
4832 Setup.exe
4832 Setup.exe
4832 Setup.exe
4832 Setup.exe

pid	process
2436	timeout.exe

pid	process
4832	Setup.exe
4832	Setup.exe
2320	Setupres.exe
2320	Setupres.exe

pid	process
4832	Setup.exe
4832	Setup.exe
4832	Setup.exe
4832	Setup.exe
4832	Setup.exe
4832	Setup.exe
4832	Setup.exe
4832	Setup.exe
4832	Setup.exe
4832	Setup.exe
4832	Setup.exe
4832	Setup.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

79d775433be505a57ae175f5e6f427af_JaffaCakes118.exeSetup.execmd.exe

description	pid	process	target process
PID 1120 wrote to memory of 4832	1120	79d775433be505a57ae175f5e6f427af_JaffaCakes118.exe	Setup.exe
PID 1120 wrote to memory of 4832	1120	79d775433be505a57ae175f5e6f427af_JaffaCakes118.exe	Setup.exe
PID 1120 wrote to memory of 4832	1120	79d775433be505a57ae175f5e6f427af_JaffaCakes118.exe	Setup.exe
PID 1120 wrote to memory of 4216	1120	79d775433be505a57ae175f5e6f427af_JaffaCakes118.exe	CScript.exe
PID 1120 wrote to memory of 4216	1120	79d775433be505a57ae175f5e6f427af_JaffaCakes118.exe	CScript.exe
PID 1120 wrote to memory of 4216	1120	79d775433be505a57ae175f5e6f427af_JaffaCakes118.exe	CScript.exe
PID 1120 wrote to memory of 2320	1120	79d775433be505a57ae175f5e6f427af_JaffaCakes118.exe	Setupres.exe
PID 1120 wrote to memory of 2320	1120	79d775433be505a57ae175f5e6f427af_JaffaCakes118.exe	Setupres.exe
PID 1120 wrote to memory of 2320	1120	79d775433be505a57ae175f5e6f427af_JaffaCakes118.exe	Setupres.exe
PID 4832 wrote to memory of 2132	4832	Setup.exe	cmd.exe
PID 4832 wrote to memory of 2132	4832	Setup.exe	cmd.exe
PID 4832 wrote to memory of 2132	4832	Setup.exe	cmd.exe
PID 2132 wrote to memory of 2436	2132	cmd.exe	timeout.exe
PID 2132 wrote to memory of 2436	2132	cmd.exe	timeout.exe
PID 2132 wrote to memory of 2436	2132	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\79d775433be505a57ae175f5e6f427af_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\79d775433be505a57ae175f5e6f427af_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1120

C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setup.exe
"C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setup.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4832

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\uttu5eEZ & timeout 2 & del /f /q "C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setup.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2132

C:\Windows\SysWOW64\timeout.exe
timeout 2
4⤵
- Delays execution with timeout.exe
PID:2436

C:\Windows\SysWOW64\CScript.exe
"C:\Windows\system32\CScript.exe" "C:\Program Files (x86)\Ferr\SEDA\SX\bin\ipras.vbs" //e:vbscript //B //NOLOGO
2⤵
- Blocklisted process makes network request
PID:4216

C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setupres.exe
"C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setupres.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3608,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=3760 /prefetch:8
1⤵
PID:1228

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setup.exe
Filesize
2.2MB

MD5
b5861c96767caed4fce1473ac338d1bf

SHA1
c9575e657706a01a28aa63943f39018377a5dfe1

SHA256
883ecab1d18c6e8153b56541df2df4980a27f5faa93ba2b42ff1dd14a8f4c161

SHA512
388bb192a27442c80f0ece67ef5e43ec6e148e24aa4634a524d3e7ec3cbd78b11bd4a200d76610168efd52711af8e3d6b2773088f09630843d9cfd6a02ab2240

Download Submit
C:\Program Files (x86)\Ferr\SEDA\SX\bin\Setupres.exe
Filesize
2.1MB

MD5
c9638374b6732d9756d9a6ae50061747

SHA1
7952f8225a6cf692ce226bfaf8112260e4ac2b71

SHA256
34d2e90229c1c3c41b931bb65ea015f023744543d915dcfeffe2328e32c27e8e

SHA512
428d4977300ba3f95905f655a93aaad89145e8c09a96491ad8142be18a6802294e735f9b3fe04845c5c80a3997275203d3a5861fc7e4cc185fb8eae19b2a0ffa

Download Submit
C:\Program Files (x86)\Ferr\SEDA\SX\bin\ipras.vbs
Filesize
126B

MD5
b802ff9244875f69db2fae0f78e92b10

SHA1
49385a89cd575894a29fbda969b99cc1f5cf8076

SHA256
a1b0cb16fb2ecd66fccf156024404801ad694056e8a596326c1b27b57d8eabe8

SHA512
609856415a7ae2b3e260f945f1c8a8d2a28884c202d37181bea948708918f24b42ae03f17dba1520fddc91b2f7a182b0b8f885f33ea6f81bb3ee4c72e4e9350e

Download Submit
C:\ProgramData\uttu5eEZ\14PcgqU0dS5b.zip
Filesize
47KB

MD5
66b80dbd8ea371f0fed332432377035d

SHA1
fd891f8512372ef593022d6034f8a1cc6630586e

SHA256
71ad63312eff1ccbc723ea0660254434531b867ff704daed3b1581f830ba3bb9

SHA512
e517cdae937dfd7648d950510f843e4c0d392a91311c44c633927bca918ca24eabe2fe0a94cb3b2bfccc2333922a213a5d384a186c265a859aac94cd79cec684

Download Submit
C:\ProgramData\uttu5eEZ\47283761.txt
Filesize
156B

MD5
b5089e0c5a3d5377e9bd19c0557ef04e

SHA1
9402e326be3d240e234c06892b15c24e93c93eb8

SHA256
d77789b2c49759c882f4fdd6f53e665b0d012f8f0949d0150eaba47fbf2a0eb5

SHA512
942349ccb99854f274ef1e20b623660588e15bd0d25bfc817fe9b2d010db656af340652e0e67b41edbf0cf259d55ab880d6b50acb1d7e8ab394f1393f7956c13

Download Submit
C:\ProgramData\uttu5eEZ\Files\_Info.txt
Filesize
8KB

MD5
34d4c625433fcf25bb95dd5e442cac9e

SHA1
b49380e41e41cf17e9dbb472408bfb7bca84d398

SHA256
f42624c37d484c085efd778463ecb3f33aa0b49d0fff981da63c115197a98c3a

SHA512
6edb80091f53e89701c022d56ff2d50d5b13841bb9cb9cb374d2fd28bff0a54cede5e07ec42f8d4c01fe6ac0f9ffd45551ee2980da9f4c09341c90fe7a6cb830

Download Submit
C:\ProgramData\uttu5eEZ\Files\_Screen.jpg
Filesize
52KB

MD5
06f9c68ce742d750c94ab6105d4c4400

SHA1
b4cae31a79e10e71fc761ecb8988a343b261701f

SHA256
2cb350682671f4d406e5fc3dd03a9aca106578a1c6d24abfe105ad2b021f5660

SHA512
e50ebf4dc00c7158294bbcb639377783966dbe53a534e88e6e22b1caa2f87ce1bc9aa5f4ee108c6d0af6fcb2233fa06e13c5482349b9bd3edfdb834db0e3be25

Download Submit
C:\ProgramData\uttu5eEZ\MOZ_CO~1.DB
Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgEDAD.tmp\UAC.dll
Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgEDAD.tmp\nsExec.dll
Filesize
6KB

MD5
132e6153717a7f9710dcea4536f364cd

SHA1
e39bc82c7602e6dd0797115c2bd12e872a5fb2ab

SHA256
d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2

SHA512
9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

Download Submit
C:\Users\Admin\AppData\Roaming\tybgrfed.exe
Filesize
13KB

MD5
90d86ca052aef438e3ebb53cec0c1827

SHA1
1a9d61d89d34b5249dbc44e74bd29b87f940549c

SHA256
50c00c2dc47310056acabed01ccaf1aa1ee30da2287091dfd1bf4e31c94773ee

SHA512
44bb05568915c51c0b34736932698763d99665865187545b2936a8451bc7742281f54418414ae44ad89b8180b96dfd0691a293360f2374d0c0e50b6080e48f4e

Download Submit
C:\Users\Admin\AppData\Roaming\yhtgrfecd.exe
Filesize
13KB

MD5
8919ccb3a04477ed428723db39cfb1f2

SHA1
0318e1b85089f22fb0150f9d3953c648907fd341

SHA256
f3920840f32c145cf7b6e009ce042af636da04ef157c93ceeca699925ed6f32a

SHA512
fa445d2572e1f9d8cc9788695f9b3213647b0b98f46e94c0fbf407b66fc8c92b3403ac70f3739a40c0ffe877b4612debafc192eb7c608a9ae176151da49aae4f

Download Submit
memory/2320-250-0x0000000000400000-0x000000000092D000-memory.dmp

Filesize
5.2MB

Download
memory/2320-227-0x0000000000400000-0x000000000092D000-memory.dmp

Filesize
5.2MB

Download
memory/2320-278-0x0000000000400000-0x000000000092D000-memory.dmp

Filesize
5.2MB

Download
memory/2320-270-0x0000000000400000-0x000000000092D000-memory.dmp

Filesize
5.2MB

Download
memory/2320-266-0x0000000000400000-0x000000000092D000-memory.dmp

Filesize
5.2MB

Download
memory/2320-262-0x0000000000400000-0x000000000092D000-memory.dmp

Filesize
5.2MB

Download
memory/2320-258-0x0000000000400000-0x000000000092D000-memory.dmp

Filesize
5.2MB

Download
memory/2320-193-0x0000000000400000-0x000000000092D000-memory.dmp

Filesize
5.2MB

Download
memory/2320-254-0x0000000000400000-0x000000000092D000-memory.dmp

Filesize
5.2MB

Download
memory/2320-235-0x0000000000400000-0x000000000092D000-memory.dmp

Filesize
5.2MB

Download
memory/2320-231-0x0000000000400000-0x000000000092D000-memory.dmp

Filesize
5.2MB

Download
memory/2320-199-0x0000000000400000-0x000000000092D000-memory.dmp

Filesize
5.2MB

Download
memory/2320-57-0x0000000000400000-0x000000000092D000-memory.dmp

Filesize
5.2MB

Download
memory/2320-200-0x0000000000400000-0x000000000092D000-memory.dmp

Filesize
5.2MB

Download
memory/2320-224-0x0000000000400000-0x000000000092D000-memory.dmp

Filesize
5.2MB

Download
memory/2320-209-0x0000000000400000-0x000000000092D000-memory.dmp

Filesize
5.2MB

Download
memory/4832-44-0x00000000008B1000-0x0000000000910000-memory.dmp

Filesize
380KB

Download
memory/4832-60-0x00000000008B0000-0x0000000000DFF000-memory.dmp

Filesize
5.3MB

Download
memory/4832-208-0x00000000008B0000-0x0000000000DFF000-memory.dmp

Filesize
5.3MB

Download
memory/4832-206-0x00000000008B0000-0x0000000000DFF000-memory.dmp

Filesize
5.3MB

Download
memory/4832-226-0x00000000008B0000-0x0000000000DFF000-memory.dmp

Filesize
5.3MB

Download
memory/4832-198-0x00000000008B0000-0x0000000000DFF000-memory.dmp

Filesize
5.3MB

Download
memory/4832-230-0x00000000008B0000-0x0000000000DFF000-memory.dmp

Filesize
5.3MB

Download
memory/4832-197-0x00000000008B0000-0x0000000000DFF000-memory.dmp

Filesize
5.3MB

Download
memory/4832-234-0x00000000008B0000-0x0000000000DFF000-memory.dmp

Filesize
5.3MB

Download
memory/4832-42-0x0000000005160000-0x0000000005161000-memory.dmp

Filesize
4KB

Download
memory/4832-43-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/4832-249-0x00000000008B0000-0x0000000000DFF000-memory.dmp

Filesize
5.3MB

Download
memory/4832-41-0x0000000005140000-0x0000000005141000-memory.dmp

Filesize
4KB

Download
memory/4832-212-0x00000000008B0000-0x0000000000DFF000-memory.dmp

Filesize
5.3MB

Download
memory/4832-268-0x00000000008B0000-0x0000000000DFF000-memory.dmp

Filesize
5.3MB

Download
memory/4832-257-0x00000000008B0000-0x0000000000DFF000-memory.dmp

Filesize
5.3MB

Download
memory/4832-192-0x00000000008B0000-0x0000000000DFF000-memory.dmp

Filesize
5.3MB

Download
memory/4832-261-0x00000000008B0000-0x0000000000DFF000-memory.dmp

Filesize
5.3MB

Download
memory/4832-185-0x00000000008B0000-0x0000000000DFF000-memory.dmp

Filesize
5.3MB

Download
memory/4832-265-0x00000000008B0000-0x0000000000DFF000-memory.dmp

Filesize
5.3MB

Download
memory/4832-47-0x00000000008B0000-0x0000000000DFF000-memory.dmp

Filesize
5.3MB

Download
memory/4832-195-0x00000000008B0000-0x0000000000DFF000-memory.dmp

Filesize
5.3MB

Download
memory/4832-48-0x00000000008B0000-0x0000000000DFF000-memory.dmp

Filesize
5.3MB

Download
memory/4832-272-0x00000000008B0000-0x0000000000DFF000-memory.dmp

Filesize
5.3MB

Download
memory/4832-33-0x0000000077214000-0x0000000077216000-memory.dmp

Filesize
8KB

Download
memory/4832-30-0x00000000008B0000-0x0000000000DFF000-memory.dmp

Filesize
5.3MB

Download
memory/4832-253-0x00000000008B0000-0x0000000000DFF000-memory.dmp

Filesize
5.3MB

Download