d30fc78dbb74a199088c33cc696c2ba3ab37e7443bd97d29e390bfeb5b6f6ab6

Analysis

max time kernel
153s
max time network
146s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
12-08-2022 17:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d30fc78dbb74a199088c33cc696c2ba3ab37e7443bd97d29e390bfeb5b6f6ab6.exe
Size

692KB
MD5

4698e3da4899e50dbb70a6dfdb71e506
SHA1

1ed6db89615f4bc647386488482f57a85fb73073
SHA256

d30fc78dbb74a199088c33cc696c2ba3ab37e7443bd97d29e390bfeb5b6f6ab6
SHA512

fc21eb8c9abf9bb1fb5069dc816c7e1a2681bec7a40c4ee0a0d2d254b32125d5c785d4eb594e4a0127b38041d40ec6acd9448187ecd8cbb7a542f5df0e60ec1c

Score

8^/10

persistence

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

dllhost.exe

pid process

1240 dllhost.exe

pid	process
1240	dllhost.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dllhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\ProgramData\\Dllhost\\dllhost.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2800 schtasks.exe
4524 schtasks.exe
4408 schtasks.exe
5080 schtasks.exe

pid	process
2800	schtasks.exe
4524	schtasks.exe
4408	schtasks.exe
5080	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exedllhost.exepowershell.exe

pid	process
5104	powershell.exe
5104	powershell.exe
5104	powershell.exe
1388	powershell.exe
1388	powershell.exe
1388	powershell.exe
1240	dllhost.exe
96	powershell.exe
1240	dllhost.exe
96	powershell.exe
96	powershell.exe
1240	dllhost.exe
1240	dllhost.exe
1240	dllhost.exe
1240	dllhost.exe
1240	dllhost.exe
1240	dllhost.exe
1240	dllhost.exe
1240	dllhost.exe
1240	dllhost.exe
1240	dllhost.exe
1240	dllhost.exe
1240	dllhost.exe
1240	dllhost.exe
1240	dllhost.exe
1240	dllhost.exe
1240	dllhost.exe
1240	dllhost.exe
1240	dllhost.exe
1240	dllhost.exe
1240	dllhost.exe
1240	dllhost.exe
1240	dllhost.exe
1240	dllhost.exe
1240	dllhost.exe
1240	dllhost.exe
1240	dllhost.exe
1240	dllhost.exe
1240	dllhost.exe
1240	dllhost.exe
1240	dllhost.exe
1240	dllhost.exe
1240	dllhost.exe
1240	dllhost.exe
1240	dllhost.exe
1240	dllhost.exe
1240	dllhost.exe
1240	dllhost.exe
1240	dllhost.exe
1240	dllhost.exe
1240	dllhost.exe
1240	dllhost.exe
1240	dllhost.exe
1240	dllhost.exe
1240	dllhost.exe
1240	dllhost.exe
1240	dllhost.exe
1240	dllhost.exe
1240	dllhost.exe
1240	dllhost.exe
1240	dllhost.exe
1240	dllhost.exe
1240	dllhost.exe
1240	dllhost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exed30fc78dbb74a199088c33cc696c2ba3ab37e7443bd97d29e390bfeb5b6f6ab6.exepowershell.exedllhost.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	5104	powershell.exe
Token: SeDebugPrivilege	3676	d30fc78dbb74a199088c33cc696c2ba3ab37e7443bd97d29e390bfeb5b6f6ab6.exe
Token: SeDebugPrivilege	1388	powershell.exe
Token: SeDebugPrivilege	1240	dllhost.exe
Token: SeDebugPrivilege	96	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d30fc78dbb74a199088c33cc696c2ba3ab37e7443bd97d29e390bfeb5b6f6ab6.execmd.exedllhost.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3676 wrote to memory of 1956	3676	d30fc78dbb74a199088c33cc696c2ba3ab37e7443bd97d29e390bfeb5b6f6ab6.exe	cmd.exe
PID 3676 wrote to memory of 1956	3676	d30fc78dbb74a199088c33cc696c2ba3ab37e7443bd97d29e390bfeb5b6f6ab6.exe	cmd.exe
PID 3676 wrote to memory of 1956	3676	d30fc78dbb74a199088c33cc696c2ba3ab37e7443bd97d29e390bfeb5b6f6ab6.exe	cmd.exe
PID 1956 wrote to memory of 5100	1956	cmd.exe	chcp.com
PID 1956 wrote to memory of 5100	1956	cmd.exe	chcp.com
PID 1956 wrote to memory of 5100	1956	cmd.exe	chcp.com
PID 1956 wrote to memory of 5104	1956	cmd.exe	powershell.exe
PID 1956 wrote to memory of 5104	1956	cmd.exe	powershell.exe
PID 1956 wrote to memory of 5104	1956	cmd.exe	powershell.exe
PID 1956 wrote to memory of 1388	1956	cmd.exe	powershell.exe
PID 1956 wrote to memory of 1388	1956	cmd.exe	powershell.exe
PID 1956 wrote to memory of 1388	1956	cmd.exe	powershell.exe
PID 3676 wrote to memory of 1240	3676	d30fc78dbb74a199088c33cc696c2ba3ab37e7443bd97d29e390bfeb5b6f6ab6.exe	dllhost.exe
PID 3676 wrote to memory of 1240	3676	d30fc78dbb74a199088c33cc696c2ba3ab37e7443bd97d29e390bfeb5b6f6ab6.exe	dllhost.exe
PID 3676 wrote to memory of 1240	3676	d30fc78dbb74a199088c33cc696c2ba3ab37e7443bd97d29e390bfeb5b6f6ab6.exe	dllhost.exe
PID 1956 wrote to memory of 96	1956	cmd.exe	powershell.exe
PID 1956 wrote to memory of 96	1956	cmd.exe	powershell.exe
PID 1956 wrote to memory of 96	1956	cmd.exe	powershell.exe
PID 1240 wrote to memory of 1004	1240	dllhost.exe	cmd.exe
PID 1240 wrote to memory of 1004	1240	dllhost.exe	cmd.exe
PID 1240 wrote to memory of 1004	1240	dllhost.exe	cmd.exe
PID 1240 wrote to memory of 2712	1240	dllhost.exe	cmd.exe
PID 1240 wrote to memory of 2712	1240	dllhost.exe	cmd.exe
PID 1240 wrote to memory of 2712	1240	dllhost.exe	cmd.exe
PID 1240 wrote to memory of 4928	1240	dllhost.exe	cmd.exe
PID 1240 wrote to memory of 4928	1240	dllhost.exe	cmd.exe
PID 1240 wrote to memory of 4928	1240	dllhost.exe	cmd.exe
PID 1240 wrote to memory of 3552	1240	dllhost.exe	cmd.exe
PID 1240 wrote to memory of 3552	1240	dllhost.exe	cmd.exe
PID 1240 wrote to memory of 3552	1240	dllhost.exe	cmd.exe
PID 1240 wrote to memory of 2520	1240	dllhost.exe	cmd.exe
PID 1240 wrote to memory of 2520	1240	dllhost.exe	cmd.exe
PID 1240 wrote to memory of 2520	1240	dllhost.exe	cmd.exe
PID 1240 wrote to memory of 3848	1240	dllhost.exe	cmd.exe
PID 1240 wrote to memory of 3848	1240	dllhost.exe	cmd.exe
PID 1240 wrote to memory of 3848	1240	dllhost.exe	cmd.exe
PID 1240 wrote to memory of 3832	1240	dllhost.exe	cmd.exe
PID 1240 wrote to memory of 3832	1240	dllhost.exe	cmd.exe
PID 1240 wrote to memory of 3832	1240	dllhost.exe	cmd.exe
PID 1240 wrote to memory of 4492	1240	dllhost.exe	cmd.exe
PID 1240 wrote to memory of 4492	1240	dllhost.exe	cmd.exe
PID 1240 wrote to memory of 4492	1240	dllhost.exe	cmd.exe
PID 1240 wrote to memory of 388	1240	dllhost.exe	cmd.exe
PID 1240 wrote to memory of 388	1240	dllhost.exe	cmd.exe
PID 1240 wrote to memory of 388	1240	dllhost.exe	cmd.exe
PID 1240 wrote to memory of 3796	1240	dllhost.exe	cmd.exe
PID 1240 wrote to memory of 3796	1240	dllhost.exe	cmd.exe
PID 1240 wrote to memory of 3796	1240	dllhost.exe	cmd.exe
PID 1240 wrote to memory of 3432	1240	dllhost.exe	cmd.exe
PID 1240 wrote to memory of 3432	1240	dllhost.exe	cmd.exe
PID 1240 wrote to memory of 3432	1240	dllhost.exe	cmd.exe
PID 1240 wrote to memory of 2404	1240	dllhost.exe	cmd.exe
PID 1240 wrote to memory of 2404	1240	dllhost.exe	cmd.exe
PID 1240 wrote to memory of 2404	1240	dllhost.exe	cmd.exe
PID 3552 wrote to memory of 2800	3552	cmd.exe	schtasks.exe
PID 3552 wrote to memory of 2800	3552	cmd.exe	schtasks.exe
PID 3552 wrote to memory of 2800	3552	cmd.exe	schtasks.exe
PID 2520 wrote to memory of 4524	2520	cmd.exe	schtasks.exe
PID 2520 wrote to memory of 4524	2520	cmd.exe	schtasks.exe
PID 2520 wrote to memory of 4524	2520	cmd.exe	schtasks.exe
PID 4928 wrote to memory of 4408	4928	cmd.exe	schtasks.exe
PID 4928 wrote to memory of 4408	4928	cmd.exe	schtasks.exe
PID 4928 wrote to memory of 4408	4928	cmd.exe	schtasks.exe
PID 2404 wrote to memory of 5080	2404	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\d30fc78dbb74a199088c33cc696c2ba3ab37e7443bd97d29e390bfeb5b6f6ab6.exe
"C:\Users\Admin\AppData\Local\Temp\d30fc78dbb74a199088c33cc696c2ba3ab37e7443bd97d29e390bfeb5b6f6ab6.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3676

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\HostData"
2⤵
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\SysWOW64\chcp.com
chcp 1251
3⤵
PID:5100

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5104

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\HostData"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:96

C:\ProgramData\Dllhost\dllhost.exe
"C:\ProgramData\Dllhost\dllhost.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1240

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:1004

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:2712

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4928

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:4408

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3552

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:2800

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2520

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:4524

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:3848

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk1773" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:3796

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk8264" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2404

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk8264" /TR "C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Creates scheduled task(s)
PID:5080

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk1824" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:3432

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk4331" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:388

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:4492

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
3⤵
PID:3832

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
3⤵
PID:3412

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:3432

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
3⤵
PID:4356

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:4264

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
3⤵
PID:4884

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:4568

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dllhost\dllhost.exe
Filesize
796KB

MD5
6dd51b7dfbbdd5edf0b8aca5aca0b7d0

SHA1
339f70f0a104ea184e971d64606b9a4dd3d16c62

SHA256
5a637292050625b4ee5fd45060a159d21c0b3b79e28d077d64b683daf65943d1

SHA512
65b2d80e5473101cac7d182db08c4d6c2a11c9e006088b3139d3243776a490a0268ad81acc1a54029f1744f4bb10ec022306d9243769d33a54bac2c7885a00ea

Download Submit
C:\ProgramData\Dllhost\dllhost.exe
Filesize
796KB

MD5
6dd51b7dfbbdd5edf0b8aca5aca0b7d0

SHA1
339f70f0a104ea184e971d64606b9a4dd3d16c62

SHA256
5a637292050625b4ee5fd45060a159d21c0b3b79e28d077d64b683daf65943d1

SHA512
65b2d80e5473101cac7d182db08c4d6c2a11c9e006088b3139d3243776a490a0268ad81acc1a54029f1744f4bb10ec022306d9243769d33a54bac2c7885a00ea

Download Submit
C:\ProgramData\HostData\logs.uce
Filesize
497B

MD5
13fda2ab01b83a5130842a5bab3892d3

SHA1
6e18e4b467cde054a63a95d4dfc030f156ecd215

SHA256
76973d42c8fceceab7ec85b3d01b218db92564993e93a9bea31c52aa73aeee9e

SHA512
c51f9fd6e452fbeeedd4dfaba3c7c887e337f01e68abdd27d4032f8be85def7ef3cf0c77bf60e425b085b76c0539464c6b6e5e805a69397c5519e8ccf9fffccc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
5bc017cbb2c47e2d884daf85e77118ef

SHA1
6208db31cb6bf4d44c3ef74cfae7238c3956fe4a

SHA256
db24b7562f096e19454e743129d3b01e0da33a708d428619bf586e1ac6f71a51

SHA512
3efcfb3d634bbebc379fd5c7ad03d24d1815b9f4b1a6dcf83699c2876625b3ef046efaa969f989cf551ee74d4c59403c92e9b785dcbc00188245fb53b5668553

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
773bbfb21152ed7ad46109993e537487

SHA1
af9e82ec1ea440d63d47cd892a248e2e81a03cd9

SHA256
42ca7998887beafbac967d64d5b457268cf966d0252af19f16a9ee984b959fe4

SHA512
6d2c76677c3f979213bb3aeda31db8dd3dabbba986274f817cf3610a619fee2e05d648f5d30552d2cf10c371d10e8068cda6231949353ebf288fff0ba6dcbb99

Download Submit
memory/96-1117-0x0000000009630000-0x00000000096D5000-memory.dmp

Filesize
660KB

Download
memory/96-862-0x0000000000000000-mapping.dmp

Download
memory/388-961-0x0000000000000000-mapping.dmp

Download
memory/1004-924-0x0000000000000000-mapping.dmp

Download
memory/1240-885-0x0000000000FB0000-0x0000000001060000-memory.dmp

Filesize
704KB

Download
memory/1240-828-0x0000000000000000-mapping.dmp

Download
memory/1388-526-0x0000000000000000-mapping.dmp

Download
memory/1956-176-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1956-179-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1956-174-0x0000000000000000-mapping.dmp

Download
memory/1956-178-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1956-175-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/1956-177-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/2404-979-0x0000000000000000-mapping.dmp

Download
memory/2520-938-0x0000000000000000-mapping.dmp

Download
memory/2712-926-0x0000000000000000-mapping.dmp

Download
memory/2800-1018-0x0000000000000000-mapping.dmp

Download
memory/3412-1389-0x0000000000000000-mapping.dmp

Download
memory/3432-972-0x0000000000000000-mapping.dmp

Download
memory/3432-1395-0x0000000000000000-mapping.dmp

Download
memory/3552-933-0x0000000000000000-mapping.dmp

Download
memory/3676-146-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-138-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-132-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-147-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-148-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-149-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-150-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-151-0x00000000000D0000-0x0000000000178000-memory.dmp

Filesize
672KB

Download
memory/3676-152-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-153-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-154-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-155-0x0000000005030000-0x000000000552E000-memory.dmp

Filesize
5.0MB

Download
memory/3676-119-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-157-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-158-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-159-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-160-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-161-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-162-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-163-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-164-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-165-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-166-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-167-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-168-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-169-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-170-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-171-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-172-0x00000000049A0000-0x00000000049AA000-memory.dmp

Filesize
40KB

Download
memory/3676-173-0x0000000004B30000-0x0000000004B96000-memory.dmp

Filesize
408KB

Download
memory/3676-144-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-143-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-118-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-142-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-141-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-120-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-140-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-121-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-131-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-139-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-156-0x00000000049E0000-0x0000000004A72000-memory.dmp

Filesize
584KB

Download
memory/3676-133-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-134-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-122-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-135-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-136-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-123-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-137-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-145-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-124-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-125-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-126-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-127-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-128-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-129-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-130-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/3796-966-0x0000000000000000-mapping.dmp

Download
memory/3832-949-0x0000000000000000-mapping.dmp

Download
memory/3848-943-0x0000000000000000-mapping.dmp

Download
memory/4264-1424-0x0000000000000000-mapping.dmp

Download
memory/4356-1418-0x0000000000000000-mapping.dmp

Download
memory/4408-1023-0x0000000000000000-mapping.dmp

Download
memory/4492-955-0x0000000000000000-mapping.dmp

Download
memory/4524-1020-0x0000000000000000-mapping.dmp

Download
memory/4568-1448-0x0000000000000000-mapping.dmp

Download
memory/4884-1442-0x0000000000000000-mapping.dmp

Download
memory/4928-930-0x0000000000000000-mapping.dmp

Download
memory/5080-1051-0x0000000000000000-mapping.dmp

Download
memory/5100-181-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/5100-187-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/5100-184-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/5100-183-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/5100-182-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/5100-180-0x0000000000000000-mapping.dmp

Download
memory/5100-185-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/5100-186-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/5104-253-0x0000000007A60000-0x0000000007A7C000-memory.dmp

Filesize
112KB

Download
memory/5104-296-0x00000000095A0000-0x0000000009645000-memory.dmp

Filesize
660KB

Download
memory/5104-189-0x0000000077A40000-0x0000000077BCE000-memory.dmp

Filesize
1.6MB

Download
memory/5104-254-0x0000000008460000-0x00000000084AB000-memory.dmp

Filesize
300KB

Download
memory/5104-258-0x0000000008290000-0x0000000008306000-memory.dmp

Filesize
472KB

Download
memory/5104-246-0x0000000007850000-0x0000000007872000-memory.dmp

Filesize
136KB

Download
memory/5104-286-0x00000000091C0000-0x00000000091F3000-memory.dmp

Filesize
204KB

Download
memory/5104-188-0x0000000000000000-mapping.dmp

Download
memory/5104-224-0x0000000004AF0000-0x0000000004B26000-memory.dmp

Filesize
216KB

Download
memory/5104-229-0x00000000071F0000-0x0000000007818000-memory.dmp

Filesize
6.2MB

Download
memory/5104-250-0x0000000007BB0000-0x0000000007F00000-memory.dmp

Filesize
3.3MB

Download
memory/5104-249-0x0000000007AD0000-0x0000000007B36000-memory.dmp

Filesize
408KB

Download
memory/5104-287-0x0000000009070000-0x000000000908E000-memory.dmp

Filesize
120KB

Download
memory/5104-508-0x0000000009270000-0x0000000009278000-memory.dmp

Filesize
32KB

Download
memory/5104-503-0x0000000009280000-0x000000000929A000-memory.dmp

Filesize
104KB

Download
memory/5104-300-0x00000000096F0000-0x0000000009784000-memory.dmp

Filesize
592KB

Download