f5508c57f116baf22d0e1a8114d85797565f09571103a3af1cc12b3ce790364e

Analysis

max time kernel
163s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2022, 03:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f5508c57f116baf22d0e1a8114d85797565f09571103a3af1cc12b3ce790364e.dll
Size

371KB
MD5

61b6d64f7ca14f2bba31c68f10c3cd20
SHA1

2b792503db2cbca825c9a782fff9728a3d080e13
SHA256

f5508c57f116baf22d0e1a8114d85797565f09571103a3af1cc12b3ce790364e
SHA512

4b96c66705b9867f7872b1720fa09c35eebf744148663e1a3540bf6d371c6c5219f7d8554527330df7d24a8571c1b7c98a9ee55bf7cc42224668c3439e85d96a
SSDEEP

6144:4cTsPrjFXNlkArqecU3KmeBKahiom7EIrIczmyHfsip+rGf8xxrKDRwv2o7:4cTs99jKUheBKah2EOX/FktKE2G

Score

7^/10

bootkit persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
644	regsvr32.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LacoTiqac = "regsvr32.exe \"C:\\ProgramData\\LacoTiqac\\ZerpAxtes.hgq\""	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LacoTiqac = "regsvr32.exe \"C:\\ProgramData\\LacoTiqac\\ZerpAxtes.hgq\""	Explorer.EXE

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	wmiprvse.exe

Program crash 4 IoCs

pid	pid_target	Process	procid_target
216	780	WerFault.exe	8
112	788	WerFault.exe	76
4168	3276	WerFault.exe	52
4740	3364	WerFault.exe	51

Checks SCSI registry key(s) 3 TTPs 20 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Filters	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\UpperFilters	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\LowerFilters	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Filters	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	rundll32.exe

Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	Explorer.EXE

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\TabProcGrowth = "0"	Explorer.EXE

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\{4669553C-733C-4EC3-9CC9-0D5276980A18}	spoolsv.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\{4669553C-733C-4EC3-9CC9-0D5276980A18}\foplmafdjhko = 23e1ba11	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
644	regsvr32.exe
644	regsvr32.exe
2312	wmiprvse.exe
2312	wmiprvse.exe
2312	wmiprvse.exe
2312	wmiprvse.exe
2312	wmiprvse.exe
2312	wmiprvse.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3060	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	3524	rundll32.exe
Token: SeCreateGlobalPrivilege	644	regsvr32.exe
Token: SeDebugPrivilege	644	regsvr32.exe
Token: SeCreateGlobalPrivilege	1732	spoolsv.exe
Token: SeShutdownPrivilege	1732	spoolsv.exe
Token: SeDebugPrivilege	1732	spoolsv.exe
Token: SeCreateGlobalPrivilege	2376	sihost.exe
Token: SeShutdownPrivilege	2376	sihost.exe
Token: SeDebugPrivilege	2376	sihost.exe
Token: SeCreateGlobalPrivilege	2484	taskhostw.exe
Token: SeShutdownPrivilege	2484	taskhostw.exe
Token: SeDebugPrivilege	2484	taskhostw.exe
Token: SeCreateGlobalPrivilege	2672	OfficeClickToRun.exe
Token: SeShutdownPrivilege	2672	OfficeClickToRun.exe
Token: SeDebugPrivilege	2672	OfficeClickToRun.exe
Token: SeCreateGlobalPrivilege	3060	Explorer.EXE
Token: SeShutdownPrivilege	3060	Explorer.EXE
Token: SeDebugPrivilege	3060	Explorer.EXE
Token: SeCreateGlobalPrivilege	3424	StartMenuExperienceHost.exe
Token: SeShutdownPrivilege	3424	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	3424	StartMenuExperienceHost.exe
Token: SeCreateGlobalPrivilege	3508	RuntimeBroker.exe
Token: SeShutdownPrivilege	3508	RuntimeBroker.exe
Token: SeDebugPrivilege	3508	RuntimeBroker.exe
Token: SeCreateGlobalPrivilege	3812	RuntimeBroker.exe
Token: SeShutdownPrivilege	3812	RuntimeBroker.exe
Token: SeDebugPrivilege	3812	RuntimeBroker.exe
Token: SeCreateGlobalPrivilege	4808	RuntimeBroker.exe
Token: SeShutdownPrivilege	4808	RuntimeBroker.exe
Token: SeDebugPrivilege	4808	RuntimeBroker.exe
Token: SeCreateGlobalPrivilege	2176	SppExtComObj.exe
Token: SeShutdownPrivilege	2176	SppExtComObj.exe
Token: SeDebugPrivilege	2176	SppExtComObj.exe
Token: SeCreateGlobalPrivilege	2312	wmiprvse.exe
Token: SeShutdownPrivilege	2312	wmiprvse.exe
Token: SeDebugPrivilege	2312	wmiprvse.exe
Token: SeShutdownPrivilege	3060	Explorer.EXE
Token: SeCreatePagefilePrivilege	3060	Explorer.EXE
Token: SeDebugPrivilege	2312	wmiprvse.exe
Token: SeShutdownPrivilege	3508	RuntimeBroker.exe
Token: SeShutdownPrivilege	3508	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1568 wrote to memory of 3524	1568	rundll32.exe	79
PID 1568 wrote to memory of 3524	1568	rundll32.exe	79
PID 1568 wrote to memory of 3524	1568	rundll32.exe	79
PID 3524 wrote to memory of 644	3524	rundll32.exe	81
PID 3524 wrote to memory of 644	3524	rundll32.exe	81
PID 3524 wrote to memory of 644	3524	rundll32.exe	81
PID 644 wrote to memory of 780	644	regsvr32.exe	8
PID 644 wrote to memory of 780	644	regsvr32.exe	8
PID 644 wrote to memory of 788	644	regsvr32.exe	76
PID 644 wrote to memory of 788	644	regsvr32.exe	76
PID 644 wrote to memory of 1732	644	regsvr32.exe	60
PID 644 wrote to memory of 1732	644	regsvr32.exe	60
PID 644 wrote to memory of 2376	644	regsvr32.exe	21
PID 644 wrote to memory of 2376	644	regsvr32.exe	21
PID 644 wrote to memory of 2484	644	regsvr32.exe	23
PID 644 wrote to memory of 2484	644	regsvr32.exe	23
PID 644 wrote to memory of 2672	644	regsvr32.exe	25
PID 644 wrote to memory of 2672	644	regsvr32.exe	25
PID 644 wrote to memory of 3060	644	regsvr32.exe	54
PID 644 wrote to memory of 3060	644	regsvr32.exe	54
PID 644 wrote to memory of 3276	644	regsvr32.exe	52
PID 644 wrote to memory of 3276	644	regsvr32.exe	52
PID 644 wrote to memory of 3364	644	regsvr32.exe	51
PID 644 wrote to memory of 3364	644	regsvr32.exe	51
PID 644 wrote to memory of 3424	644	regsvr32.exe	32
PID 644 wrote to memory of 3424	644	regsvr32.exe	32
PID 644 wrote to memory of 3508	644	regsvr32.exe	31
PID 644 wrote to memory of 3508	644	regsvr32.exe	31
PID 644 wrote to memory of 3592	644	regsvr32.exe	50
PID 644 wrote to memory of 3592	644	regsvr32.exe	50
PID 644 wrote to memory of 3812	644	regsvr32.exe	49
PID 644 wrote to memory of 3812	644	regsvr32.exe	49
PID 644 wrote to memory of 4808	644	regsvr32.exe	48
PID 644 wrote to memory of 4808	644	regsvr32.exe	48
PID 644 wrote to memory of 2176	644	regsvr32.exe	40
PID 644 wrote to memory of 2176	644	regsvr32.exe	40
PID 644 wrote to memory of 2312	644	regsvr32.exe	82
PID 644 wrote to memory of 2312	644	regsvr32.exe	82

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:780
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 780 -s 144
  2⤵
  - Program crash
  PID:216

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2376

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2484

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2672

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3508

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3424

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4808

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3812

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3592

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3364
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3364 -s 388
  2⤵
  - Program crash
  PID:4740

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3276
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3276 -s 1016
  2⤵
  - Program crash
  PID:4168

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3060
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\f5508c57f116baf22d0e1a8114d85797565f09571103a3af1cc12b3ce790364e.dll,#1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1568
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f5508c57f116baf22d0e1a8114d85797565f09571103a3af1cc12b3ce790364e.dll,#1
    3⤵
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3524
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32.exe "C:\Users\Admin\AppData\Local\Temp\\~0E577D4E.tmp"
      4⤵
      Loads dropped DLL
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:644

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:788
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 788 -s 140
  2⤵
  - Program crash
  PID:112

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2312

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 780 -ip 780
1⤵
PID:4196

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 436 -p 788 -ip 788
1⤵
PID:1960

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 556 -p 3276 -ip 3276
1⤵
PID:4820

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 552 -p 3364 -ip 3364
1⤵
PID:1812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\LacoTiqac\ZerpAxtes.hgq

Filesize
316KB

MD5
06ada37de20838002300892a94eca0de

SHA1
8e8f5bf1db0afec749f517293ee4408d5efb134a

SHA256
c544881e6cf47d28c56a5133a3a0e88f14a72e0bfe644ed65ac9824517dbdb85

SHA512
f994a4e14cb77f4027d54e1823f4d94d0283618ad6b2bbef53956530117c18afaf0babe762d72b976b4b7e20efcabd70eb353feda95072b009e557686ed4b974

Download Submit
C:\Users\Admin\AppData\Local\Temp\~0E577D4E.tmp

Filesize
316KB

MD5
06ada37de20838002300892a94eca0de

SHA1
8e8f5bf1db0afec749f517293ee4408d5efb134a

SHA256
c544881e6cf47d28c56a5133a3a0e88f14a72e0bfe644ed65ac9824517dbdb85

SHA512
f994a4e14cb77f4027d54e1823f4d94d0283618ad6b2bbef53956530117c18afaf0babe762d72b976b4b7e20efcabd70eb353feda95072b009e557686ed4b974

Download Submit
C:\Users\Admin\AppData\Local\Temp\~0E577D4E.tmp

Filesize
316KB

MD5
06ada37de20838002300892a94eca0de

SHA1
8e8f5bf1db0afec749f517293ee4408d5efb134a

SHA256
c544881e6cf47d28c56a5133a3a0e88f14a72e0bfe644ed65ac9824517dbdb85

SHA512
f994a4e14cb77f4027d54e1823f4d94d0283618ad6b2bbef53956530117c18afaf0babe762d72b976b4b7e20efcabd70eb353feda95072b009e557686ed4b974

Download Submit
memory/644-148-0x0000000010000000-0x0000000010050000-memory.dmp

Filesize
320KB

Download
memory/644-149-0x0000000010000000-0x0000000010050000-memory.dmp

Filesize
320KB

Download
memory/644-174-0x0000000010000000-0x000000001003B000-memory.dmp

Filesize
236KB

Download
memory/644-144-0x0000000010000000-0x000000001003B000-memory.dmp

Filesize
236KB

Download
memory/1732-150-0x00007FFA11CD0000-0x00007FFA11CD2000-memory.dmp

Filesize
8KB

Download
memory/1732-151-0x00000000012D0000-0x0000000001325000-memory.dmp

Filesize
340KB

Download
memory/1732-153-0x00007FF43A0D0000-0x00007FF43A13D000-memory.dmp

Filesize
436KB

Download
memory/2176-175-0x00007FF458320000-0x00007FF45838D000-memory.dmp

Filesize
436KB

Download
memory/2176-170-0x00007FFA11CD0000-0x00007FFA11CD2000-memory.dmp

Filesize
8KB

Download
memory/2176-171-0x00007FF458320000-0x00007FF45838D000-memory.dmp

Filesize
436KB

Download
memory/2312-176-0x00007FF4DB2B0000-0x00007FF4DB31D000-memory.dmp

Filesize
436KB

Download
memory/2312-172-0x00007FFA11CD0000-0x00007FFA11CD2000-memory.dmp

Filesize
8KB

Download
memory/2312-173-0x00007FF4DB2B0000-0x00007FF4DB31D000-memory.dmp

Filesize
436KB

Download
memory/2376-154-0x00007FFA11CD0000-0x00007FFA11CD2000-memory.dmp

Filesize
8KB

Download
memory/2376-155-0x00007FF4A3A10000-0x00007FF4A3A7D000-memory.dmp

Filesize
436KB

Download
memory/2484-156-0x00007FFA11CD0000-0x00007FFA11CD2000-memory.dmp

Filesize
8KB

Download
memory/2484-157-0x00007FF4AD620000-0x00007FF4AD68D000-memory.dmp

Filesize
436KB

Download
memory/2672-158-0x00007FFA11CD0000-0x00007FFA11CD2000-memory.dmp

Filesize
8KB

Download
memory/2672-159-0x00007FF4F7590000-0x00007FF4F75FD000-memory.dmp

Filesize
436KB

Download
memory/3060-160-0x00007FFA11CD0000-0x00007FFA11CD2000-memory.dmp

Filesize
8KB

Download
memory/3060-161-0x00007FF414E40000-0x00007FF414EAD000-memory.dmp

Filesize
436KB

Download
memory/3424-163-0x00007FF4E8480000-0x00007FF4E84ED000-memory.dmp

Filesize
436KB

Download
memory/3424-162-0x00007FFA11CD0000-0x00007FFA11CD2000-memory.dmp

Filesize
8KB

Download
memory/3508-164-0x00007FFA11CD0000-0x00007FFA11CD2000-memory.dmp

Filesize
8KB

Download
memory/3508-165-0x00007FF4E4270000-0x00007FF4E42DD000-memory.dmp

Filesize
436KB

Download
memory/3524-140-0x00000000751F0000-0x000000007523F000-memory.dmp

Filesize
316KB

Download
memory/3524-135-0x00000000751F0000-0x000000007523F000-memory.dmp

Filesize
316KB

Download
memory/3524-133-0x00000000751F0000-0x000000007524D000-memory.dmp

Filesize
372KB

Download
memory/3812-167-0x00007FF492370000-0x00007FF4923DD000-memory.dmp

Filesize
436KB

Download
memory/3812-166-0x00007FFA11CD0000-0x00007FFA11CD2000-memory.dmp

Filesize
8KB

Download
memory/4808-168-0x00007FFA11CD0000-0x00007FFA11CD2000-memory.dmp

Filesize
8KB

Download
memory/4808-169-0x00007FF415AE0000-0x00007FF415B4D000-memory.dmp

Filesize
436KB

Download