6abf54467c1c8eca444f8ad7aca5a2b1819c8482a0110116bf67f2ebe1021fce

Analysis

max time kernel
147s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2022, 05:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

4.8MB
MD5

bff5ad2f9d3b589162a2da7a337a68c2
SHA1

b2879c2d9e6401619f4e2db6470b662685ab7756
SHA256

6abf54467c1c8eca444f8ad7aca5a2b1819c8482a0110116bf67f2ebe1021fce
SHA512

961445f139625d22704758432c1d568b59975948eb7e49fd1acb7ce185296e23f72be37f0bb0d9af1f929eef1ccf8a738a9bef4b2b7a798e21e319bc34bc378d
SSDEEP

49152:JG9RuK1L8CnoJgsv5lpt8xGAckMREkaT5E5gtGQnldHVd+01:yuLD5Xm1EAG8l

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1616	hXahs2wtaL.exe
1704	policyintroductoryov.exe
3444	policyintroductoryov.exe
2444	MIDNAUHE.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	policyintroductoryov.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	MIDNAUHE.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	hXahs2wtaL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	hXahs2wtaL.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{1DE39CD2-FB00-4FD0-AC1B-81F45473A2F9}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{30D40F36-6E60-4CBA-997E-22F23CB86AC8}.catalogItem	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1704 set thread context of 3444	1704	policyintroductoryov.exe	108

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3700	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
364	powershell.exe
364	powershell.exe
3484	powershell.exe
3484	powershell.exe
4352	powershell.exe
4352	powershell.exe
4204	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1868	wmic.exe
Token: SeSecurityPrivilege	1868	wmic.exe
Token: SeTakeOwnershipPrivilege	1868	wmic.exe
Token: SeLoadDriverPrivilege	1868	wmic.exe
Token: SeSystemProfilePrivilege	1868	wmic.exe
Token: SeSystemtimePrivilege	1868	wmic.exe
Token: SeProfSingleProcessPrivilege	1868	wmic.exe
Token: SeIncBasePriorityPrivilege	1868	wmic.exe
Token: SeCreatePagefilePrivilege	1868	wmic.exe
Token: SeBackupPrivilege	1868	wmic.exe
Token: SeRestorePrivilege	1868	wmic.exe
Token: SeShutdownPrivilege	1868	wmic.exe
Token: SeDebugPrivilege	1868	wmic.exe
Token: SeSystemEnvironmentPrivilege	1868	wmic.exe
Token: SeRemoteShutdownPrivilege	1868	wmic.exe
Token: SeUndockPrivilege	1868	wmic.exe
Token: SeManageVolumePrivilege	1868	wmic.exe
Token: 33	1868	wmic.exe
Token: 34	1868	wmic.exe
Token: 35	1868	wmic.exe
Token: 36	1868	wmic.exe
Token: SeIncreaseQuotaPrivilege	1868	wmic.exe
Token: SeSecurityPrivilege	1868	wmic.exe
Token: SeTakeOwnershipPrivilege	1868	wmic.exe
Token: SeLoadDriverPrivilege	1868	wmic.exe
Token: SeSystemProfilePrivilege	1868	wmic.exe
Token: SeSystemtimePrivilege	1868	wmic.exe
Token: SeProfSingleProcessPrivilege	1868	wmic.exe
Token: SeIncBasePriorityPrivilege	1868	wmic.exe
Token: SeCreatePagefilePrivilege	1868	wmic.exe
Token: SeBackupPrivilege	1868	wmic.exe
Token: SeRestorePrivilege	1868	wmic.exe
Token: SeShutdownPrivilege	1868	wmic.exe
Token: SeDebugPrivilege	1868	wmic.exe
Token: SeSystemEnvironmentPrivilege	1868	wmic.exe
Token: SeRemoteShutdownPrivilege	1868	wmic.exe
Token: SeUndockPrivilege	1868	wmic.exe
Token: SeManageVolumePrivilege	1868	wmic.exe
Token: 33	1868	wmic.exe
Token: 34	1868	wmic.exe
Token: 35	1868	wmic.exe
Token: 36	1868	wmic.exe
Token: SeIncreaseQuotaPrivilege	4220	WMIC.exe
Token: SeSecurityPrivilege	4220	WMIC.exe
Token: SeTakeOwnershipPrivilege	4220	WMIC.exe
Token: SeLoadDriverPrivilege	4220	WMIC.exe
Token: SeSystemProfilePrivilege	4220	WMIC.exe
Token: SeSystemtimePrivilege	4220	WMIC.exe
Token: SeProfSingleProcessPrivilege	4220	WMIC.exe
Token: SeIncBasePriorityPrivilege	4220	WMIC.exe
Token: SeCreatePagefilePrivilege	4220	WMIC.exe
Token: SeBackupPrivilege	4220	WMIC.exe
Token: SeRestorePrivilege	4220	WMIC.exe
Token: SeShutdownPrivilege	4220	WMIC.exe
Token: SeDebugPrivilege	4220	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4220	WMIC.exe
Token: SeRemoteShutdownPrivilege	4220	WMIC.exe
Token: SeUndockPrivilege	4220	WMIC.exe
Token: SeManageVolumePrivilege	4220	WMIC.exe
Token: 33	4220	WMIC.exe
Token: 34	4220	WMIC.exe
Token: 35	4220	WMIC.exe
Token: 36	4220	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4220	WMIC.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 1868	2228	setup.exe	75
PID 2228 wrote to memory of 1868	2228	setup.exe	75
PID 2228 wrote to memory of 1728	2228	setup.exe	78
PID 2228 wrote to memory of 1728	2228	setup.exe	78
PID 1728 wrote to memory of 4220	1728	cmd.exe	80
PID 1728 wrote to memory of 4220	1728	cmd.exe	80
PID 2228 wrote to memory of 2264	2228	setup.exe	81
PID 2228 wrote to memory of 2264	2228	setup.exe	81
PID 2264 wrote to memory of 1520	2264	cmd.exe	83
PID 2264 wrote to memory of 1520	2264	cmd.exe	83
PID 2228 wrote to memory of 364	2228	setup.exe	91
PID 2228 wrote to memory of 364	2228	setup.exe	91
PID 364 wrote to memory of 1616	364	powershell.exe	93
PID 364 wrote to memory of 1616	364	powershell.exe	93
PID 1616 wrote to memory of 1704	1616	hXahs2wtaL.exe	101
PID 1616 wrote to memory of 1704	1616	hXahs2wtaL.exe	101
PID 1704 wrote to memory of 3484	1704	policyintroductoryov.exe	103
PID 1704 wrote to memory of 3484	1704	policyintroductoryov.exe	103
PID 1704 wrote to memory of 3444	1704	policyintroductoryov.exe	108
PID 1704 wrote to memory of 3444	1704	policyintroductoryov.exe	108
PID 1704 wrote to memory of 3444	1704	policyintroductoryov.exe	108
PID 1704 wrote to memory of 3444	1704	policyintroductoryov.exe	108
PID 1704 wrote to memory of 3444	1704	policyintroductoryov.exe	108
PID 1704 wrote to memory of 3444	1704	policyintroductoryov.exe	108
PID 3444 wrote to memory of 4352	3444	policyintroductoryov.exe	109
PID 3444 wrote to memory of 4352	3444	policyintroductoryov.exe	109
PID 3444 wrote to memory of 4452	3444	policyintroductoryov.exe	111
PID 3444 wrote to memory of 4452	3444	policyintroductoryov.exe	111
PID 4452 wrote to memory of 3700	4452	cmd.exe	114
PID 4452 wrote to memory of 3700	4452	cmd.exe	114
PID 4452 wrote to memory of 2444	4452	cmd.exe	115
PID 4452 wrote to memory of 2444	4452	cmd.exe	115
PID 2444 wrote to memory of 4204	2444	MIDNAUHE.exe	117
PID 2444 wrote to memory of 4204	2444	MIDNAUHE.exe	117

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\System32\Wbem\wmic.exe
  wmic os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1868
- C:\Windows\system32\cmd.exe
  cmd /C "wmic path win32_VideoController get name"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4220
- C:\Windows\system32\cmd.exe
  cmd /C "wmic cpu get name"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get name
    3⤵
    PID:1520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "" "start-process C:\Users\Admin\AppData\Local\Temp\hXahs2wtaL.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:364
- - C:\Users\Admin\AppData\Local\Temp\hXahs2wtaL.exe
    "C:\Users\Admin\AppData\Local\Temp\hXahs2wtaL.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1616
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\policyintroductoryov.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\policyintroductoryov.exe
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1704
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3484
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\policyintroductoryov.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\policyintroductoryov.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3444
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4352
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAB20.tmp.bat""
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        7⤵
        Delays execution with timeout.exe
        
        PID:3700
        
        C:\ProgramData\Microsoft\MIDNAUHE.exe
        
        "C:\ProgramData\Microsoft\MIDNAUHE.exe"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4204

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:4652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\MIDNAUHE.exe

Filesize
123.8MB

MD5
28341c8513d9914f4e1bc49f79b48164

SHA1
69101b9895dd8d870d6b2abfaa579c987e2b72bf

SHA256
9f1536ba8b6ddc4516841d80f7f6ed054d8d25382d574daef4fb496866f7d392

SHA512
0c7de5ade84a0b3aeec4b91aa7aada2f0cef9442e06c0f74405ce9b081e33710dd07bf14335f21219efda814d5e1c0b26eb9c90b40e6f408c63d2f795ea159d6

Download Submit
C:\ProgramData\Microsoft\MIDNAUHE.exe

Filesize
131.6MB

MD5
6dacc9065ab27ef25c3711c40b5248aa

SHA1
cdbc3b6fe20c2218a11385a1112bd3c906e45832

SHA256
bd1de624c71bfba383878e856eb459d1c33ebec3c102318588aa4f443a8b632d

SHA512
4a8666ff3a911989efd417b57ce31771d9de1a71c630ef7cc2e52fd30398cb1276d66573fb905687f06e48424056ccaa358d9c3eb00fa5b4fc3e9a31dfcecd79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\policyintroductoryov.exe.log

Filesize
1KB

MD5
1d35832a5dffff9f6b8b8bf1afe49e22

SHA1
3e5a0a843a954ee61e78813ede5f9c9e0f22199e

SHA256
cd69818b4c7223a79498e2706cd488ea3619388e6ce3de950bd1cca1ffeb40d3

SHA512
356c3b815a410939b2ab55198ba043125fce24ac2518e56b548d924c4fec1a617169819c76c11188143476d20bc117577fb92b89524ec84dba029d0049b4b784

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
63e62e02ee9c90b7adfb2eefe7efa04f

SHA1
9bc1eda86f7f95345c2a3901288b6867447dee6b

SHA256
cbafbcef08446541d49da9d11842ab860628a7d317db15f570b7b1e1048ade11

SHA512
3d2bf16c2a9b42e28dc9d2c18d6d697d3749b14f2f6c708ea9e587022aeb5fbbcffaa49c4f4f994f1cd1f6c886b8d8b6ab3a29d3b65fe0659ea0f2fa9d47ba52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\policyintroductoryov.exe

Filesize
357.6MB

MD5
9cac86ba6401ceec99e64adc76922684

SHA1
2a79d539a701ad8d9f36c931e32a550d29718ac2

SHA256
35695ee171cad89e3378abad9e5fa24c26a8b467ef9d3115277d8d981d23712c

SHA512
097d36d45251b950a6b0e7e8e68fa86dfbdfb8d1cb87832ba81cf47c0cabc6e4e85e9c3b18dfc08078f7c8f9b08ec8787938c0dd096e315a44148d7166f0adce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\policyintroductoryov.exe

Filesize
357.6MB

MD5
9cac86ba6401ceec99e64adc76922684

SHA1
2a79d539a701ad8d9f36c931e32a550d29718ac2

SHA256
35695ee171cad89e3378abad9e5fa24c26a8b467ef9d3115277d8d981d23712c

SHA512
097d36d45251b950a6b0e7e8e68fa86dfbdfb8d1cb87832ba81cf47c0cabc6e4e85e9c3b18dfc08078f7c8f9b08ec8787938c0dd096e315a44148d7166f0adce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\policyintroductoryov.exe

Filesize
235.7MB

MD5
e69713b8df7937d0bee822ab96446298

SHA1
6fd8a7ad32ed474bb4c44c0f9253ff8114e704f8

SHA256
fbdea7033b58e59e4431420a273f9c69fd5740674cb2a3b72fad5197871a5c8b

SHA512
c8b65e61187bb18cd6207208361aea059c15535945380e18cf90ae9b1264ca4d5defef03ae143aa436118ee7dde2c6261e39cb0d80355d51f7e4e3a4b854af9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hXahs2wtaL.exe

Filesize
1.7MB

MD5
238a69aa001a8f4801f018863fa06a7c

SHA1
809b9edf1e948c7aff5443b446d240d3ee80226c

SHA256
8e24e96e1e87cf00e27c3a3745414636fbf6e148077c0f6815a2b87bacf85c8d

SHA512
60573a5a53bb7f8a3d60efa915a94acb46f17ef4ca8eb1b778ac0719af98f67010aeef964e2afe45c8cb07e946c96546f2a350ab9402efd5ae265d4cdd5a2f3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hXahs2wtaL.exe

Filesize
1.7MB

MD5
238a69aa001a8f4801f018863fa06a7c

SHA1
809b9edf1e948c7aff5443b446d240d3ee80226c

SHA256
8e24e96e1e87cf00e27c3a3745414636fbf6e148077c0f6815a2b87bacf85c8d

SHA512
60573a5a53bb7f8a3d60efa915a94acb46f17ef4ca8eb1b778ac0719af98f67010aeef964e2afe45c8cb07e946c96546f2a350ab9402efd5ae265d4cdd5a2f3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAB20.tmp.bat

Filesize
146B

MD5
a91438047591241163c62590c78e63bf

SHA1
7cac874c507fb207d9780f9406f97a17efadcb4b

SHA256
0d17513a01dec1c3815a27d7caa39b6add501c7e2997d394bb3dffaf7c9192e5

SHA512
4a746fa90ab7248c8fcf5ea6f85d13d0c05a973a228662ecd7728afb72067db9e4f921ea09e80696b4d39cf1966807bd57c68b1becf5dfc07d531f41fc036f67

Download Submit
memory/364-138-0x000001E5F4B40000-0x000001E5F4B62000-memory.dmp

Filesize
136KB

Download
memory/364-142-0x00007FFD6C0C0000-0x00007FFD6CB81000-memory.dmp

Filesize
10.8MB

Download
memory/364-143-0x00007FFD6C0C0000-0x00007FFD6CB81000-memory.dmp

Filesize
10.8MB

Download
memory/1704-160-0x00007FFD6B130000-0x00007FFD6BBF1000-memory.dmp

Filesize
10.8MB

Download
memory/1704-147-0x0000000000B60000-0x0000000001012000-memory.dmp

Filesize
4.7MB

Download
memory/1704-149-0x00007FFD6B130000-0x00007FFD6BBF1000-memory.dmp

Filesize
10.8MB

Download
memory/1704-148-0x00007FFD6B130000-0x00007FFD6BBF1000-memory.dmp

Filesize
10.8MB

Download
memory/2444-193-0x00007FFD6B130000-0x00007FFD6BBF1000-memory.dmp

Filesize
10.8MB

Download
memory/2444-191-0x00007FFD6B130000-0x00007FFD6BBF1000-memory.dmp

Filesize
10.8MB

Download
memory/3444-161-0x00007FFD6B130000-0x00007FFD6BBF1000-memory.dmp

Filesize
10.8MB

Download
memory/3444-156-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/3444-165-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/3444-166-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/3444-168-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/3444-170-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/3444-171-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/3444-174-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/3444-177-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/3444-176-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/3444-179-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/3444-163-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/3444-164-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/3444-185-0x00007FFD6B130000-0x00007FFD6BBF1000-memory.dmp

Filesize
10.8MB

Download
memory/3484-152-0x00007FFD6B130000-0x00007FFD6BBF1000-memory.dmp

Filesize
10.8MB

Download
memory/3484-155-0x00007FFD6B130000-0x00007FFD6BBF1000-memory.dmp

Filesize
10.8MB

Download
memory/3484-154-0x00007FFD6B130000-0x00007FFD6BBF1000-memory.dmp

Filesize
10.8MB

Download
memory/4204-195-0x00007FFD6B130000-0x00007FFD6BBF1000-memory.dmp

Filesize
10.8MB

Download
memory/4352-184-0x00007FFD6B130000-0x00007FFD6BBF1000-memory.dmp

Filesize
10.8MB

Download
memory/4352-182-0x00007FFD6B130000-0x00007FFD6BBF1000-memory.dmp

Filesize
10.8MB

Download