f4fcbc524c30e4469464eb1c5641577b1042bd6fb5f44835731a3ee156d29c27

Resubmissions

26-11-2022 08:19

221126-j7yhtaed66 10

25-11-2022 12:27

221125-pmxnnsbe8t 8

24-11-2022 09:51

221124-lvp21seh53 10

24-11-2022 09:44

221124-lqgvvahf3x 10

Analysis

max time kernel
967s
max time network
1236s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 12:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.4MB
MD5

073a3dc0c60492b618f888c5e603fd05
SHA1

4de52c57f8f032724452e901120bcf0fbee52902
SHA256

f4fcbc524c30e4469464eb1c5641577b1042bd6fb5f44835731a3ee156d29c27
SHA512

4262dd0e07f0d083c75607a0a67e20b8b8f85c57aeeba2359cc92731a82ba9d2191482cb3d28c7c8f1163b0d9604bf1cfba5ffe168ad7bb6fc7c1c11c99c0d7f
SSDEEP

24576:W+wHtwQBTvwpeNrT2i8k57TujjVx3KClNyOiY:W+sBTopej8Mw3NlNF

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

OWT.exeOWT.exeOWT.exe

pid process

1556 OWT.exe
448 OWT.exe
3144 OWT.exe

pid	process
1556	OWT.exe
448	OWT.exe
3144	OWT.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

OWT.exeOWT.exeOWT.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	OWT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	OWT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	OWT.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4084 1556 WerFault.exe OWT.exe
4124 448 WerFault.exe OWT.exe
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

3560 schtasks.exe
1716 schtasks.exe
3648 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4608 timeout.exe

pid	pid_target	process	target process
4084	1556	WerFault.exe	OWT.exe
4124	448	WerFault.exe	OWT.exe

pid	process
3560	schtasks.exe
1716	schtasks.exe
3648	schtasks.exe

pid	process
4608	timeout.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

file.exepowershell.exeOWT.exepowershell.exeOWT.exepowershell.exeOWT.exepowershell.exe

pid	process
3132	file.exe
3132	file.exe
1004	powershell.exe
1004	powershell.exe
1556	OWT.exe
1556	OWT.exe
3188	powershell.exe
3188	powershell.exe
448	OWT.exe
448	OWT.exe
2264	powershell.exe
2264	powershell.exe
3144	OWT.exe
3144	OWT.exe
3144	OWT.exe
1524	powershell.exe
1524	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OWT.exe

pid process

3144 OWT.exe

pid	process
3144	OWT.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

file.exepowershell.exeOWT.exepowershell.exeOWT.exepowershell.exeOWT.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3132	file.exe
Token: SeDebugPrivilege	1004	powershell.exe
Token: SeDebugPrivilege	1556	OWT.exe
Token: SeDebugPrivilege	3188	powershell.exe
Token: SeDebugPrivilege	448	OWT.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	3144	OWT.exe
Token: SeDebugPrivilege	1524	powershell.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

file.execmd.exeOWT.execmd.exeOWT.execmd.exeOWT.execmd.exe

description	pid	process	target process
PID 3132 wrote to memory of 1004	3132	file.exe	powershell.exe
PID 3132 wrote to memory of 1004	3132	file.exe	powershell.exe
PID 3132 wrote to memory of 4712	3132	file.exe	cmd.exe
PID 3132 wrote to memory of 4712	3132	file.exe	cmd.exe
PID 4712 wrote to memory of 4608	4712	cmd.exe	timeout.exe
PID 4712 wrote to memory of 4608	4712	cmd.exe	timeout.exe
PID 4712 wrote to memory of 1556	4712	cmd.exe	OWT.exe
PID 4712 wrote to memory of 1556	4712	cmd.exe	OWT.exe
PID 1556 wrote to memory of 3188	1556	OWT.exe	powershell.exe
PID 1556 wrote to memory of 3188	1556	OWT.exe	powershell.exe
PID 1556 wrote to memory of 856	1556	OWT.exe	cmd.exe
PID 1556 wrote to memory of 856	1556	OWT.exe	cmd.exe
PID 856 wrote to memory of 3560	856	cmd.exe	schtasks.exe
PID 856 wrote to memory of 3560	856	cmd.exe	schtasks.exe
PID 448 wrote to memory of 2264	448	OWT.exe	powershell.exe
PID 448 wrote to memory of 2264	448	OWT.exe	powershell.exe
PID 448 wrote to memory of 4328	448	OWT.exe	cmd.exe
PID 448 wrote to memory of 4328	448	OWT.exe	cmd.exe
PID 4328 wrote to memory of 1716	4328	cmd.exe	schtasks.exe
PID 4328 wrote to memory of 1716	4328	cmd.exe	schtasks.exe
PID 3144 wrote to memory of 1524	3144	OWT.exe	powershell.exe
PID 3144 wrote to memory of 1524	3144	OWT.exe	powershell.exe
PID 3144 wrote to memory of 3424	3144	OWT.exe	cmd.exe
PID 3144 wrote to memory of 3424	3144	OWT.exe	cmd.exe
PID 3424 wrote to memory of 3648	3424	cmd.exe	schtasks.exe
PID 3424 wrote to memory of 3648	3424	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9C9E.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4712
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:4608
- - C:\ProgramData\winrar\OWT.exe
    "C:\ProgramData\winrar\OWT.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1556
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3188
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "OWT" /tr "C:\ProgramData\winrar\OWT.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:856
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "OWT" /tr "C:\ProgramData\winrar\OWT.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:3560
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1556 -s 1560
      4⤵
      Program crash
      PID:4084

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 404 -p 1556 -ip 1556
1⤵
PID:4916

C:\ProgramData\winrar\OWT.exe
C:\ProgramData\winrar\OWT.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2264
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "OWT" /tr "C:\ProgramData\winrar\OWT.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4328
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "OWT" /tr "C:\ProgramData\winrar\OWT.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1716
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 448 -s 2168
  2⤵
  - Program crash
  PID:4124

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 448 -ip 448
1⤵
PID:2636

C:\ProgramData\winrar\OWT.exe
C:\ProgramData\winrar\OWT.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3144
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1524
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "OWT" /tr "C:\ProgramData\winrar\OWT.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3424
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "OWT" /tr "C:\ProgramData\winrar\OWT.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\screen.jpg

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ProgramData\winrar\OWT.exe

Filesize
1.4MB

MD5
073a3dc0c60492b618f888c5e603fd05

SHA1
4de52c57f8f032724452e901120bcf0fbee52902

SHA256
f4fcbc524c30e4469464eb1c5641577b1042bd6fb5f44835731a3ee156d29c27

SHA512
4262dd0e07f0d083c75607a0a67e20b8b8f85c57aeeba2359cc92731a82ba9d2191482cb3d28c7c8f1163b0d9604bf1cfba5ffe168ad7bb6fc7c1c11c99c0d7f

Download Submit
C:\ProgramData\winrar\OWT.exe

Filesize
1.4MB

MD5
073a3dc0c60492b618f888c5e603fd05

SHA1
4de52c57f8f032724452e901120bcf0fbee52902

SHA256
f4fcbc524c30e4469464eb1c5641577b1042bd6fb5f44835731a3ee156d29c27

SHA512
4262dd0e07f0d083c75607a0a67e20b8b8f85c57aeeba2359cc92731a82ba9d2191482cb3d28c7c8f1163b0d9604bf1cfba5ffe168ad7bb6fc7c1c11c99c0d7f

Download Submit
C:\ProgramData\winrar\OWT.exe

Filesize
1.4MB

MD5
073a3dc0c60492b618f888c5e603fd05

SHA1
4de52c57f8f032724452e901120bcf0fbee52902

SHA256
f4fcbc524c30e4469464eb1c5641577b1042bd6fb5f44835731a3ee156d29c27

SHA512
4262dd0e07f0d083c75607a0a67e20b8b8f85c57aeeba2359cc92731a82ba9d2191482cb3d28c7c8f1163b0d9604bf1cfba5ffe168ad7bb6fc7c1c11c99c0d7f

Download Submit
C:\ProgramData\winrar\OWT.exe

Filesize
1.4MB

MD5
073a3dc0c60492b618f888c5e603fd05

SHA1
4de52c57f8f032724452e901120bcf0fbee52902

SHA256
f4fcbc524c30e4469464eb1c5641577b1042bd6fb5f44835731a3ee156d29c27

SHA512
4262dd0e07f0d083c75607a0a67e20b8b8f85c57aeeba2359cc92731a82ba9d2191482cb3d28c7c8f1163b0d9604bf1cfba5ffe168ad7bb6fc7c1c11c99c0d7f

Download Submit
C:\ProgramData\winrar\uninstall.dat

Filesize
476KB

MD5
9c42da8556cde017198ac9bda4d4dcd4

SHA1
942e768769fd5c6eb2d8c0a1d64ce56d4da2619b

SHA256
e083892858f44fdc8470bf419dc8b9fbb6581c8272840524a8340161e3ac84be

SHA512
7395e5b39ef69ce6b01e6a2bd2658e5c189bde13abcfb461daa494939c2d560d840143ca9d3fe23d00f94f1d2693c5ef83c8b1e6b553bf8c8be3e2da14622908

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2979eabc783eaca50de7be23dd4eafcf

SHA1
d709ce5f3a06b7958a67e20870bfd95b83cad2ea

SHA256
006cca90e78fbb571532a83082ac6712721a34ea4b21f490058ffb3f521f4903

SHA512
92bc433990572d9427d0c93eef9bd1cc23fa00ed60dd0c9c983d87d3421e02ce3f156c6f88fe916ef6782dbf185cbce083bc0094f8c527f302be6a37d1c53aba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d8cb3e9459807e35f02130fad3f9860d

SHA1
5af7f32cb8a30e850892b15e9164030a041f4bd6

SHA256
2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

SHA512
045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d8cb3e9459807e35f02130fad3f9860d

SHA1
5af7f32cb8a30e850892b15e9164030a041f4bd6

SHA256
2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

SHA512
045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9C9E.tmp.bat

Filesize
138B

MD5
abc0ddefbb3e558c56a49a343d808f77

SHA1
6153c2480f977d3361e7dc8c9c153d062528adf7

SHA256
ae12acf8df54f9de05a115599221c992ef72aa1bd8ca1eb35647194984eaa493

SHA512
07da39bee9bc8454e9a8a4751a59214a45e67f159dc223f353517cbc2db9791be3ff6054dfc1741d13b44f84e6b2480e5db48a0bf37b8a0ab031d2a9db57e297

Download Submit
memory/448-216-0x00007FFF2DAE0000-0x00007FFF2DBE2000-memory.dmp

Filesize
1.0MB

Download
memory/448-205-0x00007FFF2E740000-0x00007FFF2E88E000-memory.dmp

Filesize
1.3MB

Download
memory/448-197-0x00007FFF469B0000-0x00007FFF469C2000-memory.dmp

Filesize
72KB

Download
memory/448-198-0x00007FFF2E890000-0x00007FFF2E94D000-memory.dmp

Filesize
756KB

Download
memory/448-199-0x00007FFF4A2A0000-0x00007FFF4A441000-memory.dmp

Filesize
1.6MB

Download
memory/448-222-0x00007FFF2B7A0000-0x00007FFF2C261000-memory.dmp

Filesize
10.8MB

Download
memory/448-221-0x0000000000E50000-0x0000000000E91000-memory.dmp

Filesize
260KB

Download
memory/448-195-0x00007FFF3C840000-0x00007FFF3C8EA000-memory.dmp

Filesize
680KB

Download
memory/448-220-0x0000000000540000-0x000000000070C000-memory.dmp

Filesize
1.8MB

Download
memory/448-219-0x00007FFF2D970000-0x00007FFF2DADA000-memory.dmp

Filesize
1.4MB

Download
memory/448-200-0x00007FFF2B7A0000-0x00007FFF2C261000-memory.dmp

Filesize
10.8MB

Download
memory/448-218-0x00007FFF47E60000-0x00007FFF47E9B000-memory.dmp

Filesize
236KB

Download
memory/448-217-0x00007FFF4A030000-0x00007FFF4A09B000-memory.dmp

Filesize
428KB

Download
memory/448-201-0x0000000000540000-0x000000000070C000-memory.dmp

Filesize
1.8MB

Download
memory/448-215-0x00007FFF3CE60000-0x00007FFF3CE95000-memory.dmp

Filesize
212KB

Download
memory/448-214-0x00007FFF48DE0000-0x00007FFF48E07000-memory.dmp

Filesize
156KB

Download
memory/448-211-0x00007FFF2B7A0000-0x00007FFF2C261000-memory.dmp

Filesize
10.8MB

Download
memory/448-202-0x0000000000E50000-0x0000000000E91000-memory.dmp

Filesize
260KB

Download
memory/448-196-0x00007FFF4ACA0000-0x00007FFF4AD3E000-memory.dmp

Filesize
632KB

Download
memory/448-203-0x00007FFF49F00000-0x00007FFF49F2B000-memory.dmp

Filesize
172KB

Download
memory/448-204-0x0000000000540000-0x000000000070C000-memory.dmp

Filesize
1.8MB

Download
memory/856-177-0x0000000000000000-mapping.dmp

Download
memory/1004-157-0x00007FFF2BB20000-0x00007FFF2C5E1000-memory.dmp

Filesize
10.8MB

Download
memory/1004-154-0x00007FFF2BB20000-0x00007FFF2C5E1000-memory.dmp

Filesize
10.8MB

Download
memory/1004-148-0x0000000000000000-mapping.dmp

Download
memory/1004-152-0x00000223C3BC0000-0x00000223C3BE2000-memory.dmp

Filesize
136KB

Download
memory/1524-236-0x0000000000000000-mapping.dmp

Download
memory/1524-241-0x00007FFF2D880000-0x00007FFF2E341000-memory.dmp

Filesize
10.8MB

Download
memory/1556-168-0x0000000000540000-0x000000000070C000-memory.dmp

Filesize
1.8MB

Download
memory/1556-186-0x00007FFF28F90000-0x00007FFF290FA000-memory.dmp

Filesize
1.4MB

Download
memory/1556-158-0x0000000000000000-mapping.dmp

Download
memory/1556-176-0x00007FFF2BAF0000-0x00007FFF2C5B1000-memory.dmp

Filesize
10.8MB

Download
memory/1556-167-0x00007FFF2BAF0000-0x00007FFF2C5B1000-memory.dmp

Filesize
10.8MB

Download
memory/1556-173-0x00007FFF2A020000-0x00007FFF2A16E000-memory.dmp

Filesize
1.3MB

Download
memory/1556-170-0x00000000030C0000-0x0000000003101000-memory.dmp

Filesize
260KB

Download
memory/1556-180-0x0000000000540000-0x000000000070C000-memory.dmp

Filesize
1.8MB

Download
memory/1556-181-0x00000000030C0000-0x0000000003101000-memory.dmp

Filesize
260KB

Download
memory/1556-182-0x00007FFF2BAF0000-0x00007FFF2C5B1000-memory.dmp

Filesize
10.8MB

Download
memory/1556-169-0x00007FFF49F00000-0x00007FFF49F2B000-memory.dmp

Filesize
172KB

Download
memory/1556-162-0x00007FFF3CC70000-0x00007FFF3CD1A000-memory.dmp

Filesize
680KB

Download
memory/1556-163-0x00007FFF4ACA0000-0x00007FFF4AD3E000-memory.dmp

Filesize
632KB

Download
memory/1556-166-0x00007FFF4A2A0000-0x00007FFF4A441000-memory.dmp

Filesize
1.6MB

Download
memory/1556-187-0x00007FFF48DE0000-0x00007FFF48E07000-memory.dmp

Filesize
156KB

Download
memory/1556-188-0x00007FFF2F020000-0x00007FFF2F055000-memory.dmp

Filesize
212KB

Download
memory/1556-189-0x00007FFF27A90000-0x00007FFF27B92000-memory.dmp

Filesize
1.0MB

Download
memory/1556-190-0x00007FFF4A030000-0x00007FFF4A09B000-memory.dmp

Filesize
428KB

Download
memory/1556-191-0x00007FFF2BAF0000-0x00007FFF2C5B1000-memory.dmp

Filesize
10.8MB

Download
memory/1556-192-0x0000000000540000-0x000000000070C000-memory.dmp

Filesize
1.8MB

Download
memory/1556-164-0x00007FFF469B0000-0x00007FFF469C2000-memory.dmp

Filesize
72KB

Download
memory/1556-171-0x0000000000540000-0x000000000070C000-memory.dmp

Filesize
1.8MB

Download
memory/1556-165-0x00007FFF3CB90000-0x00007FFF3CC4D000-memory.dmp

Filesize
756KB

Download
memory/1556-172-0x0000000000540000-0x000000000070C000-memory.dmp

Filesize
1.8MB

Download
memory/1716-209-0x0000000000000000-mapping.dmp

Download
memory/2264-206-0x0000000000000000-mapping.dmp

Download
memory/2264-212-0x00007FFF2B7A0000-0x00007FFF2C261000-memory.dmp

Filesize
10.8MB

Download
memory/2264-213-0x00007FFF2B7A0000-0x00007FFF2C261000-memory.dmp

Filesize
10.8MB

Download
memory/3132-139-0x0000000000C00000-0x0000000000C41000-memory.dmp

Filesize
260KB

Download
memory/3132-151-0x0000000000C00000-0x0000000000C41000-memory.dmp

Filesize
260KB

Download
memory/3132-134-0x00007FFF4ACA0000-0x00007FFF4AD3E000-memory.dmp

Filesize
632KB

Download
memory/3132-133-0x00007FFF2C5F0000-0x00007FFF2C69A000-memory.dmp

Filesize
680KB

Download
memory/3132-147-0x00007FFF2BB20000-0x00007FFF2C5E1000-memory.dmp

Filesize
10.8MB

Download
memory/3132-135-0x00007FFF469B0000-0x00007FFF469C2000-memory.dmp

Filesize
72KB

Download
memory/3132-145-0x00007FFF3CC40000-0x00007FFF3CD8E000-memory.dmp

Filesize
1.3MB

Download
memory/3132-146-0x00007FFF2BB20000-0x00007FFF2C5E1000-memory.dmp

Filesize
10.8MB

Download
memory/3132-137-0x00000000001F0000-0x00000000003BC000-memory.dmp

Filesize
1.8MB

Download
memory/3132-141-0x00007FFF49F00000-0x00007FFF49F2B000-memory.dmp

Filesize
172KB

Download
memory/3132-140-0x00007FFF2BB20000-0x00007FFF2C5E1000-memory.dmp

Filesize
10.8MB

Download
memory/3132-136-0x00007FFF2BA60000-0x00007FFF2BB1D000-memory.dmp

Filesize
756KB

Download
memory/3132-144-0x00000000001F0000-0x00000000003BC000-memory.dmp

Filesize
1.8MB

Download
memory/3132-142-0x00000000001F0000-0x00000000003BC000-memory.dmp

Filesize
1.8MB

Download
memory/3132-138-0x00007FFF4A2A0000-0x00007FFF4A441000-memory.dmp

Filesize
1.6MB

Download
memory/3132-143-0x0000000000C00000-0x0000000000C41000-memory.dmp

Filesize
260KB

Download
memory/3132-150-0x00000000001F0000-0x00000000003BC000-memory.dmp

Filesize
1.8MB

Download
memory/3132-153-0x00007FFF2BB20000-0x00007FFF2C5E1000-memory.dmp

Filesize
10.8MB

Download
memory/3144-234-0x0000000000540000-0x000000000070C000-memory.dmp

Filesize
1.8MB

Download
memory/3144-229-0x00007FFF4A2A0000-0x00007FFF4A441000-memory.dmp

Filesize
1.6MB

Download
memory/3144-246-0x00007FFF2D880000-0x00007FFF2E341000-memory.dmp

Filesize
10.8MB

Download
memory/3144-245-0x00000000027D0000-0x0000000002811000-memory.dmp

Filesize
260KB

Download
memory/3144-225-0x00007FFF3C840000-0x00007FFF3C8EA000-memory.dmp

Filesize
680KB

Download
memory/3144-226-0x00007FFF4ACA0000-0x00007FFF4AD3E000-memory.dmp

Filesize
632KB

Download
memory/3144-228-0x00007FFF36E40000-0x00007FFF36EFD000-memory.dmp

Filesize
756KB

Download
memory/3144-238-0x00007FFF48DE0000-0x00007FFF48E07000-memory.dmp

Filesize
156KB

Download
memory/3144-227-0x00007FFF469B0000-0x00007FFF469C2000-memory.dmp

Filesize
72KB

Download
memory/3144-231-0x0000000000540000-0x000000000070C000-memory.dmp

Filesize
1.8MB

Download
memory/3144-232-0x00000000027D0000-0x0000000002811000-memory.dmp

Filesize
260KB

Download
memory/3144-230-0x00007FFF2D880000-0x00007FFF2E341000-memory.dmp

Filesize
10.8MB

Download
memory/3144-233-0x00007FFF49F00000-0x00007FFF49F2B000-memory.dmp

Filesize
172KB

Download
memory/3144-244-0x0000000000540000-0x000000000070C000-memory.dmp

Filesize
1.8MB

Download
memory/3144-235-0x00007FFF36CF0000-0x00007FFF36E3E000-memory.dmp

Filesize
1.3MB

Download
memory/3144-242-0x00007FFF2D880000-0x00007FFF2E341000-memory.dmp

Filesize
10.8MB

Download
memory/3188-183-0x00007FFF2BAF0000-0x00007FFF2C5B1000-memory.dmp

Filesize
10.8MB

Download
memory/3188-184-0x00007FFF2BAF0000-0x00007FFF2C5B1000-memory.dmp

Filesize
10.8MB

Download
memory/3188-174-0x0000000000000000-mapping.dmp

Download
memory/3188-178-0x00007FFF2BAF0000-0x00007FFF2C5B1000-memory.dmp

Filesize
10.8MB

Download
memory/3424-237-0x0000000000000000-mapping.dmp

Download
memory/3560-185-0x0000000000000000-mapping.dmp

Download
memory/3648-240-0x0000000000000000-mapping.dmp

Download
memory/4328-207-0x0000000000000000-mapping.dmp

Download
memory/4608-156-0x0000000000000000-mapping.dmp

Download
memory/4712-149-0x0000000000000000-mapping.dmp

Download