dcf86afd771b851e2cec90dd044a7d629a1bda033e2bdafe6c198180d7cf0f15

Resubmissions

04-05-2023 21:16

230504-z4frlaha9y 3

04-05-2023 20:53

230504-zpsgvafb66 3

04-05-2023 20:38

230504-zew3aafa88 8

04-05-2023 20:30

230504-y97ltsgg7x 3

Analysis

max time kernel
72s
max time network
90s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
04-05-2023 21:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MossfieldOrigin.exe
Size

33.1MB
MD5

bb48e12db27082f17fbaf07fa1f11276
SHA1

68b4b598a36f9325169a3a5b1c4e00d86dee3b6e
SHA256

83e7c2cd30fbc3fbb7baa0b997d9fa5bf9ed075a510ba2382be7d6c44006273c
SHA512

f2b37160c99d6512d10eb260759d731636f418bbdca936c317079963cc286fbf09da75724b5c05b25a937cfa24ddca47d8bf7068ee164ebc5f3590532eb4cd7c
SSDEEP

393216:RVkZDbxDV08qbsvOaNpDBcDsxsbqFlUMFkEli4dqRYVHkFtOv9OBBuX6rYRAqs3s:RG/DpKtzIVm09tX6rYSnyQH1lQ

Score

1^/10

Malware Config

Signatures

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2336	vlc.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2404	powershell.exe
2404	powershell.exe
4620	powershell.exe
4620	powershell.exe
2244	powershell.exe
2244	powershell.exe
4356	powershell.exe
4356	powershell.exe
1192	powershell.exe
4632	powershell.exe
1192	powershell.exe
3924	powershell.exe
4632	powershell.exe
3924	powershell.exe
4876	powershell.exe
4876	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2336	vlc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeDebugPrivilege	4620	powershell.exe
Token: SeIncreaseQuotaPrivilege	2404	powershell.exe
Token: SeSecurityPrivilege	2404	powershell.exe
Token: SeTakeOwnershipPrivilege	2404	powershell.exe
Token: SeLoadDriverPrivilege	2404	powershell.exe
Token: SeSystemProfilePrivilege	2404	powershell.exe
Token: SeSystemtimePrivilege	2404	powershell.exe
Token: SeProfSingleProcessPrivilege	2404	powershell.exe
Token: SeIncBasePriorityPrivilege	2404	powershell.exe
Token: SeCreatePagefilePrivilege	2404	powershell.exe
Token: SeBackupPrivilege	2404	powershell.exe
Token: SeRestorePrivilege	2404	powershell.exe
Token: SeShutdownPrivilege	2404	powershell.exe
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeSystemEnvironmentPrivilege	2404	powershell.exe
Token: SeRemoteShutdownPrivilege	2404	powershell.exe
Token: SeUndockPrivilege	2404	powershell.exe
Token: SeManageVolumePrivilege	2404	powershell.exe
Token: 33	2404	powershell.exe
Token: 34	2404	powershell.exe
Token: 35	2404	powershell.exe
Token: 36	2404	powershell.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeIncreaseQuotaPrivilege	2244	powershell.exe
Token: SeSecurityPrivilege	2244	powershell.exe
Token: SeTakeOwnershipPrivilege	2244	powershell.exe
Token: SeLoadDriverPrivilege	2244	powershell.exe
Token: SeSystemProfilePrivilege	2244	powershell.exe
Token: SeSystemtimePrivilege	2244	powershell.exe
Token: SeProfSingleProcessPrivilege	2244	powershell.exe
Token: SeIncBasePriorityPrivilege	2244	powershell.exe
Token: SeCreatePagefilePrivilege	2244	powershell.exe
Token: SeBackupPrivilege	2244	powershell.exe
Token: SeRestorePrivilege	2244	powershell.exe
Token: SeShutdownPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeSystemEnvironmentPrivilege	2244	powershell.exe
Token: SeRemoteShutdownPrivilege	2244	powershell.exe
Token: SeUndockPrivilege	2244	powershell.exe
Token: SeManageVolumePrivilege	2244	powershell.exe
Token: 33	2244	powershell.exe
Token: 34	2244	powershell.exe
Token: 35	2244	powershell.exe
Token: 36	2244	powershell.exe
Token: SeDebugPrivilege	4356	powershell.exe
Token: SeIncreaseQuotaPrivilege	4356	powershell.exe
Token: SeSecurityPrivilege	4356	powershell.exe
Token: SeTakeOwnershipPrivilege	4356	powershell.exe
Token: SeLoadDriverPrivilege	4356	powershell.exe
Token: SeSystemProfilePrivilege	4356	powershell.exe
Token: SeSystemtimePrivilege	4356	powershell.exe
Token: SeProfSingleProcessPrivilege	4356	powershell.exe
Token: SeIncBasePriorityPrivilege	4356	powershell.exe
Token: SeCreatePagefilePrivilege	4356	powershell.exe
Token: SeBackupPrivilege	4356	powershell.exe
Token: SeRestorePrivilege	4356	powershell.exe
Token: SeShutdownPrivilege	4356	powershell.exe
Token: SeDebugPrivilege	4356	powershell.exe
Token: SeSystemEnvironmentPrivilege	4356	powershell.exe
Token: SeRemoteShutdownPrivilege	4356	powershell.exe
Token: SeUndockPrivilege	4356	powershell.exe
Token: SeManageVolumePrivilege	4356	powershell.exe
Token: 33	4356	powershell.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2336	vlc.exe
2336	vlc.exe
2336	vlc.exe
2336	vlc.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2336	vlc.exe
2336	vlc.exe
2336	vlc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2336	vlc.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 4044 wrote to memory of 3044	4044	MossfieldOrigin.exe	85
PID 4044 wrote to memory of 3044	4044	MossfieldOrigin.exe	85
PID 3044 wrote to memory of 4244	3044	cmd.exe	87
PID 3044 wrote to memory of 4244	3044	cmd.exe	87
PID 4044 wrote to memory of 4620	4044	MossfieldOrigin.exe	88
PID 4044 wrote to memory of 4620	4044	MossfieldOrigin.exe	88
PID 4044 wrote to memory of 2404	4044	MossfieldOrigin.exe	89
PID 4044 wrote to memory of 2404	4044	MossfieldOrigin.exe	89
PID 4620 wrote to memory of 1860	4620	powershell.exe	91
PID 4620 wrote to memory of 1860	4620	powershell.exe	91
PID 1860 wrote to memory of 2232	1860	csc.exe	92
PID 1860 wrote to memory of 2232	1860	csc.exe	92
PID 4044 wrote to memory of 2244	4044	MossfieldOrigin.exe	93
PID 4044 wrote to memory of 2244	4044	MossfieldOrigin.exe	93
PID 4044 wrote to memory of 4356	4044	MossfieldOrigin.exe	99
PID 4044 wrote to memory of 4356	4044	MossfieldOrigin.exe	99
PID 4044 wrote to memory of 1020	4044	MossfieldOrigin.exe	101
PID 4044 wrote to memory of 1020	4044	MossfieldOrigin.exe	101
PID 4044 wrote to memory of 1192	4044	MossfieldOrigin.exe	103
PID 4044 wrote to memory of 1192	4044	MossfieldOrigin.exe	103
PID 4044 wrote to memory of 4632	4044	MossfieldOrigin.exe	107
PID 4044 wrote to memory of 4632	4044	MossfieldOrigin.exe	107
PID 4044 wrote to memory of 3924	4044	MossfieldOrigin.exe	106
PID 4044 wrote to memory of 3924	4044	MossfieldOrigin.exe	106
PID 4044 wrote to memory of 2296	4044	MossfieldOrigin.exe	109
PID 4044 wrote to memory of 2296	4044	MossfieldOrigin.exe	109
PID 2296 wrote to memory of 3740	2296	cmd.exe	112
PID 2296 wrote to memory of 3740	2296	cmd.exe	112
PID 4044 wrote to memory of 4876	4044	MossfieldOrigin.exe	113
PID 4044 wrote to memory of 4876	4044	MossfieldOrigin.exe	113
PID 4044 wrote to memory of 352	4044	MossfieldOrigin.exe	115
PID 4044 wrote to memory of 352	4044	MossfieldOrigin.exe	115
PID 352 wrote to memory of 3396	352	cmd.exe	117
PID 352 wrote to memory of 3396	352	cmd.exe	117
PID 4044 wrote to memory of 1636	4044	MossfieldOrigin.exe	118
PID 4044 wrote to memory of 1636	4044	MossfieldOrigin.exe	118

C:\Users\Admin\AppData\Local\Temp\MossfieldOrigin.exe
"C:\Users\Admin\AppData\Local\Temp\MossfieldOrigin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "chcp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Windows\system32\chcp.com
    chcp
    3⤵
    PID:4244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -c " Add-Type -Name Window -Namespace Console -MemberDefinition ' [DllImport(\"Kernel32.dll\")] public static extern IntPtr GetConsoleWindow(); [DllImport(\"user32.dll\")] public static extern bool ShowWindow(IntPtr hWnd, Int32 nCmdShow); ' $consolePtr = [Console.Window]::GetConsoleWindow() #0 hide [Console.Window]::ShowWindow($consolePtr, 0) "
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4620
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cjnjiffk\cjnjiffk.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1860
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES87E2.tmp" "c:\Users\Admin\AppData\Local\Temp\cjnjiffk\CSCAFBE81E5D20C4CEE8757311A0B92D0.TMP"
      4⤵
      PID:2232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%"
  2⤵
  PID:1020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1192
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "findstr /C:"Detected boot environment" "%windir%\Panther\setupact.log""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\system32\findstr.exe
    findstr /C:"Detected boot environment" "C:\Windows\Panther\setupact.log"
    3⤵
    PID:3740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v MachineGuid"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:352
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v MachineGuid
    3⤵
    PID:3396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""undefined\VBoxManage.exe" list vms --long"
  2⤵
  PID:1636

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\JoinRemove.3gp"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2336

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
2f87410b0d834a14ceff69e18946d066

SHA1
f2ec80550202d493db61806693439a57b76634f3

SHA256
5422bc17b852ad463110de0db9b59ffa4219e065d3e2843618d6ebbd14273c65

SHA512
a313702f22450ceff0a1d7f890b0c16cf667dbcd668dbafa6dbecd0791236c0bc68e834d12113cc75352365c2a2b6cfcf30b6ef7c97ea53ed135da50de389db4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
0fa26551915f91b51ecb8a3bcc371a0c

SHA1
6bdc2276249806945d25e29aefeefb3f77445ada

SHA256
d39672eebd0620bd8f71b2c21daef1b0ca39e0f26df7c7697618f973abc61312

SHA512
ff92870dd548b15b2cfbaba56e5311ae5e4883e949dfd796c18d2c3d7a7f9043130d912045225221707769f41ae3e0c382da2207dce22b07a0859255a9acb804

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
2236bdd7d6fe867b88578cce7b3767fe

SHA1
63ac234cc96a8976014c622a2557c14520f92ede

SHA256
1a7ee098437c16d37f9fa931f5af862f85f483f6c9f98f0a229546c062cb844f

SHA512
f0ff4a8d8e2906c2639b4d10bb1d324976ebb72ed296b8890301ff37d5790a565aa42ebc827e023d8e7c85d5c5299ba59fe5d995632cd04323caf10a2001ccb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
fd7ab915585654521a418f018ef3d960

SHA1
f8cc8412b3da5681f4d6df3a9e3b9162f05fc25a

SHA256
4a425868885f331124c6cbdea64a491249024b7a9bd801c817faac5b1ae7b088

SHA512
d7b1269991173c665d7e9b4be0339a58b0bdfecea2eb4490519e1aa64c94e1c83139fd9df2d4944abec7eb297f695219932825e18ce7101dde875fb0ee764fc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
104B

MD5
54b5fa9bd9a0ed3a6e91a93adb69d68e

SHA1
f2bd686895474fdebb06bb6f5765221d3d55dc70

SHA256
9a1e5462caa71bdd4c8b0e490f4bd351b5b53e1bb6fb8ee9d8f2bf68afe92472

SHA512
3412d4cee57e11861fb0a563b7876bcf51f7326f6564166f163e209649a8e511f1a7d6feff644ea778688c6db6e376d1dc44460fdfeb4aaa440fe0eb7c808d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
8ef23aa7ab3bf543ffa52032638c0181

SHA1
95483c575480b8ba1e1c9435724c6d8810a1d7d7

SHA256
ca3d06a20b68be087dfbd3f09d59f04f46b24d8ff18c9f1033eefb53be76c96f

SHA512
838f4fc0a0123a88f2446f4cab8a50a990e2f87d0c8f536b0c856536c8ce298c0dc711cba86402d9f09224d398080c3bc1f1248360e0ace59241a3f7ec7dee47

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES87E2.tmp

Filesize
1KB

MD5
8ff372e228b8293dc3dca32abcb2faaf

SHA1
41081797998af627f6bafb321a4db70e14beae71

SHA256
0e48981bf8744403abf5a2145060d9fd1722b93e4dfeed1cd25a5a7ee9018551

SHA512
0318a70abda78eefce20ee701393f92dcae8b39074ace241a195ec86c523a46b839afd7f4301963f41c0bbabd83363d907df62cd1907e0f59fd1119bfeed9283

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_slw3cpfy.ab3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cjnjiffk\cjnjiffk.dll

Filesize
3KB

MD5
073a1ff00b9af8ff884b23b2fc31c685

SHA1
cc9a13de2b02ba886aba1dc493c0dcadb2260548

SHA256
3f0b4393796f9cb243a9252dc5e5611fbc5aaddf21c6e2d9af69352a494c1521

SHA512
8367fe09eec80c61d4eeb45bff4c37f643a51ccb8b40045b3d16bcd6b05859fdadc3527ce0e093eb311cb7f3cab6f93bc94b0e935888ce1e49841eb4962c046e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cjnjiffk\CSCAFBE81E5D20C4CEE8757311A0B92D0.TMP

Filesize
652B

MD5
f2f7997188e3b0101c1438aadc6a695e

SHA1
f51dc6a3f6bed4e8240c3d65e9b0a2c20eacd630

SHA256
9fbe126f6d84881db307bbf5540bc9d75e07eae77eb5610916a42f80f0e14218

SHA512
6b0802cf2f98a2734361a1c3f85be15d538295b75b5680e2d307cfe86ddc4f6eeb44433ef306467187a4df995f1047d8d03bb7c3647e6e54abbc03877bcef4c9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cjnjiffk\cjnjiffk.0.cs

Filesize
312B

MD5
ecbf151f81ff98f7dff196304a40239e

SHA1
ccf6b97b6f8276656b042d64f0595963fe9ec79c

SHA256
295ca195631c485c876e7c468ddcbb3fe7cd219d3e5005a2441be2de54e62ac8

SHA512
4526a59055a18af6c0c13fb9f55a9a9bc15aa1407b697849e19b6cc32c88ee7206b3efff806bd154d36bce144ae1d9c407c6ea0f5077c54fbe92cd172c203720

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cjnjiffk\cjnjiffk.cmdline

Filesize
369B

MD5
e24da6e71a5f13ffc2cd81300420f4cb

SHA1
3f349144f36f9e6015aa433907459d34a25b4f9a

SHA256
e089e2d20b050e39edda571c738d3083d297e0a60a59020d425bd67167475716

SHA512
5eb2ab29b11db56c7197ae25c67371ae8ba9000601b9427d43cdb22f8c4f42208fc4bf9fa214bfe3eda5bd486b31b35ee808e7ef831936fa69007a90dba34aa6

Download Submit
memory/1192-255-0x000002B944F80000-0x000002B944F90000-memory.dmp

Filesize
64KB

Download
memory/1192-247-0x000002B944F80000-0x000002B944F90000-memory.dmp

Filesize
64KB

Download
memory/1192-245-0x000002B944F80000-0x000002B944F90000-memory.dmp

Filesize
64KB

Download
memory/2244-199-0x0000026BC4090000-0x0000026BC40A0000-memory.dmp

Filesize
64KB

Download
memory/2244-198-0x0000026BC4090000-0x0000026BC40A0000-memory.dmp

Filesize
64KB

Download
memory/2244-197-0x0000026BC4090000-0x0000026BC40A0000-memory.dmp

Filesize
64KB

Download
memory/2336-297-0x00007FFA81B20000-0x00007FFA81B54000-memory.dmp

Filesize
208KB

Download
memory/2336-300-0x00007FFA78110000-0x00007FFA78222000-memory.dmp

Filesize
1.1MB

Download
memory/2336-296-0x00007FF79FDD0000-0x00007FF79FEC8000-memory.dmp

Filesize
992KB

Download
memory/2336-299-0x00007FFA78F40000-0x00007FFA79FEB000-memory.dmp

Filesize
16.7MB

Download
memory/2336-298-0x00007FFA7A7D0000-0x00007FFA7AA84000-memory.dmp

Filesize
2.7MB

Download
memory/2404-181-0x0000021EE7FD0000-0x0000021EE7FF4000-memory.dmp

Filesize
144KB

Download
memory/2404-145-0x0000021EE7F00000-0x0000021EE7F22000-memory.dmp

Filesize
136KB

Download
memory/2404-166-0x0000021ECE0E0000-0x0000021ECE0F0000-memory.dmp

Filesize
64KB

Download
memory/2404-180-0x0000021EE7FD0000-0x0000021EE7FFA000-memory.dmp

Filesize
168KB

Download
memory/2404-163-0x0000021ECE0E0000-0x0000021ECE0F0000-memory.dmp

Filesize
64KB

Download
memory/2404-167-0x0000021ECE0E0000-0x0000021ECE0F0000-memory.dmp

Filesize
64KB

Download
memory/2404-157-0x0000021EE8780000-0x0000021EE87F6000-memory.dmp

Filesize
472KB

Download
memory/2404-156-0x0000021EE7F80000-0x0000021EE7FC4000-memory.dmp

Filesize
272KB

Download
memory/3924-254-0x000002023DD60000-0x000002023DD70000-memory.dmp

Filesize
64KB

Download
memory/3924-253-0x000002023DD60000-0x000002023DD70000-memory.dmp

Filesize
64KB

Download
memory/4356-216-0x0000025629A40000-0x0000025629A50000-memory.dmp

Filesize
64KB

Download
memory/4356-215-0x0000025629A40000-0x0000025629A50000-memory.dmp

Filesize
64KB

Download
memory/4356-214-0x0000025629A40000-0x0000025629A50000-memory.dmp

Filesize
64KB

Download
memory/4620-168-0x00000176E4F60000-0x00000176E4F70000-memory.dmp

Filesize
64KB

Download
memory/4632-252-0x0000021A96CF0000-0x0000021A96D00000-memory.dmp

Filesize
64KB

Download
memory/4632-246-0x0000021A96CF0000-0x0000021A96D00000-memory.dmp

Filesize
64KB

Download
memory/4876-281-0x00000203BB480000-0x00000203BB490000-memory.dmp

Filesize
64KB

Download
memory/4876-282-0x00000203BB480000-0x00000203BB490000-memory.dmp

Filesize
64KB

Download