dcf86afd771b851e2cec90dd044a7d629a1bda033e2bdafe6c198180d7cf0f15

Resubmissions

04/05/2023, 21:16

230504-z4frlaha9y 3

04/05/2023, 20:53

230504-zpsgvafb66 3

04/05/2023, 20:38

230504-zew3aafa88 8

04/05/2023, 20:30

230504-y97ltsgg7x 3

Analysis

max time kernel
58s
max time network
177s
platform
windows10-1703_x64
resource
win10-20230220-de
resource tags

arch:x64arch:x86image:win10-20230220-delocale:de-deos:windows10-1703-x64systemwindows
submitted
04/05/2023, 20:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MossfieldOrigin.exe
Size

33.1MB
MD5

bb48e12db27082f17fbaf07fa1f11276
SHA1

68b4b598a36f9325169a3a5b1c4e00d86dee3b6e
SHA256

83e7c2cd30fbc3fbb7baa0b997d9fa5bf9ed075a510ba2382be7d6c44006273c
SHA512

f2b37160c99d6512d10eb260759d731636f418bbdca936c317079963cc286fbf09da75724b5c05b25a937cfa24ddca47d8bf7068ee164ebc5f3590532eb4cd7c
SSDEEP

393216:RVkZDbxDV08qbsvOaNpDBcDsxsbqFlUMFkEli4dqRYVHkFtOv9OBBuX6rYRAqs3s:RG/DpKtzIVm09tX6rYSnyQH1lQ

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3860	powershell.exe
4024	powershell.exe
3860	powershell.exe
4024	powershell.exe
4024	powershell.exe
3860	powershell.exe
2364	powershell.exe
2364	powershell.exe
2364	powershell.exe
4492	powershell.exe
4492	powershell.exe
4492	powershell.exe
4756	powershell.exe
796	powershell.exe
4780	powershell.exe
4756	powershell.exe
796	powershell.exe
4780	powershell.exe
4756	powershell.exe
796	powershell.exe
4780	powershell.exe
1340	powershell.exe
1340	powershell.exe
1340	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3860	powershell.exe
Token: SeDebugPrivilege	4024	powershell.exe
Token: SeIncreaseQuotaPrivilege	3860	powershell.exe
Token: SeSecurityPrivilege	3860	powershell.exe
Token: SeTakeOwnershipPrivilege	3860	powershell.exe
Token: SeLoadDriverPrivilege	3860	powershell.exe
Token: SeSystemProfilePrivilege	3860	powershell.exe
Token: SeSystemtimePrivilege	3860	powershell.exe
Token: SeProfSingleProcessPrivilege	3860	powershell.exe
Token: SeIncBasePriorityPrivilege	3860	powershell.exe
Token: SeCreatePagefilePrivilege	3860	powershell.exe
Token: SeBackupPrivilege	3860	powershell.exe
Token: SeRestorePrivilege	3860	powershell.exe
Token: SeShutdownPrivilege	3860	powershell.exe
Token: SeDebugPrivilege	3860	powershell.exe
Token: SeSystemEnvironmentPrivilege	3860	powershell.exe
Token: SeRemoteShutdownPrivilege	3860	powershell.exe
Token: SeUndockPrivilege	3860	powershell.exe
Token: SeManageVolumePrivilege	3860	powershell.exe
Token: 33	3860	powershell.exe
Token: 34	3860	powershell.exe
Token: 35	3860	powershell.exe
Token: 36	3860	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeIncreaseQuotaPrivilege	2364	powershell.exe
Token: SeSecurityPrivilege	2364	powershell.exe
Token: SeTakeOwnershipPrivilege	2364	powershell.exe
Token: SeLoadDriverPrivilege	2364	powershell.exe
Token: SeSystemProfilePrivilege	2364	powershell.exe
Token: SeSystemtimePrivilege	2364	powershell.exe
Token: SeProfSingleProcessPrivilege	2364	powershell.exe
Token: SeIncBasePriorityPrivilege	2364	powershell.exe
Token: SeCreatePagefilePrivilege	2364	powershell.exe
Token: SeBackupPrivilege	2364	powershell.exe
Token: SeRestorePrivilege	2364	powershell.exe
Token: SeShutdownPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeSystemEnvironmentPrivilege	2364	powershell.exe
Token: SeRemoteShutdownPrivilege	2364	powershell.exe
Token: SeUndockPrivilege	2364	powershell.exe
Token: SeManageVolumePrivilege	2364	powershell.exe
Token: 33	2364	powershell.exe
Token: 34	2364	powershell.exe
Token: 35	2364	powershell.exe
Token: 36	2364	powershell.exe
Token: SeDebugPrivilege	4492	powershell.exe
Token: SeIncreaseQuotaPrivilege	4492	powershell.exe
Token: SeSecurityPrivilege	4492	powershell.exe
Token: SeTakeOwnershipPrivilege	4492	powershell.exe
Token: SeLoadDriverPrivilege	4492	powershell.exe
Token: SeSystemProfilePrivilege	4492	powershell.exe
Token: SeSystemtimePrivilege	4492	powershell.exe
Token: SeProfSingleProcessPrivilege	4492	powershell.exe
Token: SeIncBasePriorityPrivilege	4492	powershell.exe
Token: SeCreatePagefilePrivilege	4492	powershell.exe
Token: SeBackupPrivilege	4492	powershell.exe
Token: SeRestorePrivilege	4492	powershell.exe
Token: SeShutdownPrivilege	4492	powershell.exe
Token: SeDebugPrivilege	4492	powershell.exe
Token: SeSystemEnvironmentPrivilege	4492	powershell.exe
Token: SeRemoteShutdownPrivilege	4492	powershell.exe
Token: SeUndockPrivilege	4492	powershell.exe
Token: SeManageVolumePrivilege	4492	powershell.exe
Token: 33	4492	powershell.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3456 wrote to memory of 4300	3456	MossfieldOrigin.exe	67
PID 3456 wrote to memory of 4300	3456	MossfieldOrigin.exe	67
PID 4300 wrote to memory of 1452	4300	cmd.exe	69
PID 4300 wrote to memory of 1452	4300	cmd.exe	69
PID 3456 wrote to memory of 4024	3456	MossfieldOrigin.exe	70
PID 3456 wrote to memory of 4024	3456	MossfieldOrigin.exe	70
PID 3456 wrote to memory of 3860	3456	MossfieldOrigin.exe	71
PID 3456 wrote to memory of 3860	3456	MossfieldOrigin.exe	71
PID 4024 wrote to memory of 4828	4024	powershell.exe	73
PID 4024 wrote to memory of 4828	4024	powershell.exe	73
PID 4828 wrote to memory of 4756	4828	csc.exe	74
PID 4828 wrote to memory of 4756	4828	csc.exe	74
PID 3456 wrote to memory of 2364	3456	MossfieldOrigin.exe	76
PID 3456 wrote to memory of 2364	3456	MossfieldOrigin.exe	76
PID 3456 wrote to memory of 4492	3456	MossfieldOrigin.exe	79
PID 3456 wrote to memory of 4492	3456	MossfieldOrigin.exe	79
PID 3456 wrote to memory of 972	3456	MossfieldOrigin.exe	81
PID 3456 wrote to memory of 972	3456	MossfieldOrigin.exe	81
PID 3456 wrote to memory of 796	3456	MossfieldOrigin.exe	83
PID 3456 wrote to memory of 796	3456	MossfieldOrigin.exe	83
PID 3456 wrote to memory of 4780	3456	MossfieldOrigin.exe	87
PID 3456 wrote to memory of 4780	3456	MossfieldOrigin.exe	87
PID 3456 wrote to memory of 4756	3456	MossfieldOrigin.exe	86
PID 3456 wrote to memory of 4756	3456	MossfieldOrigin.exe	86
PID 3456 wrote to memory of 1528	3456	MossfieldOrigin.exe	89
PID 3456 wrote to memory of 1528	3456	MossfieldOrigin.exe	89
PID 1528 wrote to memory of 3656	1528	cmd.exe	91
PID 1528 wrote to memory of 3656	1528	cmd.exe	91
PID 3456 wrote to memory of 1340	3456	MossfieldOrigin.exe	92
PID 3456 wrote to memory of 1340	3456	MossfieldOrigin.exe	92
PID 3456 wrote to memory of 4992	3456	MossfieldOrigin.exe	94
PID 3456 wrote to memory of 4992	3456	MossfieldOrigin.exe	94
PID 4992 wrote to memory of 208	4992	cmd.exe	96
PID 4992 wrote to memory of 208	4992	cmd.exe	96
PID 3456 wrote to memory of 4056	3456	MossfieldOrigin.exe	97
PID 3456 wrote to memory of 4056	3456	MossfieldOrigin.exe	97

C:\Users\Admin\AppData\Local\Temp\MossfieldOrigin.exe
"C:\Users\Admin\AppData\Local\Temp\MossfieldOrigin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "chcp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4300
- - C:\Windows\system32\chcp.com
    chcp
    3⤵
    PID:1452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -c " Add-Type -Name Window -Namespace Console -MemberDefinition ' [DllImport(\"Kernel32.dll\")] public static extern IntPtr GetConsoleWindow(); [DllImport(\"user32.dll\")] public static extern bool ShowWindow(IntPtr hWnd, Int32 nCmdShow); ' $consolePtr = [Console.Window]::GetConsoleWindow() #0 hide [Console.Window]::ShowWindow($consolePtr, 0) "
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4024
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bzc5mk0k\bzc5mk0k.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4828
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD585.tmp" "c:\Users\Admin\AppData\Local\Temp\bzc5mk0k\CSCA89543CDAA964672A657D177BDEBD36A.TMP"
      4⤵
      PID:4756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%"
  2⤵
  PID:972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "findstr /C:"Detected boot environment" "%windir%\Panther\setupact.log""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Windows\system32\findstr.exe
    findstr /C:"Detected boot environment" "C:\Windows\Panther\setupact.log"
    3⤵
    PID:3656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v MachineGuid"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4992
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v MachineGuid
    3⤵
    PID:208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""undefined\VBoxManage.exe" list vms --long"
  2⤵
  PID:4056

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
56efdb5a0f10b5eece165de4f8c9d799

SHA1
fa5de7ca343b018c3bfeab692545eb544c244e16

SHA256
6c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108

SHA512
91e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
b103ab9177b14a42995d90c23b3ba25e

SHA1
fc1725d4eff163f4d9a2f0f631d28edaede79ebf

SHA256
90bf3e6a52ecbd9da5d38236b7114650dbaef9d9e5bd51c202a10e179c9d1c4a

SHA512
24f98cc7d2a1de21a509001f0218b0657057bfc254e7dd0903bf54b0b2c1670fa3eb4643741d3ec85add27b61e0e08feb5bde71015ce4f6e414296c8d2c4621b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
5f81e8d09e3dd572ff4ab08d86890d9b

SHA1
b83d0c26336f01f53ad8250f2b495d79215fa080

SHA256
42593e4c260d2113e893dee54a99f92f86f606e5478f9553cc8a34c7caaf5a15

SHA512
626750494da82b78aeaca1fdc69a8d923120160f381cca8dca5d8518223a524ad131f2f541314bb71f98d09cb950ff001f382ae7b62c999a0c56566222d1c05b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
5f81e8d09e3dd572ff4ab08d86890d9b

SHA1
b83d0c26336f01f53ad8250f2b495d79215fa080

SHA256
42593e4c260d2113e893dee54a99f92f86f606e5478f9553cc8a34c7caaf5a15

SHA512
626750494da82b78aeaca1fdc69a8d923120160f381cca8dca5d8518223a524ad131f2f541314bb71f98d09cb950ff001f382ae7b62c999a0c56566222d1c05b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
80ef418749393790b80930b9d1b1ed38

SHA1
baae03cf53c24cb4b4e16618f69dd770e75b17f5

SHA256
a9116390b696f61a4e6fb4887cc9e1cd896c2dbdc92693d247ccaa3ee590cfbb

SHA512
935c42409d95d6e35082cdad292e85d938988c5957e05b81c7473ce7b149457b3d47047c1eeba985d4b1f87b240cdb426537989d4dbf2621143c2090df2abcd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
51fa821e700a33bb7080a0991df6ba75

SHA1
2140af112a1ac917dfde0429939062fe4ecf463f

SHA256
b2245f1528bf4a241c9758a3c9720d28fdafdb472379d438c2421afbc30947ad

SHA512
9d2a66160ce47ff19545c1478172f8d0f1a3904cbab3ae1aac7d82c533fcf4b59dc4dedcb5ffee02b620a96f02bcd4e0c9ee41362cb4f2548bda96978f29ff08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
2c8b9a4a65f1d2e27dff0f901bad4019

SHA1
0ce83aef38c0a154adc87147bf59f70ada0a85f8

SHA256
03c901c950dc754ca51e576a8d7d4dff43e395cb34651c8e8dcd9290357245ee

SHA512
4fe2d348d805a5c5894164280b92f67aed7e691e3449d0a8e83a4aca3a9625015921f0fdc1402f3b451d748c2ce4e88ed760c51ed01a855bd498b781915c28bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD585.tmp

Filesize
1KB

MD5
61190f40f1a2faf23cbed21b2c8085b3

SHA1
ceb3421e941f6c9803a0a12fe4e5676e79e84df4

SHA256
7d484738c009582577dfbdff9cec807bbe70c3cd5875a9085d34fed7c1250a51

SHA512
381a670801651b9c58b2e929436eff0ac1052891394387238364d706bba50a91aba12310b180227a73701227c71a2639d2205947b52c1881741b43b7aef0bcc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5kagafcp.cfe.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bzc5mk0k\bzc5mk0k.dll

Filesize
3KB

MD5
55b457779717a85e493d07e7eeb8ed40

SHA1
d632e654d0bc7b497e5059fca5f7e0e9b8e4e67c

SHA256
5dbeb4dc96bfab314e831c45a129123370fbb3e65075d4c74cdc29c120a916a6

SHA512
83830b894feadd1f9739ad192d76933f3477d399b98e17d89e2b35aee69ff458ff3596e90a355b8d385c78289ff252fa0fe58fa7afb0c7d393c3954c666e0574

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bzc5mk0k\CSCA89543CDAA964672A657D177BDEBD36A.TMP

Filesize
652B

MD5
45d77979af7bd850bd44ab3d1565826b

SHA1
cc3fe80211c30d326c7b963314fe63e5e6e73c44

SHA256
a4de025475669e68dabb96150b97a361e488781e097386821dd7b70c98f7bc58

SHA512
9f424f599cf995bbfa92dcff31caf1b4b9fb3148bd65b7cd3c01aeb4d1f6a13eb2ff2b480272965273ce753113d00f7af4e8caedaf41e11446ad1ce185472323

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bzc5mk0k\bzc5mk0k.0.cs

Filesize
312B

MD5
ecbf151f81ff98f7dff196304a40239e

SHA1
ccf6b97b6f8276656b042d64f0595963fe9ec79c

SHA256
295ca195631c485c876e7c468ddcbb3fe7cd219d3e5005a2441be2de54e62ac8

SHA512
4526a59055a18af6c0c13fb9f55a9a9bc15aa1407b697849e19b6cc32c88ee7206b3efff806bd154d36bce144ae1d9c407c6ea0f5077c54fbe92cd172c203720

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bzc5mk0k\bzc5mk0k.cmdline

Filesize
369B

MD5
63e069493cbf8c9ba27fdf752e8b78df

SHA1
26735f5923b0550304448a60f30395633f5e88a1

SHA256
b3e30d00535da385a540c857161db4011bae6393463a2faa5245d00b1f9213ec

SHA512
7b9ef7e8e31b097b7d0ce8a919c35e32f0d9e0e00c527e726924cba795fea42a871489783d0e324e11f5cb3012cb5890e6f980daf0f0266042a239f756055cfe

Download Submit
memory/796-1503-0x0000023D68EC0000-0x0000023D68ED0000-memory.dmp

Filesize
64KB

Download
memory/796-1441-0x0000023D68EC0000-0x0000023D68ED0000-memory.dmp

Filesize
64KB

Download
memory/796-1438-0x0000023D68EC0000-0x0000023D68ED0000-memory.dmp

Filesize
64KB

Download
memory/796-947-0x0000023D68EC0000-0x0000023D68ED0000-memory.dmp

Filesize
64KB

Download
memory/796-944-0x0000023D68EC0000-0x0000023D68ED0000-memory.dmp

Filesize
64KB

Download
memory/1340-1529-0x0000019FD3450000-0x0000019FD3460000-memory.dmp

Filesize
64KB

Download
memory/1340-1527-0x0000019FD3450000-0x0000019FD3460000-memory.dmp

Filesize
64KB

Download
memory/2364-470-0x000001E6749A0000-0x000001E6749B0000-memory.dmp

Filesize
64KB

Download
memory/2364-471-0x000001E6749A0000-0x000001E6749B0000-memory.dmp

Filesize
64KB

Download
memory/3860-407-0x000001F6B7110000-0x000001F6B7118000-memory.dmp

Filesize
32KB

Download
memory/3860-397-0x000001F6B7580000-0x000001F6B75A2000-memory.dmp

Filesize
136KB

Download
memory/3860-183-0x000001F6B70D0000-0x000001F6B710C000-memory.dmp

Filesize
240KB

Download
memory/3860-132-0x000001F6B7120000-0x000001F6B7130000-memory.dmp

Filesize
64KB

Download
memory/3860-134-0x000001F6B7120000-0x000001F6B7130000-memory.dmp

Filesize
64KB

Download
memory/3860-136-0x000001F6B7000000-0x000001F6B7086000-memory.dmp

Filesize
536KB

Download
memory/3860-139-0x000001F6B7340000-0x000001F6B7444000-memory.dmp

Filesize
1.0MB

Download
memory/3860-378-0x000001F6B7580000-0x000001F6B75AA000-memory.dmp

Filesize
168KB

Download
memory/3860-406-0x000001F6B7550000-0x000001F6B7566000-memory.dmp

Filesize
88KB

Download
memory/4024-211-0x0000027717B20000-0x0000027717B28000-memory.dmp

Filesize
32KB

Download
memory/4024-135-0x00000277302C0000-0x00000277302D0000-memory.dmp

Filesize
64KB

Download
memory/4024-188-0x00000277302C0000-0x00000277302D0000-memory.dmp

Filesize
64KB

Download
memory/4024-146-0x00000277304F0000-0x0000027730566000-memory.dmp

Filesize
472KB

Download
memory/4024-137-0x0000027717AE0000-0x0000027717AF0000-memory.dmp

Filesize
64KB

Download
memory/4024-138-0x0000027717B30000-0x0000027717B52000-memory.dmp

Filesize
136KB

Download
memory/4024-217-0x00000277302C0000-0x00000277302D0000-memory.dmp

Filesize
64KB

Download
memory/4492-683-0x000001ECC9A20000-0x000001ECC9A30000-memory.dmp

Filesize
64KB

Download
memory/4492-682-0x000001ECC9A20000-0x000001ECC9A30000-memory.dmp

Filesize
64KB

Download
memory/4756-946-0x0000022728910000-0x0000022728920000-memory.dmp

Filesize
64KB

Download
memory/4756-945-0x0000022728910000-0x0000022728920000-memory.dmp

Filesize
64KB

Download
memory/4780-1447-0x0000027E7C530000-0x0000027E7C540000-memory.dmp

Filesize
64KB

Download
memory/4780-1500-0x0000027E7C530000-0x0000027E7C540000-memory.dmp

Filesize
64KB

Download
memory/4780-1444-0x0000027E7C530000-0x0000027E7C540000-memory.dmp

Filesize
64KB

Download
memory/4780-949-0x0000027E7C530000-0x0000027E7C540000-memory.dmp

Filesize
64KB

Download
memory/4780-948-0x0000027E7C530000-0x0000027E7C540000-memory.dmp

Filesize
64KB

Download