ba4c8e065f601de46ae7844e81921c68726d09345f3db13fb6e3f5ea2d413dde

Analysis

max time kernel
153s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
02-08-2023 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b66f351c35212c7a265272d27aa09656.exe
Size

4.4MB
MD5

b66f351c35212c7a265272d27aa09656
SHA1

c2994b2969f315b189a151d545b35a2c8ed6a2f9
SHA256

ba4c8e065f601de46ae7844e81921c68726d09345f3db13fb6e3f5ea2d413dde
SHA512

82ac249a9024085be3bd071682d15054696b0cd61a8b8a85d77c7ff4cd7703124ab07a3446b1b7b69015b5a30643f88030bef908644c88256d1784f992207fcb
SSDEEP

98304:sParA5bJxdz0l3YIMFQxMKsVCyGPPUpGieNjBVTRB7OQ8TZMQ7caYS3u:6a6rwlLSQxMKeiVRpSnYvIu

Score

8^/10

upx

Malware Config

Signatures

Downloads MZ/PE file

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1976-133-0x00007FF71CC80000-0x00007FF71D891000-memory.dmp	upx
behavioral2/memory/1976-146-0x00007FF71CC80000-0x00007FF71D891000-memory.dmp	upx
behavioral2/memory/1412-209-0x0000000140000000-0x0000000140A62000-memory.dmp	upx
behavioral2/memory/1412-211-0x0000000140000000-0x0000000140A62000-memory.dmp	upx
behavioral2/memory/1412-213-0x0000000140000000-0x0000000140A62000-memory.dmp	upx
behavioral2/memory/1412-215-0x0000000140000000-0x0000000140A62000-memory.dmp	upx
behavioral2/memory/1412-214-0x0000000140000000-0x0000000140A62000-memory.dmp	upx
behavioral2/memory/1412-216-0x0000000140000000-0x0000000140A62000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

Processes:

lguplus.exelguplus.exe

description	pid	process	target process
PID 3440 set thread context of 1412	3440	lguplus.exe	svchost.exe
PID 1856 set thread context of 2300	1856	lguplus.exe	svchost.exe

Executes dropped EXE 3 IoCs

Processes:

nPandaVPN.exelguplus.exelguplus.exe

pid process

952 nPandaVPN.exe
3440 lguplus.exe
1856 lguplus.exe

pid	process
952	nPandaVPN.exe
3440	lguplus.exe
1856	lguplus.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b66f351c35212c7a265272d27aa09656.exe

pid	process
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe
1976	b66f351c35212c7a265272d27aa09656.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

b66f351c35212c7a265272d27aa09656.exenotepad.exenotepad.exepowershell.exepowershell.exelguplus.exesvchost.exepowershell.exepowershell.exelguplus.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1976	b66f351c35212c7a265272d27aa09656.exe
Token: SeDebugPrivilege	3996	notepad.exe
Token: SeDebugPrivilege	3196	notepad.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	3440	lguplus.exe
Token: SeDebugPrivilege	1412	svchost.exe
Token: SeDebugPrivilege	1304	powershell.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	1856	lguplus.exe
Token: SeDebugPrivilege	2300	svchost.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

b66f351c35212c7a265272d27aa09656.execmd.exenotepad.exenotepad.execmd.exelguplus.exepowershell.exepowershell.exelguplus.exe

description	pid	process	target process
PID 1976 wrote to memory of 3324	1976	b66f351c35212c7a265272d27aa09656.exe	cmd.exe
PID 1976 wrote to memory of 3324	1976	b66f351c35212c7a265272d27aa09656.exe	cmd.exe
PID 3324 wrote to memory of 952	3324	cmd.exe	nPandaVPN.exe
PID 3324 wrote to memory of 952	3324	cmd.exe	nPandaVPN.exe
PID 3324 wrote to memory of 952	3324	cmd.exe	nPandaVPN.exe
PID 1976 wrote to memory of 3996	1976	b66f351c35212c7a265272d27aa09656.exe	notepad.exe
PID 1976 wrote to memory of 3996	1976	b66f351c35212c7a265272d27aa09656.exe	notepad.exe
PID 1976 wrote to memory of 3996	1976	b66f351c35212c7a265272d27aa09656.exe	notepad.exe
PID 1976 wrote to memory of 3996	1976	b66f351c35212c7a265272d27aa09656.exe	notepad.exe
PID 3996 wrote to memory of 3196	3996	notepad.exe	notepad.exe
PID 3996 wrote to memory of 3196	3996	notepad.exe	notepad.exe
PID 3996 wrote to memory of 3196	3996	notepad.exe	notepad.exe
PID 3196 wrote to memory of 1900	3196	notepad.exe	powershell.exe
PID 3196 wrote to memory of 1900	3196	notepad.exe	powershell.exe
PID 3196 wrote to memory of 2956	3196	notepad.exe	powershell.exe
PID 3196 wrote to memory of 2956	3196	notepad.exe	powershell.exe
PID 3196 wrote to memory of 3368	3196	notepad.exe	cmd.exe
PID 3196 wrote to memory of 3368	3196	notepad.exe	cmd.exe
PID 3368 wrote to memory of 3440	3368	cmd.exe	lguplus.exe
PID 3368 wrote to memory of 3440	3368	cmd.exe	lguplus.exe
PID 3440 wrote to memory of 1412	3440	lguplus.exe	svchost.exe
PID 3440 wrote to memory of 1412	3440	lguplus.exe	svchost.exe
PID 3440 wrote to memory of 1412	3440	lguplus.exe	svchost.exe
PID 3440 wrote to memory of 1412	3440	lguplus.exe	svchost.exe
PID 3440 wrote to memory of 1412	3440	lguplus.exe	svchost.exe
PID 3440 wrote to memory of 1412	3440	lguplus.exe	svchost.exe
PID 3440 wrote to memory of 1412	3440	lguplus.exe	svchost.exe
PID 1304 wrote to memory of 2872	1304	powershell.exe	powershell.exe
PID 1304 wrote to memory of 2872	1304	powershell.exe	powershell.exe
PID 2872 wrote to memory of 1856	2872	powershell.exe	lguplus.exe
PID 2872 wrote to memory of 1856	2872	powershell.exe	lguplus.exe
PID 1856 wrote to memory of 2300	1856	lguplus.exe	svchost.exe
PID 1856 wrote to memory of 2300	1856	lguplus.exe	svchost.exe
PID 1856 wrote to memory of 2300	1856	lguplus.exe	svchost.exe
PID 1856 wrote to memory of 2300	1856	lguplus.exe	svchost.exe
PID 1856 wrote to memory of 2300	1856	lguplus.exe	svchost.exe
PID 1856 wrote to memory of 2300	1856	lguplus.exe	svchost.exe
PID 1856 wrote to memory of 2300	1856	lguplus.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\b66f351c35212c7a265272d27aa09656.exe
"C:\Users\Admin\AppData\Local\Temp\b66f351c35212c7a265272d27aa09656.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\system32\cmd.exe
cmd /C nPandaVPN.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3324

C:\Users\Admin\AppData\Local\Temp\nPandaVPN.exe
nPandaVPN.exe
3⤵
- Executes dropped EXE
PID:952

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3996

\??\c:\windows\system32\notepad.exe
c:\windows\system32\notepad.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3196

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "((Get-WMIObject -ClassName Win32_ComputerSystem).Username).Split('\')[1]"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive " Write-host -ForegroundColor Yellow \"Set PowerShell Job...\" Start-Sleep 2 $trigger = New-JobTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 60) -RepetitionDuration ([TimeSpan]::MaxValue) $options = New-ScheduledJobOption –HideInTaskScheduler Register-ScheduledJob –Name \"Updates\" -ScriptBlock {C:\Users\\.local\share\lguplus.exe} –Trigger $trigger –ScheduledJobOption $options Write-host -ForegroundColor Green \"Done!\" "
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2956

C:\Windows\system32\cmd.exe
cmd /C C:\Users\\.local\share\lguplus.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3368

C:\Users\.local\share\lguplus.exe
C:\Users\\.local\share\lguplus.exe
5⤵
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3440

C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1412

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NonInteractive -WindowStyle Hidden -Command "Import-Module PSScheduledJob; $jobDef = [Microsoft.PowerShell.ScheduledJob.ScheduledJobDefinition]::LoadFromStore('Updates', 'C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ScheduledJobs'); $jobDef.Run()"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2872

C:\Users\.local\share\lguplus.exe
"C:\Users\.local\share\lguplus.exe"
3⤵
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1856

C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2300

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\.local\share\lguplus.exe

Filesize
19KB

MD5
42496ddabff1b31c7c8fcbe54dcfbd65

SHA1
8f01d9d0cef6990aba295f51724916e8116cb210

SHA256
a15d8d1958aa4fb1d9e661b9f29400ac3a5d4f04d5be4b12decef77391bf4ab1

SHA512
95941ee945194e4f05e075c2d7c3cbf8fe31b858918f2282d980a7d127266263bc9db09450e43dd23ac3400063d181cf8830ef7227366e57d28ac181466f3154

Download Submit
C:\Users\.local\share\lguplus.exe

Filesize
19KB

MD5
42496ddabff1b31c7c8fcbe54dcfbd65

SHA1
8f01d9d0cef6990aba295f51724916e8116cb210

SHA256
a15d8d1958aa4fb1d9e661b9f29400ac3a5d4f04d5be4b12decef77391bf4ab1

SHA512
95941ee945194e4f05e075c2d7c3cbf8fe31b858918f2282d980a7d127266263bc9db09450e43dd23ac3400063d181cf8830ef7227366e57d28ac181466f3154

Download Submit
C:\Users\.local\share\lguplus.exe

Filesize
19KB

MD5
42496ddabff1b31c7c8fcbe54dcfbd65

SHA1
8f01d9d0cef6990aba295f51724916e8116cb210

SHA256
a15d8d1958aa4fb1d9e661b9f29400ac3a5d4f04d5be4b12decef77391bf4ab1

SHA512
95941ee945194e4f05e075c2d7c3cbf8fe31b858918f2282d980a7d127266263bc9db09450e43dd23ac3400063d181cf8830ef7227366e57d28ac181466f3154

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\lguplus.exe.log

Filesize
847B

MD5
66a0a4aa01208ed3d53a5e131a8d030a

SHA1
ef5312ba2b46b51a4d04b574ca1789ac4ff4a6b1

SHA256
f0ab05c32d6af3c2b559dbce4dec025ce3e730655a2430ade520e89a557cace8

SHA512
626f0dcf0c6bcdc0fef25dc7da058003cf929fd9a39a9f447b79fb139a417532a46f8bca1ff2dbde09abfcd70f5fb4f8d059b1fe91977c377df2f5f751c84c5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ScheduledJobs\Updates\ScheduledJobDefinition.xml

Filesize
7KB

MD5
576d340baa81fb628eb1f4a87467d18d

SHA1
86b2c7af7bd8cd2f18427e426b103b67537a554b

SHA256
44cd83a7ac06b1e3f4a2c3e66bee522a05307a483926fe51fb21cc452fbacc66

SHA512
69532f8413a8dcde1a69e44dc568871d088ba1b38dcaa6a70b72646a18ba6c8b446dcf35fd62cc6c59d1fa69dc87a52b0d54fc90b0a5a30fbc09b388003328bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
dedd980f0c3cf1a56b3749d138a358e0

SHA1
3faa12db8c3c3606550b5708b2afb5990ab8d668

SHA256
40fd1a1b6acba46c1d3e5d2706cb6ffac9fff54153505010b4ec4343de3a1bf8

SHA512
3607065b8b7755c0e4db19d100614ea923412c26fed215f56099e176d8d9521a904cc6d19b08fdbd5505df9ff8b0e11eab9c443e1df80c95d0136b9781cdcccf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c7f5825c13a911fe0212232347cac388

SHA1
bcc14d76a0c583797a3bb888d010f2c48f5a1574

SHA256
ecc7ba62a46d9108129327e701e9fc0a92e22f24590e384e65a63a0ad6c59d16

SHA512
eab49d09c6831f19ae94d0202c3430392802049f865f68efb5566235aede808b1989a7c73128aafdc573c2ad49256ea96c1931ae4fb2b7f586ddfecbeade2f75

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w5txlz1m.3vo.psm1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nPandaVPN.exe

Filesize
2.1MB

MD5
c83323d126469b0eaab04876edd391a3

SHA1
dc9b1aeb0535cc30eff5f298e81de1476ec8e02a

SHA256
318f8b901a0c9226f41409e97c4167cdf1836508f969ab13b8e004b4f6c9caac

SHA512
edde3c33d83b5ba1d527073afbf99568737a82d1142003b7163d5c037e536761a7472b0245a85e0dcab9c89790a82a7470a57b2f1829e75875a92b8495825487

Download Submit
C:\Users\Admin\AppData\Local\Temp\nPandaVPN.exe

Filesize
2.1MB

MD5
c83323d126469b0eaab04876edd391a3

SHA1
dc9b1aeb0535cc30eff5f298e81de1476ec8e02a

SHA256
318f8b901a0c9226f41409e97c4167cdf1836508f969ab13b8e004b4f6c9caac

SHA512
edde3c33d83b5ba1d527073afbf99568737a82d1142003b7163d5c037e536761a7472b0245a85e0dcab9c89790a82a7470a57b2f1829e75875a92b8495825487

Download Submit
memory/952-142-0x0000000074DB0000-0x0000000075560000-memory.dmp

Filesize
7.7MB

Download
memory/952-147-0x0000000074DB0000-0x0000000075560000-memory.dmp

Filesize
7.7MB

Download
memory/952-145-0x0000000005790000-0x00000000057A0000-memory.dmp

Filesize
64KB

Download
memory/952-143-0x0000000000B50000-0x0000000000D64000-memory.dmp

Filesize
2.1MB

Download
memory/1304-218-0x000001339B650000-0x000001339B660000-memory.dmp

Filesize
64KB

Download
memory/1304-230-0x000001339B650000-0x000001339B660000-memory.dmp

Filesize
64KB

Download
memory/1304-248-0x00007FF926000000-0x00007FF926AC1000-memory.dmp

Filesize
10.8MB

Download
memory/1304-252-0x000001339B650000-0x000001339B660000-memory.dmp

Filesize
64KB

Download
memory/1304-253-0x000001339B650000-0x000001339B660000-memory.dmp

Filesize
64KB

Download
memory/1304-219-0x000001339B650000-0x000001339B660000-memory.dmp

Filesize
64KB

Download
memory/1304-217-0x00007FF926000000-0x00007FF926AC1000-memory.dmp

Filesize
10.8MB

Download
memory/1412-215-0x0000000140000000-0x0000000140A62000-memory.dmp

Filesize
10.4MB

Download
memory/1412-216-0x0000000140000000-0x0000000140A62000-memory.dmp

Filesize
10.4MB

Download
memory/1412-211-0x0000000140000000-0x0000000140A62000-memory.dmp

Filesize
10.4MB

Download
memory/1412-213-0x0000000140000000-0x0000000140A62000-memory.dmp

Filesize
10.4MB

Download
memory/1412-209-0x0000000140000000-0x0000000140A62000-memory.dmp

Filesize
10.4MB

Download
memory/1412-214-0x0000000140000000-0x0000000140A62000-memory.dmp

Filesize
10.4MB

Download
memory/1856-259-0x00007FF926000000-0x00007FF926AC1000-memory.dmp

Filesize
10.8MB

Download
memory/1856-249-0x00007FF926000000-0x00007FF926AC1000-memory.dmp

Filesize
10.8MB

Download
memory/1856-251-0x0000000001CC0000-0x0000000001CD0000-memory.dmp

Filesize
64KB

Download
memory/1900-179-0x00007FF925F50000-0x00007FF926A11000-memory.dmp

Filesize
10.8MB

Download
memory/1900-164-0x000002BF53930000-0x000002BF53952000-memory.dmp

Filesize
136KB

Download
memory/1900-175-0x000002BF53990000-0x000002BF539A0000-memory.dmp

Filesize
64KB

Download
memory/1900-176-0x000002BF53990000-0x000002BF539A0000-memory.dmp

Filesize
64KB

Download
memory/1900-174-0x00007FF925F50000-0x00007FF926A11000-memory.dmp

Filesize
10.8MB

Download
memory/1976-133-0x00007FF71CC80000-0x00007FF71D891000-memory.dmp

Filesize
12.1MB

Download
memory/1976-146-0x00007FF71CC80000-0x00007FF71D891000-memory.dmp

Filesize
12.1MB

Download
memory/2872-233-0x00007FF926000000-0x00007FF926AC1000-memory.dmp

Filesize
10.8MB

Download
memory/2872-234-0x000001E576CB0000-0x000001E576CC0000-memory.dmp

Filesize
64KB

Download
memory/2872-240-0x000001E576CB0000-0x000001E576CC0000-memory.dmp

Filesize
64KB

Download
memory/2872-254-0x00007FF926000000-0x00007FF926AC1000-memory.dmp

Filesize
10.8MB

Download
memory/2872-260-0x000001E576CB0000-0x000001E576CC0000-memory.dmp

Filesize
64KB

Download
memory/2872-261-0x000001E576CB0000-0x000001E576CC0000-memory.dmp

Filesize
64KB

Download
memory/2956-195-0x000002093AC00000-0x000002093AC10000-memory.dmp

Filesize
64KB

Download
memory/2956-199-0x000002093CE90000-0x000002093CECC000-memory.dmp

Filesize
240KB

Download
memory/2956-188-0x00007FF925EE0000-0x00007FF9269A1000-memory.dmp

Filesize
10.8MB

Download
memory/2956-189-0x000002093AC00000-0x000002093AC10000-memory.dmp

Filesize
64KB

Download
memory/2956-198-0x000002093CE30000-0x000002093CE42000-memory.dmp

Filesize
72KB

Download
memory/2956-202-0x00007FF925EE0000-0x00007FF9269A1000-memory.dmp

Filesize
10.8MB

Download
memory/3196-162-0x000001620EBA0000-0x000001620F59F000-memory.dmp

Filesize
10.0MB

Download
memory/3196-157-0x000001620BD90000-0x000001620C723000-memory.dmp

Filesize
9.6MB

Download
memory/3196-197-0x000001620EBA0000-0x000001620F59F000-memory.dmp

Filesize
10.0MB

Download
memory/3196-194-0x000001620EBA0000-0x000001620F59F000-memory.dmp

Filesize
10.0MB

Download
memory/3196-180-0x000001620EBA0000-0x000001620F59F000-memory.dmp

Filesize
10.0MB

Download
memory/3196-161-0x000001620EBA0000-0x000001620F59F000-memory.dmp

Filesize
10.0MB

Download
memory/3196-160-0x000001620EBA0000-0x000001620F59F000-memory.dmp

Filesize
10.0MB

Download
memory/3196-159-0x000001620EBA0000-0x000001620F59F000-memory.dmp

Filesize
10.0MB

Download
memory/3440-207-0x00007FF925F50000-0x00007FF926A11000-memory.dmp

Filesize
10.8MB

Download
memory/3440-212-0x00007FF925F50000-0x00007FF926A11000-memory.dmp

Filesize
10.8MB

Download
memory/3440-208-0x0000000003070000-0x0000000003080000-memory.dmp

Filesize
64KB

Download
memory/3440-206-0x0000000000670000-0x0000000000676000-memory.dmp

Filesize
24KB

Download
memory/3996-156-0x000001FAF6CE0000-0x000001FAF7DA6000-memory.dmp

Filesize
16.8MB

Download
memory/3996-155-0x000001FAF6CE0000-0x000001FAF7DA6000-memory.dmp

Filesize
16.8MB

Download
memory/3996-154-0x000001FAF6CE0000-0x000001FAF7DA6000-memory.dmp

Filesize
16.8MB

Download
memory/3996-153-0x000001FAF6CE0000-0x000001FAF7DA6000-memory.dmp

Filesize
16.8MB

Download
memory/3996-152-0x000001FAF6CE0000-0x000001FAF7DA6000-memory.dmp

Filesize
16.8MB

Download
memory/3996-151-0x000001FAF6CE0000-0x000001FAF7DA6000-memory.dmp

Filesize
16.8MB

Download
memory/3996-150-0x000001FAF6CE0000-0x000001FAF7DA6000-memory.dmp

Filesize
16.8MB

Download
memory/3996-148-0x000001FAF4BE0000-0x000001FAF5C3C000-memory.dmp

Filesize
16.4MB

Download
memory/3996-144-0x000001FAC8830000-0x000001FAC8CE6000-memory.dmp

Filesize
4.7MB

Download