23350615b3fc362fc7c8adcda2e78507a0bd912e0b48f0988058972e95eba22e

Analysis

max time kernel
142s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
24/11/2023, 05:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf031bd09dab5037a32e95290bef27d0.exe
Size

1.1MB
MD5

bf031bd09dab5037a32e95290bef27d0
SHA1

2608e6d61087f9fbeb1149c57428eb00963cb37c
SHA256

23350615b3fc362fc7c8adcda2e78507a0bd912e0b48f0988058972e95eba22e
SHA512

0787396eecaaae4a9d08cba1745ad2492117de82a3007d31467a71ca86d1613d5b3cd960a69f20cada91da4da2907e6e7d63da57a513aff7ace2d0d0a40c310e
SSDEEP

24576:2TbBv5rUyXV/vTn+4EkEZxTJMA+o3iE0n7162:IBJnTn+4EkgmA+o3K73

Score

8^/10

evasion spyware stealer

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	bf031bd09dab5037a32e95290bef27d0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	serverwebSavesmonitorDhcp.exe

Executes dropped EXE 3 IoCs

pid	Process
3376	serverwebSavesmonitorDhcp.exe
4560	winlogon.exe
5048	winlogon.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\winlogon.exe	serverwebSavesmonitorDhcp.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\winlogon.exe	serverwebSavesmonitorDhcp.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\cc11b995f2a76d	serverwebSavesmonitorDhcp.exe
File created	C:\Program Files\Java\jdk-1.8\lib\SppExtComObj.exe	serverwebSavesmonitorDhcp.exe
File created	C:\Program Files\Java\jdk-1.8\lib\e1ef82546f0b02	serverwebSavesmonitorDhcp.exe
File created	C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe	serverwebSavesmonitorDhcp.exe
File created	C:\Program Files (x86)\Google\Temp\9e8d7a4ca61bd9	serverwebSavesmonitorDhcp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings	bf031bd09dab5037a32e95290bef27d0.exe
Key created	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings	serverwebSavesmonitorDhcp.exe
Key created	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000_Classes\Local Settings	winlogon.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2272	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4144	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe
3376	serverwebSavesmonitorDhcp.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3376	serverwebSavesmonitorDhcp.exe
Token: SeDebugPrivilege	4560	winlogon.exe
Token: SeDebugPrivilege	5048	winlogon.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 776 wrote to memory of 1680	776	bf031bd09dab5037a32e95290bef27d0.exe	86
PID 776 wrote to memory of 1680	776	bf031bd09dab5037a32e95290bef27d0.exe	86
PID 776 wrote to memory of 1680	776	bf031bd09dab5037a32e95290bef27d0.exe	86
PID 1680 wrote to memory of 1244	1680	WScript.exe	91
PID 1680 wrote to memory of 1244	1680	WScript.exe	91
PID 1680 wrote to memory of 1244	1680	WScript.exe	91
PID 1244 wrote to memory of 2272	1244	cmd.exe	94
PID 1244 wrote to memory of 2272	1244	cmd.exe	94
PID 1244 wrote to memory of 2272	1244	cmd.exe	94
PID 1244 wrote to memory of 3376	1244	cmd.exe	95
PID 1244 wrote to memory of 3376	1244	cmd.exe	95
PID 3376 wrote to memory of 828	3376	serverwebSavesmonitorDhcp.exe	96
PID 3376 wrote to memory of 828	3376	serverwebSavesmonitorDhcp.exe	96
PID 828 wrote to memory of 4948	828	cmd.exe	99
PID 828 wrote to memory of 4948	828	cmd.exe	99
PID 828 wrote to memory of 3024	828	cmd.exe	100
PID 828 wrote to memory of 3024	828	cmd.exe	100
PID 828 wrote to memory of 4560	828	cmd.exe	102
PID 828 wrote to memory of 4560	828	cmd.exe	102
PID 4560 wrote to memory of 3384	4560	winlogon.exe	104
PID 4560 wrote to memory of 3384	4560	winlogon.exe	104
PID 3384 wrote to memory of 4824	3384	cmd.exe	106
PID 3384 wrote to memory of 4824	3384	cmd.exe	106
PID 3384 wrote to memory of 4144	3384	cmd.exe	107
PID 3384 wrote to memory of 4144	3384	cmd.exe	107
PID 3384 wrote to memory of 5048	3384	cmd.exe	108
PID 3384 wrote to memory of 5048	3384	cmd.exe	108

C:\Users\Admin\AppData\Local\Temp\bf031bd09dab5037a32e95290bef27d0.exe
"C:\Users\Admin\AppData\Local\Temp\bf031bd09dab5037a32e95290bef27d0.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:776
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\BridgecomponentInto\VISX24Ttz4fn76YDhLu.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\BridgecomponentInto\1XBUud7wOwJEnPKdv7OLqMh9OwPwPqe6NavUixtdvXSB.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1244
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:2272
  - - C:\BridgecomponentInto\serverwebSavesmonitorDhcp.exe
      "C:\BridgecomponentInto/serverwebSavesmonitorDhcp.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3376
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5Sm4RhIr4P.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:828
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4948
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:3024
      - C:\Program Files (x86)\Microsoft.NET\RedistList\winlogon.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\winlogon.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\e4kjvfRyFL.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3384
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:4824
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        Runs ping.exe
        
        PID:4144
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\winlogon.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\winlogon.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\BridgecomponentInto\1XBUud7wOwJEnPKdv7OLqMh9OwPwPqe6NavUixtdvXSB.bat

Filesize
208B

MD5
d86f6b4ad59eef157c798372c96a09a1

SHA1
3cdff66bc162011a28b07da5e85d3afd0338121a

SHA256
882ac2f4d6d08743a7c5b40b1ba75070542fe4c3fa6c3c7c2cb688b8d4bc937f

SHA512
7912afaafad508e37f1a1ef34c193a4c2a30e7fe3e73d9c91cf2a5068f7a01339afa4bdf262c01338e12719105f96bb9f16a96a8015ec55126196c3cde1aa9e4

Download Submit
C:\BridgecomponentInto\VISX24Ttz4fn76YDhLu.vbe

Filesize
241B

MD5
495e1bcdad7192ab54c4d8f64fe732b8

SHA1
e053e2ccd31dfa9a5261eb9d8e7c9580050d79ec

SHA256
e65c9860d5c6a0ce6fca76c34fb69ac56f827c767014b4b0471c161bbce61973

SHA512
8a17bb083c17f8bb92800a45e1d8fbdccd1d3191914970a8db60227c71e07e6bc493d9f2da945467422093e3750fa2f99f210cfbd8b7a2e0dba86feb967791ea

Download Submit
C:\BridgecomponentInto\serverwebSavesmonitorDhcp.exe

Filesize
844KB

MD5
8b79282b5a8985ceacdea8366c55370b

SHA1
a5bf983187f8f39c9f3c3f23a0ab2bcc27d6f675

SHA256
97d6d1fada376991381c2dc559e066dab7f1eeef4a0ab57d1178d8e8d735197a

SHA512
67e2a9043eebc2905cb3ee3038cb630526d75fd9e1758637c45d06f43bb07e0f61bed934754691153b83ce93a153279b682d2780eb71153477e3e50277628c2c

Download Submit
C:\BridgecomponentInto\serverwebSavesmonitorDhcp.exe

Filesize
844KB

MD5
8b79282b5a8985ceacdea8366c55370b

SHA1
a5bf983187f8f39c9f3c3f23a0ab2bcc27d6f675

SHA256
97d6d1fada376991381c2dc559e066dab7f1eeef4a0ab57d1178d8e8d735197a

SHA512
67e2a9043eebc2905cb3ee3038cb630526d75fd9e1758637c45d06f43bb07e0f61bed934754691153b83ce93a153279b682d2780eb71153477e3e50277628c2c

Download Submit
C:\Program Files (x86)\Microsoft.NET\RedistList\winlogon.exe

Filesize
844KB

MD5
8b79282b5a8985ceacdea8366c55370b

SHA1
a5bf983187f8f39c9f3c3f23a0ab2bcc27d6f675

SHA256
97d6d1fada376991381c2dc559e066dab7f1eeef4a0ab57d1178d8e8d735197a

SHA512
67e2a9043eebc2905cb3ee3038cb630526d75fd9e1758637c45d06f43bb07e0f61bed934754691153b83ce93a153279b682d2780eb71153477e3e50277628c2c

Download Submit
C:\Program Files (x86)\Microsoft.NET\RedistList\winlogon.exe

Filesize
844KB

MD5
8b79282b5a8985ceacdea8366c55370b

SHA1
a5bf983187f8f39c9f3c3f23a0ab2bcc27d6f675

SHA256
97d6d1fada376991381c2dc559e066dab7f1eeef4a0ab57d1178d8e8d735197a

SHA512
67e2a9043eebc2905cb3ee3038cb630526d75fd9e1758637c45d06f43bb07e0f61bed934754691153b83ce93a153279b682d2780eb71153477e3e50277628c2c

Download Submit
C:\Program Files (x86)\Microsoft.NET\RedistList\winlogon.exe

Filesize
844KB

MD5
8b79282b5a8985ceacdea8366c55370b

SHA1
a5bf983187f8f39c9f3c3f23a0ab2bcc27d6f675

SHA256
97d6d1fada376991381c2dc559e066dab7f1eeef4a0ab57d1178d8e8d735197a

SHA512
67e2a9043eebc2905cb3ee3038cb630526d75fd9e1758637c45d06f43bb07e0f61bed934754691153b83ce93a153279b682d2780eb71153477e3e50277628c2c

Download Submit
C:\Program Files\Java\jdk-1.8\lib\SppExtComObj.exe

Filesize
844KB

MD5
8b79282b5a8985ceacdea8366c55370b

SHA1
a5bf983187f8f39c9f3c3f23a0ab2bcc27d6f675

SHA256
97d6d1fada376991381c2dc559e066dab7f1eeef4a0ab57d1178d8e8d735197a

SHA512
67e2a9043eebc2905cb3ee3038cb630526d75fd9e1758637c45d06f43bb07e0f61bed934754691153b83ce93a153279b682d2780eb71153477e3e50277628c2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\winlogon.exe.log

Filesize
1KB

MD5
04d89472c65d3bbaa3a172551b5c71e1

SHA1
b9f21e7cac5c00602ee172f2752c568d5dd26121

SHA256
e8d0e562df3559ad023471fd3ea147e4c3892365b0dfcf0632dfa9c98336e105

SHA512
665109418a1f4bf3f54bf4b87321595a3acf8114d5e2874db245b00b41dc98cfbcb77a2542f711a9146c849bfbf7163bcab286f8fc1774a48cf39b611cddee8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5Sm4RhIr4P.bat

Filesize
236B

MD5
5694da9b6a01cd7dd1a4ded475572d2f

SHA1
a7ad44681144fb3a3d843e4d2ae7be45441a5ec0

SHA256
6c70daee7e1e0c35107215cbc27dcbc32b5943ff90f173f5e1f5c284a6b79b06

SHA512
e9afa89c39e245fc569eb1d5b5d28939d343ba179d91424b3313d878c77d94ae6edc085093ec5eccb0b6f34a089faff033b06b36c4910adc9705ce16b0ef9efd

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4kjvfRyFL.bat

Filesize
188B

MD5
29751dc3541256289f6fb5073aaffdb5

SHA1
9780c0f2efcb862a5babd2b81c74f7b14f14608b

SHA256
03db17481d77831145ba423fb02be5691c6fda35d4ffd20b7b3bae2a39a2ff12

SHA512
44e0c122044c17f3cab4556a471f2f61317d883fd1865faf11a2f2381a7b2d8b1e7f7227fb23e5670832e632a9c0f641f4572dba17f2800f7f0a16dc9c3c115d

Download Submit
memory/3376-23-0x000000001B850000-0x000000001B868000-memory.dmp

Filesize
96KB

Download
memory/3376-24-0x00007FFB1F300000-0x00007FFB1F301000-memory.dmp

Filesize
4KB

Download
memory/3376-21-0x000000001B8D0000-0x000000001B920000-memory.dmp

Filesize
320KB

Download
memory/3376-27-0x00007FFB1F2F0000-0x00007FFB1F2F1000-memory.dmp

Filesize
4KB

Download
memory/3376-26-0x0000000002E00000-0x0000000002E0E000-memory.dmp

Filesize
56KB

Download
memory/3376-28-0x00007FFB1F2E0000-0x00007FFB1F2E1000-memory.dmp

Filesize
4KB

Download
memory/3376-30-0x0000000002F20000-0x0000000002F2C000-memory.dmp

Filesize
48KB

Download
memory/3376-32-0x0000000002F30000-0x0000000002F3C000-memory.dmp

Filesize
48KB

Download
memory/3376-33-0x00007FFB1F2D0000-0x00007FFB1F2D1000-memory.dmp

Filesize
4KB

Download
memory/3376-34-0x000000001B960000-0x000000001B970000-memory.dmp

Filesize
64KB

Download
memory/3376-19-0x000000001B830000-0x000000001B84C000-memory.dmp

Filesize
112KB

Download
memory/3376-51-0x00007FFB00E40000-0x00007FFB01901000-memory.dmp

Filesize
10.8MB

Download
memory/3376-20-0x00007FFB1F310000-0x00007FFB1F311000-memory.dmp

Filesize
4KB

Download
memory/3376-17-0x00007FFB1F320000-0x00007FFB1F321000-memory.dmp

Filesize
4KB

Download
memory/3376-16-0x0000000002DF0000-0x0000000002DFE000-memory.dmp

Filesize
56KB

Download
memory/3376-12-0x0000000000CB0000-0x0000000000D8A000-memory.dmp

Filesize
872KB

Download
memory/3376-13-0x00007FFB00E40000-0x00007FFB01901000-memory.dmp

Filesize
10.8MB

Download
memory/3376-14-0x000000001B960000-0x000000001B970000-memory.dmp

Filesize
64KB

Download
memory/4560-66-0x00007FFB1F2E0000-0x00007FFB1F2E1000-memory.dmp

Filesize
4KB

Download
memory/4560-63-0x00007FFB1F300000-0x00007FFB1F301000-memory.dmp

Filesize
4KB

Download
memory/4560-65-0x00007FFB1F2F0000-0x00007FFB1F2F1000-memory.dmp

Filesize
4KB

Download
memory/4560-60-0x00007FFB1F310000-0x00007FFB1F311000-memory.dmp

Filesize
4KB

Download
memory/4560-68-0x00007FFB1F2D0000-0x00007FFB1F2D1000-memory.dmp

Filesize
4KB

Download
memory/4560-69-0x0000000002A30000-0x0000000002A40000-memory.dmp

Filesize
64KB

Download
memory/4560-71-0x00007FFB00CC0000-0x00007FFB01781000-memory.dmp

Filesize
10.8MB

Download
memory/4560-72-0x0000000002A30000-0x0000000002A40000-memory.dmp

Filesize
64KB

Download
memory/4560-78-0x00007FFB00CC0000-0x00007FFB01781000-memory.dmp

Filesize
10.8MB

Download
memory/4560-58-0x00007FFB1F320000-0x00007FFB1F321000-memory.dmp

Filesize
4KB

Download
memory/4560-57-0x0000000002A30000-0x0000000002A40000-memory.dmp

Filesize
64KB

Download
memory/4560-56-0x00007FFB00CC0000-0x00007FFB01781000-memory.dmp

Filesize
10.8MB

Download
memory/5048-83-0x0000000000B00000-0x0000000000B10000-memory.dmp

Filesize
64KB

Download
memory/5048-95-0x00007FFB1F2D0000-0x00007FFB1F2D1000-memory.dmp

Filesize
4KB

Download
memory/5048-85-0x00007FFB1F320000-0x00007FFB1F321000-memory.dmp

Filesize
4KB

Download
memory/5048-87-0x00007FFB1F310000-0x00007FFB1F311000-memory.dmp

Filesize
4KB

Download
memory/5048-89-0x00007FFB1F300000-0x00007FFB1F301000-memory.dmp

Filesize
4KB

Download
memory/5048-91-0x00007FFB1F2F0000-0x00007FFB1F2F1000-memory.dmp

Filesize
4KB

Download
memory/5048-92-0x00007FFB1F2E0000-0x00007FFB1F2E1000-memory.dmp

Filesize
4KB

Download
memory/5048-82-0x00007FFAFEDE0000-0x00007FFAFF8A1000-memory.dmp

Filesize
10.8MB

Download
memory/5048-96-0x0000000000B00000-0x0000000000B10000-memory.dmp

Filesize
64KB

Download
memory/5048-97-0x00007FFAFEDE0000-0x00007FFAFF8A1000-memory.dmp

Filesize
10.8MB

Download
memory/5048-98-0x0000000000B00000-0x0000000000B10000-memory.dmp

Filesize
64KB

Download
memory/5048-99-0x0000000000B00000-0x0000000000B10000-memory.dmp

Filesize
64KB

Download
memory/5048-104-0x0000000000B00000-0x0000000000B10000-memory.dmp

Filesize
64KB

Download
memory/5048-136-0x0000000000B00000-0x0000000000B10000-memory.dmp

Filesize
64KB

Download