d2ade013842751895e152fb60cde6524dd7249919689ef6d028f9a00b69cdbe6

Analysis

max time kernel
144s
max time network
128s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 11:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

19fba48af940ee0df42d649be0b83956.exe
Size

29KB
MD5

19fba48af940ee0df42d649be0b83956
SHA1

cb5d068906ac8a9aa0441653e117fda8c5638002
SHA256

d2ade013842751895e152fb60cde6524dd7249919689ef6d028f9a00b69cdbe6
SHA512

574acf0fc89f19c17c778b9b36db817b8ffcc0b58b4a3a93037305736e45925c3581af04b4632e5f41f121a7f5a83f6ffdb528500b6016563fed17b131c7aaa3
SSDEEP

768:T4JROoFgDEUEWZdjLYbIvUWAJaTIQLRGqpeoRMb/+4azuY:EVFsEde6svkw7cq8oRMb/PazuY

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1684	svchost32.exe
1244	services32.exe
768	svchost32.exe
2036	sihost32.exe

Loads dropped DLL 4 IoCs

pid	Process
2900	cmd.exe
1684	svchost32.exe
1516	cmd.exe
768	svchost32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\services32.exe	svchost32.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\Microsoft\Telemetry\sihost32.exe	svchost32.exe
File created	C:\Windows\system32\Microsoft\Telemetry\sihost32.log	svchost32.exe
File created	C:\Windows\system32\services32.exe	svchost32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1976	schtasks.exe
2276	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	svchost32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	svchost32.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2120	powershell.exe
2716	powershell.exe
1672	powershell.exe
2712	powershell.exe
1684	svchost32.exe
772	powershell.exe
2016	powershell.exe
2464	powershell.exe
600	powershell.exe
768	svchost32.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	1684	svchost32.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeDebugPrivilege	600	powershell.exe
Token: SeDebugPrivilege	768	svchost32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 2876	1940	19fba48af940ee0df42d649be0b83956.exe	28
PID 1940 wrote to memory of 2876	1940	19fba48af940ee0df42d649be0b83956.exe	28
PID 1940 wrote to memory of 2876	1940	19fba48af940ee0df42d649be0b83956.exe	28
PID 2876 wrote to memory of 2120	2876	cmd.exe	30
PID 2876 wrote to memory of 2120	2876	cmd.exe	30
PID 2876 wrote to memory of 2120	2876	cmd.exe	30
PID 2876 wrote to memory of 2716	2876	cmd.exe	31
PID 2876 wrote to memory of 2716	2876	cmd.exe	31
PID 2876 wrote to memory of 2716	2876	cmd.exe	31
PID 2876 wrote to memory of 1672	2876	cmd.exe	32
PID 2876 wrote to memory of 1672	2876	cmd.exe	32
PID 2876 wrote to memory of 1672	2876	cmd.exe	32
PID 2876 wrote to memory of 2712	2876	cmd.exe	33
PID 2876 wrote to memory of 2712	2876	cmd.exe	33
PID 2876 wrote to memory of 2712	2876	cmd.exe	33
PID 1940 wrote to memory of 2900	1940	19fba48af940ee0df42d649be0b83956.exe	35
PID 1940 wrote to memory of 2900	1940	19fba48af940ee0df42d649be0b83956.exe	35
PID 1940 wrote to memory of 2900	1940	19fba48af940ee0df42d649be0b83956.exe	35
PID 2900 wrote to memory of 1684	2900	cmd.exe	36
PID 2900 wrote to memory of 1684	2900	cmd.exe	36
PID 2900 wrote to memory of 1684	2900	cmd.exe	36
PID 1684 wrote to memory of 112	1684	svchost32.exe	38
PID 1684 wrote to memory of 112	1684	svchost32.exe	38
PID 1684 wrote to memory of 112	1684	svchost32.exe	38
PID 112 wrote to memory of 1976	112	cmd.exe	39
PID 112 wrote to memory of 1976	112	cmd.exe	39
PID 112 wrote to memory of 1976	112	cmd.exe	39
PID 1684 wrote to memory of 1244	1684	svchost32.exe	44
PID 1684 wrote to memory of 1244	1684	svchost32.exe	44
PID 1684 wrote to memory of 1244	1684	svchost32.exe	44
PID 1684 wrote to memory of 2484	1684	svchost32.exe	43
PID 1684 wrote to memory of 2484	1684	svchost32.exe	43
PID 1684 wrote to memory of 2484	1684	svchost32.exe	43
PID 1244 wrote to memory of 1572	1244	services32.exe	41
PID 1244 wrote to memory of 1572	1244	services32.exe	41
PID 1244 wrote to memory of 1572	1244	services32.exe	41
PID 2484 wrote to memory of 268	2484	cmd.exe	46
PID 2484 wrote to memory of 268	2484	cmd.exe	46
PID 2484 wrote to memory of 268	2484	cmd.exe	46
PID 1572 wrote to memory of 772	1572	cmd.exe	45
PID 1572 wrote to memory of 772	1572	cmd.exe	45
PID 1572 wrote to memory of 772	1572	cmd.exe	45
PID 1572 wrote to memory of 2016	1572	cmd.exe	47
PID 1572 wrote to memory of 2016	1572	cmd.exe	47
PID 1572 wrote to memory of 2016	1572	cmd.exe	47
PID 1572 wrote to memory of 2464	1572	cmd.exe	48
PID 1572 wrote to memory of 2464	1572	cmd.exe	48
PID 1572 wrote to memory of 2464	1572	cmd.exe	48
PID 1572 wrote to memory of 600	1572	cmd.exe	49
PID 1572 wrote to memory of 600	1572	cmd.exe	49
PID 1572 wrote to memory of 600	1572	cmd.exe	49
PID 1244 wrote to memory of 1516	1244	services32.exe	55
PID 1244 wrote to memory of 1516	1244	services32.exe	55
PID 1244 wrote to memory of 1516	1244	services32.exe	55
PID 1516 wrote to memory of 768	1516	cmd.exe	53
PID 1516 wrote to memory of 768	1516	cmd.exe	53
PID 1516 wrote to memory of 768	1516	cmd.exe	53
PID 768 wrote to memory of 884	768	svchost32.exe	52
PID 768 wrote to memory of 884	768	svchost32.exe	52
PID 768 wrote to memory of 884	768	svchost32.exe	52
PID 768 wrote to memory of 2036	768	svchost32.exe	58
PID 768 wrote to memory of 2036	768	svchost32.exe	58
PID 768 wrote to memory of 2036	768	svchost32.exe	58
PID 884 wrote to memory of 2276	884	cmd.exe	57

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\19fba48af940ee0df42d649be0b83956.exe
"C:\Users\Admin\AppData\Local\Temp\19fba48af940ee0df42d649be0b83956.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Windows\system32\cmd.exe
  "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2120
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2716
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1672
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2712
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\19fba48af940ee0df42d649be0b83956.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Users\Admin\AppData\Local\Temp\svchost32.exe
    C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\19fba48af940ee0df42d649be0b83956.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1684
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:112
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
        5⤵
        Creates scheduled task(s)
        
        PID:1976
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2484
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:268
  - - C:\Windows\system32\services32.exe
      "C:\Windows\system32\services32.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1244
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1516

C:\Windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
1⤵
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:600

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
1⤵
- Suspicious use of WriteProcessMemory
PID:884
- C:\Windows\system32\schtasks.exe
  schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
  2⤵
  - Creates scheduled task(s)
  PID:2276

C:\Users\Admin\AppData\Local\Temp\svchost32.exe
C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:768
- C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
  "C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
  2⤵
  PID:2764

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
1⤵
PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svchost32.exe

Filesize
22KB

MD5
d6f691125b0d43be191e1fb811ef8ab5

SHA1
5489df0c20ac24580ff909d9c3f2490aa7300126

SHA256
c01911ec5ff1fa41ce959f9adf95a1574509cea78f0186947d7f53c2233c2657

SHA512
5cba9d6ad32463e123b3586117c0b59259d6438c75e593ecc70bfaf15b8f080cfcd160858cc5ba611a2e40e5a58c41c0eec496512ed5f393281c1f3f58d830a9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d216f43228189d1794cccff1122c950c

SHA1
819ee0ad2a203aece8c0ad3f6a9bd0d0ac909440

SHA256
b387d1ba45d6a8ab3d62d301a0776754257f6da69c878a264932b1ca2f725249

SHA512
6e2f8cc62dc39738aa59cfc2c09fb7b9e48ac07d991306ad2055cdaa2e502c9b15ab365927406be855e982b3093867138b15060d60446cb99114afe46fc65adc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8bd301acfc41af40d7e1671fdad64d26

SHA1
2d36cf3f598ba5443524f41ca63a49944b23e300

SHA256
7b46f9254af10b21b06b2eb291a0a8d17f4a72ee35fb6723347f8e5d44d8952d

SHA512
186905f2ed04bb143dc25ce5cb2825aa5dac7faf231126f059201dbbda4b16e3dac813d7c23642fe9b4d9c23fbf0793434cacbb128e7dbac770d7148d36844f9

Download Submit
C:\Windows\system32\Microsoft\Telemetry\sihost32.exe

Filesize
8KB

MD5
4577ec1058da9843c638be104bc98503

SHA1
bee3f20548834595adbaa5ce03fa0ebc5fd3d424

SHA256
804791f5dedce14edca593ed7bf6c1805a606056f55e03415ef97eb16fc5e1ea

SHA512
07cf025bcc73b554cec570e0129c4779c560a3daff6ee0808d4d3dc6e08a87d3cd00fa2fdc0e0864da443ad8beaecd19a7dbb5bbc63449729c707b5e98f4a004

Download Submit
\Windows\System32\services32.exe

Filesize
29KB

MD5
19fba48af940ee0df42d649be0b83956

SHA1
cb5d068906ac8a9aa0441653e117fda8c5638002

SHA256
d2ade013842751895e152fb60cde6524dd7249919689ef6d028f9a00b69cdbe6

SHA512
574acf0fc89f19c17c778b9b36db817b8ffcc0b58b4a3a93037305736e45925c3581af04b4632e5f41f121a7f5a83f6ffdb528500b6016563fed17b131c7aaa3

Download Submit
memory/600-114-0x0000000002950000-0x00000000029D0000-memory.dmp

Filesize
512KB

Download
memory/600-113-0x000007FEF1AA0000-0x000007FEF243D000-memory.dmp

Filesize
9.6MB

Download
memory/600-115-0x000007FEF1AA0000-0x000007FEF243D000-memory.dmp

Filesize
9.6MB

Download
memory/772-82-0x000007FEF2440000-0x000007FEF2DDD000-memory.dmp

Filesize
9.6MB

Download
memory/772-79-0x000007FEF2440000-0x000007FEF2DDD000-memory.dmp

Filesize
9.6MB

Download
memory/772-80-0x0000000001F90000-0x0000000002010000-memory.dmp

Filesize
512KB

Download
memory/772-83-0x0000000001F9B000-0x0000000002002000-memory.dmp

Filesize
412KB

Download
memory/772-81-0x0000000001F94000-0x0000000001F97000-memory.dmp

Filesize
12KB

Download
memory/772-84-0x000007FEF2440000-0x000007FEF2DDD000-memory.dmp

Filesize
9.6MB

Download
memory/1244-69-0x000000013F650000-0x000000013F65C000-memory.dmp

Filesize
48KB

Download
memory/1244-72-0x000000001ABE0000-0x000000001AC60000-memory.dmp

Filesize
512KB

Download
memory/1244-71-0x000007FEF4FB0000-0x000007FEF599C000-memory.dmp

Filesize
9.9MB

Download
memory/1672-39-0x000000000258B000-0x00000000025F2000-memory.dmp

Filesize
412KB

Download
memory/1672-40-0x000007FEF2440000-0x000007FEF2DDD000-memory.dmp

Filesize
9.6MB

Download
memory/1672-37-0x0000000002580000-0x0000000002600000-memory.dmp

Filesize
512KB

Download
memory/1672-34-0x000007FEF2440000-0x000007FEF2DDD000-memory.dmp

Filesize
9.6MB

Download
memory/1672-35-0x0000000002580000-0x0000000002600000-memory.dmp

Filesize
512KB

Download
memory/1672-36-0x000007FEF2440000-0x000007FEF2DDD000-memory.dmp

Filesize
9.6MB

Download
memory/1672-38-0x0000000002580000-0x0000000002600000-memory.dmp

Filesize
512KB

Download
memory/1684-70-0x000007FEF4FB0000-0x000007FEF599C000-memory.dmp

Filesize
9.9MB

Download
memory/1684-62-0x000007FEF4FB0000-0x000007FEF599C000-memory.dmp

Filesize
9.9MB

Download
memory/1684-60-0x000000013F360000-0x000000013F36A000-memory.dmp

Filesize
40KB

Download
memory/1940-0-0x000000013FF20000-0x000000013FF2C000-memory.dmp

Filesize
48KB

Download
memory/1940-61-0x000007FEF4FB0000-0x000007FEF599C000-memory.dmp

Filesize
9.9MB

Download
memory/1940-1-0x000007FEF4FB0000-0x000007FEF599C000-memory.dmp

Filesize
9.9MB

Download
memory/1940-2-0x000000001BD30000-0x000000001BDB0000-memory.dmp

Filesize
512KB

Download
memory/1940-48-0x000007FEF4FB0000-0x000007FEF599C000-memory.dmp

Filesize
9.9MB

Download
memory/2016-92-0x000007FEF1AA0000-0x000007FEF243D000-memory.dmp

Filesize
9.6MB

Download
memory/2016-94-0x0000000002840000-0x00000000028C0000-memory.dmp

Filesize
512KB

Download
memory/2016-93-0x0000000002840000-0x00000000028C0000-memory.dmp

Filesize
512KB

Download
memory/2016-95-0x0000000002840000-0x00000000028C0000-memory.dmp

Filesize
512KB

Download
memory/2016-91-0x0000000002840000-0x00000000028C0000-memory.dmp

Filesize
512KB

Download
memory/2016-96-0x000007FEF1AA0000-0x000007FEF243D000-memory.dmp

Filesize
9.6MB

Download
memory/2016-90-0x000007FEF1AA0000-0x000007FEF243D000-memory.dmp

Filesize
9.6MB

Download
memory/2120-9-0x000007FEF2440000-0x000007FEF2DDD000-memory.dmp

Filesize
9.6MB

Download
memory/2120-15-0x000007FEF2440000-0x000007FEF2DDD000-memory.dmp

Filesize
9.6MB

Download
memory/2120-14-0x00000000027D0000-0x0000000002850000-memory.dmp

Filesize
512KB

Download
memory/2120-13-0x00000000027D0000-0x0000000002850000-memory.dmp

Filesize
512KB

Download
memory/2120-12-0x00000000027D0000-0x0000000002850000-memory.dmp

Filesize
512KB

Download
memory/2120-7-0x000000001B190000-0x000000001B472000-memory.dmp

Filesize
2.9MB

Download
memory/2120-11-0x000007FEF2440000-0x000007FEF2DDD000-memory.dmp

Filesize
9.6MB

Download
memory/2120-10-0x00000000027D0000-0x0000000002850000-memory.dmp

Filesize
512KB

Download
memory/2120-8-0x0000000002550000-0x0000000002558000-memory.dmp

Filesize
32KB

Download
memory/2464-104-0x000007FEF2440000-0x000007FEF2DDD000-memory.dmp

Filesize
9.6MB

Download
memory/2464-107-0x000007FEF2440000-0x000007FEF2DDD000-memory.dmp

Filesize
9.6MB

Download
memory/2464-103-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2464-102-0x000007FEF2440000-0x000007FEF2DDD000-memory.dmp

Filesize
9.6MB

Download
memory/2464-106-0x00000000028C4000-0x00000000028C7000-memory.dmp

Filesize
12KB

Download
memory/2464-105-0x00000000028CB000-0x0000000002932000-memory.dmp

Filesize
412KB

Download
memory/2712-53-0x0000000002AAB000-0x0000000002B12000-memory.dmp

Filesize
412KB

Download
memory/2712-52-0x0000000002AA0000-0x0000000002B20000-memory.dmp

Filesize
512KB

Download
memory/2712-54-0x000007FEF1AA0000-0x000007FEF243D000-memory.dmp

Filesize
9.6MB

Download
memory/2712-51-0x0000000002AA0000-0x0000000002B20000-memory.dmp

Filesize
512KB

Download
memory/2712-50-0x000007FEF1AA0000-0x000007FEF243D000-memory.dmp

Filesize
9.6MB

Download
memory/2712-49-0x0000000002AA0000-0x0000000002B20000-memory.dmp

Filesize
512KB

Download
memory/2712-47-0x000007FEF1AA0000-0x000007FEF243D000-memory.dmp

Filesize
9.6MB

Download
memory/2716-28-0x000007FEF1AA0000-0x000007FEF243D000-memory.dmp

Filesize
9.6MB

Download
memory/2716-27-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/2716-26-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/2716-25-0x000007FEF1AA0000-0x000007FEF243D000-memory.dmp

Filesize
9.6MB

Download
memory/2716-22-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2716-24-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/2716-23-0x000007FEF1AA0000-0x000007FEF243D000-memory.dmp

Filesize
9.6MB

Download
memory/2716-21-0x000000001B220000-0x000000001B502000-memory.dmp

Filesize
2.9MB

Download