55e6277caf00d4f97a27705ba4ae760578c4a0cbace8929f7067c52c93edb487

Analysis

max time kernel
136s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 12:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

201ccc41ff100bf8046574b0ed41e939.exe
Size

30KB
MD5

201ccc41ff100bf8046574b0ed41e939
SHA1

e99a1ddd5947544ffdbcc448606d87d79bee2c97
SHA256

55e6277caf00d4f97a27705ba4ae760578c4a0cbace8929f7067c52c93edb487
SHA512

63cb5086969a2d9d3c353da8fcf282866fb23198ddfe9a4fd2ed11474b2123b41c7f67147b7f3b639065aec12cc9dd1c21a9319dc6ca80e52e8ab5c31506391b
SSDEEP

768:o874OGQjeUiXh/LWFsJpBv0EqLTP6uPixUWeWmuF9hZx3Ov4:otOZcNcEqPrpWeWPF9Mv4

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1520	svchost32.exe
1964	services32.exe
1944	svchost32.exe
296	sihost32.exe

Loads dropped DLL 4 IoCs

pid	Process
2384	cmd.exe
1520	svchost32.exe
964	cmd.exe
1944	svchost32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\Microsoft\Telemetry\sihost32.exe	svchost32.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\Microsoft\Telemetry\sihost32.log	svchost32.exe
File created	C:\Windows\system32\services32.exe	svchost32.exe
File opened for modification	C:\Windows\system32\services32.exe	svchost32.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
768	schtasks.exe
1332	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	svchost32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	svchost32.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1784	powershell.exe
2308	powershell.exe
2352	powershell.exe
2512	powershell.exe
1520	svchost32.exe
1956	powershell.exe
2132	powershell.exe
2952	powershell.exe
1944	svchost32.exe
1924	powershell.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	1520	svchost32.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	1944	svchost32.exe
Token: SeDebugPrivilege	1924	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 3052	3000	201ccc41ff100bf8046574b0ed41e939.exe	28
PID 3000 wrote to memory of 3052	3000	201ccc41ff100bf8046574b0ed41e939.exe	28
PID 3000 wrote to memory of 3052	3000	201ccc41ff100bf8046574b0ed41e939.exe	28
PID 3052 wrote to memory of 1784	3052	cmd.exe	30
PID 3052 wrote to memory of 1784	3052	cmd.exe	30
PID 3052 wrote to memory of 1784	3052	cmd.exe	30
PID 3052 wrote to memory of 2308	3052	cmd.exe	31
PID 3052 wrote to memory of 2308	3052	cmd.exe	31
PID 3052 wrote to memory of 2308	3052	cmd.exe	31
PID 3052 wrote to memory of 2352	3052	cmd.exe	32
PID 3052 wrote to memory of 2352	3052	cmd.exe	32
PID 3052 wrote to memory of 2352	3052	cmd.exe	32
PID 3052 wrote to memory of 2512	3052	cmd.exe	33
PID 3052 wrote to memory of 2512	3052	cmd.exe	33
PID 3052 wrote to memory of 2512	3052	cmd.exe	33
PID 3000 wrote to memory of 2384	3000	201ccc41ff100bf8046574b0ed41e939.exe	34
PID 3000 wrote to memory of 2384	3000	201ccc41ff100bf8046574b0ed41e939.exe	34
PID 3000 wrote to memory of 2384	3000	201ccc41ff100bf8046574b0ed41e939.exe	34
PID 2384 wrote to memory of 1520	2384	cmd.exe	36
PID 2384 wrote to memory of 1520	2384	cmd.exe	36
PID 2384 wrote to memory of 1520	2384	cmd.exe	36
PID 1520 wrote to memory of 2436	1520	svchost32.exe	38
PID 1520 wrote to memory of 2436	1520	svchost32.exe	38
PID 1520 wrote to memory of 2436	1520	svchost32.exe	38
PID 2436 wrote to memory of 768	2436	cmd.exe	39
PID 2436 wrote to memory of 768	2436	cmd.exe	39
PID 2436 wrote to memory of 768	2436	cmd.exe	39
PID 1520 wrote to memory of 1964	1520	svchost32.exe	42
PID 1520 wrote to memory of 1964	1520	svchost32.exe	42
PID 1520 wrote to memory of 1964	1520	svchost32.exe	42
PID 1520 wrote to memory of 948	1520	svchost32.exe	44
PID 1520 wrote to memory of 948	1520	svchost32.exe	44
PID 1520 wrote to memory of 948	1520	svchost32.exe	44
PID 1964 wrote to memory of 1916	1964	services32.exe	45
PID 1964 wrote to memory of 1916	1964	services32.exe	45
PID 1964 wrote to memory of 1916	1964	services32.exe	45
PID 948 wrote to memory of 2636	948	cmd.exe	47
PID 948 wrote to memory of 2636	948	cmd.exe	47
PID 948 wrote to memory of 2636	948	cmd.exe	47
PID 1916 wrote to memory of 1956	1916	cmd.exe	48
PID 1916 wrote to memory of 1956	1916	cmd.exe	48
PID 1916 wrote to memory of 1956	1916	cmd.exe	48
PID 1916 wrote to memory of 2132	1916	cmd.exe	49
PID 1916 wrote to memory of 2132	1916	cmd.exe	49
PID 1916 wrote to memory of 2132	1916	cmd.exe	49
PID 1916 wrote to memory of 2952	1916	cmd.exe	50
PID 1916 wrote to memory of 2952	1916	cmd.exe	50
PID 1916 wrote to memory of 2952	1916	cmd.exe	50
PID 1964 wrote to memory of 964	1964	services32.exe	52
PID 1964 wrote to memory of 964	1964	services32.exe	52
PID 1964 wrote to memory of 964	1964	services32.exe	52
PID 964 wrote to memory of 1944	964	cmd.exe	53
PID 964 wrote to memory of 1944	964	cmd.exe	53
PID 964 wrote to memory of 1944	964	cmd.exe	53
PID 1944 wrote to memory of 1948	1944	svchost32.exe	54
PID 1944 wrote to memory of 1948	1944	svchost32.exe	54
PID 1944 wrote to memory of 1948	1944	svchost32.exe	54
PID 1916 wrote to memory of 1924	1916	cmd.exe	55
PID 1916 wrote to memory of 1924	1916	cmd.exe	55
PID 1916 wrote to memory of 1924	1916	cmd.exe	55
PID 1944 wrote to memory of 296	1944	svchost32.exe	58
PID 1944 wrote to memory of 296	1944	svchost32.exe	58
PID 1944 wrote to memory of 296	1944	svchost32.exe	58
PID 1948 wrote to memory of 1332	1948	cmd.exe	57

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\201ccc41ff100bf8046574b0ed41e939.exe
"C:\Users\Admin\AppData\Local\Temp\201ccc41ff100bf8046574b0ed41e939.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Windows\system32\cmd.exe
  "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1784
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2308
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2352
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2512
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\201ccc41ff100bf8046574b0ed41e939.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Users\Admin\AppData\Local\Temp\svchost32.exe
    C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\201ccc41ff100bf8046574b0ed41e939.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2436
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
        5⤵
        Creates scheduled task(s)
        
        PID:768
  - - C:\Windows\system32\services32.exe
      "C:\Windows\system32\services32.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1964
    - - C:\Windows\system32\cmd.exe
        
        "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1916
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        6⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        6⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
        6⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
        6⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:964
      - C:\Users\Admin\AppData\Local\Temp\svchost32.exe
        
        C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
        8⤵
        Creates scheduled task(s)
        
        PID:1332
        
        C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
        
        "C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
        7⤵
        Executes dropped EXE
        
        PID:296
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
        7⤵
        
        PID:3064
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        8⤵
        
        PID:2292
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:948
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svchost32.exe

Filesize
23KB

MD5
0c09fa12328f97526cf203298cb759f1

SHA1
b84dc4618548074cf84ca6956a3b067c1e93f24f

SHA256
f155cc45db016c18351c015828b605c34e0fa8bdc3e8f01f80d1fabf4af16e62

SHA512
816deffeee99593abcdde6b85cb24885b69bc8a13b5f7ca1546cf54077299331e0fd25661e34065e6b3f9fea88fc832e3857dde18b694e698f55b89b1fe78da3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7cfef93ec46127e9424a0822fd4b6d51

SHA1
9cc306a8f225907f190ccae84d0f4df4ada20fdd

SHA256
5e3457db33c179fd01f3de4dcd7543f2d1c64350d8afc70295723e6f7d3e4717

SHA512
bb13a661e553100bdf787d79616c80b99128b0ad0750316d5108fe038bd703a5ea5fea7fb5b70f4c7d799b26bb6fa97d8654e67b8b84f1e05637c64a51edaa5d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
cb39c3ebf21f1f2b96f2082005ec7390

SHA1
f14dc227e22e5d9c58127e953c67c550173dadc1

SHA256
de86e7f286d94584c4d66e7204b1c67156f51ed7e3805bebd9d53a1c1f002600

SHA512
63fb90f58f9fcd14c9fcc2ce2082ca357c32b9092ada1cc1ca13be0343739ef699156d8042bf496d04dd7c1ec46e3703c98d7f331d4db7069d5bce11341bea6c

Download Submit
C:\Windows\system32\Microsoft\Telemetry\sihost32.exe

Filesize
8KB

MD5
b6e33521c7366d6c16a9b0b1abfaedc1

SHA1
1b06a4b5a527e280a7bdba7ea457f96daef111ec

SHA256
e1215ba5f18875a9741b551894d7502f1862b4758f47b144a720340aa76b2abc

SHA512
d2964e676dab96436b6884d57c0a6f2844791659356f871fde8b4372385d789d2080f6b21831c2dda188c8cf2526b0c26ff5fabadbe9238805dc6d1ccbce8b78

Download Submit
\Windows\System32\services32.exe

Filesize
30KB

MD5
201ccc41ff100bf8046574b0ed41e939

SHA1
e99a1ddd5947544ffdbcc448606d87d79bee2c97

SHA256
55e6277caf00d4f97a27705ba4ae760578c4a0cbace8929f7067c52c93edb487

SHA512
63cb5086969a2d9d3c353da8fcf282866fb23198ddfe9a4fd2ed11474b2123b41c7f67147b7f3b639065aec12cc9dd1c21a9319dc6ca80e52e8ab5c31506391b

Download Submit
memory/1520-60-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

Filesize
9.9MB

Download
memory/1520-71-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

Filesize
9.9MB

Download
memory/1520-59-0x000000013F270000-0x000000013F27A000-memory.dmp

Filesize
40KB

Download
memory/1520-61-0x000000001BEF0000-0x000000001BF70000-memory.dmp

Filesize
512KB

Download
memory/1784-8-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/1784-14-0x000007FEF2FD0000-0x000007FEF396D000-memory.dmp

Filesize
9.6MB

Download
memory/1784-13-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/1784-12-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/1784-11-0x000007FEF2FD0000-0x000007FEF396D000-memory.dmp

Filesize
9.6MB

Download
memory/1784-10-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/1784-9-0x000007FEF2FD0000-0x000007FEF396D000-memory.dmp

Filesize
9.6MB

Download
memory/1784-7-0x000000001B1B0000-0x000000001B492000-memory.dmp

Filesize
2.9MB

Download
memory/1944-114-0x000000013F380000-0x000000013F38A000-memory.dmp

Filesize
40KB

Download
memory/1956-79-0x000007FEF2FD0000-0x000007FEF396D000-memory.dmp

Filesize
9.6MB

Download
memory/1956-78-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download
memory/1956-77-0x000007FEF2FD0000-0x000007FEF396D000-memory.dmp

Filesize
9.6MB

Download
memory/1956-80-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download
memory/1956-83-0x000007FEF2FD0000-0x000007FEF396D000-memory.dmp

Filesize
9.6MB

Download
memory/1956-82-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download
memory/1956-81-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download
memory/1964-70-0x000000001BEB0000-0x000000001BF30000-memory.dmp

Filesize
512KB

Download
memory/1964-69-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

Filesize
9.9MB

Download
memory/1964-68-0x000000013F270000-0x000000013F27C000-memory.dmp

Filesize
48KB

Download
memory/1964-106-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

Filesize
9.9MB

Download
memory/1964-109-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

Filesize
9.9MB

Download
memory/2132-92-0x0000000002570000-0x00000000025F0000-memory.dmp

Filesize
512KB

Download
memory/2132-93-0x0000000002570000-0x00000000025F0000-memory.dmp

Filesize
512KB

Download
memory/2132-91-0x0000000002570000-0x00000000025F0000-memory.dmp

Filesize
512KB

Download
memory/2132-90-0x000007FEF2630000-0x000007FEF2FCD000-memory.dmp

Filesize
9.6MB

Download
memory/2132-94-0x000007FEF2630000-0x000007FEF2FCD000-memory.dmp

Filesize
9.6MB

Download
memory/2132-95-0x0000000002570000-0x00000000025F0000-memory.dmp

Filesize
512KB

Download
memory/2132-96-0x000007FEF2630000-0x000007FEF2FCD000-memory.dmp

Filesize
9.6MB

Download
memory/2308-24-0x000007FEF2630000-0x000007FEF2FCD000-memory.dmp

Filesize
9.6MB

Download
memory/2308-28-0x000007FEF2630000-0x000007FEF2FCD000-memory.dmp

Filesize
9.6MB

Download
memory/2308-20-0x000000001B420000-0x000000001B702000-memory.dmp

Filesize
2.9MB

Download
memory/2308-21-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

Filesize
32KB

Download
memory/2308-22-0x000007FEF2630000-0x000007FEF2FCD000-memory.dmp

Filesize
9.6MB

Download
memory/2308-23-0x0000000002A20000-0x0000000002AA0000-memory.dmp

Filesize
512KB

Download
memory/2308-25-0x0000000002A20000-0x0000000002AA0000-memory.dmp

Filesize
512KB

Download
memory/2308-27-0x0000000002A20000-0x0000000002AA0000-memory.dmp

Filesize
512KB

Download
memory/2308-26-0x0000000002A24000-0x0000000002A27000-memory.dmp

Filesize
12KB

Download
memory/2352-41-0x000007FEF2FD0000-0x000007FEF396D000-memory.dmp

Filesize
9.6MB

Download
memory/2352-40-0x00000000029C0000-0x0000000002A40000-memory.dmp

Filesize
512KB

Download
memory/2352-38-0x00000000029C0000-0x0000000002A40000-memory.dmp

Filesize
512KB

Download
memory/2352-37-0x00000000029C0000-0x0000000002A40000-memory.dmp

Filesize
512KB

Download
memory/2352-36-0x000007FEF2FD0000-0x000007FEF396D000-memory.dmp

Filesize
9.6MB

Download
memory/2352-35-0x00000000029C0000-0x0000000002A40000-memory.dmp

Filesize
512KB

Download
memory/2352-34-0x000007FEF2FD0000-0x000007FEF396D000-memory.dmp

Filesize
9.6MB

Download
memory/2512-49-0x0000000002A80000-0x0000000002B00000-memory.dmp

Filesize
512KB

Download
memory/2512-51-0x0000000002A80000-0x0000000002B00000-memory.dmp

Filesize
512KB

Download
memory/2512-47-0x000007FEF2630000-0x000007FEF2FCD000-memory.dmp

Filesize
9.6MB

Download
memory/2512-56-0x000007FEF2630000-0x000007FEF2FCD000-memory.dmp

Filesize
9.6MB

Download
memory/2512-52-0x0000000002A80000-0x0000000002B00000-memory.dmp

Filesize
512KB

Download
memory/2512-50-0x000007FEF2630000-0x000007FEF2FCD000-memory.dmp

Filesize
9.6MB

Download
memory/2952-105-0x00000000026C0000-0x0000000002740000-memory.dmp

Filesize
512KB

Download
memory/2952-102-0x000007FEF2FD0000-0x000007FEF396D000-memory.dmp

Filesize
9.6MB

Download
memory/2952-103-0x00000000026C0000-0x0000000002740000-memory.dmp

Filesize
512KB

Download
memory/2952-104-0x000007FEF2FD0000-0x000007FEF396D000-memory.dmp

Filesize
9.6MB

Download
memory/2952-108-0x00000000026C0000-0x0000000002740000-memory.dmp

Filesize
512KB

Download
memory/3000-55-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

Filesize
9.9MB

Download
memory/3000-39-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

Filesize
9.9MB

Download
memory/3000-0-0x000000013FBD0000-0x000000013FBDC000-memory.dmp

Filesize
48KB

Download
memory/3000-2-0x000000001BB60000-0x000000001BBE0000-memory.dmp

Filesize
512KB

Download
memory/3000-1-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

Filesize
9.9MB

Download