55e6277caf00d4f97a27705ba4ae760578c4a0cbace8929f7067c52c93edb487

Analysis

max time kernel
181s
max time network
201s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 12:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

201ccc41ff100bf8046574b0ed41e939.exe
Size

30KB
MD5

201ccc41ff100bf8046574b0ed41e939
SHA1

e99a1ddd5947544ffdbcc448606d87d79bee2c97
SHA256

55e6277caf00d4f97a27705ba4ae760578c4a0cbace8929f7067c52c93edb487
SHA512

63cb5086969a2d9d3c353da8fcf282866fb23198ddfe9a4fd2ed11474b2123b41c7f67147b7f3b639065aec12cc9dd1c21a9319dc6ca80e52e8ab5c31506391b
SSDEEP

768:o874OGQjeUiXh/LWFsJpBv0EqLTP6uPixUWeWmuF9hZx3Ov4:otOZcNcEqPrpWeWPF9Mv4

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	services32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	svchost32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	svchost32.exe

Executes dropped EXE 4 IoCs

pid	Process
2312	svchost32.exe
1636	services32.exe
2796	svchost32.exe
652	sihost32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\services32.exe	svchost32.exe
File opened for modification	C:\Windows\system32\services32.exe	svchost32.exe
File created	C:\Windows\system32\Microsoft\Telemetry\sihost32.exe	svchost32.exe
File created	C:\Windows\system32\Microsoft\Telemetry\sihost32.log	svchost32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2520	schtasks.exe
1576	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2196	powershell.exe
2196	powershell.exe
2036	powershell.exe
2036	powershell.exe
856	powershell.exe
856	powershell.exe
1172	powershell.exe
1172	powershell.exe
2312	svchost32.exe
468	powershell.exe
468	powershell.exe
3832	powershell.exe
3832	powershell.exe
2420	powershell.exe
2796	svchost32.exe
2420	powershell.exe
4412	powershell.exe
4412	powershell.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	856	powershell.exe
Token: SeDebugPrivilege	1172	powershell.exe
Token: SeDebugPrivilege	2312	svchost32.exe
Token: SeDebugPrivilege	468	powershell.exe
Token: SeDebugPrivilege	3832	powershell.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	2796	svchost32.exe
Token: SeDebugPrivilege	4412	powershell.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 864	2632	201ccc41ff100bf8046574b0ed41e939.exe	90
PID 2632 wrote to memory of 864	2632	201ccc41ff100bf8046574b0ed41e939.exe	90
PID 864 wrote to memory of 2196	864	cmd.exe	92
PID 864 wrote to memory of 2196	864	cmd.exe	92
PID 864 wrote to memory of 2036	864	cmd.exe	94
PID 864 wrote to memory of 2036	864	cmd.exe	94
PID 864 wrote to memory of 856	864	Process not Found	96
PID 864 wrote to memory of 856	864	Process not Found	96
PID 864 wrote to memory of 1172	864	Process not Found	97
PID 864 wrote to memory of 1172	864	Process not Found	97
PID 2632 wrote to memory of 436	2632	cmd.exe	99
PID 2632 wrote to memory of 436	2632	cmd.exe	99
PID 436 wrote to memory of 2312	436	cmd.exe	100
PID 436 wrote to memory of 2312	436	cmd.exe	100
PID 2312 wrote to memory of 1524	2312	svchost32.exe	102
PID 2312 wrote to memory of 1524	2312	svchost32.exe	102
PID 1524 wrote to memory of 1576	1524	cmd.exe	103
PID 1524 wrote to memory of 1576	1524	cmd.exe	103
PID 2312 wrote to memory of 1636	2312	svchost32.exe	105
PID 2312 wrote to memory of 1636	2312	svchost32.exe	105
PID 2312 wrote to memory of 804	2312	svchost32.exe	106
PID 2312 wrote to memory of 804	2312	svchost32.exe	106
PID 1636 wrote to memory of 4372	1636	services32.exe	107
PID 1636 wrote to memory of 4372	1636	services32.exe	107
PID 804 wrote to memory of 784	804	cmd.exe	112
PID 804 wrote to memory of 784	804	cmd.exe	112
PID 4372 wrote to memory of 468	4372	cmd.exe	111
PID 4372 wrote to memory of 468	4372	cmd.exe	111
PID 4372 wrote to memory of 3832	4372	cmd.exe	113
PID 4372 wrote to memory of 3832	4372	cmd.exe	113
PID 1636 wrote to memory of 3504	1636	services32.exe	114
PID 1636 wrote to memory of 3504	1636	services32.exe	114
PID 3504 wrote to memory of 2796	3504	cmd.exe	116
PID 3504 wrote to memory of 2796	3504	cmd.exe	116
PID 4372 wrote to memory of 2420	4372	cmd.exe	117
PID 4372 wrote to memory of 2420	4372	cmd.exe	117
PID 2796 wrote to memory of 2632	2796	svchost32.exe	118
PID 2796 wrote to memory of 2632	2796	svchost32.exe	118
PID 2796 wrote to memory of 652	2796	svchost32.exe	120
PID 2796 wrote to memory of 652	2796	svchost32.exe	120
PID 2632 wrote to memory of 2520	2632	cmd.exe	121
PID 2632 wrote to memory of 2520	2632	cmd.exe	121
PID 4372 wrote to memory of 4412	4372	cmd.exe	124
PID 4372 wrote to memory of 4412	4372	cmd.exe	124
PID 2796 wrote to memory of 1128	2796	svchost32.exe	130
PID 2796 wrote to memory of 1128	2796	svchost32.exe	130
PID 1128 wrote to memory of 2508	1128	cmd.exe	132
PID 1128 wrote to memory of 2508	1128	cmd.exe	132

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\201ccc41ff100bf8046574b0ed41e939.exe
"C:\Users\Admin\AppData\Local\Temp\201ccc41ff100bf8046574b0ed41e939.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:864
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2196
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2036
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:856
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1172
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\201ccc41ff100bf8046574b0ed41e939.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:436
- - C:\Users\Admin\AppData\Local\Temp\svchost32.exe
    C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\201ccc41ff100bf8046574b0ed41e939.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2312
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1524
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
        5⤵
        Creates scheduled task(s)
        
        PID:1576
  - - C:\Windows\system32\services32.exe
      "C:\Windows\system32\services32.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1636
    - - C:\Windows\system32\cmd.exe
        
        "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4372
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:468
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3832
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4412
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3504
      - C:\Users\Admin\AppData\Local\Temp\svchost32.exe
        
        C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
        7⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
        8⤵
        Creates scheduled task(s)
        
        PID:2520
        
        C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
        
        "C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
        7⤵
        Executes dropped EXE
        
        PID:652
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        8⤵
        
        PID:2508
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:804
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost32.exe.log

Filesize
539B

MD5
b245679121623b152bea5562c173ba11

SHA1
47cb7fc4cf67e29a87016a7308cdb8b1b4dc8e3d

SHA256
73d84fd03e38f1bbf8b2218f8a454f0879051855252fc76b63f20f46e7fd877f

SHA512
75e46843b1eafcc7dc4362630838895b7f399e57662a12bf0305a912c8e726b02e0a760b1b97a2c262b2d05fdb944b9ed81c338ad93e5eb5cb57bc651602e42c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d7d43c7921ba2a019f8b71583dd48d4

SHA1
6948a707461340250eeb3c7a47be426af183e16b

SHA256
d7d4bb1a9755f4963c7749012884c8dc494726368c021cbefdb731e2b2dd691f

SHA512
05d3b04844abf0eef433ed67991a17ff8db9054d8e9bb327447c14c6f68f89c20da7a40ac91e47575e1ce4e21a9e6ab9e509254f73c46bc467733dddfc5919c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cae60f0ddddac635da71bba775a2c5b4

SHA1
386f1a036af61345a7d303d45f5230e2df817477

SHA256
b2dd636b7b0d3bfe44cef5e1175828b1fa7bd84d5563f54342944156ba996c16

SHA512
28ed8a8bc132ef56971cfd7b517b17cdb74a7f8c247ef6bff232996210075e06aa58a415825a1e038cfb547ad3dc6882bf1ca1b68c5b360ef0512a1440850253

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3805f27d120f72d38c9036a9121e4bbc

SHA1
83e452ab69f491e39635e7eac2bbf9577b44355f

SHA256
251b110996bfadc3e40f708da65e1242b692bc8c8cdb52e2e9323e1b9d82e590

SHA512
57e52747fe8f3f05e9215c6e127073efb03e3daf9614c9dce46c4cfee9661eef7edab9531a63dcc81579f732e1d7e585fc7d29be511d979ebc1d5d5ae5305081

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3072fa0040b347c3941144486bf30c6f

SHA1
e6dc84a5bd882198583653592f17af1bf8cbfc68

SHA256
da8b533f81b342503c109e46b081b5c5296fdad5481f93fe5cc648e49ca6238e

SHA512
62df0eed621fe8ec340887a03d26b125429025c14ddcdfef82cb78ce1c9c6110c1d51ff0e423754d7966b6251363bf92833970eaf67707f8dd62e1549a79536c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eb1ad317bd25b55b2bbdce8a28a74a94

SHA1
98a3978be4d10d62e7411946474579ee5bdc5ea6

SHA256
9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

SHA512
d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0zyols0b.thg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost32.exe

Filesize
23KB

MD5
0c09fa12328f97526cf203298cb759f1

SHA1
b84dc4618548074cf84ca6956a3b067c1e93f24f

SHA256
f155cc45db016c18351c015828b605c34e0fa8bdc3e8f01f80d1fabf4af16e62

SHA512
816deffeee99593abcdde6b85cb24885b69bc8a13b5f7ca1546cf54077299331e0fd25661e34065e6b3f9fea88fc832e3857dde18b694e698f55b89b1fe78da3

Download Submit
C:\Windows\System32\services32.exe

Filesize
30KB

MD5
201ccc41ff100bf8046574b0ed41e939

SHA1
e99a1ddd5947544ffdbcc448606d87d79bee2c97

SHA256
55e6277caf00d4f97a27705ba4ae760578c4a0cbace8929f7067c52c93edb487

SHA512
63cb5086969a2d9d3c353da8fcf282866fb23198ddfe9a4fd2ed11474b2123b41c7f67147b7f3b639065aec12cc9dd1c21a9319dc6ca80e52e8ab5c31506391b

Download Submit
C:\Windows\system32\Microsoft\Telemetry\sihost32.exe

Filesize
8KB

MD5
b6e33521c7366d6c16a9b0b1abfaedc1

SHA1
1b06a4b5a527e280a7bdba7ea457f96daef111ec

SHA256
e1215ba5f18875a9741b551894d7502f1862b4758f47b144a720340aa76b2abc

SHA512
d2964e676dab96436b6884d57c0a6f2844791659356f871fde8b4372385d789d2080f6b21831c2dda188c8cf2526b0c26ff5fabadbe9238805dc6d1ccbce8b78

Download Submit
memory/468-101-0x000001446B770000-0x000001446B780000-memory.dmp

Filesize
64KB

Download
memory/468-113-0x000001446B770000-0x000001446B780000-memory.dmp

Filesize
64KB

Download
memory/468-100-0x00007FFAD4CB0000-0x00007FFAD5771000-memory.dmp

Filesize
10.8MB

Download
memory/468-115-0x00007FFAD4CB0000-0x00007FFAD5771000-memory.dmp

Filesize
10.8MB

Download
memory/468-111-0x000001446B770000-0x000001446B780000-memory.dmp

Filesize
64KB

Download
memory/652-170-0x00007FFAD4CB0000-0x00007FFAD5771000-memory.dmp

Filesize
10.8MB

Download
memory/652-168-0x0000000000800000-0x0000000000806000-memory.dmp

Filesize
24KB

Download
memory/856-57-0x00007FFAD4CB0000-0x00007FFAD5771000-memory.dmp

Filesize
10.8MB

Download
memory/856-52-0x000001E4A9EA0000-0x000001E4A9EB0000-memory.dmp

Filesize
64KB

Download
memory/856-54-0x000001E4A9EA0000-0x000001E4A9EB0000-memory.dmp

Filesize
64KB

Download
memory/856-51-0x000001E4A9EA0000-0x000001E4A9EB0000-memory.dmp

Filesize
64KB

Download
memory/856-50-0x00007FFAD4CB0000-0x00007FFAD5771000-memory.dmp

Filesize
10.8MB

Download
memory/856-55-0x000001E4A9EA0000-0x000001E4A9EB0000-memory.dmp

Filesize
64KB

Download
memory/1172-84-0x00007FFAD4CB0000-0x00007FFAD5771000-memory.dmp

Filesize
10.8MB

Download
memory/1172-73-0x0000018B7E490000-0x0000018B7E4A0000-memory.dmp

Filesize
64KB

Download
memory/1172-75-0x0000018B7E490000-0x0000018B7E4A0000-memory.dmp

Filesize
64KB

Download
memory/1172-68-0x00007FFAD4CB0000-0x00007FFAD5771000-memory.dmp

Filesize
10.8MB

Download
memory/1172-70-0x0000018B7E490000-0x0000018B7E4A0000-memory.dmp

Filesize
64KB

Download
memory/1172-69-0x0000018B7E490000-0x0000018B7E4A0000-memory.dmp

Filesize
64KB

Download
memory/1636-134-0x00007FFAD4CB0000-0x00007FFAD5771000-memory.dmp

Filesize
10.8MB

Download
memory/1636-96-0x00007FFAD4CB0000-0x00007FFAD5771000-memory.dmp

Filesize
10.8MB

Download
memory/1636-119-0x00007FFAD4CB0000-0x00007FFAD5771000-memory.dmp

Filesize
10.8MB

Download
memory/1636-97-0x0000000001B30000-0x0000000001B40000-memory.dmp

Filesize
64KB

Download
memory/2036-38-0x0000020970200000-0x0000020970210000-memory.dmp

Filesize
64KB

Download
memory/2036-35-0x0000020970200000-0x0000020970210000-memory.dmp

Filesize
64KB

Download
memory/2036-33-0x0000020970200000-0x0000020970210000-memory.dmp

Filesize
64KB

Download
memory/2036-32-0x0000020970200000-0x0000020970210000-memory.dmp

Filesize
64KB

Download
memory/2036-31-0x00007FFAD4CB0000-0x00007FFAD5771000-memory.dmp

Filesize
10.8MB

Download
memory/2036-39-0x00007FFAD4CB0000-0x00007FFAD5771000-memory.dmp

Filesize
10.8MB

Download
memory/2196-17-0x000002775EA20000-0x000002775EA30000-memory.dmp

Filesize
64KB

Download
memory/2196-16-0x000002775EA20000-0x000002775EA30000-memory.dmp

Filesize
64KB

Download
memory/2196-20-0x00007FFAD4CB0000-0x00007FFAD5771000-memory.dmp

Filesize
10.8MB

Download
memory/2196-15-0x0000027778CF0000-0x0000027778D12000-memory.dmp

Filesize
136KB

Download
memory/2196-10-0x000002775EA20000-0x000002775EA30000-memory.dmp

Filesize
64KB

Download
memory/2196-4-0x000002775EA20000-0x000002775EA30000-memory.dmp

Filesize
64KB

Download
memory/2196-3-0x00007FFAD4CB0000-0x00007FFAD5771000-memory.dmp

Filesize
10.8MB

Download
memory/2312-82-0x0000000003080000-0x0000000003092000-memory.dmp

Filesize
72KB

Download
memory/2312-83-0x000000001C270000-0x000000001C280000-memory.dmp

Filesize
64KB

Download
memory/2312-99-0x00007FFAD4CB0000-0x00007FFAD5771000-memory.dmp

Filesize
10.8MB

Download
memory/2312-80-0x00007FFAD4CB0000-0x00007FFAD5771000-memory.dmp

Filesize
10.8MB

Download
memory/2312-79-0x00000000006F0000-0x00000000006FA000-memory.dmp

Filesize
40KB

Download
memory/2420-143-0x00007FFAD4CB0000-0x00007FFAD5771000-memory.dmp

Filesize
10.8MB

Download
memory/2420-175-0x00007FFAD4CB0000-0x00007FFAD5771000-memory.dmp

Filesize
10.8MB

Download
memory/2420-173-0x00000191686B0000-0x00000191686C0000-memory.dmp

Filesize
64KB

Download
memory/2420-171-0x00000191686B0000-0x00000191686C0000-memory.dmp

Filesize
64KB

Download
memory/2420-144-0x00000191686B0000-0x00000191686C0000-memory.dmp

Filesize
64KB

Download
memory/2420-145-0x00000191686B0000-0x00000191686C0000-memory.dmp

Filesize
64KB

Download
memory/2632-36-0x00007FFAD4CB0000-0x00007FFAD5771000-memory.dmp

Filesize
10.8MB

Download
memory/2632-1-0x00007FFAD4CB0000-0x00007FFAD5771000-memory.dmp

Filesize
10.8MB

Download
memory/2632-74-0x00007FFAD4CB0000-0x00007FFAD5771000-memory.dmp

Filesize
10.8MB

Download
memory/2632-40-0x000000001C190000-0x000000001C1A0000-memory.dmp

Filesize
64KB

Download
memory/2632-0-0x0000000000520000-0x000000000052C000-memory.dmp

Filesize
48KB

Download
memory/2632-2-0x000000001C190000-0x000000001C1A0000-memory.dmp

Filesize
64KB

Download
memory/2796-172-0x00007FFAD4CB0000-0x00007FFAD5771000-memory.dmp

Filesize
10.8MB

Download
memory/2796-141-0x00007FFAD4CB0000-0x00007FFAD5771000-memory.dmp

Filesize
10.8MB

Download
memory/2796-142-0x0000000003580000-0x0000000003590000-memory.dmp

Filesize
64KB

Download
memory/2796-176-0x0000000003580000-0x0000000003590000-memory.dmp

Filesize
64KB

Download
memory/3832-133-0x0000026AFA1B0000-0x0000026AFA1C0000-memory.dmp

Filesize
64KB

Download
memory/3832-117-0x0000026AFA1B0000-0x0000026AFA1C0000-memory.dmp

Filesize
64KB

Download
memory/3832-118-0x0000026AFA1B0000-0x0000026AFA1C0000-memory.dmp

Filesize
64KB

Download
memory/3832-116-0x00007FFAD4CB0000-0x00007FFAD5771000-memory.dmp

Filesize
10.8MB

Download
memory/3832-131-0x0000026AFA1B0000-0x0000026AFA1C0000-memory.dmp

Filesize
64KB

Download
memory/3832-140-0x00007FFAD4CB0000-0x00007FFAD5771000-memory.dmp

Filesize
10.8MB

Download
memory/4412-177-0x00007FFAD4CB0000-0x00007FFAD5771000-memory.dmp

Filesize
10.8MB

Download