0caf1ae312a99cde7514f5d02e6ceb22664119d9e8e3275eee9aca77faf6064e

Analysis

max time kernel
143s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2024 10:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96e9e209995b72f190f3e471220e03af.exe
Size

33KB
MD5

96e9e209995b72f190f3e471220e03af
SHA1

18ceac50034f1c929d3234e57718cecfcadd374d
SHA256

0caf1ae312a99cde7514f5d02e6ceb22664119d9e8e3275eee9aca77faf6064e
SHA512

249b3960f2151a8f121e5e78fb9f76f0b5556f1a23b1058a64680b0b30a4fdd09120e3f90f448df4c01414392be87869c3cab482ea4145e9688912140d4e1e90
SSDEEP

768:hJv6oMKlsISL1yWbYilyQjJjxvnRPWUg65YCdF99FmJR:hJv6oMKlsIoyWsilyqvnR+vhSF9nmR

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	services32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	svchost32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	96e9e209995b72f190f3e471220e03af.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	svchost32.exe

Executes dropped EXE 4 IoCs

pid	Process
1048	svchost32.exe
2332	services32.exe
2768	svchost32.exe
1960	sihost32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
43	raw.githubusercontent.com
44	raw.githubusercontent.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\Microsoft\Telemetry\sihost32.exe	svchost32.exe
File created	C:\Windows\system32\Microsoft\Telemetry\sihost32.log	svchost32.exe
File created	C:\Windows\system32\services32.exe	svchost32.exe
File opened for modification	C:\Windows\system32\services32.exe	svchost32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
800	schtasks.exe
4212	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1756	powershell.exe
1756	powershell.exe
4984	powershell.exe
4984	powershell.exe
2684	powershell.exe
2684	powershell.exe
4492	powershell.exe
4492	powershell.exe
1048	svchost32.exe
4536	powershell.exe
4536	powershell.exe
532	powershell.exe
532	powershell.exe
4800	powershell.exe
4800	powershell.exe
2484	powershell.exe
2484	powershell.exe
2768	svchost32.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	4984	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	4492	powershell.exe
Token: SeDebugPrivilege	1048	svchost32.exe
Token: SeDebugPrivilege	4536	powershell.exe
Token: SeDebugPrivilege	532	powershell.exe
Token: SeDebugPrivilege	4800	powershell.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	2768	svchost32.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 2884	1916	96e9e209995b72f190f3e471220e03af.exe	85
PID 1916 wrote to memory of 2884	1916	96e9e209995b72f190f3e471220e03af.exe	85
PID 2884 wrote to memory of 1756	2884	cmd.exe	87
PID 2884 wrote to memory of 1756	2884	cmd.exe	87
PID 2884 wrote to memory of 4984	2884	cmd.exe	88
PID 2884 wrote to memory of 4984	2884	cmd.exe	88
PID 2884 wrote to memory of 2684	2884	cmd.exe	89
PID 2884 wrote to memory of 2684	2884	cmd.exe	89
PID 2884 wrote to memory of 4492	2884	cmd.exe	90
PID 2884 wrote to memory of 4492	2884	cmd.exe	90
PID 1916 wrote to memory of 4796	1916	96e9e209995b72f190f3e471220e03af.exe	98
PID 1916 wrote to memory of 4796	1916	96e9e209995b72f190f3e471220e03af.exe	98
PID 4796 wrote to memory of 1048	4796	cmd.exe	100
PID 4796 wrote to memory of 1048	4796	cmd.exe	100
PID 1048 wrote to memory of 796	1048	svchost32.exe	102
PID 1048 wrote to memory of 796	1048	svchost32.exe	102
PID 796 wrote to memory of 4212	796	cmd.exe	103
PID 796 wrote to memory of 4212	796	cmd.exe	103
PID 1048 wrote to memory of 2332	1048	svchost32.exe	104
PID 1048 wrote to memory of 2332	1048	svchost32.exe	104
PID 2332 wrote to memory of 3016	2332	services32.exe	105
PID 2332 wrote to memory of 3016	2332	services32.exe	105
PID 1048 wrote to memory of 4808	1048	svchost32.exe	107
PID 1048 wrote to memory of 4808	1048	svchost32.exe	107
PID 3016 wrote to memory of 4536	3016	cmd.exe	109
PID 3016 wrote to memory of 4536	3016	cmd.exe	109
PID 4808 wrote to memory of 392	4808	cmd.exe	110
PID 4808 wrote to memory of 392	4808	cmd.exe	110
PID 3016 wrote to memory of 532	3016	cmd.exe	111
PID 3016 wrote to memory of 532	3016	cmd.exe	111
PID 3016 wrote to memory of 4800	3016	cmd.exe	112
PID 3016 wrote to memory of 4800	3016	cmd.exe	112
PID 3016 wrote to memory of 2484	3016	cmd.exe	113
PID 3016 wrote to memory of 2484	3016	cmd.exe	113
PID 2332 wrote to memory of 3412	2332	services32.exe	115
PID 2332 wrote to memory of 3412	2332	services32.exe	115
PID 3412 wrote to memory of 2768	3412	cmd.exe	117
PID 3412 wrote to memory of 2768	3412	cmd.exe	117
PID 2768 wrote to memory of 1344	2768	svchost32.exe	118
PID 2768 wrote to memory of 1344	2768	svchost32.exe	118
PID 2768 wrote to memory of 1960	2768	svchost32.exe	120
PID 2768 wrote to memory of 1960	2768	svchost32.exe	120
PID 1344 wrote to memory of 800	1344	cmd.exe	121
PID 1344 wrote to memory of 800	1344	cmd.exe	121
PID 2768 wrote to memory of 3216	2768	svchost32.exe	122
PID 2768 wrote to memory of 3216	2768	svchost32.exe	122
PID 3216 wrote to memory of 4104	3216	cmd.exe	124
PID 3216 wrote to memory of 4104	3216	cmd.exe	124

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\96e9e209995b72f190f3e471220e03af.exe
"C:\Users\Admin\AppData\Local\Temp\96e9e209995b72f190f3e471220e03af.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1756
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4984
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2684
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4492
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\96e9e209995b72f190f3e471220e03af.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4796
- - C:\Users\Admin\AppData\Local\Temp\svchost32.exe
    C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\96e9e209995b72f190f3e471220e03af.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1048
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:796
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
        5⤵
        Creates scheduled task(s)
        
        PID:4212
  - - C:\Windows\system32\services32.exe
      "C:\Windows\system32\services32.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2332
    - - C:\Windows\system32\cmd.exe
        
        "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3016
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4536
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:532
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4800
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3412
      - C:\Users\Admin\AppData\Local\Temp\svchost32.exe
        
        C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
        8⤵
        Creates scheduled task(s)
        
        PID:800
        
        C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
        
        "C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
        7⤵
        Executes dropped EXE
        
        PID:1960
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        8⤵
        
        PID:4104
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4808
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost32.exe.log

Filesize
539B

MD5
b245679121623b152bea5562c173ba11

SHA1
47cb7fc4cf67e29a87016a7308cdb8b1b4dc8e3d

SHA256
73d84fd03e38f1bbf8b2218f8a454f0879051855252fc76b63f20f46e7fd877f

SHA512
75e46843b1eafcc7dc4362630838895b7f399e57662a12bf0305a912c8e726b02e0a760b1b97a2c262b2d05fdb944b9ed81c338ad93e5eb5cb57bc651602e42c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
04f1d68afbed6b13399edfae1e9b1472

SHA1
8bfdcb687a995e4a63a8c32df2c66dc89f91a8b0

SHA256
f358f33a42122e97c489fad7bbc8beab2eb42d42e4ec7fce0dd61fe6d8c0b8de

SHA512
30c5e72a8134992094d937d2588f7a503b1d6407d11afe0265b7c8b0ce14071925e5caed13fc4f9c28705df4c7aed3601f81b007048b148af274d7784aa5fb75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b51dc9e5ec3c97f72b4ca9488bbb4462

SHA1
5c1e8c0b728cd124edcacefb399bbd5e25b21bd3

SHA256
976f9534aa2976c85c2455bdde786a3f55d63aefdd40942eba1223c4c93590db

SHA512
0e5aa6cf64c535aefb833e5757b68e1094c87424abe2615a7d7d26b1b31eff358d12e36e75ca57fd690a9919b776600bf4c5c0e5a5df55366ba62238bdf3f280

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
75d224e238a397659d8e5cf458a41143

SHA1
d182d16283d3d864a2e328b677551428c29ad6df

SHA256
6a98fa5e6c5b77722f2bd8c855fd14d6bf545fc35b292252d1dc136b89ed2fee

SHA512
3477f3b4182ffdccc817de4242c8fcba706c193a0de5170cd023f8df3d330487d7e372556524b5a0fe1df56de40923700f3f8368eadf6601970e347cbcf078cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cb8446bc2fbcab102f302ae61f7ead37

SHA1
308adbd78be5d6be2ff733474209a5141ad118c0

SHA256
ea0a94e298d1905ba8a7dadfd1c85782aaab45f20d68a1b2f1ad11e94e6c7aac

SHA512
9bb145fdde09d417e2aa222a0f9e1ff95255ba4bc7202e71627ff4e38172ed350db47cd26bcf5737d930af92f092f5b60cd020c857185e1ffe7d35a4fc2cb85c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eb1ad317bd25b55b2bbdce8a28a74a94

SHA1
98a3978be4d10d62e7411946474579ee5bdc5ea6

SHA256
9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

SHA512
d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22310ad6749d8cc38284aa616efcd100

SHA1
440ef4a0a53bfa7c83fe84326a1dff4326dcb515

SHA256
55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

SHA512
2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1cb4l2a4.3bn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost32.exe

Filesize
25KB

MD5
6097de3af582394387ed37148cfeb88d

SHA1
c2a525463c505fb91d2b2597b5357636e31ca59f

SHA256
6795fff425a9789f91fc56a9b9729182d444638734b44615ea78ea34953177e1

SHA512
2343fb51968f69651095b57f67062c84a1cea556aecbeb817f707be32f8c647650fe1c7fabdf0c3b00dc0e8625c49bc1ee4d6282d79676c080f798cc25e7afb9

Download Submit
C:\Windows\System32\Microsoft\Telemetry\sihost32.exe

Filesize
8KB

MD5
549779a60c6a961510880b8826eada2c

SHA1
d401f76327bee6e1989fe6c6710554f59d1815e7

SHA256
993d8c4a7ce2feb70115160f7873e3ae6fca1756b2c73b67f537e7db6e526db9

SHA512
30cd765b6e0fe778c835122c44aa95d6f796e91071002f1781971e2dabc8c62a4e3e0f510adea11313263475c8e819c5de56fabb2558fc37bc1179b57c48cbb0

Download Submit
C:\Windows\System32\services32.exe

Filesize
33KB

MD5
96e9e209995b72f190f3e471220e03af

SHA1
18ceac50034f1c929d3234e57718cecfcadd374d

SHA256
0caf1ae312a99cde7514f5d02e6ceb22664119d9e8e3275eee9aca77faf6064e

SHA512
249b3960f2151a8f121e5e78fb9f76f0b5556f1a23b1058a64680b0b30a4fdd09120e3f90f448df4c01414392be87869c3cab482ea4145e9688912140d4e1e90

Download Submit
memory/532-108-0x0000019CFCE90000-0x0000019CFCEA0000-memory.dmp

Filesize
64KB

Download
memory/532-121-0x00007FFE3AF90000-0x00007FFE3BA51000-memory.dmp

Filesize
10.8MB

Download
memory/532-109-0x0000019CFCE90000-0x0000019CFCEA0000-memory.dmp

Filesize
64KB

Download
memory/532-107-0x00007FFE3AF90000-0x00007FFE3BA51000-memory.dmp

Filesize
10.8MB

Download
memory/1048-74-0x00007FFE3AF90000-0x00007FFE3BA51000-memory.dmp

Filesize
10.8MB

Download
memory/1048-72-0x00000000007B0000-0x00000000007BA000-memory.dmp

Filesize
40KB

Download
memory/1048-89-0x00007FFE3AF90000-0x00007FFE3BA51000-memory.dmp

Filesize
10.8MB

Download
memory/1048-75-0x000000001C540000-0x000000001C550000-memory.dmp

Filesize
64KB

Download
memory/1048-73-0x0000000001170000-0x0000000001182000-memory.dmp

Filesize
72KB

Download
memory/1756-3-0x000002035B790000-0x000002035B7A0000-memory.dmp

Filesize
64KB

Download
memory/1756-4-0x000002035D940000-0x000002035D962000-memory.dmp

Filesize
136KB

Download
memory/1756-14-0x00007FFE3AF90000-0x00007FFE3BA51000-memory.dmp

Filesize
10.8MB

Download
memory/1756-15-0x000002035B790000-0x000002035B7A0000-memory.dmp

Filesize
64KB

Download
memory/1756-16-0x000002035B790000-0x000002035B7A0000-memory.dmp

Filesize
64KB

Download
memory/1756-19-0x00007FFE3AF90000-0x00007FFE3BA51000-memory.dmp

Filesize
10.8MB

Download
memory/1916-0-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/1916-68-0x00007FFE3AF90000-0x00007FFE3BA51000-memory.dmp

Filesize
10.8MB

Download
memory/1916-65-0x000000001BE60000-0x000000001BE70000-memory.dmp

Filesize
64KB

Download
memory/1916-1-0x00007FFE3AF90000-0x00007FFE3BA51000-memory.dmp

Filesize
10.8MB

Download
memory/1916-2-0x000000001BE60000-0x000000001BE70000-memory.dmp

Filesize
64KB

Download
memory/1960-177-0x00007FFE3AF90000-0x00007FFE3BA51000-memory.dmp

Filesize
10.8MB

Download
memory/1960-181-0x00007FFE3AF90000-0x00007FFE3BA51000-memory.dmp

Filesize
10.8MB

Download
memory/1960-178-0x000000001BBE0000-0x000000001BBF0000-memory.dmp

Filesize
64KB

Download
memory/1960-182-0x000000001BBE0000-0x000000001BBF0000-memory.dmp

Filesize
64KB

Download
memory/1960-176-0x0000000000030000-0x0000000000036000-memory.dmp

Filesize
24KB

Download
memory/2332-88-0x00007FFE3AF90000-0x00007FFE3BA51000-memory.dmp

Filesize
10.8MB

Download
memory/2332-156-0x00007FFE3AF90000-0x00007FFE3BA51000-memory.dmp

Filesize
10.8MB

Download
memory/2332-153-0x0000000002AB0000-0x0000000002AC0000-memory.dmp

Filesize
64KB

Download
memory/2332-152-0x00007FFE3AF90000-0x00007FFE3BA51000-memory.dmp

Filesize
10.8MB

Download
memory/2332-90-0x0000000002AB0000-0x0000000002AC0000-memory.dmp

Filesize
64KB

Download
memory/2484-137-0x00007FFE3AF90000-0x00007FFE3BA51000-memory.dmp

Filesize
10.8MB

Download
memory/2484-139-0x000001D2EDAB0000-0x000001D2EDAC0000-memory.dmp

Filesize
64KB

Download
memory/2484-151-0x00007FFE3AF90000-0x00007FFE3BA51000-memory.dmp

Filesize
10.8MB

Download
memory/2484-138-0x000001D2EDAB0000-0x000001D2EDAC0000-memory.dmp

Filesize
64KB

Download
memory/2684-37-0x0000025E72900000-0x0000025E72910000-memory.dmp

Filesize
64KB

Download
memory/2684-36-0x00007FFE3AF90000-0x00007FFE3BA51000-memory.dmp

Filesize
10.8MB

Download
memory/2684-49-0x00007FFE3AF90000-0x00007FFE3BA51000-memory.dmp

Filesize
10.8MB

Download
memory/2768-162-0x000000001C870000-0x000000001C880000-memory.dmp

Filesize
64KB

Download
memory/2768-161-0x00007FFE3AF90000-0x00007FFE3BA51000-memory.dmp

Filesize
10.8MB

Download
memory/2768-180-0x00007FFE3AF90000-0x00007FFE3BA51000-memory.dmp

Filesize
10.8MB

Download
memory/4492-50-0x00007FFE3AF90000-0x00007FFE3BA51000-memory.dmp

Filesize
10.8MB

Download
memory/4492-52-0x0000025BC1890000-0x0000025BC18A0000-memory.dmp

Filesize
64KB

Download
memory/4492-64-0x00007FFE3AF90000-0x00007FFE3BA51000-memory.dmp

Filesize
10.8MB

Download
memory/4492-51-0x0000025BC1890000-0x0000025BC18A0000-memory.dmp

Filesize
64KB

Download
memory/4536-106-0x00007FFE3AF90000-0x00007FFE3BA51000-memory.dmp

Filesize
10.8MB

Download
memory/4536-97-0x0000015FDECD0000-0x0000015FDECE0000-memory.dmp

Filesize
64KB

Download
memory/4536-103-0x0000015FDECD0000-0x0000015FDECE0000-memory.dmp

Filesize
64KB

Download
memory/4536-104-0x0000015FDECD0000-0x0000015FDECE0000-memory.dmp

Filesize
64KB

Download
memory/4536-91-0x00007FFE3AF90000-0x00007FFE3BA51000-memory.dmp

Filesize
10.8MB

Download
memory/4800-128-0x00000240C3DA0000-0x00000240C3DB0000-memory.dmp

Filesize
64KB

Download
memory/4800-136-0x00007FFE3AF90000-0x00007FFE3BA51000-memory.dmp

Filesize
10.8MB

Download
memory/4800-122-0x00007FFE3AF90000-0x00007FFE3BA51000-memory.dmp

Filesize
10.8MB

Download
memory/4800-129-0x00000240C3DA0000-0x00000240C3DB0000-memory.dmp

Filesize
64KB

Download
memory/4984-35-0x00007FFE3AF90000-0x00007FFE3BA51000-memory.dmp

Filesize
10.8MB

Download
memory/4984-23-0x000002CADEAA0000-0x000002CADEAB0000-memory.dmp

Filesize
64KB

Download
memory/4984-22-0x000002CADEAA0000-0x000002CADEAB0000-memory.dmp

Filesize
64KB

Download
memory/4984-21-0x00007FFE3AF90000-0x00007FFE3BA51000-memory.dmp

Filesize
10.8MB

Download