5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f

Analysis

max time kernel
148s
max time network
152s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/02/2024, 07:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe
Size

442KB
MD5

c02689449a4ce73ec79a52595ab590f6
SHA1

5908453afef391437c632ca0ce921dbf0c6e8bd5
SHA256

5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f
SHA512

86503802f69ab69ee18e5b8635ca9442867beed6b1547565bbc3bae12db51b7aa5ed1ed472a1c7278608a936747865f290297f78b729c249006ee6377cc86082
SSDEEP

6144:RlDoHtgdupnzKELHSM0zAAFFOQVJ3hAkToXTOnRnN/jxrUmNAXRDfSZ8cPiKqpr/:Uj87domKxSZ8LKqm31uQHTbJ/ERp4Q5D

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2556	Wscript.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	2556	Wscript.exe	34

Executes dropped EXE 2 IoCs

pid	Process
2708	BitlockerNetworkClient.exe
1688	BitlockerNetworkClient.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 844 set thread context of 2236	844	5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe	30
PID 2708 set thread context of 1688	2708	BitlockerNetworkClient.exe	46
PID 1688 set thread context of 2588	1688	BitlockerNetworkClient.exe	49

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1504	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2776	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2588	iexplore.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2424	WMIC.exe
Token: SeSecurityPrivilege	2424	WMIC.exe
Token: SeTakeOwnershipPrivilege	2424	WMIC.exe
Token: SeLoadDriverPrivilege	2424	WMIC.exe
Token: SeSystemProfilePrivilege	2424	WMIC.exe
Token: SeSystemtimePrivilege	2424	WMIC.exe
Token: SeProfSingleProcessPrivilege	2424	WMIC.exe
Token: SeIncBasePriorityPrivilege	2424	WMIC.exe
Token: SeCreatePagefilePrivilege	2424	WMIC.exe
Token: SeBackupPrivilege	2424	WMIC.exe
Token: SeRestorePrivilege	2424	WMIC.exe
Token: SeShutdownPrivilege	2424	WMIC.exe
Token: SeDebugPrivilege	2424	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2424	WMIC.exe
Token: SeRemoteShutdownPrivilege	2424	WMIC.exe
Token: SeUndockPrivilege	2424	WMIC.exe
Token: SeManageVolumePrivilege	2424	WMIC.exe
Token: 33	2424	WMIC.exe
Token: 34	2424	WMIC.exe
Token: 35	2424	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2424	WMIC.exe
Token: SeSecurityPrivilege	2424	WMIC.exe
Token: SeTakeOwnershipPrivilege	2424	WMIC.exe
Token: SeLoadDriverPrivilege	2424	WMIC.exe
Token: SeSystemProfilePrivilege	2424	WMIC.exe
Token: SeSystemtimePrivilege	2424	WMIC.exe
Token: SeProfSingleProcessPrivilege	2424	WMIC.exe
Token: SeIncBasePriorityPrivilege	2424	WMIC.exe
Token: SeCreatePagefilePrivilege	2424	WMIC.exe
Token: SeBackupPrivilege	2424	WMIC.exe
Token: SeRestorePrivilege	2424	WMIC.exe
Token: SeShutdownPrivilege	2424	WMIC.exe
Token: SeDebugPrivilege	2424	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2424	WMIC.exe
Token: SeRemoteShutdownPrivilege	2424	WMIC.exe
Token: SeUndockPrivilege	2424	WMIC.exe
Token: SeManageVolumePrivilege	2424	WMIC.exe
Token: 33	2424	WMIC.exe
Token: 34	2424	WMIC.exe
Token: 35	2424	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2368	WMIC.exe
Token: SeSecurityPrivilege	2368	WMIC.exe
Token: SeTakeOwnershipPrivilege	2368	WMIC.exe
Token: SeLoadDriverPrivilege	2368	WMIC.exe
Token: SeSystemProfilePrivilege	2368	WMIC.exe
Token: SeSystemtimePrivilege	2368	WMIC.exe
Token: SeProfSingleProcessPrivilege	2368	WMIC.exe
Token: SeIncBasePriorityPrivilege	2368	WMIC.exe
Token: SeCreatePagefilePrivilege	2368	WMIC.exe
Token: SeBackupPrivilege	2368	WMIC.exe
Token: SeRestorePrivilege	2368	WMIC.exe
Token: SeShutdownPrivilege	2368	WMIC.exe
Token: SeDebugPrivilege	2368	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2368	WMIC.exe
Token: SeRemoteShutdownPrivilege	2368	WMIC.exe
Token: SeUndockPrivilege	2368	WMIC.exe
Token: SeManageVolumePrivilege	2368	WMIC.exe
Token: 33	2368	WMIC.exe
Token: 34	2368	WMIC.exe
Token: 35	2368	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2368	WMIC.exe
Token: SeSecurityPrivilege	2368	WMIC.exe
Token: SeTakeOwnershipPrivilege	2368	WMIC.exe
Token: SeLoadDriverPrivilege	2368	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 844 wrote to memory of 936	844	5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe	28
PID 844 wrote to memory of 936	844	5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe	28
PID 844 wrote to memory of 936	844	5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe	28
PID 844 wrote to memory of 936	844	5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe	28
PID 844 wrote to memory of 2236	844	5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe	30
PID 844 wrote to memory of 2236	844	5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe	30
PID 844 wrote to memory of 2236	844	5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe	30
PID 844 wrote to memory of 2236	844	5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe	30
PID 844 wrote to memory of 2236	844	5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe	30
PID 844 wrote to memory of 2236	844	5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe	30
PID 844 wrote to memory of 2236	844	5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe	30
PID 844 wrote to memory of 2236	844	5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe	30
PID 844 wrote to memory of 2236	844	5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe	30
PID 844 wrote to memory of 2236	844	5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe	30
PID 844 wrote to memory of 2236	844	5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe	30
PID 844 wrote to memory of 2236	844	5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe	30
PID 844 wrote to memory of 2236	844	5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe	30
PID 2236 wrote to memory of 2500	2236	5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe	31
PID 2236 wrote to memory of 2500	2236	5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe	31
PID 2236 wrote to memory of 2500	2236	5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe	31
PID 2236 wrote to memory of 2500	2236	5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe	31
PID 2500 wrote to memory of 2424	2500	cmd.exe	33
PID 2500 wrote to memory of 2424	2500	cmd.exe	33
PID 2500 wrote to memory of 2424	2500	cmd.exe	33
PID 2500 wrote to memory of 2424	2500	cmd.exe	33
PID 2236 wrote to memory of 2972	2236	5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe	36
PID 2236 wrote to memory of 2972	2236	5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe	36
PID 2236 wrote to memory of 2972	2236	5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe	36
PID 2236 wrote to memory of 2972	2236	5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe	36
PID 2972 wrote to memory of 2368	2972	cmd.exe	38
PID 2972 wrote to memory of 2368	2972	cmd.exe	38
PID 2972 wrote to memory of 2368	2972	cmd.exe	38
PID 2972 wrote to memory of 2368	2972	cmd.exe	38
PID 2236 wrote to memory of 2476	2236	5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe	40
PID 2236 wrote to memory of 2476	2236	5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe	40
PID 2236 wrote to memory of 2476	2236	5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe	40
PID 2236 wrote to memory of 2476	2236	5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe	40
PID 2476 wrote to memory of 2636	2476	cmd.exe	42
PID 2476 wrote to memory of 2636	2476	cmd.exe	42
PID 2476 wrote to memory of 2636	2476	cmd.exe	42
PID 2476 wrote to memory of 2636	2476	cmd.exe	42
PID 2708 wrote to memory of 2728	2708	BitlockerNetworkClient.exe	44
PID 2708 wrote to memory of 2728	2708	BitlockerNetworkClient.exe	44
PID 2708 wrote to memory of 2728	2708	BitlockerNetworkClient.exe	44
PID 2708 wrote to memory of 2728	2708	BitlockerNetworkClient.exe	44
PID 2708 wrote to memory of 1688	2708	BitlockerNetworkClient.exe	46
PID 2708 wrote to memory of 1688	2708	BitlockerNetworkClient.exe	46
PID 2708 wrote to memory of 1688	2708	BitlockerNetworkClient.exe	46
PID 2708 wrote to memory of 1688	2708	BitlockerNetworkClient.exe	46
PID 2708 wrote to memory of 1688	2708	BitlockerNetworkClient.exe	46
PID 2708 wrote to memory of 1688	2708	BitlockerNetworkClient.exe	46
PID 2708 wrote to memory of 1688	2708	BitlockerNetworkClient.exe	46
PID 2708 wrote to memory of 1688	2708	BitlockerNetworkClient.exe	46
PID 2708 wrote to memory of 1688	2708	BitlockerNetworkClient.exe	46
PID 2708 wrote to memory of 1688	2708	BitlockerNetworkClient.exe	46
PID 2708 wrote to memory of 1688	2708	BitlockerNetworkClient.exe	46
PID 2708 wrote to memory of 1688	2708	BitlockerNetworkClient.exe	46
PID 2708 wrote to memory of 1688	2708	BitlockerNetworkClient.exe	46
PID 1688 wrote to memory of 2180	1688	BitlockerNetworkClient.exe	47
PID 1688 wrote to memory of 2180	1688	BitlockerNetworkClient.exe	47
PID 1688 wrote to memory of 2180	1688	BitlockerNetworkClient.exe	47
PID 1688 wrote to memory of 2180	1688	BitlockerNetworkClient.exe	47
PID 1688 wrote to memory of 2588	1688	BitlockerNetworkClient.exe	49
PID 1688 wrote to memory of 2588	1688	BitlockerNetworkClient.exe	49

C:\Users\Admin\AppData\Local\Temp\5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe
"C:\Users\Admin\AppData\Local\Temp\5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:844
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe" C:\Users\Admin\AppData\Local\Temp\bd891.tmp
  2⤵
  PID:936
- C:\Users\Admin\AppData\Local\Temp\5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe
  "C:\Users\Admin\AppData\Local\Temp\5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c WMIC Process Call Create "C:\Windows\System32\Wscript.exe //NOLOGO C:\Users\Admin\AppData\Local\Temp\C-PDC-C-Cpy-T.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2500
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC Process Call Create "C:\Windows\System32\Wscript.exe //NOLOGO C:\Users\Admin\AppData\Local\Temp\C-PDC-C-Cpy-T.vbs"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2424
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c WMIC Process Call Create "C:\Windows\System32\Wscript.exe //NOLOGO C:\Users\Admin\AppData\Local\Temp\C-PDI-C-Cpy-T.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2972
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC Process Call Create "C:\Windows\System32\Wscript.exe //NOLOGO C:\Users\Admin\AppData\Local\Temp\C-PDI-C-Cpy-T.vbs"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2368
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic process call create "C:\ProgramData\Chrome\BitlockerNetworkClient.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process call create "C:\ProgramData\Chrome\BitlockerNetworkClient.exe"
      4⤵
      PID:2636

C:\Windows\System32\Wscript.exe
C:\Windows\System32\Wscript.exe //NOLOGO C:\Users\Admin\AppData\Local\Temp\C-PDC-C-Cpy-T.vbs
1⤵
- Process spawned unexpected child process
PID:2400

C:\Windows\System32\Wscript.exe
C:\Windows\System32\Wscript.exe //NOLOGO C:\Users\Admin\AppData\Local\Temp\C-PDI-C-Cpy-T.vbs
1⤵
- Process spawned unexpected child process
PID:664

C:\ProgramData\Chrome\BitlockerNetworkClient.exe
C:\ProgramData\Chrome\BitlockerNetworkClient.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Chrome\BitlockerNetworkClient.exe" C:\Users\Admin\AppData\Local\Temp\bd891.tmp
  2⤵
  PID:2728
- C:\ProgramData\Chrome\BitlockerNetworkClient.exe
  "C:\ProgramData\Chrome\BitlockerNetworkClient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Chrome\BitlockerNetworkClient.exe" C:\Users\Admin\AppData\Local\Temp\bd891.tmp
    3⤵
    PID:2180
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2588
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Stp /f
      4⤵
      PID:1612
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Stp /f
        5⤵
        Modifies registry key
        
        PID:1504
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c Copy /Y "C:\ProgramData\Chrome\FileInfo.txt" "C:\ProgramData\InternetExplorer\FileInfoStp.txt"
      4⤵
      PID:2348
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\C-Strt-C-Up-T.bat
      4⤵
      PID:2240
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.0.0.0 -n 1 -w 20000
        5⤵
        Runs ping.exe
        
        PID:2776
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic /NameSpace:\\root\default Class StdRegProv Call SetStringValue hDefKey = "&H80000001" sSubKeyName = "Software\Microsoft\Windows\CurrentVersion\Run" sValue = "C:\ProgramData\InternetExplorer\BitlockerNetworkClientStp.exe" sValueName = "BitlockerNetworkClientStp"
        5⤵
        
        PID:444
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic /NameSpace:\\root\default Class StdRegProv Call SetStringValue hDefKey = "&H80000002" sSubKeyName = "Software\Microsoft\Windows\CurrentVersion\Run" sValue = "C:\ProgramData\InternetExplorer\BitlockerNetworkClientStp.exe" sValueName = "BitlockerNetworkClientStp"
        5⤵
        
        PID:1520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Chrome\FileInfo.txt

Filesize
96B

MD5
818375bedc051f8fdb8cc7b3cd85399e

SHA1
11341fbfa333ea697c8b3c30654639173be10e61

SHA256
f9d104bbe00c13979266edebab30c28c447fa63ad01b6690a66ca209b4f93a8e

SHA512
21bc9c650774a220f6c29b3096db2b61cfbaca691afabb7f2e73b21178c827688076fdbbd52e092fadb513db69066eec44a939319a288161cb18b66b6ca6693e

Download Submit
C:\Users\Admin\AppData\Local\Temp\C-Dlt-C-Trsh-T.tmp

Filesize
1KB

MD5
fbee459bd14566078f798620be9ef49d

SHA1
2296a1cd4a5d820293cb0545516b8ed3f96c21df

SHA256
388a4f87377519c5b6a59322d77db47ab7e59e4b5dc2cd6f1f514f3283fbe3e0

SHA512
4a8e741d3bce336ab284aba3cbc09cd6a9a6182ae56c3c4d337748675690a4c44ec292e511bf62d10a520975754a5090afe9284c62be858d546469160c696cb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\C-PDC-C-Cpy-T.vbs

Filesize
554B

MD5
b00435327731c749f843ca213a56e035

SHA1
d4b20e13fb910f5b1a99ca683c7e064e6c64909c

SHA256
2cfe176c2470b02d3f9207b38c64413cda54ae2eced3895b07dfbe54484a7777

SHA512
f92a76fdf7043f13ca6449f7ebe4ca255da4ff4d0d24ad877b332aacb88ef66bf00ec0b8c6031e64290164c93dda8cc6f1f6c5ab426d5008cb5d5a68bcb3cf62

Download Submit
C:\Users\Admin\AppData\Local\Temp\C-PDI-C-Cpy-T.vbs

Filesize
426B

MD5
6cc41125b5c05df3911b177c4c276c8d

SHA1
b972c6f3df11aaa6a5f408d1a76bd7e6b975e750

SHA256
fef03f68051274e1be6a0ac2daddcc7dfc03326e8e21df331a6712ce5904d4d4

SHA512
88c68d0c50f373755de04385627a56cd085b51d1b97f70cfea11609879548a77f4bce687261d176f26df0c3eac68fbd307fbc36411080c5497ae13d963d5096b

Download Submit
C:\Users\Admin\AppData\Local\Temp\C-Strt-C-Up-T.bat

Filesize
643B

MD5
93a428476312e448cdc7550a7487dded

SHA1
61d450ca5951888fac72bd8953f3ce7263792837

SHA256
49b7203bdf1279e6a145115377c1e280ffebbcff1bf17c2a56372b53b1912848

SHA512
70028ce83fae05e8bc3c7ac1e44d20a6b12e19ad4d0db95b7b82adfd3a6fd8aa436e5f08c7ff6e4b5d14d775e026b4bcd6aeb4be8bd69b0b941649574df104d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\bd891.tmp

Filesize
442KB

MD5
c02689449a4ce73ec79a52595ab590f6

SHA1
5908453afef391437c632ca0ce921dbf0c6e8bd5

SHA256
5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f

SHA512
86503802f69ab69ee18e5b8635ca9442867beed6b1547565bbc3bae12db51b7aa5ed1ed472a1c7278608a936747865f290297f78b729c249006ee6377cc86082

Download Submit
memory/844-1-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/844-5-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/844-23-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/844-0-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1688-84-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/1688-72-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/1688-80-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/2236-27-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/2236-16-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/2236-26-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/2236-21-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/2236-29-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/2236-30-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/2236-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2236-17-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/2236-40-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/2236-6-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/2236-8-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/2236-10-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/2236-69-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/2236-24-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/2236-14-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/2236-12-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/2588-82-0x0000000000600000-0x0000000000653000-memory.dmp

Filesize
332KB

Download
memory/2708-70-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2708-44-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2708-43-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download