5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
25/02/2024, 07:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe
Size

442KB
MD5

c02689449a4ce73ec79a52595ab590f6
SHA1

5908453afef391437c632ca0ce921dbf0c6e8bd5
SHA256

5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f
SHA512

86503802f69ab69ee18e5b8635ca9442867beed6b1547565bbc3bae12db51b7aa5ed1ed472a1c7278608a936747865f290297f78b729c249006ee6377cc86082
SSDEEP

6144:RlDoHtgdupnzKELHSM0zAAFFOQVJ3hAkToXTOnRnN/jxrUmNAXRDfSZ8cPiKqpr/:Uj87domKxSZ8LKqm31uQHTbJ/ERp4Q5D

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3588	4584	Wscript.exe	99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4052	4584	Wscript.exe	99

Executes dropped EXE 2 IoCs

pid	Process
4500	JavaServiceDiagnostics.exe
4752	JavaServiceDiagnostics.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4952 set thread context of 4140	4952	5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe	92
PID 4500 set thread context of 4752	4500	JavaServiceDiagnostics.exe	111
PID 4752 set thread context of 3688	4752	JavaServiceDiagnostics.exe	114

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3348	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4588	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3688	iexplore.exe
3688	iexplore.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4556	WMIC.exe
Token: SeSecurityPrivilege	4556	WMIC.exe
Token: SeTakeOwnershipPrivilege	4556	WMIC.exe
Token: SeLoadDriverPrivilege	4556	WMIC.exe
Token: SeSystemProfilePrivilege	4556	WMIC.exe
Token: SeSystemtimePrivilege	4556	WMIC.exe
Token: SeProfSingleProcessPrivilege	4556	WMIC.exe
Token: SeIncBasePriorityPrivilege	4556	WMIC.exe
Token: SeCreatePagefilePrivilege	4556	WMIC.exe
Token: SeBackupPrivilege	4556	WMIC.exe
Token: SeRestorePrivilege	4556	WMIC.exe
Token: SeShutdownPrivilege	4556	WMIC.exe
Token: SeDebugPrivilege	4556	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4556	WMIC.exe
Token: SeRemoteShutdownPrivilege	4556	WMIC.exe
Token: SeUndockPrivilege	4556	WMIC.exe
Token: SeManageVolumePrivilege	4556	WMIC.exe
Token: 33	4556	WMIC.exe
Token: 34	4556	WMIC.exe
Token: 35	4556	WMIC.exe
Token: 36	4556	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4556	WMIC.exe
Token: SeSecurityPrivilege	4556	WMIC.exe
Token: SeTakeOwnershipPrivilege	4556	WMIC.exe
Token: SeLoadDriverPrivilege	4556	WMIC.exe
Token: SeSystemProfilePrivilege	4556	WMIC.exe
Token: SeSystemtimePrivilege	4556	WMIC.exe
Token: SeProfSingleProcessPrivilege	4556	WMIC.exe
Token: SeIncBasePriorityPrivilege	4556	WMIC.exe
Token: SeCreatePagefilePrivilege	4556	WMIC.exe
Token: SeBackupPrivilege	4556	WMIC.exe
Token: SeRestorePrivilege	4556	WMIC.exe
Token: SeShutdownPrivilege	4556	WMIC.exe
Token: SeDebugPrivilege	4556	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4556	WMIC.exe
Token: SeRemoteShutdownPrivilege	4556	WMIC.exe
Token: SeUndockPrivilege	4556	WMIC.exe
Token: SeManageVolumePrivilege	4556	WMIC.exe
Token: 33	4556	WMIC.exe
Token: 34	4556	WMIC.exe
Token: 35	4556	WMIC.exe
Token: 36	4556	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4084	WMIC.exe
Token: SeSecurityPrivilege	4084	WMIC.exe
Token: SeTakeOwnershipPrivilege	4084	WMIC.exe
Token: SeLoadDriverPrivilege	4084	WMIC.exe
Token: SeSystemProfilePrivilege	4084	WMIC.exe
Token: SeSystemtimePrivilege	4084	WMIC.exe
Token: SeProfSingleProcessPrivilege	4084	WMIC.exe
Token: SeIncBasePriorityPrivilege	4084	WMIC.exe
Token: SeCreatePagefilePrivilege	4084	WMIC.exe
Token: SeBackupPrivilege	4084	WMIC.exe
Token: SeRestorePrivilege	4084	WMIC.exe
Token: SeShutdownPrivilege	4084	WMIC.exe
Token: SeDebugPrivilege	4084	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4084	WMIC.exe
Token: SeRemoteShutdownPrivilege	4084	WMIC.exe
Token: SeUndockPrivilege	4084	WMIC.exe
Token: SeManageVolumePrivilege	4084	WMIC.exe
Token: 33	4084	WMIC.exe
Token: 34	4084	WMIC.exe
Token: 35	4084	WMIC.exe
Token: 36	4084	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4084	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4952 wrote to memory of 3860	4952	5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe	89
PID 4952 wrote to memory of 3860	4952	5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe	89
PID 4952 wrote to memory of 3860	4952	5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe	89
PID 4952 wrote to memory of 4140	4952	5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe	92
PID 4952 wrote to memory of 4140	4952	5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe	92
PID 4952 wrote to memory of 4140	4952	5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe	92
PID 4952 wrote to memory of 4140	4952	5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe	92
PID 4952 wrote to memory of 4140	4952	5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe	92
PID 4952 wrote to memory of 4140	4952	5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe	92
PID 4952 wrote to memory of 4140	4952	5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe	92
PID 4952 wrote to memory of 4140	4952	5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe	92
PID 4952 wrote to memory of 4140	4952	5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe	92
PID 4952 wrote to memory of 4140	4952	5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe	92
PID 4952 wrote to memory of 4140	4952	5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe	92
PID 4952 wrote to memory of 4140	4952	5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe	92
PID 4140 wrote to memory of 1120	4140	5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe	96
PID 4140 wrote to memory of 1120	4140	5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe	96
PID 4140 wrote to memory of 1120	4140	5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe	96
PID 1120 wrote to memory of 4556	1120	cmd.exe	98
PID 1120 wrote to memory of 4556	1120	cmd.exe	98
PID 1120 wrote to memory of 4556	1120	cmd.exe	98
PID 4140 wrote to memory of 1172	4140	5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe	101
PID 4140 wrote to memory of 1172	4140	5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe	101
PID 4140 wrote to memory of 1172	4140	5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe	101
PID 1172 wrote to memory of 4084	1172	cmd.exe	103
PID 1172 wrote to memory of 4084	1172	cmd.exe	103
PID 1172 wrote to memory of 4084	1172	cmd.exe	103
PID 4140 wrote to memory of 920	4140	5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe	105
PID 4140 wrote to memory of 920	4140	5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe	105
PID 4140 wrote to memory of 920	4140	5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe	105
PID 920 wrote to memory of 4132	920	cmd.exe	107
PID 920 wrote to memory of 4132	920	cmd.exe	107
PID 920 wrote to memory of 4132	920	cmd.exe	107
PID 4500 wrote to memory of 864	4500	JavaServiceDiagnostics.exe	109
PID 4500 wrote to memory of 864	4500	JavaServiceDiagnostics.exe	109
PID 4500 wrote to memory of 864	4500	JavaServiceDiagnostics.exe	109
PID 4500 wrote to memory of 4752	4500	JavaServiceDiagnostics.exe	111
PID 4500 wrote to memory of 4752	4500	JavaServiceDiagnostics.exe	111
PID 4500 wrote to memory of 4752	4500	JavaServiceDiagnostics.exe	111
PID 4500 wrote to memory of 4752	4500	JavaServiceDiagnostics.exe	111
PID 4500 wrote to memory of 4752	4500	JavaServiceDiagnostics.exe	111
PID 4500 wrote to memory of 4752	4500	JavaServiceDiagnostics.exe	111
PID 4500 wrote to memory of 4752	4500	JavaServiceDiagnostics.exe	111
PID 4500 wrote to memory of 4752	4500	JavaServiceDiagnostics.exe	111
PID 4500 wrote to memory of 4752	4500	JavaServiceDiagnostics.exe	111
PID 4500 wrote to memory of 4752	4500	JavaServiceDiagnostics.exe	111
PID 4500 wrote to memory of 4752	4500	JavaServiceDiagnostics.exe	111
PID 4500 wrote to memory of 4752	4500	JavaServiceDiagnostics.exe	111
PID 4752 wrote to memory of 2128	4752	JavaServiceDiagnostics.exe	112
PID 4752 wrote to memory of 2128	4752	JavaServiceDiagnostics.exe	112
PID 4752 wrote to memory of 2128	4752	JavaServiceDiagnostics.exe	112
PID 4752 wrote to memory of 3688	4752	JavaServiceDiagnostics.exe	114
PID 4752 wrote to memory of 3688	4752	JavaServiceDiagnostics.exe	114
PID 4752 wrote to memory of 3688	4752	JavaServiceDiagnostics.exe	114
PID 4752 wrote to memory of 3688	4752	JavaServiceDiagnostics.exe	114
PID 4752 wrote to memory of 3688	4752	JavaServiceDiagnostics.exe	114
PID 4752 wrote to memory of 3688	4752	JavaServiceDiagnostics.exe	114
PID 4752 wrote to memory of 3688	4752	JavaServiceDiagnostics.exe	114
PID 4752 wrote to memory of 3688	4752	JavaServiceDiagnostics.exe	114
PID 4752 wrote to memory of 3688	4752	JavaServiceDiagnostics.exe	114
PID 4752 wrote to memory of 3688	4752	JavaServiceDiagnostics.exe	114
PID 3688 wrote to memory of 3576	3688	iexplore.exe	115
PID 3688 wrote to memory of 3576	3688	iexplore.exe	115
PID 3688 wrote to memory of 3576	3688	iexplore.exe	115

C:\Users\Admin\AppData\Local\Temp\5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe
"C:\Users\Admin\AppData\Local\Temp\5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\Users\Admin\AppData\Local\Temp\5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe" C:\Users\Admin\AppData\Local\Temp\bd891.tmp
  2⤵
  PID:3860
- C:\Users\Admin\AppData\Local\Temp\5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe
  "C:\Users\Admin\AppData\Local\Temp\5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4140
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c WMIC Process Call Create "C:\Windows\System32\Wscript.exe //NOLOGO C:\Users\Admin\AppData\Local\Temp\C-PDC-C-Cpy-T.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1120
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC Process Call Create "C:\Windows\System32\Wscript.exe //NOLOGO C:\Users\Admin\AppData\Local\Temp\C-PDC-C-Cpy-T.vbs"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4556
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c WMIC Process Call Create "C:\Windows\System32\Wscript.exe //NOLOGO C:\Users\Admin\AppData\Local\Temp\C-PDI-C-Cpy-T.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1172
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC Process Call Create "C:\Windows\System32\Wscript.exe //NOLOGO C:\Users\Admin\AppData\Local\Temp\C-PDI-C-Cpy-T.vbs"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4084
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c wmic process call create "C:\ProgramData\Chrome\JavaServiceDiagnostics.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:920
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process call create "C:\ProgramData\Chrome\JavaServiceDiagnostics.exe"
      4⤵
      PID:4132

C:\Windows\System32\Wscript.exe
C:\Windows\System32\Wscript.exe //NOLOGO C:\Users\Admin\AppData\Local\Temp\C-PDC-C-Cpy-T.vbs
1⤵
- Process spawned unexpected child process
PID:3588

C:\Windows\System32\Wscript.exe
C:\Windows\System32\Wscript.exe //NOLOGO C:\Users\Admin\AppData\Local\Temp\C-PDI-C-Cpy-T.vbs
1⤵
- Process spawned unexpected child process
PID:4052

C:\ProgramData\Chrome\JavaServiceDiagnostics.exe
C:\ProgramData\Chrome\JavaServiceDiagnostics.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Chrome\JavaServiceDiagnostics.exe" C:\Users\Admin\AppData\Local\Temp\bd891.tmp
  2⤵
  PID:864
- C:\ProgramData\Chrome\JavaServiceDiagnostics.exe
  "C:\ProgramData\Chrome\JavaServiceDiagnostics.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Chrome\JavaServiceDiagnostics.exe" C:\Users\Admin\AppData\Local\Temp\bd891.tmp
    3⤵
    PID:2128
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3688
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Stp /f
      4⤵
      PID:3576
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Stp /f
        5⤵
        Modifies registry key
        
        PID:3348
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c Copy /Y "C:\ProgramData\Chrome\FileInfo.txt" "C:\ProgramData\InternetExplorer\FileInfoStp.txt"
      4⤵
      PID:816
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\C-Strt-C-Up-T.bat
      4⤵
      PID:3984
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.0.0.0 -n 1 -w 20000
        5⤵
        Runs ping.exe
        
        PID:4588
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic /NameSpace:\\root\default Class StdRegProv Call SetStringValue hDefKey = "&H80000001" sSubKeyName = "Software\Microsoft\Windows\CurrentVersion\Run" sValue = "C:\ProgramData\InternetExplorer\JavaServiceDiagnosticsStp.exe" sValueName = "JavaServiceDiagnosticsStp"
        5⤵
        
        PID:4404
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic /NameSpace:\\root\default Class StdRegProv Call SetStringValue hDefKey = "&H80000002" sSubKeyName = "Software\Microsoft\Windows\CurrentVersion\Run" sValue = "C:\ProgramData\InternetExplorer\JavaServiceDiagnosticsStp.exe" sValueName = "JavaServiceDiagnosticsStp"
        5⤵
        
        PID:4936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Chrome\FileInfo.txt

Filesize
96B

MD5
f77223452972882136be2e24f2bd50af

SHA1
01fa7696187df0c257a1b819bc598b21c7b919ec

SHA256
281cc864df192e940214d36e06901bdebe91088d55158f8304c70780d5116e7b

SHA512
7d616372bfef6f144a30783943c157594d3da27c037357a3e690b33ccad746773a0bc800e034db25b938133e711bc14c37005fa2cc6f74d86a6aec430bdec29a

Download Submit
C:\Users\Admin\AppData\Local\Temp\C-Dlt-C-Trsh-T.tmp

Filesize
1KB

MD5
fbee459bd14566078f798620be9ef49d

SHA1
2296a1cd4a5d820293cb0545516b8ed3f96c21df

SHA256
388a4f87377519c5b6a59322d77db47ab7e59e4b5dc2cd6f1f514f3283fbe3e0

SHA512
4a8e741d3bce336ab284aba3cbc09cd6a9a6182ae56c3c4d337748675690a4c44ec292e511bf62d10a520975754a5090afe9284c62be858d546469160c696cb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\C-PDC-C-Cpy-T.vbs

Filesize
554B

MD5
a6e283d9b5a49d20d9692c00ce28b186

SHA1
f45847c129c7a10ae2fe1cb4e7e0fe2bdc642f15

SHA256
e573eec86037631793240d51655e3aec99956b991ac215e82a9d2800ecd72544

SHA512
bd79443a5733339d1ed950c9a1edb412e8e1ca827c656f250467ca5b7ecbaae409525ae61241a34c5d00b27c3372930ef18781ecf891d98b514679c58870b25d

Download Submit
C:\Users\Admin\AppData\Local\Temp\C-PDI-C-Cpy-T.vbs

Filesize
426B

MD5
ff924882915a61df5f56fc1ecf00920a

SHA1
fba9cc2cc1a58b4be8973e1e68930bdd7c5cfe4f

SHA256
60a5ff980fb65da6db16027540979805127c4b564b1a75386adebc6e76e21574

SHA512
89143ff89a137810771a3825373d5d06a10457d9dfb0f81a4188f30985d52260ecb35ee3fd614f7d7ce4198b80307d9337bc2d65f976588de4452cff2a09ee80

Download Submit
C:\Users\Admin\AppData\Local\Temp\C-Strt-C-Up-T.bat

Filesize
643B

MD5
d77b83ccec52ef5e54e80696a2cc1609

SHA1
5c1f227e8597037ec8bf7565f7133c2aad77438e

SHA256
400c4ccd5432315e35d05ce54041cc2aa2607e375653f4567d6c5b4e02a79c90

SHA512
77373771875d84716a67ee4dc8fc8845853d99f6f1231dba9e3939e7540ae554fbe1abf52be10d528646773ce7f58e1919c4cdf30b903d1d39c5fadb89692f67

Download Submit
C:\Users\Admin\AppData\Local\Temp\bd891.tmp

Filesize
442KB

MD5
c02689449a4ce73ec79a52595ab590f6

SHA1
5908453afef391437c632ca0ce921dbf0c6e8bd5

SHA256
5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f

SHA512
86503802f69ab69ee18e5b8635ca9442867beed6b1547565bbc3bae12db51b7aa5ed1ed472a1c7278608a936747865f290297f78b729c249006ee6377cc86082

Download Submit
memory/3688-48-0x0000000000600000-0x0000000000653000-memory.dmp

Filesize
332KB

Download
memory/4140-6-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/4140-8-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/4140-11-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/4140-12-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/4140-21-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/4140-26-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/4500-27-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4500-38-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4752-45-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/4752-47-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/4752-50-0x0000000000400000-0x00000000004A7000-memory.dmp

Filesize
668KB

Download
memory/4952-0-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4952-10-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4952-5-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/4952-1-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download