Overview

overview

8

Static

static

3

svchost_du...py.exe

windows7-x64

8

svchost_du...py.exe

windows10-1703-x64

8

svchost_du...py.exe

windows10-2004-x64

8

svchost_du...py.exe

windows11-21h2-x64

8

Resubmissions

12-04-2024 13:32

240412-qtgfpsag84 8

12-04-2024 13:32

240412-qtc4aaag83 8

12-04-2024 13:32

240412-qtcshsag82 8

12-04-2024 13:32

240412-qtb6zsag79 8

12-04-2024 13:32

240412-qtbkfsdh4s 8

09-04-2024 05:34

240409-f9mmjsbc9t 8

09-04-2024 05:33

240409-f9bkaabc8w 8

09-04-2024 05:33

240409-f86n2abc71 8

09-04-2024 05:33

240409-f8wh3afh27 8

01-02-2024 11:29

240201-nlq9tsebck 10

Analysis

  • max time kernel
    1785s
  • max time network
    1815s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    09-04-2024 05:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    svchost_dump_SCY - Copy.exe

  • Size

    5.2MB

  • MD5

    5fd3d21a968f4b8a1577b5405ab1c36a

  • SHA1

    710e5ab0fceb71b982b966c3a7406ebdf1d2aa82

  • SHA256

    7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

  • SHA512

    085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f

  • SSDEEP

    98304:jgoX+R+gW1CkQFBAFGspWvuL136BRiGQiiyBrDbnh57cpbJLyns:coXxFGWL56BVrDbn77cjIs

Score
8/10
evasion

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 8 IoCs
    evasion
  • Executes dropped EXE 7 IoCs
  • Drops file in System32 directory 20 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:976
    • C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3772
    • C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
      2⤵
      • Modifies Windows Firewall
      PID:1932
    • C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
      2⤵
      • Modifies Windows Firewall
      PID:3720
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4100
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1440
    • C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /TN "Timer"
      2⤵
        PID:400
      • C:\Windows\SYSTEM32\schtasks.exe
        schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
        2⤵
        • Creates scheduled task(s)
        PID:2312
      • C:\Windows\System\svchost.exe
        "C:\Windows\System\svchost.exe" formal
        2⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:4604
        • C:\Windows\System32\Wbem\WMIC.exe
          WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1792
        • C:\Windows\System32\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
          3⤵
          • Modifies Windows Firewall
          PID:4008
        • C:\Windows\System32\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
          3⤵
          • Modifies Windows Firewall
          PID:3292
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:784
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1260
        • C:\Users\Admin\AppData\Local\Temp\~tlA0A9.tmp
          C:\Users\Admin\AppData\Local\Temp\~tlA0A9.tmp
          3⤵
          • Executes dropped EXE
          PID:3460
    • \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:668
      • C:\Windows\System32\Wbem\WMIC.exe
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
        2⤵
          PID:2400
      • \??\c:\windows\system\svchost.exe
        c:\windows\system\svchost.exe
        1⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious use of WriteProcessMemory
        PID:664
        • C:\Windows\System32\Wbem\WMIC.exe
          WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
          2⤵
            PID:4700
        • \??\c:\windows\system\svchost.exe
          c:\windows\system\svchost.exe
          1⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Modifies data under HKEY_USERS
          • Suspicious use of WriteProcessMemory
          PID:4456
          • C:\Windows\System32\Wbem\WMIC.exe
            WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
            2⤵
              PID:1452
            • C:\Windows\System32\netsh.exe
              "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
              2⤵
              • Modifies Windows Firewall
              PID:3528
            • C:\Windows\System32\netsh.exe
              "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
              2⤵
              • Modifies Windows Firewall
              PID:2808
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
              2⤵
              • Drops file in System32 directory
              • Modifies data under HKEY_USERS
              • Suspicious behavior: EnumeratesProcesses
              PID:3044
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
              2⤵
              • Drops file in System32 directory
              • Modifies data under HKEY_USERS
              • Suspicious behavior: EnumeratesProcesses
              PID:4880
            • C:\Windows\TEMP\~tl4338.tmp
              C:\Windows\TEMP\~tl4338.tmp
              2⤵
              • Executes dropped EXE
              PID:5000
          • \??\c:\windows\system\svchost.exe
            c:\windows\system\svchost.exe
            1⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Drops file in Windows directory
            • Modifies data under HKEY_USERS
            • Suspicious use of WriteProcessMemory
            PID:1580
            • C:\Windows\System32\Wbem\WMIC.exe
              WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
              2⤵
                PID:4948
              • C:\Windows\System32\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                2⤵
                • Modifies Windows Firewall
                PID:2444
              • C:\Windows\System32\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                2⤵
                • Modifies Windows Firewall
                PID:3484
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                2⤵
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                • Suspicious behavior: EnumeratesProcesses
                PID:2596
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                2⤵
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                • Suspicious behavior: EnumeratesProcesses
                PID:1732

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
              Filesize

              2KB

              MD5

              627073ee3ca9676911bee35548eff2b8

              SHA1

              4c4b68c65e2cab9864b51167d710aa29ebdcff2e

              SHA256

              85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

              SHA512

              3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              e3840d9bcedfe7017e49ee5d05bd1c46

              SHA1

              272620fb2605bd196df471d62db4b2d280a363c6

              SHA256

              3ac83e70415b9701ee71a4560232d7998e00c3db020fde669eb01b8821d2746f

              SHA512

              76adc88ab3930acc6b8b7668e2de797b8c00edcfc41660ee4485259c72a8adf162db62c2621ead5a9950f12bfe8a76ccab79d02fda11860afb0e217812cac376

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              051a74485331f9d9f5014e58ec71566c

              SHA1

              4ed0256a84f2e95609a0b4d5c249bca624db8fe4

              SHA256

              3f67e4ba795fd89d33e9a1fe7547e297a82ae50b8f25eedc2b33a27866b28888

              SHA512

              1f15fd8ca727b198495ef826002c1cbcc63e98eecb2e92abff48354ae668e6c3aaf9bd3005664967ae75637bacee7e730ce36142483d08ae6a068d9ae3e0e17d

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2axcqoez.qdx.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\~tlA0A9.tmp
              Filesize

              385KB

              MD5

              e802c96760e48c5139995ffb2d891f90

              SHA1

              bba3d278c0eb1094a26e5d2f4c099ad685371578

              SHA256

              cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c

              SHA512

              97300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0

              Download Submit

            • C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus
              Filesize

              2.6MB

              MD5

              9bae03d3dc0f5cfd40507ee03ba5a765

              SHA1

              bbb2ea791c2e53e615f7c4b17246b4d465e6a4fe

              SHA256

              ff1af3cc0eff747f5425287eea2910d8d69cd9d30af5a90a41a03a023bb0313f

              SHA512

              2263b74eefd835f92a085f1b35e156b79c37996b1976d6b93ad94cfce8454411131d4b3dc1d3d3cee175b37d05433f3061060023219d7d3da86e034e510b7b81

              Download Submit

            • C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
              Filesize

              8.6MB

              MD5

              462fde2ef3bd70827166b35a7e51c426

              SHA1

              739d328ab82995e0ce9609df025f0a4d8ab67d5a

              SHA256

              8c79fd4a98d7b002babfeaa114e29467729f03cb7c804f08e3ca195bddc916ca

              SHA512

              f8fe69e6594eeadef500e19c94aee2a7ec7d02ad8f16cf9d14637dc11abc86efd5d5bae86b88a986126a3c05eca03a9df85aa8f0f6712effef814a84b723bad9

              Download Submit

            • C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-certs
              Filesize

              15KB

              MD5

              cf2f82854f4f1f9590a50a8d9f36ca4f

              SHA1

              9df8480b1a3bb9d81cb1a791546f31177828e941

              SHA256

              7613901f907025298a27b4ec2f345cedc917ccad389059c02f46242b20708c7e

              SHA512

              f12372486edcce405ec1af7635a96585c5c5b889d683cb88fc55c790b4c9bfbc902dc001b4f18e899bd6e84dc160964d5b7b7d30b3e2158b4a208bb478791f4f

              Download Submit

            • C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdesc-consensus
              Filesize

              2.6MB

              MD5

              3af58b6add70a3559c53205e4aefd0f9

              SHA1

              5c1a95db8a1695b14b26cb5e8ae92fea5bd9da41

              SHA256

              d9595b5e4bb49267b93c50334024de412c0e8a2831f2caa1102529292b9c2a7e

              SHA512

              21b93f9444d559aa19fd36afd939120623187fd42cf43296447cfa8794d7a72773900405b37587def2e794b7e829d337aaf5b397a8882552875a89023f104f97

              Download Submit

            • C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdescs.new
              Filesize

              6.3MB

              MD5

              d64588bb4e5600927ad53e8b44e0719e

              SHA1

              4799b3a47ab4b8027975ff72b4ecce3fb7de7ffd

              SHA256

              f9eb239f06f9dcb1f34c8df04d0e6482f3b27f61e6ac05fcacd8983821370626

              SHA512

              83040f31febf2cc4f65a82d02c84f84a09e6645105d5b86b7b50ca3cebaa4aa31066432b31e44a38e7c92b792742896ef5883f4b1e2ac081283c252ef9ea7ca2

              Download Submit

            • C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdescs.new
              Filesize

              18.9MB

              MD5

              880712f15915f1e46b5a7aaae598d52e

              SHA1

              4f5c1a359b0e7e29a85c05df4e4afee9e22299ef

              SHA256

              de9a0a315772991ed96dfa60071d5c2111e2533f79f2cb08bd03022c4c327b96

              SHA512

              e3adefe057989c0d69629a4ae8030e830266e8fe544bc0205b6135199b1d6c88d8201af88d2518a7522b082ec9fca42a60742931a3603fe7b3985a0d2e791738

              Download Submit

            • C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\state
              Filesize

              3KB

              MD5

              ab84455e52b1e4dd98f5fb2219ca3ab5

              SHA1

              3218fcfa7112510166a7a3a5ceef0b73c74a5e04

              SHA256

              36693371622d5f129ae23ba9dd6734e437603e5f59c9f1a71d66d9b9feff2d5b

              SHA512

              73f8f3709287c814259087580c934dce42aca6d510c8cc020235bfe61a7d54c51ef4c1dad91935d9dfce6e0268ce76dbfb303b28938e7be4ac86ee4c923b26d5

              Download Submit

            • C:\Windows\System\svchost.exe
              Filesize

              5.2MB

              MD5

              5fd3d21a968f4b8a1577b5405ab1c36a

              SHA1

              710e5ab0fceb71b982b966c3a7406ebdf1d2aa82

              SHA256

              7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

              SHA512

              085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f

              Download Submit

            • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
              Filesize

              4KB

              MD5

              dbbd2d4458d7e8094846420da595dfc3

              SHA1

              267cb47b904f14a519d2bd73abfdb30e1a06e1a6

              SHA256

              e27390d57580e3dfba07bec3d8e430203bbc91e90f6937079b3fd52abc721bd4

              SHA512

              480e7ca865b811f79f35fcfe7a9ac0280b48d1f9459873d18f000db55c72d53345cf3a10075c1ac407439545f699ce2a7bef38b00b4e19439edf384b00045531

              Download Submit

            • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              1KB

              MD5

              f2dd68ab8e611f0143c6ad176f223ae9

              SHA1

              30f580175773f251a9572fe757de6eaef6844abc

              SHA256

              f935809085e90f8fc2c003afb46e81de28f3312ec097cf46f2bdc2488cb893e7

              SHA512

              f664b850c2fc6773e48171be5c180d8bc5c3a27945f5e6604605006a3c93e0bf3a516b647d6411a4d6b75bdf0a5e15b4f3621bf5702bbc3c46f9b517cb69dd04

              Download Submit

            • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              MD5

              d41d8cd98f00b204e9800998ecf8427e

              SHA1

              da39a3ee5e6b4b0d3255bfef95601890afd80709

              SHA256

              e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

              SHA512

              cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

              Download Submit

            • memory/664-142-0x0000000140000000-0x0000000140636000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/664-143-0x0000000140000000-0x0000000140636000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/668-129-0x0000000140000000-0x0000000140636000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/784-43-0x00007FFBE0610000-0x00007FFBE10D2000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/784-44-0x0000014FAF5C0000-0x0000014FAF5D0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/784-45-0x0000014FAF5C0000-0x0000014FAF5D0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/784-73-0x00007FFBE0610000-0x00007FFBE10D2000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/976-42-0x0000000140000000-0x0000000140636000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/976-23-0x0000000140000000-0x0000000140636000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/976-0-0x0000000140000000-0x0000000140636000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/1260-67-0x000002B50B830000-0x000002B50B840000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1260-56-0x000002B50B830000-0x000002B50B840000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1260-72-0x00007FFBE0610000-0x00007FFBE10D2000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/1260-57-0x000002B50B830000-0x000002B50B840000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1260-68-0x000002B50B830000-0x000002B50B840000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1260-55-0x00007FFBE0610000-0x00007FFBE10D2000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/1440-20-0x000002037A400000-0x000002037A410000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1440-19-0x00007FFBE05D0000-0x00007FFBE1092000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/1440-21-0x000002037A400000-0x000002037A410000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1440-24-0x000002037A400000-0x000002037A410000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1440-31-0x00007FFBE05D0000-0x00007FFBE1092000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/1580-279-0x0000000140000000-0x0000000140636000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/1580-316-0x00000000308F0000-0x0000000030DD2000-memory.dmp

              Filesize

              4.9MB

              Download

            • memory/1580-268-0x0000000140000000-0x0000000140636000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/1732-282-0x00000196E5540000-0x00000196E5550000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1732-292-0x00000196E5540000-0x00000196E5550000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1732-280-0x00007FFBE0DE0000-0x00007FFBE18A2000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/1732-314-0x00007FFBE0DE0000-0x00007FFBE18A2000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/1732-281-0x00000196E5540000-0x00000196E5550000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1732-310-0x00000196E5540000-0x00000196E5550000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2596-315-0x00007FFBE0DE0000-0x00007FFBE18A2000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/2596-269-0x00007FFBE0DE0000-0x00007FFBE18A2000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/2596-301-0x000001D4C2D20000-0x000001D4C2DD3000-memory.dmp

              Filesize

              716KB

              Download

            • memory/2596-270-0x000001D4C2E10000-0x000001D4C2E20000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3044-197-0x0000021EF3510000-0x0000021EF35C3000-memory.dmp

              Filesize

              716KB

              Download

            • memory/3044-199-0x00007FF4F8C60000-0x00007FF4F8C70000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3044-198-0x0000021EF36D0000-0x0000021EF36DA000-memory.dmp

              Filesize

              40KB

              Download

            • memory/3044-157-0x0000021EF3270000-0x0000021EF3280000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3044-178-0x0000021EF3270000-0x0000021EF3280000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3044-156-0x00007FFBE0DE0000-0x00007FFBE18A2000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3044-204-0x0000021EF3870000-0x0000021EF3876000-memory.dmp

              Filesize

              24KB

              Download

            • memory/3044-212-0x00007FFBE0DE0000-0x00007FFBE18A2000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3460-151-0x0000000140000000-0x000000014015E400-memory.dmp

              Filesize

              1.4MB

              Download

            • memory/3460-154-0x0000000140000000-0x000000014015E400-memory.dmp

              Filesize

              1.4MB

              Download

            • memory/4100-22-0x0000010F7B3A0000-0x0000010F7B3B0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4100-25-0x0000010F7B3A0000-0x0000010F7B3B0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4100-10-0x00007FFBE05D0000-0x00007FFBE1092000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4100-32-0x00007FFBE05D0000-0x00007FFBE1092000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4100-9-0x0000010F7B400000-0x0000010F7B422000-memory.dmp

              Filesize

              136KB

              Download

            • memory/4456-158-0x0000000140000000-0x0000000140636000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/4456-266-0x0000000140000000-0x0000000140636000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/4456-214-0x000000003A380000-0x000000003A862000-memory.dmp

              Filesize

              4.9MB

              Download

            • memory/4604-41-0x0000000140000000-0x0000000140636000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/4604-54-0x0000000140000000-0x0000000140636000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/4604-74-0x00000000368E0000-0x0000000036DC2000-memory.dmp

              Filesize

              4.9MB

              Download

            • memory/4604-153-0x0000000140000000-0x0000000140636000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/4880-200-0x00000297FFFE0000-0x00000297FFFFC000-memory.dmp

              Filesize

              112KB

              Download

            • memory/4880-201-0x00000297FFF90000-0x00000297FFF9A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/4880-202-0x0000029800020000-0x000002980003A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/4880-188-0x0000029798850000-0x000002979886C000-memory.dmp

              Filesize

              112KB

              Download

            • memory/4880-179-0x0000029798A40000-0x0000029798A50000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4880-177-0x0000029798A40000-0x0000029798A50000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4880-176-0x0000029798A40000-0x0000029798A50000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4880-175-0x00007FFBE0DE0000-0x00007FFBE18A2000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4880-203-0x0000029798A30000-0x0000029798A38000-memory.dmp

              Filesize

              32KB

              Download

            • memory/4880-205-0x00000297FFFA0000-0x00000297FFFAA000-memory.dmp

              Filesize

              40KB

              Download

            • memory/4880-206-0x0000029798A40000-0x0000029798A50000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4880-213-0x00007FFBE0DE0000-0x00007FFBE18A2000-memory.dmp

              Filesize

              10.8MB

              Download