Overview

overview

8

Static

static

3

svchost_du...py.exe

windows7-x64

8

svchost_du...py.exe

windows10-1703-x64

8

svchost_du...py.exe

windows10-2004-x64

8

svchost_du...py.exe

windows11-21h2-x64

Resubmissions

12-04-2024 13:32

240412-qtgfpsag84 8

12-04-2024 13:32

240412-qtc4aaag83 8

12-04-2024 13:32

240412-qtcshsag82 8

12-04-2024 13:32

240412-qtb6zsag79 8

12-04-2024 13:32

240412-qtbkfsdh4s 8

09-04-2024 05:34

240409-f9mmjsbc9t 8

09-04-2024 05:33

240409-f9bkaabc8w 8

09-04-2024 05:33

240409-f86n2abc71 8

09-04-2024 05:33

240409-f8wh3afh27 8

01-02-2024 11:29

240201-nlq9tsebck 10

Analysis

  • max time kernel
    600s
  • max time network
    606s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    12-04-2024 13:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    svchost_dump_SCY - Copy.exe

  • Size

    5.2MB

  • MD5

    5fd3d21a968f4b8a1577b5405ab1c36a

  • SHA1

    710e5ab0fceb71b982b966c3a7406ebdf1d2aa82

  • SHA256

    7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

  • SHA512

    085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f

  • SSDEEP

    98304:jgoX+R+gW1CkQFBAFGspWvuL136BRiGQiiyBrDbnh57cpbJLyns:coXxFGWL56BVrDbn77cjIs

Score
8/10
evasion

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 14 IoCs
    evasion
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 11 IoCs
  • Drops file in System32 directory 9 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2200
    • C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2056
    • C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
      2⤵
      • Modifies Windows Firewall
      PID:2580
    • C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
      2⤵
      • Modifies Windows Firewall
      PID:2644
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2552
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2880
    • C:\Windows\system32\schtasks.exe
      schtasks /delete /TN "Timer"
      2⤵
        PID:1892
      • C:\Windows\system32\schtasks.exe
        schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
        2⤵
        • Creates scheduled task(s)
        PID:1748
      • C:\Windows\System\svchost.exe
        "C:\Windows\System\svchost.exe" formal
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1688
        • C:\Windows\System32\Wbem\WMIC.exe
          WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2224
        • C:\Windows\System32\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
          3⤵
          • Modifies Windows Firewall
          PID:2464
        • C:\Windows\System32\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
          3⤵
          • Modifies Windows Firewall
          PID:1912
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3020
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1556
        • C:\Users\Admin\AppData\Local\Temp\~tl95F9.tmp
          C:\Users\Admin\AppData\Local\Temp\~tl95F9.tmp
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1744
          • C:\Windows\system32\netsh.exe
            netsh int ipv4 set dynamicport tcp start=1025 num=64511
            4⤵
              PID:1784
            • C:\Windows\System32\netsh.exe
              "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
              4⤵
              • Modifies Windows Firewall
              PID:1804
            • C:\Windows\System32\netsh.exe
              "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
              4⤵
              • Modifies Windows Firewall
              PID:320
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:3064
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:1816
            • C:\Windows\system32\schtasks.exe
              schtasks /delete /TN "Timer"
              4⤵
                PID:1608
              • C:\Windows\system32\schtasks.exe
                schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
                4⤵
                • Creates scheduled task(s)
                PID:1604
              • C:\Windows\System\svchost.exe
                "C:\Windows\System\svchost.exe" formal
                4⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in Windows directory
                • Suspicious behavior: EnumeratesProcesses
                PID:1888
                • C:\Windows\system32\netsh.exe
                  netsh int ipv4 set dynamicport tcp start=1025 num=64511
                  5⤵
                    PID:2436
                  • C:\Windows\System32\netsh.exe
                    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                    5⤵
                    • Modifies Windows Firewall
                    PID:2484
                  • C:\Windows\System32\netsh.exe
                    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                    5⤵
                    • Modifies Windows Firewall
                    PID:2496
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                    5⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:1880
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                    5⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:2760
                  • C:\Users\Admin\AppData\Local\Temp\~tlBBD0.tmp
                    C:\Users\Admin\AppData\Local\Temp\~tlBBD0.tmp
                    5⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    PID:1072
                    • C:\Windows\system32\netsh.exe
                      netsh int ipv4 set dynamicport tcp start=1025 num=64511
                      6⤵
                        PID:1212
                      • C:\Windows\System32\netsh.exe
                        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                        6⤵
                        • Modifies Windows Firewall
                        PID:1852
                      • C:\Windows\System32\netsh.exe
                        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                        6⤵
                        • Modifies Windows Firewall
                        PID:2960
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                        6⤵
                        • Suspicious behavior: EnumeratesProcesses
                        PID:2848
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                        6⤵
                        • Suspicious behavior: EnumeratesProcesses
                        PID:2972
            • C:\Windows\system32\taskeng.exe
              taskeng.exe {05D7D55F-45AC-433F-9865-AC5B4A272BDB} S-1-5-18:NT AUTHORITY\System:Service:
              1⤵
              • Loads dropped DLL
              PID:1084
              • \??\c:\windows\system\svchost.exe
                c:\windows\system\svchost.exe
                2⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in System32 directory
                • Drops file in Windows directory
                • Modifies data under HKEY_USERS
                • Suspicious behavior: EnumeratesProcesses
                PID:2988
                • C:\Windows\system32\netsh.exe
                  netsh int ipv4 set dynamicport tcp start=1025 num=64511
                  3⤵
                  • Modifies data under HKEY_USERS
                  PID:2644
                • C:\Windows\System32\netsh.exe
                  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                  3⤵
                  • Modifies Windows Firewall
                  • Modifies data under HKEY_USERS
                  PID:2432
                • C:\Windows\System32\netsh.exe
                  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                  3⤵
                  • Modifies Windows Firewall
                  • Modifies data under HKEY_USERS
                  PID:2660
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                  3⤵
                  • Drops file in System32 directory
                  • Modifies data under HKEY_USERS
                  • Suspicious behavior: EnumeratesProcesses
                  PID:2460
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                  3⤵
                  • Drops file in System32 directory
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1880
                • C:\Windows\TEMP\~tl7149.tmp
                  C:\Windows\TEMP\~tl7149.tmp
                  3⤵
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • Modifies data under HKEY_USERS
                  • Suspicious behavior: EnumeratesProcesses
                  PID:2300
                  • C:\Windows\system32\netsh.exe
                    netsh int ipv4 set dynamicport tcp start=1025 num=64511
                    4⤵
                    • Modifies data under HKEY_USERS
                    PID:2328
                  • C:\Windows\System32\netsh.exe
                    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                    4⤵
                    • Modifies Windows Firewall
                    • Modifies data under HKEY_USERS
                    PID:836
                  • C:\Windows\System32\netsh.exe
                    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
                    4⤵
                    • Modifies Windows Firewall
                    • Modifies data under HKEY_USERS
                    PID:1572
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
                    4⤵
                    • Drops file in System32 directory
                    • Suspicious behavior: EnumeratesProcesses
                    PID:1624
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                    4⤵
                    • Drops file in System32 directory
                    • Suspicious behavior: EnumeratesProcesses
                    PID:2960

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
              Filesize

              7KB

              MD5

              fba5f5b0a7aecac89c1c69d7ae7df7a8

              SHA1

              1d13543232521ec5e54cf91e0a02c6cdeab76a8e

              SHA256

              7cefe6394cc75430e2e503959d057e79aa836d18f9b294a9715cb64467e3e40b

              SHA512

              2dbe0b0bb8ac599e96f4d06db8cf91004d6506d5a989464c821397ee254ece933faa1a3f7142103f66d284a50ed51cab45c0b512c904c5b30dcf159b9d2b7165

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
              Filesize

              7KB

              MD5

              a387f9e6a990e55a879db017f123f200

              SHA1

              f5381df28a85859450da645b25ae9c3edd8014ce

              SHA256

              18b2258d83a9dabea3988d2661cbd93e1661ff16b9c81c408c18a616d1274d84

              SHA512

              bd5f1621fd919b182dba7aa469bca0c3da272aa6b9a4e5d5efcec9284f100e97958973f2e281beb14843319589cba9283e64b6689210829f739dd40aa0071b13

              Download Submit

            • C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus.tmp
              Filesize

              2.7MB

              MD5

              27acfbf94480631e547b5cb508d9d4fb

              SHA1

              f6477330ca9aeb4a8cd19cc44e1a30fa9695b36c

              SHA256

              0fd156526952ba5edb62133774a19bf72f71d3c968d01fcdb517521d45a67c5e

              SHA512

              902ccecfa284881c1f241802b9ccd51a85da0cc48632fbd944b686d37a4fa57bc7cd01c44ef79bfe475494be780164b82ff8fa9a3e77984f6e29467843138929

              Download Submit

            • C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
              Filesize

              5.2MB

              MD5

              4ae713ba519785eb2be144b62587e775

              SHA1

              12b478ade5cbce797b21acef68dc0849d62c244d

              SHA256

              0f32616e3276f1e392465eebe3c3f8df5fd57555f8a8b69038c01f1ac889ccfc

              SHA512

              dc3b54c6b3a9734bb25208882c80b7c5ddf45f99c189cdff8dbf7e14c7baae789360d7c1337600dac2a8b386942344d309f3761bbb73b631a183d0e43c7f4191

              Download Submit

            • \Users\Admin\AppData\Local\Temp\~tl95F9.tmp
              Filesize

              385KB

              MD5

              e802c96760e48c5139995ffb2d891f90

              SHA1

              bba3d278c0eb1094a26e5d2f4c099ad685371578

              SHA256

              cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c

              SHA512

              97300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0

              Download Submit

            • \Users\Admin\AppData\Local\Temp\~tlBBD0.tmp
              Filesize

              393KB

              MD5

              9dbdd43a2e0b032604943c252eaf634a

              SHA1

              9584dc66f3c1cce4210fdf827a1b4e2bb22263af

              SHA256

              33c53cd5265502e7b62432dba0e1b5ed702b5007cc79973ccd1e71b2acc01e86

              SHA512

              b7b20b06dac952a96eda254bad29966fe7a4f827912beb0bc66d5af5b302d7c0282d70c1b01ff782507dd03a1d58706f05cb157521c7f2887a43085ffe5f94d1

              Download Submit

            • \Windows\system\svchost.exe
              Filesize

              5.2MB

              MD5

              5fd3d21a968f4b8a1577b5405ab1c36a

              SHA1

              710e5ab0fceb71b982b966c3a7406ebdf1d2aa82

              SHA256

              7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

              SHA512

              085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f

              Download Submit

            • memory/1072-201-0x0000000140000000-0x0000000140170400-memory.dmp

              Filesize

              1.4MB

              Download

            • memory/1072-200-0x0000000140000000-0x0000000140170400-memory.dmp

              Filesize

              1.4MB

              Download

            • memory/1072-227-0x0000000140000000-0x0000000140170400-memory.dmp

              Filesize

              1.4MB

              Download

            • memory/1072-202-0x0000000140000000-0x0000000140170400-memory.dmp

              Filesize

              1.4MB

              Download

            • memory/1556-55-0x0000000002A40000-0x0000000002AC0000-memory.dmp

              Filesize

              512KB

              Download

            • memory/1556-56-0x000007FEF57B0000-0x000007FEF614D000-memory.dmp

              Filesize

              9.6MB

              Download

            • memory/1556-59-0x000007FEF57B0000-0x000007FEF614D000-memory.dmp

              Filesize

              9.6MB

              Download

            • memory/1556-60-0x000007FEF57B0000-0x000007FEF614D000-memory.dmp

              Filesize

              9.6MB

              Download

            • memory/1556-76-0x000007FEF57B0000-0x000007FEF614D000-memory.dmp

              Filesize

              9.6MB

              Download

            • memory/1556-58-0x0000000002A4B000-0x0000000002AB2000-memory.dmp

              Filesize

              412KB

              Download

            • memory/1556-57-0x0000000002A40000-0x0000000002AC0000-memory.dmp

              Filesize

              512KB

              Download

            • memory/1688-61-0x000000001A0D0000-0x000000001A5B2000-memory.dmp

              Filesize

              4.9MB

              Download

            • memory/1688-35-0x0000000140000000-0x0000000140636000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/1688-120-0x0000000140000000-0x0000000140636000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/1688-33-0x0000000140000000-0x0000000140636000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/1744-121-0x0000000140000000-0x000000014015E400-memory.dmp

              Filesize

              1.4MB

              Download

            • memory/1744-122-0x0000000140000000-0x000000014015E400-memory.dmp

              Filesize

              1.4MB

              Download

            • memory/1744-123-0x0000000140000000-0x000000014015E400-memory.dmp

              Filesize

              1.4MB

              Download

            • memory/1744-163-0x0000000140000000-0x000000014015E400-memory.dmp

              Filesize

              1.4MB

              Download

            • memory/1816-140-0x0000000002980000-0x0000000002A00000-memory.dmp

              Filesize

              512KB

              Download

            • memory/1816-141-0x000007FEF5A00000-0x000007FEF639D000-memory.dmp

              Filesize

              9.6MB

              Download

            • memory/1816-142-0x0000000002980000-0x0000000002A00000-memory.dmp

              Filesize

              512KB

              Download

            • memory/1816-145-0x0000000002980000-0x0000000002A00000-memory.dmp

              Filesize

              512KB

              Download

            • memory/1816-147-0x000007FEF5A00000-0x000007FEF639D000-memory.dmp

              Filesize

              9.6MB

              Download

            • memory/1880-178-0x0000000002540000-0x00000000025C0000-memory.dmp

              Filesize

              512KB

              Download

            • memory/1880-186-0x000007FEF5890000-0x000007FEF622D000-memory.dmp

              Filesize

              9.6MB

              Download

            • memory/1880-177-0x000007FEF5890000-0x000007FEF622D000-memory.dmp

              Filesize

              9.6MB

              Download

            • memory/1880-179-0x000007FEF5890000-0x000007FEF622D000-memory.dmp

              Filesize

              9.6MB

              Download

            • memory/1880-184-0x0000000002540000-0x00000000025C0000-memory.dmp

              Filesize

              512KB

              Download

            • memory/1880-185-0x0000000002540000-0x00000000025C0000-memory.dmp

              Filesize

              512KB

              Download

            • memory/1888-199-0x0000000140000000-0x000000014015E400-memory.dmp

              Filesize

              1.4MB

              Download

            • memory/1888-166-0x0000000140000000-0x000000014015E400-memory.dmp

              Filesize

              1.4MB

              Download

            • memory/1888-161-0x0000000140000000-0x000000014015E400-memory.dmp

              Filesize

              1.4MB

              Download

            • memory/1888-162-0x0000000140000000-0x000000014015E400-memory.dmp

              Filesize

              1.4MB

              Download

            • memory/2200-0-0x0000000140000000-0x0000000140636000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/2200-31-0x000000001ED70000-0x000000001F3A6000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/2200-32-0x000000001ED70000-0x000000001F3A6000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/2200-21-0x0000000140000000-0x0000000140636000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/2200-34-0x0000000140000000-0x0000000140636000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/2300-271-0x0000000140000000-0x0000000140170400-memory.dmp

              Filesize

              1.4MB

              Download

            • memory/2300-287-0x0000000140000000-0x0000000140170400-memory.dmp

              Filesize

              1.4MB

              Download

            • memory/2552-13-0x0000000002A40000-0x0000000002AC0000-memory.dmp

              Filesize

              512KB

              Download

            • memory/2552-12-0x000007FEF5810000-0x000007FEF61AD000-memory.dmp

              Filesize

              9.6MB

              Download

            • memory/2552-20-0x000007FEF5810000-0x000007FEF61AD000-memory.dmp

              Filesize

              9.6MB

              Download

            • memory/2552-15-0x0000000002A44000-0x0000000002A47000-memory.dmp

              Filesize

              12KB

              Download

            • memory/2552-17-0x0000000002A4B000-0x0000000002AB2000-memory.dmp

              Filesize

              412KB

              Download

            • memory/2552-16-0x000007FEF5810000-0x000007FEF61AD000-memory.dmp

              Filesize

              9.6MB

              Download

            • memory/2760-187-0x00000000026B0000-0x0000000002730000-memory.dmp

              Filesize

              512KB

              Download

            • memory/2760-188-0x000007FEF5890000-0x000007FEF622D000-memory.dmp

              Filesize

              9.6MB

              Download

            • memory/2760-183-0x00000000026B0000-0x0000000002730000-memory.dmp

              Filesize

              512KB

              Download

            • memory/2760-182-0x000007FEF5890000-0x000007FEF622D000-memory.dmp

              Filesize

              9.6MB

              Download

            • memory/2760-181-0x00000000026B0000-0x0000000002730000-memory.dmp

              Filesize

              512KB

              Download

            • memory/2760-180-0x000007FEF5890000-0x000007FEF622D000-memory.dmp

              Filesize

              9.6MB

              Download

            • memory/2848-208-0x000007FEF58D0000-0x000007FEF626D000-memory.dmp

              Filesize

              9.6MB

              Download

            • memory/2880-10-0x000000001B210000-0x000000001B4F2000-memory.dmp

              Filesize

              2.9MB

              Download

            • memory/2880-11-0x0000000002390000-0x0000000002398000-memory.dmp

              Filesize

              32KB

              Download

            • memory/2880-14-0x000007FEF5810000-0x000007FEF61AD000-memory.dmp

              Filesize

              9.6MB

              Download

            • memory/2880-18-0x00000000022E4000-0x00000000022E7000-memory.dmp

              Filesize

              12KB

              Download

            • memory/2880-19-0x00000000022E0000-0x0000000002360000-memory.dmp

              Filesize

              512KB

              Download

            • memory/2988-239-0x0000000140000000-0x000000014015E400-memory.dmp

              Filesize

              1.4MB

              Download

            • memory/2988-256-0x0000000140000000-0x000000014015E400-memory.dmp

              Filesize

              1.4MB

              Download

            • memory/2988-267-0x0000000140000000-0x000000014015E400-memory.dmp

              Filesize

              1.4MB

              Download

            • memory/3020-45-0x000007FEF57B0000-0x000007FEF614D000-memory.dmp

              Filesize

              9.6MB

              Download

            • memory/3020-46-0x0000000002990000-0x0000000002A10000-memory.dmp

              Filesize

              512KB

              Download

            • memory/3020-50-0x000007FEF57B0000-0x000007FEF614D000-memory.dmp

              Filesize

              9.6MB

              Download

            • memory/3020-41-0x000000001B270000-0x000000001B552000-memory.dmp

              Filesize

              2.9MB

              Download

            • memory/3020-49-0x0000000002990000-0x0000000002A10000-memory.dmp

              Filesize

              512KB

              Download

            • memory/3020-43-0x000007FEF57B0000-0x000007FEF614D000-memory.dmp

              Filesize

              9.6MB

              Download

            • memory/3020-44-0x0000000002990000-0x0000000002A10000-memory.dmp

              Filesize

              512KB

              Download

            • memory/3020-42-0x0000000002460000-0x0000000002468000-memory.dmp

              Filesize

              32KB

              Download

            • memory/3064-146-0x000007FEF5A00000-0x000007FEF639D000-memory.dmp

              Filesize

              9.6MB

              Download

            • memory/3064-131-0x000007FEF5A00000-0x000007FEF639D000-memory.dmp

              Filesize

              9.6MB

              Download

            • memory/3064-134-0x00000000027E0000-0x0000000002860000-memory.dmp

              Filesize

              512KB

              Download

            • memory/3064-139-0x000007FEF5A00000-0x000007FEF639D000-memory.dmp

              Filesize

              9.6MB

              Download

            • memory/3064-143-0x00000000027E0000-0x0000000002860000-memory.dmp

              Filesize

              512KB

              Download

            • memory/3064-144-0x00000000027E0000-0x0000000002860000-memory.dmp

              Filesize

              512KB

              Download

            • memory/3064-130-0x0000000002620000-0x0000000002628000-memory.dmp

              Filesize

              32KB

              Download

            • memory/3064-129-0x000000001B150000-0x000000001B432000-memory.dmp

              Filesize

              2.9MB

              Download