Overview

overview

8

Static

static

3

svchost_du...py.exe

windows7-x64

8

svchost_du...py.exe

windows10-1703-x64

8

svchost_du...py.exe

windows10-2004-x64

8

svchost_du...py.exe

windows11-21h2-x64

8

Resubmissions

12-04-2024 13:32

240412-qtgfpsag84 8

12-04-2024 13:32

240412-qtc4aaag83 8

12-04-2024 13:32

240412-qtcshsag82 8

12-04-2024 13:32

240412-qtb6zsag79 8

12-04-2024 13:32

240412-qtbkfsdh4s 8

09-04-2024 05:34

240409-f9mmjsbc9t 8

09-04-2024 05:33

240409-f9bkaabc8w 8

09-04-2024 05:33

240409-f86n2abc71 8

09-04-2024 05:33

240409-f8wh3afh27 8

01-02-2024 11:29

240201-nlq9tsebck 10

Analysis

  • max time kernel
    1170s
  • max time network
    1172s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    12-04-2024 13:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    svchost_dump_SCY - Copy.exe

  • Size

    5.2MB

  • MD5

    5fd3d21a968f4b8a1577b5405ab1c36a

  • SHA1

    710e5ab0fceb71b982b966c3a7406ebdf1d2aa82

  • SHA256

    7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

  • SHA512

    085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f

  • SSDEEP

    98304:jgoX+R+gW1CkQFBAFGspWvuL136BRiGQiiyBrDbnh57cpbJLyns:coXxFGWL56BVrDbn77cjIs

Score
8/10
evasion

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 8 IoCs
    evasion
  • Executes dropped EXE 6 IoCs
  • Drops file in System32 directory 17 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost_dump_SCY - Copy.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:236
    • C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1620
    • C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
      2⤵
      • Modifies Windows Firewall
      PID:4840
    • C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
      2⤵
      • Modifies Windows Firewall
      PID:4492
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3660
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1740
    • C:\Windows\SYSTEM32\schtasks.exe
      schtasks /delete /TN "Timer"
      2⤵
        PID:1088
      • C:\Windows\SYSTEM32\schtasks.exe
        schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
        2⤵
        • Creates scheduled task(s)
        PID:1536
      • C:\Windows\System\svchost.exe
        "C:\Windows\System\svchost.exe" formal
        2⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2568
        • C:\Windows\System32\Wbem\WMIC.exe
          WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4984
        • C:\Windows\System32\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
          3⤵
          • Modifies Windows Firewall
          PID:396
        • C:\Windows\System32\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
          3⤵
          • Modifies Windows Firewall
          PID:3228
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1816
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4488
        • C:\Users\Admin\AppData\Local\Temp\~tl29FF.tmp
          C:\Users\Admin\AppData\Local\Temp\~tl29FF.tmp
          3⤵
          • Executes dropped EXE
          PID:4772
    • \??\c:\windows\system\svchost.exe
      c:\windows\system\svchost.exe
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:1964
      • C:\Windows\System32\Wbem\WMIC.exe
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
        2⤵
          PID:1036
        • C:\Windows\System32\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
          2⤵
          • Modifies Windows Firewall
          PID:1948
        • C:\Windows\System32\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
          2⤵
          • Modifies Windows Firewall
          PID:5116
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
          2⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          PID:3172
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
          2⤵
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          PID:1600
        • C:\Windows\TEMP\~tl9E6C.tmp
          C:\Windows\TEMP\~tl9E6C.tmp
          2⤵
          • Executes dropped EXE
          PID:1464
      • \??\c:\windows\system\svchost.exe
        c:\windows\system\svchost.exe
        1⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Modifies data under HKEY_USERS
        • Suspicious use of WriteProcessMemory
        PID:4008
        • C:\Windows\System32\Wbem\WMIC.exe
          WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName
          2⤵
            PID:4256
          • C:\Windows\System32\netsh.exe
            "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
            2⤵
            • Modifies Windows Firewall
            PID:680
          • C:\Windows\System32\netsh.exe
            "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
            2⤵
            • Modifies Windows Firewall
            PID:2296
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
            2⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            PID:4936
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
            2⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            PID:3948
          • C:\Windows\TEMP\~tl1D82.tmp
            C:\Windows\TEMP\~tl1D82.tmp
            2⤵
            • Executes dropped EXE
            PID:3380

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          627073ee3ca9676911bee35548eff2b8

          SHA1

          4c4b68c65e2cab9864b51167d710aa29ebdcff2e

          SHA256

          85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

          SHA512

          3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          1a9fa92a4f2e2ec9e244d43a6a4f8fb9

          SHA1

          9910190edfaccece1dfcc1d92e357772f5dae8f7

          SHA256

          0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

          SHA512

          5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          781da0576417bf414dc558e5a315e2be

          SHA1

          215451c1e370be595f1c389f587efeaa93108b4c

          SHA256

          41a5aef8b0bbeea2766f40a7bba2c78322379f167c610f7055ccb69e7db030fe

          SHA512

          24e283aa30a2903ebe154dad49b26067a45e46fec57549ad080d3b9ec3f272044efaaed3822d067837f5521262192f466c47195ffe7f75f8c7c5dcf3159ea737

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          e07eea85a8893f23fb814cf4b3ed974c

          SHA1

          8a8125b2890bbddbfc3531d0ee4393dbbf5936fe

          SHA256

          83387ce468d717a7b4ba238af2273da873b731a13cc35604f775a31fa0ac70ea

          SHA512

          9d4808d8a261005391388b85da79e4c5396bdded6e7e5ce3a3a23e7359d1aa1fb983b4324f97e0afec6e8ed9d898322ca258dd7cda654456dd7e84c9cbd509df

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rddxvons.gwt.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\~tl29FF.tmp
          Filesize

          385KB

          MD5

          e802c96760e48c5139995ffb2d891f90

          SHA1

          bba3d278c0eb1094a26e5d2f4c099ad685371578

          SHA256

          cb82ea45a37f8f79d10726a7c165aa5b392b68d5ac954141129c1762a539722c

          SHA512

          97300ac501be6b6ea3ac1915361dd472824fe612801cab8561a02c7df071b1534190d2d5ef872d89d24c8c915b88101e7315f948f53215c2538d661181e3a5f0

          Download Submit

        • C:\Users\Admin\AppData\Roaming\tor\cached-microdesc-consensus
          Filesize

          2.7MB

          MD5

          27acfbf94480631e547b5cb508d9d4fb

          SHA1

          f6477330ca9aeb4a8cd19cc44e1a30fa9695b36c

          SHA256

          0fd156526952ba5edb62133774a19bf72f71d3c968d01fcdb517521d45a67c5e

          SHA512

          902ccecfa284881c1f241802b9ccd51a85da0cc48632fbd944b686d37a4fa57bc7cd01c44ef79bfe475494be780164b82ff8fa9a3e77984f6e29467843138929

          Download Submit

        • C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
          Filesize

          8.9MB

          MD5

          a8dad5ba64b75cd3547972d00e8e5354

          SHA1

          2b6c88f73ba0e4415dd85da5c731246a112be4d4

          SHA256

          7c1abd25f3ac1903ff14ce0e65dd6b18ada7d12c3cf00c4f50dcdbbf3877431a

          SHA512

          61c00a7e74dfe98d37b2e5cc291f63525b3769cd2bcd7c2f2266eee524de0392df2d35e2579c10d3bb499d933768f0f5cb39af550dfc7dd25057dd0a5f0a8b88

          Download Submit

        • C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-certs
          Filesize

          15KB

          MD5

          0413ce1640231ee4efe308763359036a

          SHA1

          969d9bbdc725f80e1d63263f95879bd5ddf063ba

          SHA256

          314bccd3b78c9fe250a20c37b355846aec14de04a8935a30932ab5fada3f8ae5

          SHA512

          1bd9d023a3929fde1fd08e5a20a71d5dca976b7445b1b5e79a2aac7531f209701a90d3cc82bb3bb3b7e7e943dbb34ff80e674ec4dbfb813ebdf054dad19b4d25

          Download Submit

        • C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdescs.new
          Filesize

          6.1MB

          MD5

          524278d87e88da6a9979964d03401855

          SHA1

          762826c868a433268a6be411c4b69e7715e2d759

          SHA256

          cf397a08202640178172b9459aac8c667d89f26e305124437ac66ebc6de1809f

          SHA512

          8f4c02b65ce2e6d6b6dba036a9e29b648d92adcd98502b3ad5e24d5c9ae2176c1024478fac3b45d55d62eccf29a9a8e8c277dc41582e2e096b74cebfc0b76a22

          Download Submit

        • C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\cached-microdescs.new
          Filesize

          20.3MB

          MD5

          3f6bc87702fb34ecf6c7d716470ade02

          SHA1

          8972171fba7d3712f6c48cd91b3bc2f075922c3d

          SHA256

          74086319ee8150df4c14a75bdb1ad44040b2f3df309dcc0f446e10714dff8ed2

          SHA512

          f127e6213ded393a3dd7569bc039e076128c8f5bfbf052b821724ac9bf4103a3b66d16b9b877ab0373ca3ea9d3d7c03efafc42ac92d21baae20b27ed489b0d4f

          Download Submit

        • C:\Windows\System32\config\systemprofile\AppData\Roaming\tor\state
          Filesize

          3KB

          MD5

          a2d1cb7c78360dba1e79ecbd8d092269

          SHA1

          c7d1230b2b22e7f606bfa46c348c3630f781ec27

          SHA256

          e97f956bb5bf0d3f2d9744bd24a01363247583a3d4bb260d9d1bf09fa2b449b0

          SHA512

          20b7e9d2acd762173174d32134466f80f1afe3bd36fef4f37ccca745942fbd66ad94e5aa9097aba49398ac3bb1b12dd3cffcdaff93b470b8d051140cdd03c234

          Download Submit

        • C:\Windows\System\svchost.exe
          Filesize

          5.2MB

          MD5

          5fd3d21a968f4b8a1577b5405ab1c36a

          SHA1

          710e5ab0fceb71b982b966c3a7406ebdf1d2aa82

          SHA256

          7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f

          SHA512

          085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f

          Download Submit

        • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          Filesize

          4KB

          MD5

          dbbd2d4458d7e8094846420da595dfc3

          SHA1

          267cb47b904f14a519d2bd73abfdb30e1a06e1a6

          SHA256

          e27390d57580e3dfba07bec3d8e430203bbc91e90f6937079b3fd52abc721bd4

          SHA512

          480e7ca865b811f79f35fcfe7a9ac0280b48d1f9459873d18f000db55c72d53345cf3a10075c1ac407439545f699ce2a7bef38b00b4e19439edf384b00045531

          Download Submit

        • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          f2dd68ab8e611f0143c6ad176f223ae9

          SHA1

          30f580175773f251a9572fe757de6eaef6844abc

          SHA256

          f935809085e90f8fc2c003afb46e81de28f3312ec097cf46f2bdc2488cb893e7

          SHA512

          f664b850c2fc6773e48171be5c180d8bc5c3a27945f5e6604605006a3c93e0bf3a516b647d6411a4d6b75bdf0a5e15b4f3621bf5702bbc3c46f9b517cb69dd04

          Download Submit

        • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          c9e1a46a334bbf867474606ab7890f8f

          SHA1

          f975f36b18fb73608b752c5fd3e5af5be780ee53

          SHA256

          476da7b2266f9176d80a9228b6b5bbbd1b4a505428dbbcddf575fb4b43acce64

          SHA512

          8948dde2697e53780d1547b6e48713739fad6a6fc2e8bd7b2be6b104524017c38b57f5c35721c5e96b742e562a7638584faec0d067324ef3035e2a2122a7e90f

          Download Submit

        • memory/236-13-0x0000000140000000-0x0000000140636000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/236-0-0x0000000140000000-0x0000000140636000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/236-43-0x0000000140000000-0x0000000140636000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/1600-181-0x000001FDECDD0000-0x000001FDECDD6000-memory.dmp

          Filesize

          24KB

          Download

        • memory/1600-145-0x000001FDEC330000-0x000001FDEC340000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1600-144-0x00007FF900150000-0x00007FF900C12000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1600-189-0x00007FF900150000-0x00007FF900C12000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1600-154-0x000001FDEC330000-0x000001FDEC340000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1600-180-0x000001FDECDA0000-0x000001FDECDA8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1600-179-0x000001FDECDF0000-0x000001FDECE0A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/1600-168-0x00007FF4BFB50000-0x00007FF4BFB60000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1600-155-0x000001FDEC330000-0x000001FDEC340000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1740-29-0x00000274774F0000-0x0000027477500000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1740-28-0x00000274774F0000-0x0000027477500000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1740-30-0x00000274774F0000-0x0000027477500000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1740-27-0x00007FF900150000-0x00007FF900C12000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1740-33-0x00007FF900150000-0x00007FF900C12000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1740-31-0x00000274774F0000-0x0000027477500000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1816-45-0x0000028F3F620000-0x0000028F3F630000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1816-70-0x0000028F3F620000-0x0000028F3F630000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1816-44-0x00007FF8FFDF0000-0x00007FF9008B2000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1816-73-0x00007FF8FFDF0000-0x00007FF9008B2000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1816-54-0x0000028F3F620000-0x0000028F3F630000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1816-57-0x0000028F3F620000-0x0000028F3F630000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1964-143-0x0000000140000000-0x0000000140636000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/1964-243-0x0000000140000000-0x0000000140636000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/1964-132-0x0000000140000000-0x0000000140636000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/1964-191-0x000000002BCA0000-0x000000002C182000-memory.dmp

          Filesize

          4.9MB

          Download

        • memory/2568-42-0x0000000140000000-0x0000000140636000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/2568-58-0x0000000140000000-0x0000000140636000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/2568-129-0x0000000140000000-0x0000000140636000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/2568-77-0x00000000368E0000-0x0000000036DC2000-memory.dmp

          Filesize

          4.9MB

          Download

        • memory/3172-166-0x00000132AF7B0000-0x00000132AF863000-memory.dmp

          Filesize

          716KB

          Download

        • memory/3172-156-0x00000132AF4F0000-0x00000132AF500000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3172-165-0x00000132AF790000-0x00000132AF7AC000-memory.dmp

          Filesize

          112KB

          Download

        • memory/3172-134-0x00000132AF4F0000-0x00000132AF500000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3172-167-0x00000132AF870000-0x00000132AF87A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/3172-182-0x00000132AFB20000-0x00000132AFB2A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/3172-177-0x00000132AFAF0000-0x00000132AFB0C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/3172-178-0x00000132AFAD0000-0x00000132AFADA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/3172-133-0x00007FF900150000-0x00007FF900C12000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3172-190-0x00007FF900150000-0x00007FF900C12000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3172-183-0x00000132AF4F0000-0x00000132AF500000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3660-12-0x000001701CAB0000-0x000001701CAC0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3660-10-0x00007FF900150000-0x00007FF900C12000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3660-9-0x0000017004580000-0x00000170045A2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/3660-11-0x000001701CAB0000-0x000001701CAC0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3660-16-0x00007FF900150000-0x00007FF900C12000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3948-269-0x00000142E7970000-0x00000142E7980000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3948-280-0x00007FF47FA80000-0x00007FF47FA90000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3948-257-0x00007FF900150000-0x00007FF900C12000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3948-258-0x00000142E7970000-0x00000142E7980000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4008-296-0x000000003A380000-0x000000003A862000-memory.dmp

          Filesize

          4.9MB

          Download

        • memory/4008-245-0x0000000140000000-0x0000000140636000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4008-259-0x0000000140000000-0x0000000140636000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4488-69-0x0000021356010000-0x0000021356020000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4488-56-0x00007FF8FFDF0000-0x00007FF9008B2000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4488-60-0x0000021356010000-0x0000021356020000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4488-59-0x0000021356010000-0x0000021356020000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4488-72-0x0000021356010000-0x0000021356020000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4488-76-0x00007FF8FFDF0000-0x00007FF9008B2000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4772-130-0x0000000140000000-0x000000014015E400-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/4772-126-0x0000000140000000-0x000000014015E400-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/4936-248-0x000001CFB8EB0000-0x000001CFB8EC0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4936-247-0x000001CFB8EB0000-0x000001CFB8EC0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4936-246-0x00007FF900150000-0x00007FF900C12000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4936-270-0x000001CFB8EB0000-0x000001CFB8EC0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4936-279-0x00007FF4DE7D0000-0x00007FF4DE7E0000-memory.dmp

          Filesize

          64KB

          Download