49d3da4a93495e17dc507de8e4e25cd5a038d199da49e34250f423b9fcfedca9

Resubmissions

16/04/2024, 19:44

240416-yfyf3aag99 7

16/04/2024, 19:29

240416-x7jljscb21 7

Analysis

max time kernel
90s
max time network
156s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
16/04/2024, 19:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

asdasdasd.exe
Size

131.9MB
MD5

7bfb255681df845fa08e937447fa5c4a
SHA1

3132cb69dbcf8964b9f8f286b2e2a14e47e614f7
SHA256

b018ff7173447e00dcdf50ea416152ca45eafa0b373d15c02a45f52ae9ce142c
SHA512

85aab548b1bfd1d9c4323af21a3c4231c75e8bd4484df53137799043c63677827779c3e99c00a95d5ea713165d29c9c95978a510c9ae33676e8656faf6e15228
SSDEEP

1572864:84sMLl/BkZTVV2iplzf+ekzrMdTOG0AfhgojwlwVgmPQtn06H9rejAEdCoIZXCVv:hl/BkVVPBDgmPKa5Wnu3X7

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
1396	asdasdasd.exe
1396	asdasdasd.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ipinfo.io
6	ipinfo.io

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	asdasdasd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	asdasdasd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	asdasdasd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	asdasdasd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	asdasdasd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	asdasdasd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	asdasdasd.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
3248	tasklist.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
1932	powershell.exe
2460	powershell.exe
1112	powershell.exe
1536	asdasdasd.exe
1536	asdasdasd.exe
1932	powershell.exe
1112	powershell.exe
2460	powershell.exe
2460	powershell.exe
1932	powershell.exe
1112	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3248	tasklist.exe
Token: SeShutdownPrivilege	1396	asdasdasd.exe
Token: SeCreatePagefilePrivilege	1396	asdasdasd.exe
Token: SeDebugPrivilege	1112	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeShutdownPrivilege	1396	asdasdasd.exe
Token: SeCreatePagefilePrivilege	1396	asdasdasd.exe
Token: SeShutdownPrivilege	1396	asdasdasd.exe
Token: SeCreatePagefilePrivilege	1396	asdasdasd.exe
Token: SeShutdownPrivilege	1396	asdasdasd.exe
Token: SeCreatePagefilePrivilege	1396	asdasdasd.exe
Token: SeShutdownPrivilege	1396	asdasdasd.exe
Token: SeCreatePagefilePrivilege	1396	asdasdasd.exe
Token: SeShutdownPrivilege	1396	asdasdasd.exe
Token: SeCreatePagefilePrivilege	1396	asdasdasd.exe
Token: SeShutdownPrivilege	1396	asdasdasd.exe
Token: SeCreatePagefilePrivilege	1396	asdasdasd.exe
Token: SeShutdownPrivilege	1396	asdasdasd.exe
Token: SeCreatePagefilePrivilege	1396	asdasdasd.exe
Token: SeShutdownPrivilege	1396	asdasdasd.exe
Token: SeCreatePagefilePrivilege	1396	asdasdasd.exe
Token: SeShutdownPrivilege	1396	asdasdasd.exe
Token: SeCreatePagefilePrivilege	1396	asdasdasd.exe
Token: SeShutdownPrivilege	1396	asdasdasd.exe
Token: SeCreatePagefilePrivilege	1396	asdasdasd.exe
Token: SeShutdownPrivilege	1396	asdasdasd.exe
Token: SeCreatePagefilePrivilege	1396	asdasdasd.exe
Token: SeIncreaseQuotaPrivilege	1932	powershell.exe
Token: SeSecurityPrivilege	1932	powershell.exe
Token: SeTakeOwnershipPrivilege	1932	powershell.exe
Token: SeLoadDriverPrivilege	1932	powershell.exe
Token: SeSystemProfilePrivilege	1932	powershell.exe
Token: SeSystemtimePrivilege	1932	powershell.exe
Token: SeProfSingleProcessPrivilege	1932	powershell.exe
Token: SeIncBasePriorityPrivilege	1932	powershell.exe
Token: SeCreatePagefilePrivilege	1932	powershell.exe
Token: SeBackupPrivilege	1932	powershell.exe
Token: SeRestorePrivilege	1932	powershell.exe
Token: SeShutdownPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeSystemEnvironmentPrivilege	1932	powershell.exe
Token: SeRemoteShutdownPrivilege	1932	powershell.exe
Token: SeUndockPrivilege	1932	powershell.exe
Token: SeManageVolumePrivilege	1932	powershell.exe
Token: 33	1932	powershell.exe
Token: 34	1932	powershell.exe
Token: 35	1932	powershell.exe
Token: 36	1932	powershell.exe
Token: SeIncreaseQuotaPrivilege	1112	powershell.exe
Token: SeSecurityPrivilege	1112	powershell.exe
Token: SeTakeOwnershipPrivilege	1112	powershell.exe
Token: SeLoadDriverPrivilege	1112	powershell.exe
Token: SeSystemProfilePrivilege	1112	powershell.exe
Token: SeSystemtimePrivilege	1112	powershell.exe
Token: SeProfSingleProcessPrivilege	1112	powershell.exe
Token: SeIncBasePriorityPrivilege	1112	powershell.exe
Token: SeCreatePagefilePrivilege	1112	powershell.exe
Token: SeBackupPrivilege	1112	powershell.exe
Token: SeRestorePrivilege	1112	powershell.exe
Token: SeShutdownPrivilege	1112	powershell.exe
Token: SeDebugPrivilege	1112	powershell.exe
Token: SeSystemEnvironmentPrivilege	1112	powershell.exe
Token: SeRemoteShutdownPrivilege	1112	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1396 wrote to memory of 4608	1396	asdasdasd.exe	74
PID 1396 wrote to memory of 4608	1396	asdasdasd.exe	74
PID 1396 wrote to memory of 4608	1396	asdasdasd.exe	74
PID 4608 wrote to memory of 32	4608	cmd.exe	76
PID 4608 wrote to memory of 32	4608	cmd.exe	76
PID 4608 wrote to memory of 32	4608	cmd.exe	76
PID 1396 wrote to memory of 3988	1396	asdasdasd.exe	77
PID 1396 wrote to memory of 3988	1396	asdasdasd.exe	77
PID 1396 wrote to memory of 3988	1396	asdasdasd.exe	77
PID 3988 wrote to memory of 3248	3988	cmd.exe	79
PID 3988 wrote to memory of 3248	3988	cmd.exe	79
PID 3988 wrote to memory of 3248	3988	cmd.exe	79
PID 1396 wrote to memory of 3404	1396	asdasdasd.exe	81
PID 1396 wrote to memory of 3404	1396	asdasdasd.exe	81
PID 1396 wrote to memory of 3404	1396	asdasdasd.exe	81
PID 1396 wrote to memory of 1112	1396	asdasdasd.exe	83
PID 1396 wrote to memory of 1112	1396	asdasdasd.exe	83
PID 1396 wrote to memory of 1112	1396	asdasdasd.exe	83
PID 1396 wrote to memory of 1932	1396	asdasdasd.exe	84
PID 1396 wrote to memory of 1932	1396	asdasdasd.exe	84
PID 1396 wrote to memory of 1932	1396	asdasdasd.exe	84
PID 1396 wrote to memory of 2460	1396	asdasdasd.exe	86
PID 1396 wrote to memory of 2460	1396	asdasdasd.exe	86
PID 1396 wrote to memory of 2460	1396	asdasdasd.exe	86
PID 1396 wrote to memory of 1900	1396	asdasdasd.exe	89
PID 1396 wrote to memory of 1900	1396	asdasdasd.exe	89
PID 1396 wrote to memory of 1900	1396	asdasdasd.exe	89
PID 1396 wrote to memory of 1900	1396	asdasdasd.exe	89
PID 1396 wrote to memory of 1900	1396	asdasdasd.exe	89
PID 1396 wrote to memory of 1900	1396	asdasdasd.exe	89
PID 1396 wrote to memory of 1900	1396	asdasdasd.exe	89
PID 1396 wrote to memory of 1900	1396	asdasdasd.exe	89
PID 1396 wrote to memory of 1900	1396	asdasdasd.exe	89
PID 1396 wrote to memory of 1900	1396	asdasdasd.exe	89
PID 1396 wrote to memory of 1900	1396	asdasdasd.exe	89
PID 1396 wrote to memory of 1900	1396	asdasdasd.exe	89
PID 1396 wrote to memory of 1900	1396	asdasdasd.exe	89
PID 1396 wrote to memory of 1900	1396	asdasdasd.exe	89
PID 1396 wrote to memory of 1900	1396	asdasdasd.exe	89
PID 1396 wrote to memory of 1900	1396	asdasdasd.exe	89
PID 1396 wrote to memory of 1900	1396	asdasdasd.exe	89
PID 1396 wrote to memory of 1900	1396	asdasdasd.exe	89
PID 1396 wrote to memory of 1900	1396	asdasdasd.exe	89
PID 1396 wrote to memory of 1900	1396	asdasdasd.exe	89
PID 1396 wrote to memory of 1900	1396	asdasdasd.exe	89
PID 1396 wrote to memory of 1900	1396	asdasdasd.exe	89
PID 1396 wrote to memory of 1900	1396	asdasdasd.exe	89
PID 1396 wrote to memory of 1900	1396	asdasdasd.exe	89
PID 1396 wrote to memory of 1900	1396	asdasdasd.exe	89
PID 1396 wrote to memory of 1900	1396	asdasdasd.exe	89
PID 1396 wrote to memory of 1900	1396	asdasdasd.exe	89
PID 1396 wrote to memory of 1900	1396	asdasdasd.exe	89
PID 1396 wrote to memory of 1900	1396	asdasdasd.exe	89
PID 1396 wrote to memory of 1900	1396	asdasdasd.exe	89
PID 1396 wrote to memory of 1900	1396	asdasdasd.exe	89
PID 1396 wrote to memory of 1900	1396	asdasdasd.exe	89
PID 1396 wrote to memory of 1536	1396	asdasdasd.exe	90
PID 1396 wrote to memory of 1536	1396	asdasdasd.exe	90
PID 1396 wrote to memory of 1536	1396	asdasdasd.exe	90
PID 1396 wrote to memory of 3700	1396	asdasdasd.exe	91
PID 1396 wrote to memory of 3700	1396	asdasdasd.exe	91
PID 1396 wrote to memory of 3700	1396	asdasdasd.exe	91
PID 3700 wrote to memory of 4536	3700	cmd.exe	93
PID 3700 wrote to memory of 4536	3700	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\asdasdasd.exe
"C:\Users\Admin\AppData\Local\Temp\asdasdasd.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "chcp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4608
- - C:\Windows\SysWOW64\chcp.com
    chcp
    3⤵
    PID:32
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3988
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3248
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%"
  2⤵
  PID:3404
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1112
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1932
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2460
- C:\Users\Admin\AppData\Local\Temp\asdasdasd.exe
  "C:\Users\Admin\AppData\Local\Temp\asdasdasd.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\asdasdasd" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1836 --field-trial-handle=1840,i,10387620690186657083,14734986763488775156,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:1900
- C:\Users\Admin\AppData\Local\Temp\asdasdasd.exe
  "C:\Users\Admin\AppData\Local\Temp\asdasdasd.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\asdasdasd" --mojo-platform-channel-handle=2016 --field-trial-handle=1840,i,10387620690186657083,14734986763488775156,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "findstr /C:"Detected boot environment" "%windir%\Panther\setupact.log""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3700
- - C:\Windows\SysWOW64\findstr.exe
    findstr /C:"Detected boot environment" "C:\Windows\Panther\setupact.log"
    3⤵
    PID:4536
- C:\Users\Admin\AppData\Local\Temp\asdasdasd.exe
  "C:\Users\Admin\AppData\Local\Temp\asdasdasd.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --user-data-dir="C:\Users\Admin\AppData\Roaming\asdasdasd" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2404 --field-trial-handle=1840,i,10387620690186657083,14734986763488775156,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:4648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
32e05f2444df5b7af684f8105b7b87f8

SHA1
381941d3d35458b454eaa7fbc7694c827194c5a8

SHA256
d41e68a5a3165192ac482de7b0d76e07d77eb04c81243b0b889e6abfb97d187d

SHA512
fc0c994c5be244b347b80aef2d54f918159ef85a6b9574408f0237ac26c99e3cb2142627d4386740b92e4eff1693e6d04a9c43d0ba1e11104453b35285d85caf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
20KB

MD5
36ad0bc590dacda3a48196fa108fea8f

SHA1
02e9323cadbdfaea8d5ac3affffa6621ae8e80c8

SHA256
a6b421f25f5a9203405f07c84e53bb5f04b51ba748e1cb15d9856605757bccb3

SHA512
1df7625ca0d92b4f58136f4b2dd15973e5cfd31aa1d483a4c14d71f44f8aaa229317a5489f1b7762cd3f545ad52a20309bfc1cd625eef91925e8f62252e7e769

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
21KB

MD5
3cd610f9da258116b482b955b590b7a9

SHA1
bdd52da5e4fec60f93cccad737ca3e5dfa1024a9

SHA256
d1dc289ac08a033ee43e6b03b9abfcffca699c96219ed6480db62e807052ceca

SHA512
5717737842aa3a4a47babda947c21abd900edaf33bd6bdbe625d109033d7982d161f18d72468f829d13000000653d047436f0d54c06f2d790d454e1946f4d9a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5ijvfnfn.qbf.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\Users\Admin\AppData\Local\Temp\54a82131-f061-45e1-b906-c991b4a3f3a7.tmp.node

Filesize
95KB

MD5
94d886881682434857d21ad7f08c9889

SHA1
1a3562ca09fa5a7ee075d78e1a360268e64b8617

SHA256
adac304b4e0b93ec46f469bd2a7451ab58ea1ed16e17d7a80e8b91312202c0a8

SHA512
92063672cdc076ca670b88a6d8eadaf9ae9fccf585a323b31c321d5a43ee7a9032ff4c0aea6e35e8847b1a9e149806322adf160c7f851e1c92112f43d093dc8e

Download Submit
\Users\Admin\AppData\Local\Temp\864db48e-3d08-4be7-823f-1f2bc9bd220b.tmp.node

Filesize
1.5MB

MD5
780a9a3098c31b205974a45dc3a15278

SHA1
6308103a4f97d5e0daff24a28d576fe852ef17ce

SHA256
9668a9002fa87090cc78771e6365d1f8cbb7d85e54f963c5afcd23963ce3d2ba

SHA512
4a9071beaa94f44e88148e731f218ea2bab6594afe837a7414c94287939ba4e20fbd3afc91904ec52f0c104d537fed95516cc278e37e1981adeaacebccb6651d

Download Submit
memory/1112-35-0x00000000046D0000-0x00000000046E0000-memory.dmp

Filesize
64KB

Download
memory/1112-32-0x00000000726E0000-0x0000000072DCE000-memory.dmp

Filesize
6.9MB

Download
memory/1112-507-0x00000000046D0000-0x00000000046E0000-memory.dmp

Filesize
64KB

Download
memory/1112-509-0x00000000046D0000-0x00000000046E0000-memory.dmp

Filesize
64KB

Download
memory/1112-498-0x000000006D760000-0x000000006DAB0000-memory.dmp

Filesize
3.3MB

Download
memory/1112-321-0x0000000007DE0000-0x0000000007E0A000-memory.dmp

Filesize
168KB

Download
memory/1112-205-0x0000000009070000-0x0000000009115000-memory.dmp

Filesize
660KB

Download
memory/1112-40-0x00000000046D0000-0x00000000046E0000-memory.dmp

Filesize
64KB

Download
memory/1112-193-0x000000006D700000-0x000000006D74B000-memory.dmp

Filesize
300KB

Download
memory/1112-42-0x00000000074E0000-0x0000000007546000-memory.dmp

Filesize
408KB

Download
memory/1112-195-0x000000007EDD0000-0x000000007EDE0000-memory.dmp

Filesize
64KB

Download
memory/1112-549-0x00000000726E0000-0x0000000072DCE000-memory.dmp

Filesize
6.9MB

Download
memory/1112-102-0x0000000006890000-0x00000000068CC000-memory.dmp

Filesize
240KB

Download
memory/1932-192-0x000000006D700000-0x000000006D74B000-memory.dmp

Filesize
300KB

Download
memory/1932-36-0x0000000006BE0000-0x0000000006BF0000-memory.dmp

Filesize
64KB

Download
memory/1932-139-0x0000000008FE0000-0x0000000009056000-memory.dmp

Filesize
472KB

Download
memory/1932-152-0x0000000009A60000-0x000000000A0D8000-memory.dmp

Filesize
6.5MB

Download
memory/1932-26-0x00000000726E0000-0x0000000072DCE000-memory.dmp

Filesize
6.9MB

Download
memory/1932-47-0x0000000007E20000-0x0000000007E6B000-memory.dmp

Filesize
300KB

Download
memory/1932-533-0x00000000726E0000-0x0000000072DCE000-memory.dmp

Filesize
6.9MB

Download
memory/1932-189-0x00000000094A0000-0x00000000094D3000-memory.dmp

Filesize
204KB

Download
memory/1932-43-0x0000000007A30000-0x0000000007D80000-memory.dmp

Filesize
3.3MB

Download
memory/1932-34-0x0000000007220000-0x0000000007848000-memory.dmp

Filesize
6.2MB

Download
memory/1932-196-0x0000000009480000-0x000000000949E000-memory.dmp

Filesize
120KB

Download
memory/1932-41-0x0000000007100000-0x0000000007166000-memory.dmp

Filesize
408KB

Download
memory/1932-191-0x000000007F5D0000-0x000000007F5E0000-memory.dmp

Filesize
64KB

Download
memory/1932-38-0x0000000006BE0000-0x0000000006BF0000-memory.dmp

Filesize
64KB

Download
memory/1932-501-0x0000000006BE0000-0x0000000006BF0000-memory.dmp

Filesize
64KB

Download
memory/1932-500-0x0000000006BE0000-0x0000000006BF0000-memory.dmp

Filesize
64KB

Download
memory/1932-39-0x0000000006F60000-0x0000000006F82000-memory.dmp

Filesize
136KB

Download
memory/1932-485-0x00000000095C0000-0x00000000095E2000-memory.dmp

Filesize
136KB

Download
memory/1932-499-0x000000006D760000-0x000000006DAB0000-memory.dmp

Filesize
3.3MB

Download
memory/2460-37-0x0000000006850000-0x0000000006860000-memory.dmp

Filesize
64KB

Download
memory/2460-267-0x00000000726E0000-0x0000000072DCE000-memory.dmp

Filesize
6.9MB

Download
memory/2460-255-0x0000000006850000-0x0000000006860000-memory.dmp

Filesize
64KB

Download
memory/2460-46-0x0000000007C90000-0x0000000007CAC000-memory.dmp

Filesize
112KB

Download
memory/2460-33-0x0000000006850000-0x0000000006860000-memory.dmp

Filesize
64KB

Download
memory/2460-194-0x00000000093C0000-0x0000000009452000-memory.dmp

Filesize
584KB

Download
memory/2460-29-0x0000000006810000-0x0000000006846000-memory.dmp

Filesize
216KB

Download
memory/2460-190-0x0000000009F70000-0x000000000A46E000-memory.dmp

Filesize
5.0MB

Download
memory/2460-30-0x00000000726E0000-0x0000000072DCE000-memory.dmp

Filesize
6.9MB

Download
memory/2460-153-0x0000000008F60000-0x0000000008F7A000-memory.dmp

Filesize
104KB

Download