fb0e1a5a8ce0287140caa53c632cde2d111014e14b7f42b8fae5b287aaa3736b

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2024, 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MENU.bat
Size

183KB
MD5

7d5957e6a5bb4c3ca187deea5ae7ccb6
SHA1

8ab3d729aa3a4b8b65bc7c55c20584f7f051c08d
SHA256

5fc67423b7525b9daf0c2cbd454206e2db1ca167c8fd6b8e390caae8797a6352
SHA512

782a687c23c5ff9c1472ba88a8e4f2bc9f2e6b268c4286eb7581e95cd42f00cf9761b025027773edef849fad542fdbb986c96b46489811c9441106e308310730
SSDEEP

3072:mA/9obuPb1dhnWpGy+9l1NRldjayM4m1EPBPbuE1m7:LFobuPb1yR+9l1NRldjbM4m1EZPbuE1G

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 37 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2424-0-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/2424-1-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/5068-2-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/5068-4-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/3320-6-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/5004-7-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/4488-9-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/1548-11-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/4692-13-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/4744-15-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/4812-16-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/4812-18-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/1092-20-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/2328-22-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/3560-24-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/620-26-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/1360-28-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/4012-30-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/3596-32-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/5000-34-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/3328-36-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/3740-37-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/3740-39-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/2152-40-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/2152-42-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/960-44-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/1668-46-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/1628-48-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/2896-50-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/1776-52-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/2316-54-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/1020-55-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/1020-57-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/4896-59-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/2224-60-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/4840-61-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral2/memory/2016-62-0x0000000000400000-0x0000000000416000-memory.dmp	upx

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	372	WMIC.exe
Token: SeSecurityPrivilege	372	WMIC.exe
Token: SeTakeOwnershipPrivilege	372	WMIC.exe
Token: SeLoadDriverPrivilege	372	WMIC.exe
Token: SeSystemProfilePrivilege	372	WMIC.exe
Token: SeSystemtimePrivilege	372	WMIC.exe
Token: SeProfSingleProcessPrivilege	372	WMIC.exe
Token: SeIncBasePriorityPrivilege	372	WMIC.exe
Token: SeCreatePagefilePrivilege	372	WMIC.exe
Token: SeBackupPrivilege	372	WMIC.exe
Token: SeRestorePrivilege	372	WMIC.exe
Token: SeShutdownPrivilege	372	WMIC.exe
Token: SeDebugPrivilege	372	WMIC.exe
Token: SeSystemEnvironmentPrivilege	372	WMIC.exe
Token: SeRemoteShutdownPrivilege	372	WMIC.exe
Token: SeUndockPrivilege	372	WMIC.exe
Token: SeManageVolumePrivilege	372	WMIC.exe
Token: 33	372	WMIC.exe
Token: 34	372	WMIC.exe
Token: 35	372	WMIC.exe
Token: 36	372	WMIC.exe
Token: SeIncreaseQuotaPrivilege	372	WMIC.exe
Token: SeSecurityPrivilege	372	WMIC.exe
Token: SeTakeOwnershipPrivilege	372	WMIC.exe
Token: SeLoadDriverPrivilege	372	WMIC.exe
Token: SeSystemProfilePrivilege	372	WMIC.exe
Token: SeSystemtimePrivilege	372	WMIC.exe
Token: SeProfSingleProcessPrivilege	372	WMIC.exe
Token: SeIncBasePriorityPrivilege	372	WMIC.exe
Token: SeCreatePagefilePrivilege	372	WMIC.exe
Token: SeBackupPrivilege	372	WMIC.exe
Token: SeRestorePrivilege	372	WMIC.exe
Token: SeShutdownPrivilege	372	WMIC.exe
Token: SeDebugPrivilege	372	WMIC.exe
Token: SeSystemEnvironmentPrivilege	372	WMIC.exe
Token: SeRemoteShutdownPrivilege	372	WMIC.exe
Token: SeUndockPrivilege	372	WMIC.exe
Token: SeManageVolumePrivilege	372	WMIC.exe
Token: 33	372	WMIC.exe
Token: 34	372	WMIC.exe
Token: 35	372	WMIC.exe
Token: 36	372	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 2616	2488	cmd.exe	82
PID 2488 wrote to memory of 2616	2488	cmd.exe	82
PID 2488 wrote to memory of 3300	2488	cmd.exe	83
PID 2488 wrote to memory of 3300	2488	cmd.exe	83
PID 2488 wrote to memory of 4700	2488	cmd.exe	84
PID 2488 wrote to memory of 4700	2488	cmd.exe	84
PID 2488 wrote to memory of 1308	2488	cmd.exe	86
PID 2488 wrote to memory of 1308	2488	cmd.exe	86
PID 2488 wrote to memory of 1552	2488	cmd.exe	87
PID 2488 wrote to memory of 1552	2488	cmd.exe	87
PID 2488 wrote to memory of 372	2488	cmd.exe	88
PID 2488 wrote to memory of 372	2488	cmd.exe	88
PID 2488 wrote to memory of 952	2488	cmd.exe	89
PID 2488 wrote to memory of 952	2488	cmd.exe	89
PID 2488 wrote to memory of 4508	2488	cmd.exe	92
PID 2488 wrote to memory of 4508	2488	cmd.exe	92
PID 2488 wrote to memory of 404	2488	cmd.exe	94
PID 2488 wrote to memory of 404	2488	cmd.exe	94
PID 2488 wrote to memory of 3968	2488	cmd.exe	95
PID 2488 wrote to memory of 3968	2488	cmd.exe	95
PID 2488 wrote to memory of 3844	2488	cmd.exe	96
PID 2488 wrote to memory of 3844	2488	cmd.exe	96
PID 2488 wrote to memory of 4820	2488	cmd.exe	97
PID 2488 wrote to memory of 4820	2488	cmd.exe	97
PID 2488 wrote to memory of 5116	2488	cmd.exe	98
PID 2488 wrote to memory of 5116	2488	cmd.exe	98
PID 2488 wrote to memory of 2920	2488	cmd.exe	99
PID 2488 wrote to memory of 2920	2488	cmd.exe	99
PID 2488 wrote to memory of 1080	2488	cmd.exe	100
PID 2488 wrote to memory of 1080	2488	cmd.exe	100
PID 2488 wrote to memory of 2168	2488	cmd.exe	101
PID 2488 wrote to memory of 2168	2488	cmd.exe	101
PID 2488 wrote to memory of 4636	2488	cmd.exe	102
PID 2488 wrote to memory of 4636	2488	cmd.exe	102
PID 2488 wrote to memory of 4532	2488	cmd.exe	103
PID 2488 wrote to memory of 4532	2488	cmd.exe	103
PID 2488 wrote to memory of 4664	2488	cmd.exe	104
PID 2488 wrote to memory of 4664	2488	cmd.exe	104
PID 2488 wrote to memory of 4268	2488	cmd.exe	105
PID 2488 wrote to memory of 4268	2488	cmd.exe	105
PID 2488 wrote to memory of 5064	2488	cmd.exe	106
PID 2488 wrote to memory of 5064	2488	cmd.exe	106
PID 2488 wrote to memory of 3288	2488	cmd.exe	107
PID 2488 wrote to memory of 3288	2488	cmd.exe	107
PID 2488 wrote to memory of 5104	2488	cmd.exe	108
PID 2488 wrote to memory of 5104	2488	cmd.exe	108
PID 2488 wrote to memory of 5088	2488	cmd.exe	109
PID 2488 wrote to memory of 5088	2488	cmd.exe	109
PID 2488 wrote to memory of 4028	2488	cmd.exe	110
PID 2488 wrote to memory of 4028	2488	cmd.exe	110
PID 2488 wrote to memory of 3436	2488	cmd.exe	111
PID 2488 wrote to memory of 3436	2488	cmd.exe	111
PID 2488 wrote to memory of 2164	2488	cmd.exe	112
PID 2488 wrote to memory of 2164	2488	cmd.exe	112
PID 2488 wrote to memory of 2056	2488	cmd.exe	113
PID 2488 wrote to memory of 2056	2488	cmd.exe	113
PID 2488 wrote to memory of 1312	2488	cmd.exe	114
PID 2488 wrote to memory of 1312	2488	cmd.exe	114
PID 2488 wrote to memory of 4420	2488	cmd.exe	115
PID 2488 wrote to memory of 4420	2488	cmd.exe	115
PID 2488 wrote to memory of 3336	2488	cmd.exe	116
PID 2488 wrote to memory of 3336	2488	cmd.exe	116
PID 2488 wrote to memory of 3652	2488	cmd.exe	117
PID 2488 wrote to memory of 3652	2488	cmd.exe	117

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MENU.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Windows\system32\chcp.com
  chcp 866
  2⤵
  PID:2616
- C:\Windows\system32\reg.exe
  reg query "HKU\S-1-5-19"
  2⤵
  PID:3300
- C:\Windows\system32\mode.com
  Mode 81,37
  2⤵
  PID:4700
- C:\Users\Admin\AppData\Local\Temp\Work\nircmd.exe
  nircmd win center foreground
  2⤵
  PID:1308
- C:\Users\Admin\AppData\Local\Temp\Work\nircmd.exe
  nircmd win settext foreground "CMEditor"
  2⤵
  PID:1552
- C:\Windows\System32\Wbem\WMIC.exe
  wmic os get caption /Format:List
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:372
- C:\Windows\system32\find.exe
  find /i "11"
  2⤵
  PID:952
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"
  2⤵
  PID:4508
- C:\Windows\system32\reg.exe
  reg query "HKCR\Folder\ShellEx\ContextMenuHandlers\Library Location"
  2⤵
  PID:404
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Folder\shell\pintohome"
  2⤵
  PID:3968
- C:\Windows\system32\reg.exe
  reg query "HKCR\exefile\shellex\ContextMenuHandlers\Compatibility"
  2⤵
  PID:3844
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\exefile\shell\runasuser" /v "ProgrammaticAccessOnly"
  2⤵
  PID:4820
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ModernSharing"
  2⤵
  PID:5116
- C:\Windows\system32\reg.exe
  reg query "HKCR\AllFilesystemObjects\shellex\ContextMenuHandlers\SendTo"
  2⤵
  PID:2920
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{470C0EBD-5D73-4d58-9CED-E91E22E23282}"
  2⤵
  PID:1080
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{596AB062-B4D2-4215-9F74-E9109B0A8153}"
  2⤵
  PID:2168
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\CLSID\{7AD84985-87B4-4a16-BE58-8B72A5B390F7}"
  2⤵
  PID:4636
- C:\Windows\system32\reg.exe
  reg query "HKCR\*\shellex\ContextMenuHandlers\{90AA3A4E-1CBA-4233-B8BB-535773D48449}"
  2⤵
  PID:4532
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Folder\shell\opennewprocess"
  2⤵
  PID:4664
- C:\Windows\system32\reg.exe
  reg query "HKCR\SystemFileAssociations\.bmp\ShellEx\ContextMenuHandlers\ShellImagePreview"
  2⤵
  PID:4268
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\txtfile\shell\print" /v "ProgrammaticAccessOnly"
  2⤵
  PID:5064
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\DesktopBackground\Shell\Display"
  2⤵
  PID:3288
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\DesktopBackground\Shell\Personalize" /v "ProgrammaticAccessOnly"
  2⤵
  PID:5104
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\exefile\shell\runas" /v "ProgrammaticAccessOnly"
  2⤵
  PID:5088
- C:\Windows\system32\reg.exe
  reg query "HKCR\SystemFileAssociations\.jpeg\Shell\setdesktopwallpaper" /v "ProgrammaticAccessOnly"
  2⤵
  PID:4028
- C:\Windows\system32\reg.exe
  reg query "HKCR\DesktopBackground\shellex\ContextMenuHandlers\DesktopSlideshow"
  2⤵
  PID:3436
- C:\Windows\system32\reg.exe
  reg query "HKCR\DesktopBackground\Shell\Display"
  2⤵
  PID:2164
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Directory\shell\Powershell" /v "ProgrammaticAccessOnly"
  2⤵
  PID:2056
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Directory\background\shell\Powershell" /v "ProgrammaticAccessOnly"
  2⤵
  PID:1312
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Drive\shell\Powershell" /v "ProgrammaticAccessOnly"
  2⤵
  PID:4420
- C:\Windows\system32\reg.exe
  reg query "HKCR\AllFilesystemObjects\shellex\ContextMenuHandlers\CopyAsPathMenu"
  2⤵
  PID:3336
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Directory\shell\cmd" /v "HideBasedOnVelocityId"
  2⤵
  PID:3652
- C:\Windows\system32\reg.exe
  reg query "HKLM\Software\Classes\Directory\background\shell\cmd" /v "HideBasedOnVelocityId"
  2⤵
  PID:3660
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0a} Зеленым {08}цветом - пункт удален; {0c}красным{08} - показывается{\n #}{\n #}
  2⤵
  PID:2424
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {08} 0{#} {08}Windows 11{\n #}
  2⤵
  PID:5068
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 1{#} {0c}Предоставить доступ{\n #}
  2⤵
  PID:3320
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 2{#} {0c}Добавить в библиотеку{\n #}
  2⤵
  PID:5004
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 3{#} {0c}Закрепить на панели быстрого доступа{\n #}
  2⤵
  PID:4488
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 4{#} {0c}Исправление проблем с совместимостью{\n #}
  2⤵
  PID:1548
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 5{#} {0c}Запуск от имени другого пользователя{\n #}
  2⤵
  PID:4692
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 6{#} {0c}Отправить [поделиться]{\n #}
  2⤵
  PID:4744
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 7{#} {0c}Отправить [в программу]{#} {08}| {0e}70 - Дополнительные настройки{\n #}
  2⤵
  PID:4812
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 8{#} {0c}Закрепить на начальном экране{\n #}
  2⤵
  PID:1092
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f} 9{#} {0c}Восстановить прежнюю версию{\n #}
  2⤵
  PID:2328
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}10{#} {0c}Отправить на устройство{\n #}
  2⤵
  PID:3560
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}11{#} {0c}Закрепить на панели задач{\n #}
  2⤵
  PID:620
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}12{#} {0c}Открыть в новом процессе{\n #}
  2⤵
  PID:1360
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}13{#} {0c}Повернуть право/влево{\n #}
  2⤵
  PID:4012
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}14{#} {0c}Печать{\n #}
  2⤵
  PID:3596
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}15{#} {0c}Параметры экрана{\n #}
  2⤵
  PID:5000
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}16{#} {0c}Персонализация {#}{08}| {0e}60 - Дополнительные настройки{\n #}
  2⤵
  PID:3328
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}17{#} {0c}Запуск от имени администратора {08}[bat/cmd/exe/lnk]{\n #}
  2⤵
  PID:3740
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}18{#} {0c}Следующее фоновое изображение рабочего стола{\n #}
  2⤵
  PID:2152
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}19{#} {0c}Сделать фоновым изображением рабочего стола{\n #}
  2⤵
  PID:960
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}20{#} {0c}Копировать как путь{\n #}
  2⤵
  PID:1668
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}21{#} {0c}Открыть окно PowerShell здесь{\n #}
  2⤵
  PID:1628
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}22{#} {0a}Открыть окно комманд{\n #}
  2⤵
  PID:2896
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {4f}77{04} Скрыть все пункты {4f}за раз{08} [1-18] [с подтверждением]{\n #}{\n #}
  2⤵
  PID:1776
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}23{#} {09}Другое{\n #}
  2⤵
  PID:2316
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}24{#} {0b}Рабочий стол и значок компьютер{\n #}
  2⤵
  PID:1020
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}25{#} {0b}Меню Создать{\n #}
  2⤵
  PID:4896
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}26{#} {0b}Панель задач {08}[сейчас {08}стандартное контекстное меню]{\n #}
  2⤵
  PID:2224
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}27{#} {0b}Win + X{\n #}
  2⤵
  PID:4840
- C:\Users\Admin\AppData\Local\Temp\Work\cecho.exe
  cecho.exe {0f}30{#} {3f}Проверить обновления{08} [{0e}текущая версия - {09}1.3.7{08}]{\n #}{\n #}
  2⤵
  PID:2016

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/620-26-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/960-44-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1020-57-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1020-55-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1092-20-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1360-28-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1548-11-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1628-48-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1668-46-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1776-52-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2016-62-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2152-42-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2152-40-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2224-60-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2316-54-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2328-22-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2424-0-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2424-1-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2896-50-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3320-6-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3328-36-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3560-24-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3596-32-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3740-39-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3740-37-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4012-30-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4488-9-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4692-13-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4744-15-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4812-16-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4812-18-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4840-61-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4896-59-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/5000-34-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/5004-7-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/5068-4-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/5068-2-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download