Analysis
  max time kernel: 151s
  max time network: 152s
  platform: windows10-2004_x64
  resource: win10v2004-20240802-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 09/08/2024, 07:19
Static task: static1
Behavioral task: behavioral1
  Sample: sogou_pinyin_guanwang_14.7.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: sogou_pinyin_guanwang_14.7.exe
  Resource: win10v2004-20240802-en
General
  Target: sogou_pinyin_guanwang_14.7.exe
  Size: 181.0MB
  MD5: 16140f97ed51c0dbfc3668fa7e96f807
  SHA1: 1bb9fef2f5770a1dc835b70e6ff8f2fff223d2f8
  SHA256: 6f1f614cc6f7e08a0749dfc8cc9946860c924410d0f3d2dae16cc7ce1b1976f1
  SHA512: c1efa4f6965e6ec012175d3aa63e807c4d2e1d6b8a4a1f6ecb74520bf618a3ae601a92f8373811e82ced545ffc1723c306856eb7b8a1ea5e627c6427e2866c2c
  SSDEEP: 3145728:448hObRuIVs6aVykHwhk8ts8sD/5rJspQXw62FNPOkqCgrc:0sRuWs6aysb/5rfowkqCgrc
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
  PID 4796  WindowsProgram.exe

Loads dropped DLL (8 IoCs)
  PID 2668  MsiExec.exe  (2 loads)
  PID 1288  MsiExec.exe  (6 loads)

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\Desktop\\WindowsProgram.exe"  by WindowsProgram.exe
  Note: the value is written under the interactive user's hive (HKU\<SID>), so it persists without elevation, and the image it points at lives on the user's Desktop rather than in an install directory.
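A host-side check for the persistence IoC above, written as an added example (not code from the report or from Sogou): it parses the text that `reg query` prints for the per-user Run key and rates each autostart image by where it lives. The sample output is constructed; only the WindowsProgram.exe line mirrors the report, the value name `(Default)` is an assumption (the report shows an empty name), and the OneDrive and Acrobat values are invented to show that "user-writable" alone is not a good rule, since legitimate per-user software runs from AppData\Local.

```python
import re

# Constructed sample of what
#   reg query "HKU\<SID>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# prints. Only the WindowsProgram.exe line mirrors the report's IoC (the value
# name "(Default)" is assumed); the other two values are made up for the test.
SAMPLE_REG_QUERY = r"""
HKEY_USERS\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    (Default)    REG_SZ    C:\Users\Admin\Desktop\WindowsProgram.exe
    OneDrive    REG_SZ    "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Acrobat Assistant    REG_SZ    "C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\Acrotray.exe"
"""

# Per-user subfolders where an autostart image is almost never legitimate.
HIGH_RISK_USER_SUBDIRS = ("desktop\\", "downloads\\", "appdata\\local\\temp\\")
# Machine-wide locations that non-admin users can write to.
HIGH_RISK_ROOTS = ("c:\\windows\\temp\\", "c:\\temp\\")
# Admin-only locations; a Run value pointing here is the normal case.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def image_path_from_command(cmd: str) -> str:
    """Return the executable path from a Run value's data.

    Handles a quoted path followed by arguments, an unquoted path containing
    spaces (tokens are joined up to the first one ending in .exe) and a bare path.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    tokens = cmd.split()
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(".exe"):
            return " ".join(tokens[: i + 1])
    return tokens[0] if tokens else ""


def classify_autostart(image: str) -> str:
    """Rate an autostart image as "high", "medium" or "low" risk by its location."""
    p = image.lower().replace("/", "\\")
    if p.startswith("c:\\users\\"):
        user, _, rel = p[len("c:\\users\\"):].partition("\\")
        # Public is writable by every interactive user; Desktop, Downloads and
        # Temp are drop locations, not install locations.
        if user == "public" or rel.startswith(HIGH_RISK_USER_SUBDIRS):
            return "high"
        # AppData\Local hosts legitimate per-user installs, so it is only
        # medium on its own and needs the image's signature checked next.
        return "medium"
    if p.startswith(HIGH_RISK_ROOTS):
        return "high"
    if p.startswith(TRUSTED_ROOTS):
        return "low"
    return "medium"  # other drives, UNC paths, %VAR% expansions: review by hand


def parse_reg_query(text: str) -> list:
    """Parse `reg query` output into one dict per Run value, with a risk rating."""
    entries = []
    key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            key = line.strip()  # an unindented line is the key path
            continue
        # reg.exe separates value name, type and data with four spaces, so a
        # value name containing a single space (e.g. "Acrobat Assistant") survives.
        fields = re.split(r"\s{4,}", line.strip())
        if len(fields) < 3:
            continue
        name, reg_type, data = fields[0], fields[1], "    ".join(fields[2:])
        image = image_path_from_command(data)
        entries.append({"key": key, "name": name, "type": reg_type, "data": data,
                        "image": image, "risk": classify_autostart(image)})
    return entries


if __name__ == "__main__":
    for e in parse_reg_query(SAMPLE_REG_QUERY):
        print(f'{e["risk"]:6} {e["name"]:18} {e["image"]}')
```

Run it against real output by piping `reg query` into the parser; the "medium" bucket is where Authenticode checks and known-good hash lists do the rest of the work.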
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) \??\<letter>:, grouped by process (the report names the process but not the PID, so both msiexec.exe instances are merged). Letters in order of first appearance; the msiexec.exe list repeats letters across its 38 rows.
    msiexec.exe (38 rows): J, K, S, Y, E, X, Z, U, A, B, M, R, G, H, N, L, I, P, W, T, O, Q
    WindowsProgram.exe (12 rows): O, Q, S, I, J, P, X, R, V, Y, Z, B
    sogou_pinyin_guanwang_14.7.exe (14 rows): B, H, L, J, M, W, X, A, E, I, R, P, Q, U
  Note: a per-letter drive probe is routine for an installer looking for volumes; it is only notable for WindowsProgram.exe because of the other behaviours attributed to that process below.

Suspicious use of NtSetInformationThreadHideFromDebugger (17 IoCs)
  PID 4796  WindowsProgram.exe  (17 calls)
  Note: ThreadHideFromDebugger stops the calling thread from delivering debug events, a classic anti-debugging move; none of the installer processes do this.

Drops file in Windows directory (13 IoCs)
  File opened for modification  C:\Windows\Installer\e57e88b.msi  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSIE908.tmp  msiexec.exe
  File created                  C:\Windows\Installer\inprogressinstallinfo.ipi  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSIE9B6.tmp  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSIEA74.tmp  msiexec.exe
  File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSIEA54.tmp  msiexec.exe
  File created                  C:\Windows\Installer\SourceHash{84F431C8-956B-44C5-9213-30D4E181022F}  msiexec.exe
  File created                  C:\Windows\Installer\e57e88b.msi  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSIE986.tmp  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSIE9F5.tmp  msiexec.exe
  File opened for modification  C:\Windows\Installer\  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSIF33F.tmp  msiexec.exe
  Note: every write is by the Windows Installer service process into its own cache (C:\Windows\Installer) plus the ngen.log it touches when compiling a .NET assembly; these are expected for an MSI install.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MsiExec.exe  (2 rows)
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  msiexec.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WindowsProgram.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sogou_pinyin_guanwang_14.7.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Key opened        \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  WindowsProgram.exe
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  WindowsProgram.exe

Enumerates system info in registry (2 TTPs, 2 IoCs)
  Key opened        \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  WindowsProgram.exe
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  WindowsProgram.exe
  Note: CPU ~MHz and BIOS SystemManufacturer are the two values most commonly compared against virtualisation vendor strings; together with the anti-debug calls above, this is the sandbox-awareness profile of WindowsProgram.exe, not of the installer.

Suspicious behavior: EnumeratesProcesses (16 IoCs)
  PID 2932  msiexec.exe  (4 rows)
  PID 4796  WindowsProgram.exe  (12 rows)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 2040  7zFM.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs; the table is capped at 64 rows)
  Token: SeSecurityPrivilege  2932  msiexec.exe
  PID 3168 sogou_pinyin_guanwang_14.7.exe requests the same 29 privileges, in this order, on every pass; the report shows two complete passes and a third cut off after SeMachineAccountPrivilege by the row cap:
    SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  Note: walking the whole privilege list in order is what a blanket "enable everything in my token" loop looks like, a habit of setup stubs rather than a targeted SeDebugPrivilege grab; the installer service process (2932) asked only for SeSecurityPrivilege.

Suspicious use of FindShellTrayWindow (5 IoCs)
  PID 3168  sogou_pinyin_guanwang_14.7.exe
  PID 1280  msiexec.exe  (2 rows)
  PID 2040  7zFM.exe  (2 rows)

Suspicious use of WriteProcessMemory (9 IoCs)
  PID 2932  msiexec.exe                     wrote to memory of 2668  (procid_target 92)  3 rows
  PID 3168  sogou_pinyin_guanwang_14.7.exe  wrote to memory of 1280  (procid_target 93)  3 rows
  PID 2932  msiexec.exe                     wrote to memory of 1288  (procid_target 94)  3 rows
  Note: each target is the writer's own direct child in the process tree below (2668 and 1288 are the MsiExec.exe -Embedding servers started by 2932; 1280 is the msiexec.exe started by 3168), which is the parent-side write that accompanies process creation, not injection into an unrelated process.
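The signature tables above are capped at 64 rows and list every instance of a process under the same name, so per-PID attribution has to be rebuilt from the flattened text. The following Python is an added example, not part of the report, that parses short excerpts copied from three of the tables (the excerpts are labelled in the code) and answers the two triage questions a reviewer actually has: which distinct privileges each PID requested once repeats are collapsed, and whether every WriteProcessMemory target is the writer's own child according to the process tree. The `PARENT_OF` map is transcribed from the tree on this page; the `procid_target` column is the sandbox's own index, not a Windows PID, and is parsed but not used.

```python
import re
from collections import Counter

# Excerpts copied from the report's flattened signature tables (shortened; the
# parsers do not depend on the length). Rows repeat because the sandbox logs
# one row per call and merges all instances of a process name.
ADJUST_PRIV = (
    "Token: SeSecurityPrivilege 2932 msiexec.exe "
    "Token: SeCreateTokenPrivilege 3168 sogou_pinyin_guanwang_14.7.exe "
    "Token: SeDebugPrivilege 3168 sogou_pinyin_guanwang_14.7.exe "
    "Token: SeCreateTokenPrivilege 3168 sogou_pinyin_guanwang_14.7.exe "  # second pass
)
WRITE_PROCESS_MEMORY = (
    "PID 2932 wrote to memory of 2668 2932 msiexec.exe 92 "
    "PID 2932 wrote to memory of 2668 2932 msiexec.exe 92 "
    "PID 3168 wrote to memory of 1280 3168 sogou_pinyin_guanwang_14.7.exe 93 "
    "PID 2932 wrote to memory of 1288 2932 msiexec.exe 94 "
)
HIDE_FROM_DEBUGGER = "4796 WindowsProgram.exe " * 17

# child PID -> parent PID, transcribed from the process tree on this page.
PARENT_OF = {1280: 3168, 2668: 2932, 1288: 2932}

PRIV_RE = re.compile(r"Token:\s+(Se\w+Privilege)\s+(\d+)\s+(\S+)")
# "PID <src> wrote to memory of <dst> <src> <image> <procid_target>"; the
# backreference \1 pins the repeated source PID so rows cannot be mis-split.
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")
PID_PROC_RE = re.compile(r"(\d+)\s+(\S+\.exe)")


def privileges_by_pid(text: str) -> dict:
    """Collapse repeated AdjustPrivilegeToken rows into the distinct set per PID."""
    out = {}
    for priv, pid, image in PRIV_RE.findall(text):
        rec = out.setdefault(int(pid), {"image": image, "privileges": set(), "events": 0})
        rec["privileges"].add(priv)
        rec["events"] += 1
    return out


def memory_write_targets(text: str, parent_of: dict) -> list:
    """Return (src, dst, relation) per WriteProcessMemory row.

    relation is "child" when the target is a direct child of the writer (the
    write a parent performs while starting a child), else "unrelated", which
    is the case worth treating as possible injection.
    """
    rows = []
    for src, dst, _image, _target_idx in WRITE_RE.findall(text):
        src, dst = int(src), int(dst)
        rows.append((src, dst, "child" if parent_of.get(dst) == src else "unrelated"))
    return rows


def count_pid_process(text: str) -> Counter:
    """Count rows of a plain 'pid Process' table per (PID, image) pair."""
    return Counter((int(pid), image) for pid, image in PID_PROC_RE.findall(text))


def triage(adjust_priv=ADJUST_PRIV, writes=WRITE_PROCESS_MEMORY, hide=HIDE_FROM_DEBUGGER):
    """One-screen summary: privileges per PID, injection candidates, anti-debug calls."""
    privs = privileges_by_pid(adjust_priv)
    unrelated = [r for r in memory_write_targets(writes, PARENT_OF) if r[2] != "child"]
    anti_debug = count_pid_process(hide)
    return {"privileges": privs, "unrelated_writes": unrelated, "hide_from_debugger": anti_debug}


if __name__ == "__main__":
    t = triage()
    for pid, rec in sorted(t["privileges"].items()):
        print(f'{pid} {rec["image"]}: {len(rec["privileges"])} distinct privileges '
              f'over {rec["events"]} rows')
    print("WriteProcessMemory outside parent->child:", t["unrelated_writes"] or "none")
    print("ThreadHideFromDebugger calls:", dict(t["hide_from_debugger"]))
```

On the full tables from this page the same code reduces 63 rows for PID 3168 to 29 distinct privileges and reports no WriteProcessMemory row whose target is not the writer's child, which is the evidence behind the notes attached to those two signatures above.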
Processes
  C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang_14.7.exe  (PID 3168)
    Command line: "C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang_14.7.exe"
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\msiexec.exe  (PID 1280, child of 3168; the command line names system32, but the 32-bit parent's reference is redirected to the SysWOW64 copy)
      Command line: "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Sogou.com\搜狗输入法 14.7.0.9739\install\sogou_pinyin_guanwang.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang_14.7.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1722947364 " AI_EUIMSI=""
      - Enumerates connected drives
      - System Location Discovery: System Language Discovery
      - Suspicious use of FindShellTrayWindow

  C:\Windows\system32\msiexec.exe  (PID 2932; the Windows Installer service process, started with /V)
    Command line: C:\Windows\system32\msiexec.exe /V
    - Enumerates connected drives
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\syswow64\MsiExec.exe  (PID 2668, child of 2932; out-of-process custom action server)
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding FA8AEDCA6CE18340FCF835F5C9798410 C
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
    C:\Windows\syswow64\MsiExec.exe  (PID 1288, child of 2932; out-of-process custom action server)
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 794D5D39EC2752E5F69D853891646A3F
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery

  C:\Windows\System32\rundll32.exe  (PID 4168)
    Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    (no signatures)

  C:\Program Files\7-Zip\7zFM.exe  (PID 2040; top-level, no parent recorded)
    Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Roaming\Sogou.com\搜狗输入法 14.7.0.9739\install\sogou_pinyin_guanwang1.cab"
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow

  C:\Users\Admin\Desktop\WindowsProgram.exe  (PID 4796; top-level, no parent recorded)
    Command line: "C:\Users\Admin\Desktop\WindowsProgram.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Enumerates connected drives
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses

  Note: every persistence, anti-debug and sandbox-check signature in this report belongs to WindowsProgram.exe, which the tree shows as a top-level process with no recorded parent, not as a child of the Sogou installer chain; the report lists no file-write IoC showing which process placed it on the Desktop, so the link between the installer and that binary is not established by this page.
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 587KB
    MD5: c7fbd5ee98e32a77edf1156db3fca622
    SHA1: 3e534fc55882e9fb940c9ae81e6f8a92a07125a0
    SHA256: e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6
    SHA512: 8691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a
  Filesize: 2.2MB
    MD5: 09cc7a4f9941ec8c61971533d12eb8f6
    SHA1: 8c2d26b91b33c40c25974a1e02d9e54b189704d5
    SHA256: 305c4c3b9a8bd7315fc1f5ab7169954ca66b5864ce982a72b0a631b7b7899f63
    SHA512: 367c0cc9133506cbfaf43e362b4746743ebb40c7a871ed4acdb7db89344ccff260a5a6249654ee294a7d32a5bb3ece60004cfca91f1e2e7635a273fcac5928a3
  Filesize: 28.2MB
    MD5: 31e192a798661adc9a37287375988931
    SHA1: f66408525050f5ab3d2490c10834f6c18f34569d
    SHA256: 6530c6a77435fca60a22a10a076c482642bc38515506c1345bf30ae65455bf31
    SHA512: bb2de787ee26be7792ecb5bf0442ed3bfdfd5c93411378ee65c00c0c2f00003f7aa37b31f42ceca1063dd86791da3ae32902c2c7a9f62db1e3583ef9ff01fdaa
  Filesize: 709KB
    MD5: 89136bfd28a2e1ec6b6d841214e1e670
    SHA1: 4c6aab98925cb556f7bf2dbbc9f7ed0da92ef2ab
    SHA256: 1a3c0e60aad0a3bb92a6e0b786df93920aed7b0c7ec56ab49f2692102ac5adec
    SHA512: 22237702745fe11a6f23a943f16a12f23b42fe04d87af6383afeccd854320f3a6961590a76ab6a04f020f9830fb3d9f8b34315ad007a5464dbdba2d543851812