d51d112f071390cb95010575572bdf3e0ad0a25b6b4bf83b41d6c59086cfedf7

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 16:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tg_proX64.exe
Size

70.9MB
MD5

a15fe81c0d0661a089e2d3d78213d52c
SHA1

049d9028f66a46d2f5127c1ce44feac95f6581a7
SHA256

d51d112f071390cb95010575572bdf3e0ad0a25b6b4bf83b41d6c59086cfedf7
SHA512

9bb25d15214ee6d897293bdd8c6e88deb2f8a2d2cf8d74abd4855c56049b09af41016d2d8f827fe072be36e3a1d6e2b19e4b36adc839e3a43e306b688cfcbf47
SSDEEP

1572864:T8VnWS8+lvp0kdu8RojQ5qATl2iUUeC/oIH4ecuiAxBtg:T8JyM6XjomiReMoIH4eoga

Score

10^/10

discovery

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2776 created 872	2776	svcorenos.exe	104

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\kernelquick.sys	svcorenos.exe
File created	C:\Windows\system32\drivers\kernelquick.sys	svcorenos.exe
File created	C:\Windows\system32\drivers\kernelquick.sys	svcorenos.exe
File opened for modification	C:\Windows\system32\drivers\kernelquick.sys	svcorenos.exe

Executes dropped EXE 9 IoCs

pid	Process
2404	tg_proX64.tmp
2776	svcorenos.exe
4972	svcorenos.exe
3872	svcorenos.exe
4440	svcorenos.exe
4500	svcorenos.exe
996	svcorenos.exe
1244	svcorenos.exe
3936	svdocbox.exe

Loads dropped DLL 13 IoCs

pid	Process
2776	svcorenos.exe
2776	svcorenos.exe
4972	svcorenos.exe
4972	svcorenos.exe
3872	svcorenos.exe
3872	svcorenos.exe
4500	svcorenos.exe
4500	svcorenos.exe
996	svcorenos.exe
996	svcorenos.exe
1244	svcorenos.exe
1244	svcorenos.exe
3936	svdocbox.exe

Unexpected DNS network traffic destination 2 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	103.215.78.57
Destination IP	103.215.78.57

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	svcorenos.exe
File opened (read-only)	\??\Z:	svcorenos.exe
File opened (read-only)	\??\B:	svcorenos.exe
File opened (read-only)	\??\G:	svcorenos.exe
File opened (read-only)	\??\Y:	svcorenos.exe
File opened (read-only)	\??\P:	svcorenos.exe
File opened (read-only)	\??\T:	svcorenos.exe
File opened (read-only)	\??\U:	svcorenos.exe
File opened (read-only)	\??\W:	svcorenos.exe
File opened (read-only)	\??\X:	svcorenos.exe
File opened (read-only)	\??\I:	svcorenos.exe
File opened (read-only)	\??\M:	svcorenos.exe
File opened (read-only)	\??\O:	svcorenos.exe
File opened (read-only)	\??\L:	svcorenos.exe
File opened (read-only)	\??\N:	svcorenos.exe
File opened (read-only)	\??\Q:	svcorenos.exe
File opened (read-only)	\??\R:	svcorenos.exe
File opened (read-only)	\??\S:	svcorenos.exe
File opened (read-only)	\??\E:	svcorenos.exe
File opened (read-only)	\??\H:	svcorenos.exe
File opened (read-only)	\??\K:	svcorenos.exe
File opened (read-only)	\??\V:	svcorenos.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\svcorenos\app-0.82.1\zlibwapi.dll	svcorenos.exe
File created	C:\Windows\svcorenos\app-0.82.1\libcurl.dll	svcorenos.exe
File opened for modification	C:\Windows\svcorenos\app-0.82.1\libcurl.dll	svcorenos.exe
File opened for modification	C:\Windows\svcorenos\app-0.82.1\zlibwapi.dll	svcorenos.exe
File created	C:\Windows\svcorenos\svcorenos.exe	svcorenos.exe
File opened for modification	C:\Windows\svcorenos\svcorenos.exe	svcorenos.exe
File created	C:\Windows\svcorenos\app-0.82.1\svcorenos.exe	svcorenos.exe
File opened for modification	C:\Windows\svcorenos\app-0.82.1\svcorenos.exe	svcorenos.exe
File created	C:\Windows\svcorenos\app-0.82.1\checkUpdater.cfg	svcorenos.exe
File opened for modification	C:\Windows\svcorenos\app-0.82.1\checkUpdater.cfg	svcorenos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tg_proX64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tg_proX64.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svcorenos.exe

Modifies data under HKEY_USERS 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\3272b228006e\a7349afe5b7	svcorenos.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svcorenos.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\3272b228006e	svcorenos.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\3272b228006e\a7349afe5b7\592d10fa830fcd45891e3c1 = "1"	svcorenos.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

pid	Process
2404	tg_proX64.tmp
2404	tg_proX64.tmp
3872	svcorenos.exe
3872	svcorenos.exe
3872	svcorenos.exe
3872	svcorenos.exe
3872	svcorenos.exe
3872	svcorenos.exe
3872	svcorenos.exe
3872	svcorenos.exe
3872	svcorenos.exe
3872	svcorenos.exe
3872	svcorenos.exe
3872	svcorenos.exe
3872	svcorenos.exe
3872	svcorenos.exe
4500	svcorenos.exe
4500	svcorenos.exe
4500	svcorenos.exe
4500	svcorenos.exe
4500	svcorenos.exe
4500	svcorenos.exe
4500	svcorenos.exe
4500	svcorenos.exe
4500	svcorenos.exe
4500	svcorenos.exe
4500	svcorenos.exe
4500	svcorenos.exe
4500	svcorenos.exe
4500	svcorenos.exe
4500	svcorenos.exe
4500	svcorenos.exe
4500	svcorenos.exe
4500	svcorenos.exe
4500	svcorenos.exe
4500	svcorenos.exe
4500	svcorenos.exe
996	svcorenos.exe
996	svcorenos.exe
996	svcorenos.exe
996	svcorenos.exe
996	svcorenos.exe
996	svcorenos.exe
996	svcorenos.exe
996	svcorenos.exe
996	svcorenos.exe
996	svcorenos.exe
996	svcorenos.exe
996	svcorenos.exe
996	svcorenos.exe
996	svcorenos.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
660	Process not Found

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2404	tg_proX64.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
996	svcorenos.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4904 wrote to memory of 2404	4904	tg_proX64.exe	89
PID 4904 wrote to memory of 2404	4904	tg_proX64.exe	89
PID 4904 wrote to memory of 2404	4904	tg_proX64.exe	89
PID 2404 wrote to memory of 2776	2404	tg_proX64.tmp	102
PID 2404 wrote to memory of 2776	2404	tg_proX64.tmp	102
PID 2776 wrote to memory of 4972	2776	svcorenos.exe	105
PID 2776 wrote to memory of 4972	2776	svcorenos.exe	105
PID 4712 wrote to memory of 3872	4712	cmd.exe	107
PID 4712 wrote to memory of 3872	4712	cmd.exe	107
PID 4440 wrote to memory of 4500	4440	svcorenos.exe	109
PID 4440 wrote to memory of 4500	4440	svcorenos.exe	109
PID 4500 wrote to memory of 996	4500	svcorenos.exe	110
PID 4500 wrote to memory of 996	4500	svcorenos.exe	110
PID 3872 wrote to memory of 1244	3872	svcorenos.exe	111
PID 3872 wrote to memory of 1244	3872	svcorenos.exe	111
PID 996 wrote to memory of 3936	996	svcorenos.exe	112
PID 996 wrote to memory of 3936	996	svcorenos.exe	112

C:\Users\Admin\AppData\Local\Temp\tg_proX64.exe
"C:\Users\Admin\AppData\Local\Temp\tg_proX64.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Users\Admin\AppData\Local\Temp\is-KC8KJ.tmp\tg_proX64.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-KC8KJ.tmp\tg_proX64.tmp" /SL5="$C01BE,73296718,797696,C:\Users\Admin\AppData\Local\Temp\tg_proX64.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Users\Admin\AppData\Local\Programs\TGprozhver\svcorenos.exe
    "C:\Users\Admin\AppData\Local\Programs\TGprozhver\svcorenos.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\system32\newdev.exe
      C:\Windows\system32\newdev.exe
      4⤵
      PID:32
  - - C:\Windows\system32\computerdefaults.exe
      C:\Windows\system32\computerdefaults.exe
      4⤵
      PID:872
    - - C:\Users\Admin\AppData\Local\Programs\TGprozhver\svcorenos.exe
        
        C:\Users\Admin\AppData\Local\Programs\TGprozhver\svcorenos.exe bf96c055b 2776 "C:\Users\Admin\AppData\Local\Programs\TGprozhver\"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1284,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=3032 /prefetch:8
1⤵
PID:2324

C:\Windows\system32\cmd.exe
cmd /c start "" "C:\Users\Admin\AppData\Local\Programs\TGprozhver\svcorenos.exe" "184c8a2bf6" 4972 "C:\Users\Admin\AppData\Local\Programs\TGprozhver\"
1⤵
- Suspicious use of WriteProcessMemory
PID:4712
- C:\Users\Admin\AppData\Local\Programs\TGprozhver\svcorenos.exe
  "C:\Users\Admin\AppData\Local\Programs\TGprozhver\svcorenos.exe" "184c8a2bf6" 4972 "C:\Users\Admin\AppData\Local\Programs\TGprozhver\"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3872
- - C:\Windows\svcorenos\app-0.82.1\svcorenos.exe
    C:\Windows\svcorenos\app-0.82.1\svcorenos.exe 6cd6db2a6 4972 "C:\Users\Admin\AppData\Local\Programs\TGprozhver\"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1244

C:\Windows\svcorenos\svcorenos.exe
"C:\Windows\svcorenos\svcorenos.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4440
- C:\Windows\svcorenos\app-0.82.1\svcorenos.exe
  "C:\Windows\svcorenos\app-0.82.1\svcorenos.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4500
- - C:\Windows\svcorenos\app-0.82.1\svcorenos.exe
    "C:\Windows\svcorenos\app-0.82.1\svcorenos.exe" "cf673c40a9"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:996
  - - C:\Users\Admin\AppData\Local\Temp\svdocbox.exe
      C:\Users\Admin\AppData\Local\Temp\svdocbox.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Programs\TGprozhver\checkUpdater.cfg

Filesize
18.4MB

MD5
3de39b89ac8560ca121fec31ef952bc4

SHA1
771ba8254037708a91d714689d08eeaa64eb6570

SHA256
2fee036810339596c2b690977bcec0c1d9fe2079f1260de80b18057eb35f0ce2

SHA512
92d38671ec1f1a49d256d085f3ee0155615c8b86a6f5ee4a6d0da8772db2b893edf769d2017fdc21627773133da2c4255ded2b1b63b7d1e54745b57ce6cb2f4f

Download Submit
C:\Users\Admin\AppData\Local\Programs\TGprozhver\libcurl.dll

Filesize
556KB

MD5
6b2548cc404f3dd55634efa291fa98d0

SHA1
a076a60d99d70fd8aa7664a2534445a502febe27

SHA256
7ae384b8695d7a9c2b6640927cb6ac592229aef9ebeeb80b91d556777c6dfb5d

SHA512
14068e9e7d5f7e4494ffa75d369068234cdb050286d3356298e0387cf13d7681c0d68b57b6b299958c86ee3ae1dc3e54adc4c376e7b869d7d76fc2e91ed95009

Download Submit
C:\Users\Admin\AppData\Local\Programs\TGprozhver\svcorenos.exe

Filesize
2.2MB

MD5
6cf29dbf1fa710cccf6ba1c4c01f6b85

SHA1
a1debdb076c8c655e3d78c6ae82f1beba386a2ba

SHA256
f85ce4492e1354f8310027c5f70ef73aae654fcd8fd9a58034e4f82a41a9826b

SHA512
ebcc6599c33a80bb3e5c627a5f861fc9742d8558c4551544109288f80155885791a3f701af1aa7a4513cc5d121b77678a4cd46ca38a7bdd3cf7288e58e01f4f5

Download Submit
C:\Users\Admin\AppData\Local\Programs\TGprozhver\zlibwapi.dll

Filesize
6.2MB

MD5
9c34ad9143eae99e157961a41f43b9d1

SHA1
63d1d2798eccafc5ba6e308d1200eef620d65a8d

SHA256
1f9dc739a9e45fe5b8fa43bfea41c3d45212df95f21b952c7f969dbc0b57d389

SHA512
0229041ae0b8ebc44d313cc81a5d12a6e4d55123eec346652f9bf09df60537194cb34d0f2f39a7ecafd18e8678016b924d8f686d46a73da5f64ac00c7ae165c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DTLHWBoxDock64.dll

Filesize
4.5MB

MD5
e28c56ff824f4c3b4b2a689d108d91ed

SHA1
ee0fc0b1dbb8fe7af50571de7b285aad0ac06eb5

SHA256
5fe95b031b46b81dc4aa6915d5ea81a76385df78ba36dc305f5921c3d0475f9c

SHA512
d1a94047599e977389640cc8d5edff6fb3eae1df9be25b7a2e5cc479827903cc1018d3537e7b0594551a460ca00542a4384c129a9e2c3d17875be19fcfcec6b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KC8KJ.tmp\tg_proX64.tmp

Filesize
3.2MB

MD5
3f8d4835277b10465e0747b3d1c61fc7

SHA1
90561bc4041a447dff572401666680975943661d

SHA256
7b207e9fc0e6e7410b61c79534f3675945acd163e861a63649b7c3ad331c7ca4

SHA512
eea8e64f5a2c88c237b70a23d1025d2740dc2898ae6d77e63f898748273ff72d0c5564744729faec1d544ae10af2f5cab84643ae9bcd87ca7e1df1769feacdcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\svdocbox.exe

Filesize
73KB

MD5
12538abf1a72475e6b7d0cd05cbb2359

SHA1
9f51a214b112a28dbd81cf03aa160560e2a3127c

SHA256
ad939835b9b87aed1c31ea3943cf42355b426d24faadae6e534d8e0a385b8b0a

SHA512
18581feb947bcb2195229b34da61040a988d5c7aa427e3217ffa7082c195b483bdd174a441b8dc103dd0f6605a275a707796fd08f589389fce7c431d1ba829b5

Download Submit
C:\Users\Admin\Desktop\TG-zh.lnk

Filesize
1KB

MD5
688b02f0f23d8f11033cc46300604be5

SHA1
9a93d3c3c8a788b078191c23df194492208b0f20

SHA256
c09108c4d83244ef425335d1c305c5e2e74e1715f2517b80251f1e16ee251807

SHA512
f12198fdebe726827d1c166663539762062bb5dbf07668ac1143d4f539fe3a3c48b39755eb16c78008ce5f279a8eaf7bd6a5aa4c6df992a595a47c4f7f640572

Download Submit
C:\Windows\svcorenos\app-0.82.1\zlibwapi.dll

Filesize
4.2MB

MD5
02b8105f3297ecb7e4dd0e94f83df4b6

SHA1
87673038d3832cdc2f574daf06135f4bb41170eb

SHA256
ffaa1755b4256cd210eae7f0e97fc27be76e1cc0c87da29c08b5be0d7c7815cf

SHA512
21e1ce524692c2fc1660e726f85d296ac8dbb2b4291d7e115b3f37590761d4b79cc8f0ae33559d7e684f41a2ddcd7a4951c3126fbf67f68a5c31611027137316

Download Submit
C:\Windows\svcorenos\svcorenos.exe

Filesize
691KB

MD5
d0cd80eda106fc87730d2034e8c2d632

SHA1
4e6a0454867097a1966c9d9bd1af366cfe640baf

SHA256
d53225a068e183b7c2bc3b48766551547ab0a679cfb9e2ddfd1602e041517fcb

SHA512
fe362285e4ee767876156cb63859d41ff06cef04153f67c01bd29b082966216171cf1683f6bccf78faf7c3b380ffc5e951ee24f856edfee2edada2e6301122e5

Download Submit
memory/996-180-0x00007FFD3B250000-0x00007FFD3B8D5000-memory.dmp

Filesize
6.5MB

Download
memory/996-190-0x000002E792430000-0x000002E7947FF000-memory.dmp

Filesize
35.8MB

Download
memory/996-194-0x000002E792430000-0x000002E7947FF000-memory.dmp

Filesize
35.8MB

Download
memory/996-184-0x000002E792430000-0x000002E7947FF000-memory.dmp

Filesize
35.8MB

Download
memory/996-193-0x000002E792430000-0x000002E7947FF000-memory.dmp

Filesize
35.8MB

Download
memory/996-196-0x000002E795310000-0x000002E795A63000-memory.dmp

Filesize
7.3MB

Download
memory/996-201-0x000002E795310000-0x000002E795A63000-memory.dmp

Filesize
7.3MB

Download
memory/1244-189-0x000002723A5A0000-0x000002723C96F000-memory.dmp

Filesize
35.8MB

Download
memory/1244-185-0x00007FFD3B250000-0x00007FFD3B8D5000-memory.dmp

Filesize
6.5MB

Download
memory/2404-23-0x0000000000930000-0x0000000000C71000-memory.dmp

Filesize
3.3MB

Download
memory/2404-97-0x0000000000930000-0x0000000000C71000-memory.dmp

Filesize
3.3MB

Download
memory/2404-8-0x0000000000930000-0x0000000000C71000-memory.dmp

Filesize
3.3MB

Download
memory/2404-9-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/2404-6-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/2776-108-0x00007FF76C4B0000-0x00007FF76C6EC000-memory.dmp

Filesize
2.2MB

Download
memory/2776-117-0x00007FF76C4B0000-0x00007FF76C6EC000-memory.dmp

Filesize
2.2MB

Download
memory/2776-110-0x000001F224220000-0x000001F2265EF000-memory.dmp

Filesize
35.8MB

Download
memory/2776-107-0x000001F220AB0000-0x000001F221D1B000-memory.dmp

Filesize
18.4MB

Download
memory/2776-109-0x000001F224220000-0x000001F2265EF000-memory.dmp

Filesize
35.8MB

Download
memory/2776-102-0x00007FF76C566000-0x00007FF76C567000-memory.dmp

Filesize
4KB

Download
memory/2776-99-0x00007FFD3A140000-0x00007FFD3AB09000-memory.dmp

Filesize
9.8MB

Download
memory/3872-131-0x00007FFD3A140000-0x00007FFD3AB09000-memory.dmp

Filesize
9.8MB

Download
memory/3872-135-0x0000020022D00000-0x00000200250CF000-memory.dmp

Filesize
35.8MB

Download
memory/3872-137-0x0000020022D00000-0x00000200250CF000-memory.dmp

Filesize
35.8MB

Download
memory/4500-170-0x00000221EA780000-0x00000221ECB4F000-memory.dmp

Filesize
35.8MB

Download
memory/4500-171-0x00000221EA780000-0x00000221ECB4F000-memory.dmp

Filesize
35.8MB

Download
memory/4500-167-0x00000221EA780000-0x00000221ECB4F000-memory.dmp

Filesize
35.8MB

Download
memory/4500-166-0x00000221EA780000-0x00000221ECB4F000-memory.dmp

Filesize
35.8MB

Download
memory/4500-161-0x00007FFD3B250000-0x00007FFD3B8D5000-memory.dmp

Filesize
6.5MB

Download
memory/4904-0-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/4904-98-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/4904-7-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/4904-2-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/4972-124-0x00000210A88A0000-0x00000210AAC6F000-memory.dmp

Filesize
35.8MB

Download
memory/4972-122-0x00000210A88A0000-0x00000210AAC6F000-memory.dmp

Filesize
35.8MB

Download
memory/4972-118-0x00007FFD3A140000-0x00007FFD3AB09000-memory.dmp

Filesize
9.8MB

Download