c96b41fac848211321861fcf957e5f475a950c56f9024f792e5c9584f1fbd3ef

Analysis

max time kernel
299s
max time network
290s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 03:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

schet1074.15.03.16.rtf
Size

1.1MB
MD5

99289be18f8eff90737733fd7e1255c6
SHA1

736c1b31cb3735f301d8cd4981c24ad70d017083
SHA256

72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9
SHA512

351d9ab3c36dccbe591fdd7aa4cfc6e33e82c3a2dc07a829b79a99794b7184811307f749ddba7881eab4ed46660ae6b8214c1c41c974d9f8a3c934a786b0560e
SSDEEP

24576:kbKw4bfMpV7ceKPvi14LEt5k/W0DPwCna++V8TQheoP:TwOMAtPq18Et5k+qH+GTQZ

Score

10^/10

discovery persistence upx

Malware Config

Signatures

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.execmd.execmd.execmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1680	2948	cmd.exe	WINWORD.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1916	2948	cmd.exe	WINWORD.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1724	2948	cmd.exe	WINWORD.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1752	2948	cmd.exe	WINWORD.EXE

Executes dropped EXE 2 IoCs

Processes:

vmsk.exevmsk.exe

pid process

832 vmsk.exe
2400 vmsk.exe
Loads dropped DLL 3 IoCs

Processes:

WINWORD.EXEvmsk.exe

pid process

2948 WINWORD.EXE
2948 WINWORD.EXE
832 vmsk.exe

pid	process
832	vmsk.exe
2400	vmsk.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

vmsk.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	vmsk.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

vmsk.exe

description pid process target process

PID 832 set thread context of 2400 832 vmsk.exe vmsk.exe

description	pid	process	target process
PID 832 set thread context of 2400	832	vmsk.exe	vmsk.exe

UPX packed file 39 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral32/memory/2400-221-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral32/memory/2400-206-0x0000000000400000-0x0000000001400000-memory.dmp	upx
behavioral32/memory/2400-208-0x0000000000400000-0x0000000001400000-memory.dmp	upx
behavioral32/memory/2400-211-0x0000000000400000-0x0000000001400000-memory.dmp	upx
behavioral32/memory/2400-216-0x0000000000400000-0x0000000001400000-memory.dmp	upx
behavioral32/memory/2400-222-0x0000000000400000-0x0000000001400000-memory.dmp	upx
behavioral32/memory/2400-214-0x0000000000400000-0x0000000001400000-memory.dmp	upx
behavioral32/memory/2400-220-0x0000000000400000-0x0000000001400000-memory.dmp	upx
behavioral32/memory/2400-225-0x0000000000400000-0x0000000001400000-memory.dmp	upx
behavioral32/memory/2400-261-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral32/memory/2400-262-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral32/memory/2400-263-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral32/memory/2400-264-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral32/memory/2400-265-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral32/memory/2400-266-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral32/memory/2400-269-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral32/memory/2400-270-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral32/memory/2400-271-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral32/memory/2400-272-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral32/memory/2400-273-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral32/memory/2400-274-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral32/memory/2400-275-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral32/memory/2400-276-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral32/memory/2400-277-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral32/memory/2400-278-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral32/memory/2400-279-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral32/memory/2400-280-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral32/memory/2400-281-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral32/memory/2400-282-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral32/memory/2400-283-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral32/memory/2400-284-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral32/memory/2400-285-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral32/memory/2400-286-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral32/memory/2400-287-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral32/memory/2400-288-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral32/memory/2400-289-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral32/memory/2400-290-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral32/memory/2400-291-0x0000000000400000-0x00000000005D5000-memory.dmp	upx
behavioral32/memory/2400-292-0x0000000000400000-0x00000000005D5000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

vmsk.exevmsk.execmd.execmd.execmd.execmd.exereg.exeWINWORD.EXEreg.exereg.exeWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmsk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmsk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXEWINWORD.EXE

pid process

2948 WINWORD.EXE
1716 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

vmsk.exevmsk.exe

pid process

832 vmsk.exe
2400 vmsk.exe
2400 vmsk.exe

pid	process
832	vmsk.exe
2400	vmsk.exe
2400	vmsk.exe

Suspicious use of SetWindowsHookEx 23 IoCs

Processes:

WINWORD.EXEvmsk.exeWINWORD.EXE

pid	process
2948	WINWORD.EXE
2948	WINWORD.EXE
2948	WINWORD.EXE
2948	WINWORD.EXE
2948	WINWORD.EXE
2948	WINWORD.EXE
2948	WINWORD.EXE
2948	WINWORD.EXE
2948	WINWORD.EXE
2948	WINWORD.EXE
2948	WINWORD.EXE
2948	WINWORD.EXE
2948	WINWORD.EXE
2948	WINWORD.EXE
2948	WINWORD.EXE
2948	WINWORD.EXE
2948	WINWORD.EXE
2948	WINWORD.EXE
2948	WINWORD.EXE
2948	WINWORD.EXE
832	vmsk.exe
1716	WINWORD.EXE
1716	WINWORD.EXE

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

WINWORD.EXEvmsk.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2948 wrote to memory of 2972	2948	WINWORD.EXE	splwow64.exe
PID 2948 wrote to memory of 2972	2948	WINWORD.EXE	splwow64.exe
PID 2948 wrote to memory of 2972	2948	WINWORD.EXE	splwow64.exe
PID 2948 wrote to memory of 2972	2948	WINWORD.EXE	splwow64.exe
PID 2948 wrote to memory of 832	2948	WINWORD.EXE	vmsk.exe
PID 2948 wrote to memory of 832	2948	WINWORD.EXE	vmsk.exe
PID 2948 wrote to memory of 832	2948	WINWORD.EXE	vmsk.exe
PID 2948 wrote to memory of 832	2948	WINWORD.EXE	vmsk.exe
PID 832 wrote to memory of 2400	832	vmsk.exe	vmsk.exe
PID 832 wrote to memory of 2400	832	vmsk.exe	vmsk.exe
PID 832 wrote to memory of 2400	832	vmsk.exe	vmsk.exe
PID 832 wrote to memory of 2400	832	vmsk.exe	vmsk.exe
PID 832 wrote to memory of 2400	832	vmsk.exe	vmsk.exe
PID 832 wrote to memory of 2400	832	vmsk.exe	vmsk.exe
PID 832 wrote to memory of 2400	832	vmsk.exe	vmsk.exe
PID 832 wrote to memory of 2400	832	vmsk.exe	vmsk.exe
PID 832 wrote to memory of 2400	832	vmsk.exe	vmsk.exe
PID 832 wrote to memory of 2400	832	vmsk.exe	vmsk.exe
PID 832 wrote to memory of 2400	832	vmsk.exe	vmsk.exe
PID 2948 wrote to memory of 1752	2948	WINWORD.EXE	cmd.exe
PID 2948 wrote to memory of 1752	2948	WINWORD.EXE	cmd.exe
PID 2948 wrote to memory of 1752	2948	WINWORD.EXE	cmd.exe
PID 2948 wrote to memory of 1752	2948	WINWORD.EXE	cmd.exe
PID 2948 wrote to memory of 1724	2948	WINWORD.EXE	cmd.exe
PID 2948 wrote to memory of 1724	2948	WINWORD.EXE	cmd.exe
PID 2948 wrote to memory of 1724	2948	WINWORD.EXE	cmd.exe
PID 2948 wrote to memory of 1724	2948	WINWORD.EXE	cmd.exe
PID 2948 wrote to memory of 1916	2948	WINWORD.EXE	cmd.exe
PID 2948 wrote to memory of 1916	2948	WINWORD.EXE	cmd.exe
PID 2948 wrote to memory of 1916	2948	WINWORD.EXE	cmd.exe
PID 2948 wrote to memory of 1916	2948	WINWORD.EXE	cmd.exe
PID 2948 wrote to memory of 1680	2948	WINWORD.EXE	cmd.exe
PID 2948 wrote to memory of 1680	2948	WINWORD.EXE	cmd.exe
PID 2948 wrote to memory of 1680	2948	WINWORD.EXE	cmd.exe
PID 2948 wrote to memory of 1680	2948	WINWORD.EXE	cmd.exe
PID 1752 wrote to memory of 1628	1752	cmd.exe	reg.exe
PID 1752 wrote to memory of 1628	1752	cmd.exe	reg.exe
PID 1752 wrote to memory of 1628	1752	cmd.exe	reg.exe
PID 1752 wrote to memory of 1628	1752	cmd.exe	reg.exe
PID 1724 wrote to memory of 2144	1724	cmd.exe	reg.exe
PID 1724 wrote to memory of 2144	1724	cmd.exe	reg.exe
PID 1724 wrote to memory of 2144	1724	cmd.exe	reg.exe
PID 1724 wrote to memory of 2144	1724	cmd.exe	reg.exe
PID 1916 wrote to memory of 2368	1916	cmd.exe	reg.exe
PID 1916 wrote to memory of 2368	1916	cmd.exe	reg.exe
PID 1916 wrote to memory of 2368	1916	cmd.exe	reg.exe
PID 1916 wrote to memory of 2368	1916	cmd.exe	reg.exe
PID 1680 wrote to memory of 1716	1680	cmd.exe	WINWORD.EXE
PID 1680 wrote to memory of 1716	1680	cmd.exe	WINWORD.EXE
PID 1680 wrote to memory of 1716	1680	cmd.exe	WINWORD.EXE
PID 1680 wrote to memory of 1716	1680	cmd.exe	WINWORD.EXE

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\schet1074.15.03.16.rtf"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2972
- C:\Users\Admin\AppData\Local\Temp\vmsk.exe
  C:\Users\Admin\AppData\Local\Temp\vmsk.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:832
- - C:\Users\Admin\AppData\Local\Temp\vmsk.exe
    C:\Users\Admin\AppData\Local\Temp\vmsk.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2400
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete "HKCU\Software\Microsoft\Office\14.0\Word\Resiliency" /F
  2⤵
  - Process spawned unexpected child process
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKCU\Software\Microsoft\Office\14.0\Word\Resiliency" /F
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1628
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete "HKCU\Software\Microsoft\Office\12.0\Word\Resiliency" /F
  2⤵
  - Process spawned unexpected child process
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKCU\Software\Microsoft\Office\12.0\Word\Resiliency" /F
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2144
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete "HKCU\Software\Microsoft\Office\15.0\Word\Resiliency" /F
  2⤵
  - Process spawned unexpected child process
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKCU\Software\Microsoft\Office\15.0\Word\Resiliency" /F
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2368
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\document.doc"
  2⤵
  - Process spawned unexpected child process
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\document.doc"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:1716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\82F80691.wmf

Filesize
664B

MD5
656ddbdc2244cea646b2ca50edf5a7a6

SHA1
5becebd9bbbd2cd6a339cb54171ec8727c44fadb

SHA256
9d5a1b9b2c0645000b91eb6ee7d2791f30afed5a6d2f8924cdd7a54ad1309ff9

SHA512
08eee6e31fbfa5055d1b0f9dddd4e0a6c18a17a2c0f0c249594b1fe58184b311b65f2b7e3be25e85496fc44c0102d6e82ca85eab96233c4fc3c54eacbba2ec2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRO0000.doc

Filesize
43KB

MD5
2800112cb3c23cf703e8149101f52bea

SHA1
364720339e2709be4f272da14fe64836f33c6d57

SHA256
1028e211fc2c560e362344c80cbb1611cc5348b6b5c7256776c55405eea7a592

SHA512
656dcab7a17225bb8435c39fe30acca33989084ea9b532155c5b742a2c06d80647bd7bff15d4034c57ba9f9a83f7611647ddd73376cf4896f544a58ed812d55f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRO0001.doc

Filesize
28KB

MD5
40290a636532fa4212d4e9e1496f68b1

SHA1
5bb0dec8f0b5b2f8f39cbfda2802bca85d23266c

SHA256
ae01daa7d73c52f0f4cb19c1eb51b9774f133defcca3aed0a5262c0ee9721418

SHA512
9d87973e6271b490044910111274db632b4bec71746707c83eeacf6c18a26fbec36a0cb4b0169dce02c4c028cbcaa458401b656167c688c3c944d9fac4062e6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\document.doc

Filesize
1.1MB

MD5
64da7cf56dd89ccda3a9b0af28bd46c9

SHA1
371f6280be89c91e00244810caf1c0a6d394f5a4

SHA256
6f332f27bbf0831acd786596cb3ce1ecccd8e9388bf5cd529e2d24895e23e964

SHA512
535e9cfa0636a95f890abf0ec38398724f03137cc651322de4ed54c970a339031a5737ef979fa79d24fffea44caf8fc819fa595977bd9d71e447b26c7d51b070

Download Submit
\Users\Admin\AppData\Local\Temp\vmsk.exe

Filesize
892KB

MD5
d1217c81cca33f5fcc4bed6cd948a36b

SHA1
b1a299b2e29141618fd8ee1eba33f46dcbaa3f0a

SHA256
d460e5870a252c2827b88fdfc651a033a5d5875770f21a23b476a36e56ad5a8e

SHA512
bd63a2a187e5fba3691933b3eef02e86a09efd07d18c68dc1e372f9f848655ef4fffd930c5df6cc1f1ec10f66d424595c22866b74aa4d3688998c6c7013b897b

Download Submit
memory/1716-254-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2400-262-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2400-279-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2400-292-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2400-221-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2400-202-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/2400-204-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2400-265-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2400-266-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2400-290-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2400-289-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2400-208-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2400-211-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2400-216-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2400-288-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2400-287-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2400-222-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2400-214-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2400-220-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2400-264-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2400-286-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2400-285-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2400-261-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2400-215-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2400-263-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2400-225-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2400-206-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2400-291-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2400-269-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2400-270-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2400-271-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2400-272-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2400-273-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2400-274-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2400-275-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2400-276-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2400-277-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2400-278-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2400-284-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2400-280-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2400-281-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2400-282-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2400-283-0x0000000000400000-0x00000000005D5000-memory.dmp

Filesize
1.8MB

Download
memory/2948-2-0x00000000717BD000-0x00000000717C8000-memory.dmp

Filesize
44KB

Download
memory/2948-0-0x000000002FA41000-0x000000002FA42000-memory.dmp

Filesize
4KB

Download
memory/2948-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2948-223-0x000000000CD10000-0x000000000D210000-memory.dmp

Filesize
5.0MB

Download
memory/2948-224-0x0000000008FD0000-0x00000000091D0000-memory.dmp

Filesize
2.0MB

Download
memory/2948-209-0x00000000717BD000-0x00000000717C8000-memory.dmp

Filesize
44KB

Download
memory/2948-190-0x0000000008FD0000-0x00000000091D0000-memory.dmp

Filesize
2.0MB

Download
memory/2948-192-0x000000000CD10000-0x000000000D210000-memory.dmp

Filesize
5.0MB

Download
memory/2948-189-0x0000000008FD0000-0x00000000091D0000-memory.dmp

Filesize
2.0MB

Download